Issuing SAML Assertions hard-coded in the RADIUS Server

Owned by wqx+qmnstigwu5kzxaiskxnikzy@idp.company.ja.net
Last updated: Feb 13, 2017 by Stefan Paetow
2 min read

  1. Create the file /etc/freeradius/policy.d/moonshot (on RHEL platforms, create /etc/raddb/policy.d/moonshot):

    moonshot_saml.post-auth { 
    if (&request:Realm == 'YOUR_REALM_HERE') {
        update reply {
            SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
            SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
            SAML-AAA-Assertion += '<saml:AttributeStatement>'
            SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
            SAML-AAA-Assertion += '</saml:AttributeStatement>'
            SAML-AAA-Assertion += '</saml:Assertion>'
        }
    }
}

    Example

    Camford University's SAML assertion would look like this:

    moonshot_saml.post-auth { 
    if (&request:Realm == 'camford.ac.uk') {
        update reply {
            SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
            SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
            SAML-AAA-Assertion += '<saml:AttributeStatement>'
            SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
            SAML-AAA-Assertion += '</saml:AttributeStatement>'
            SAML-AAA-Assertion += '</saml:Assertion>'
        }
    }
}

  2. In /etc/freeradius/sites-enabled/abfab-tr-idp, find the post-auth section. At the top, insert onto its own line the following:

    if (&request:GSS-Acceptor-Service-Name != 'trustidentity') && (&request:Realm == 'YOUR_REALM_HERE') {
        moonshot_saml

}
    You can adjust where you want to call the policy that inserts the Moonshot policy, as long as it is called in the post-auth section.
  3. If you use non-TLS connections for Moonshot, you may wish to repeat Step 2 in /etc/freeradius/sites-enabled/default.

  4. Restart FreeRADIUS.