Principal-Id Attribute
Registered CAS applications can be configured with a username attribute provider, which controls which user identifier is returned to the application. By default, the user identifier is the authenticated CAS principal id, but it may optionally be based on an existing attribute that is already available and resolved for the principal.
More practically, the username attribute provider is translated and applied in the context of the authentication protocol that is used. For example, this component determines what should be placed inside the <cas:user> tag in the final CAS validation payload that is returned to the application when the authentication flow is in the context of the CAS protocol. Each authentication protocol supported by CAS might have an equivalent concept (e.g. SAML2 NameID or OpenID Connect sub claim) that is then mapped and translated by the username attribute provider.
You may also return the authenticated principal id as an extra attribute in the final CAS validation payload, typically when using the CAS protocol. See this guide to learn more.
A number of providers are able to perform canonicalization on the final user id returned, transforming it into uppercase or lowercase. This is controlled by canonicalizationMode, whose allowed values are UPPER, LOWER or NONE.
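The following is an added example, not code from CAS or from this page: a small Python model of how an attribute-based provider with canonicalizationMode could pick the identifier and place it in the <cas:user> tag. The function names, the sample principal and the fallback to the principal id when the attribute is missing are assumptions of this model.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used by CAS protocol responses
ET.register_namespace("cas", CAS_NS)


def canonicalize(value, mode="NONE"):
    """Apply canonicalizationMode (UPPER, LOWER or NONE) to the final user id."""
    if mode == "UPPER":
        return value.upper()
    if mode == "LOWER":
        return value.lower()
    if mode == "NONE":
        return value
    raise ValueError(f"unsupported canonicalizationMode: {mode!r}")


def resolve_username(principal_id, attributes, username_attribute=None, mode="NONE"):
    """Pick the identifier released to one application.

    With no username_attribute the principal id is used (the default).
    Assumption of this model: a missing or empty attribute also falls back
    to the principal id instead of releasing an empty identifier.
    """
    value = principal_id
    if username_attribute is not None:
        candidate = attributes.get(username_attribute)
        if isinstance(candidate, (list, tuple)):  # multi-valued attribute
            candidate = candidate[0] if candidate else None
        if candidate:
            value = str(candidate)
    return canonicalize(value, mode)


def cas_validation_payload(username):
    """Render a CAS protocol success response carrying <cas:user>."""
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    success = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
    ET.SubElement(success, f"{{{CAS_NS}}}user").text = username
    return ET.tostring(root, encoding="unicode")


# Constructed sample principal (not from the page).
PRINCIPAL_ID = "jsmith"
ATTRIBUTES = {"mail": ["J.Smith@Example.org"], "employeeNumber": ["00412"]}

if __name__ == "__main__":
    uid = resolve_username(PRINCIPAL_ID, ATTRIBUTES, "mail", "LOWER")
    print(cas_validation_payload(uid))
```

Applications that match accounts case-sensitively benefit from a fixed canonicalizationMode, since the same person otherwise can arrive as two different identifiers.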
Providers
The following providers are available to produce usernames.
| Provider | Description |
|---|---|
| Default | See this guide. |
| Attribute | See this guide. |
| Groovy | See this guide. |
| Anonymous | See this guide. |
| Encrypted | See this guide. |
| Static | See this guide. |