WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Principal-Id Attribute
Registered CAS applications are given the ability to allow for configuration of a username attribute provider, which controls what should be the designated user identifier that is returned to the application. The user identifier by default is the authenticated CAS principal id, yet it optionally may be based off of an existing attribute that is available and resolved for the principal already.
More practically, username attribute provider is translated and applied in the context of the authentication protocol that is used. For example, this
component determines what should be placed inside the <cas:user> tag in the final CAS validation payload that is returned to the
application when the authentication flow is in the context of the CAS protocol. Each authentication protocol supported by CAS might have an equivalent
concept (i.e. SAML2 NameID or OpenID Connect sub claim) that is then mapped and translated by the username attribute provider.
Principal Id As AttributeYou may also return the authenticated principal id as an extra attribute in the final CAS validation payload, typically when using the CAS protocol. See this guide to learn more.
A number of providers are able to perform canonicalization on the final user id returned to transform it
into uppercase/lowercase. This is noted by the canonicalizationMode whose allowed values are UPPER, LOWER or NONE.
Providers
The following providers are available to produce usernames.
| Provider | Description |
|---|---|
| Default | See this guide. |
| Attribute | See this guide. |
| Groovy | See this guide. |
| Anonymous | See this guide. |
| Encrypted | See this guide. |
| Static | See this guide. |