Principal-Id Attribute

Registered CAS applications are given the ability to allow for configuration of a username attribute provider, which controls what should be the designated user identifier that is returned to the application. The user identifier by default is the authenticated CAS principal id, yet it optionally may be based off of an existing attribute that is available and resolved for the principal already.

More practically, username attribute provider is translated and applied in the context of the authentication protocol that is used. For example, this component determines what should be placed inside the <cas:user> tag in the final CAS validation payload that is returned to the application when the authentication flow is in the context of the CAS protocol. Each authentication protocol supported by CAS might have an equivalent concept (i.e. SAML2 NameID or OpenID Connect sub claim) that is then mapped and translated by the username attribute provider.

:warning: Principal Id As Attribute

You may also return the authenticated principal id as an extra attribute in the final CAS validation payload, typically when using the CAS protocol. See this guide to learn more.

A number of providers are able to perform canonicalization on the final user id returned to transform it into uppercase/lowercase. This is noted by the canonicalizationMode whose allowed values are UPPER, LOWER or NONE.


The following providers are available to produce usernames.

Provider Description
Default See this guide.
Attribute See this guide.
Groovy See this guide.
Anonymous See this guide.
Encrypted See this guide.
Static See this guide.