/
Issuing SAML Assertions hard-coded in the RADIUS Server

Issuing SAML Assertions hard-coded in the RADIUS Server

Owned by wqx+qmnstigwu5kzxaiskxnikzy@idp.company.ja.net
Last updated: Feb 13, 2017 by Stefan Paetow

  1. Create the file /etc/freeradius/policy.d/moonshot (on RHEL platforms, create /etc/raddb/policy.d/moonshot):

    moonshot_saml.post-auth { 
    if (&request:Realm == 'YOUR_REALM_HERE') {
        update reply {
            SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
            SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
            SAML-AAA-Assertion += '<saml:AttributeStatement>'
            SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
            SAML-AAA-Assertion += '</saml:AttributeStatement>'
            SAML-AAA-Assertion += '</saml:Assertion>'
        }
    }
}

    Example

    Camford University's SAML assertion would look like this:

    moonshot_saml.post-auth { 
    if (&request:Realm == 'camford.ac.uk') {
        update reply {
            SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
            SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
            SAML-AAA-Assertion += '<saml:AttributeStatement>'
            SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
            SAML-AAA-Assertion += '</saml:AttributeStatement>'
            SAML-AAA-Assertion += '</saml:Assertion>'
        }
    }
}

  2. In /etc/freeradius/sites-enabled/abfab-tr-idp, find the post-auth section. At the top, insert onto its own line the following:

    if (&request:GSS-Acceptor-Service-Name != 'trustidentity') && (&request:Realm == 'YOUR_REALM_HERE') {
        moonshot_saml

}
    You can adjust where you want to call the policy that inserts the Moonshot policy, as long as it is called in the post-auth section.
  3. If you use non-TLS connections for Moonshot, you may wish to repeat Step 2 in /etc/freeradius/sites-enabled/default.

  4. Restart FreeRADIUS.

 

Related content

Issue SAML Assertions
Issue SAML Assertions
Moonshot
More like this
Issue Pseudonymous Identifiers
Issue Pseudonymous Identifiers
Moonshot
More like this
Configure an Identity Provider
Configure an Identity Provider
Moonshot
More like this
The FreeRadius Moonshot SAML module
The FreeRadius Moonshot SAML module
Moonshot
More like this
_TIDC_FR_Prep_RHEL
_TIDC_FR_Prep_RHEL
Templates
More like this
Using the FreeRADIUS Users File
Using the FreeRADIUS Users File
Moonshot
More like this