Attribute Release Policies

The attribute release policy decides how attributes are selected and provided to a given application in the final CAS response. Additionally, each policy can apply an optional filter to weed out attributes based on their values.

The following settings are shared by all attribute release policies:

| Name | Value |
|------|-------|
| authorizedToReleaseCredentialPassword | Boolean to define whether the service is authorized to release the credential as an attribute. |
| authorizedToReleaseProxyGrantingTicket | Boolean to define whether the service is authorized to release the proxy-granting ticket id as an attribute. |
| excludeDefaultAttributes | Boolean to define whether this policy should exclude the default global bundle of attributes for release. |
| authorizedToReleaseAuthenticationAttributes | Boolean to define whether this policy should exclude the authentication/protocol attributes for release. Authentication attributes are considered those that are not tied to a specific principal and define extra supplementary metadata about the authentication event itself, such as the commencement date. |
| principalIdAttribute | An attribute name of your own choosing that will be stuffed into the final bundle of attributes, carrying the CAS authenticated principal identifier. |

Usage Warning!

Think VERY CAREFULLY before turning on the above settings. Blindly authorizing an application to receive a proxy-granting ticket or the user credential may produce an opportunity for security leaks and attacks. Make sure you actually need to enable those features and that you understand why. Avoid them where and when you can, especially when it comes to sharing the user credential.

CAS makes a distinction between attributes that convey metadata about the authentication event versus those that contain personally identifiable data for the authenticated principal.
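One way to act on the usage warning above is to audit service definitions for the two settings it names. This is an added example, not code from the CAS project. It assumes definitions are stored as strict JSON, that an absent flag counts as false, and the names `risky_flags`, `audit` and the sample services are illustrative.

```python
import json

# The two settings the usage warning singles out.
RISKY_FLAGS = (
    "authorizedToReleaseCredentialPassword",
    "authorizedToReleaseProxyGrantingTicket",
)

def risky_flags(node):
    """Collect risky flags set to true anywhere under a policy node.

    Walking recursively also covers policies nested inside another policy.
    A flag that is absent is treated as false (assumption).
    """
    found = set()
    if isinstance(node, dict):
        found.update(f for f in RISKY_FLAGS if node.get(f) is True)
        for value in node.values():
            found |= risky_flags(value)
    elif isinstance(node, list):
        for item in node:
            found |= risky_flags(item)
    return found

def audit(definitions):
    """Map service name -> sorted risky flags, for services that have any."""
    report = {}
    for text in definitions:
        service = json.loads(text)
        flags = risky_flags(service.get("attributeReleasePolicy", {}))
        if flags:
            report[service.get("name", "<unnamed>")] = sorted(flags)
    return report

# Constructed sample definitions, not taken from any real deployment.
SAMPLES = [
    '''{"name": "hr-portal", "id": 1, "serviceId": "^https://hr.example.org/.*",
        "attributeReleasePolicy": {
          "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
          "allowedAttributes": ["java.util.ArrayList", ["cn", "mail"]],
          "authorizedToReleaseCredentialPassword": true,
          "excludeDefaultAttributes": true}}''',
    '''{"name": "wiki", "id": 2, "serviceId": "^https://wiki.example.org/.*",
        "attributeReleasePolicy": {
          "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
          "allowedAttributes": ["java.util.ArrayList", ["cn"]],
          "authorizedToReleaseProxyGrantingTicket": false}}''',
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLES).items():
        print(f"{name}: review {', '.join(flags)}")
```

Each service it reports is one where the need for the credential or the proxy-granting ticket should be confirmed and documented, or the flag turned off.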

Actuator Endpoints

The following endpoints are provided by CAS: