Merge branch 'release/25.0.0'

Author: cslzchen

.github/workflows/build.yml

@@ -18,13 +18,13 @@ jobs:
         with:
           java-version: 11
       - name: Cache SonarCloud packages
-        uses: actions/cache@v1
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: Cache Gradle packages
-        uses: actions/cache@v1
+        uses: actions/cache@v4
         with:
           path: ~/.gradle/caches
           key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
+25.0.0 (09-10-2025)
+===================
+
+* Handle duplicate and multiple SSO emails during institution login
+* Add new and sync existing server config files
+* Fix GitHub Action
+
 24.1.0 (08-09-2024)
 ===================
 

etc/cas/config/attribute-map-prod.xml

@@ -0,0 +1,250 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- Overridden by UOM SelectiveSsoFilter -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    -->
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+    -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
+    <!--
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- Active Directory Federation Services (ADFS 2.x) -->
+    <!-- University of Cape Town (UCT) and Boys Town (BT) -->
+    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="mail" />
+    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="displayName" />
+    <Attribute name="http://schemas.microsoft.com/identity/claims/displayname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="displayName" />
+    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="givenName" />
+    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="sn" />
+    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="upn" />
+    <Attribute name="http://schemas.microsoft.com/identity/claims/objectidentifier" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="oid" />
+
+    <!-- Institut Teknologi Bandung (ITB) -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+
+    <!-- East Carolina University (ECU) -->
+    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ecudepartment" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="department" />
+
+    <!-- This is the attribute for eduPersonPrimaryOrgUnitDN. Institutions may or may not use this in DN (distinguished name) format -->
+    <!-- Instituitons that use eduPersonPrimaryOrgUnitDN as text/string - OKSTATE -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="department"/>
+    <!-- Institutions that use eduPersonPrimaryOrgUnitDN as DN - None -->
+    <!-- Institutions that use customized attribute for the department attribute -->
+
+    <!-- University of Arizona (UA) -->
+    <!--
+        The attribute that UA released has a friendly name "employeePrimaryDeptName". However, OSF Shibboleth maps the
+        OID directly to "department" for institutions-auth.xsl (OSF CAS) to use for XML tranformation. Thus, there is
+        no need to track what friendly name each institution use for department in that XSL file.
+    -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5643.10.0.52" id="department"/>
+
+    <!-- University of British Columbia (UBC)  -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.60.1.7.1" id="persistent-id"/>
+
+    <!-- University of Southern California (USC) -->
+    <Attribute name="urn:mace:usc.edu:gds:attribute-def:uscEmailPrimaryAddress" id="mailOther"/>
+    <Attribute name="urn:mace:usc.edu:gds:attribute-def:uscDisplayGivenName" id="uscDisplayGivenName"/>
+    <Attribute name="urn:mace:usc.edu:gds:attribute-def:uscDisplayMiddleName" id="uscDisplayMiddleName"/>
+    <Attribute name="urn:mace:usc.edu:gds:attribute-def:uscDisplaySn" id="uscDisplaySn"/>
+
+    <!-- Virginia Commonwealth University (VCU) -->
+    <!-- The attribute that VCU released has a friendly name "vcuEduPersonDepartment", which OSF Shibboleth doesn't use. -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.10384.0.0.3.1" id="department"/>
+
+    <!-- Georgia Institute of Technology (GATECH) -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.636.2.11.1.56" id="department"/>
+
+    <!-- Vrije Universiteit Amsterdam (VUA) -->
+    <Attribute name="urn:mace:dir:attribute-def:eduDepartment" id="department"/>
+
+    <!-- Princeton University (PU) -->
+    <Attribute name="urn:oid:1.2.840.113556.1.2.141" id="department"/>
+
+    <!-- Selective SSO Filter Attribute -->
+    <!-- University of Manchester (UOM) -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="selectiveSsoFilter"/>
+    <!-- Yale Law School (YLS) -->
+    <Attribute name="isMemberOfYLS" id="selectiveSsoFilter"/>
+
+    <!-- Harvard University (HARVARD) -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.6341.610.1.2.1.175" id="mail"/>
+    <Attribute name="urn:mace:harvard.edu:iam:common:full_name" id="displayName"/>
+
+    <!-- Ferris State University -->
+    <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="uid" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="http://wso2.org/claims/emailaddress" id="mail" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="http://wso2.org/claims/lastname" id="sn" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="http://wso2.org/claims/givenname" id="givenName" />
+
+    <!-- Shared SSO Filter Attribute for FSU and NationalMagLab -->
+    <Attribute name="urn:fsu:names:SAML:attribute:fsuEduAppRoles" id="userRoles"/>
+
+    <!-- Spanish National Research Council (CSIC) -->
+    <Attribute name="urn:mace:rediris.es:attribute-def:irisMailMainAddress" id="mailOther"/>
+
+    <!-- Active Directory Federation Services (ADFS 1.x) -->
+    <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="CommonName" id="cn"/>
+    <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="GivenName" id="givenName"/>
+    <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="Surname" id="sn"/>
+    <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="EmailAddress" id="mailOther"/>
+    <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="UPN" id="upn"/>
+    <Attribute nameFormat="http://schemas.xmlsoap.org/claims" name="Group" id="group"/>
+
+    <!-- Macquarie University (MQ) -->
+    <!--
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="persistent-id" id="persistent-id" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="mail" id="mail" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="displayName" id="displayName" />
+    -->
+
+    <!-- Albion -->
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="http://wso2.org/claims/mail" id="mail" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="http://wso2.org/claims/displayName" id="displayName" />
+    <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="http://wso2.org/claims/userprincipal" id="eppn" />
+
+    <!-- Customized Institutional Identity Attribute -->
+    <!-- Washington University in St. Louis (WUSTL) -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.14519.1.1" id="institutionalidentity"/>
+
+</Attributes>