Skip to end of metadata
Go to start of metadata
  1. Create the file /etc/freeradius/policy.d/moonshot (on RHEL platforms, create /etc/raddb/policy.d/moonshot):

    moonshot_saml.post-auth { 
        if (&request:Realm == 'YOUR_REALM_HERE') {
            update reply {
                SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
                SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
                SAML-AAA-Assertion += '<saml:AttributeStatement>'
                SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
                SAML-AAA-Assertion += '</saml:AttributeStatement>'
                SAML-AAA-Assertion += '</saml:Assertion>'
            }
        }
    }

    Example

    Camford University's SAML assertion would look like this:

    moonshot_saml.post-auth { 
        if (&request:Realm == 'camford.ac.uk') {
            update reply {
                SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
                SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
                SAML-AAA-Assertion += '<saml:AttributeStatement>'
                SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
                SAML-AAA-Assertion += '</saml:AttributeStatement>'
                SAML-AAA-Assertion += '</saml:Assertion>'
            }
        }
    }
  2. In /etc/freeradius/sites-enabled/abfab-tr-idp, find the post-auth section. At the top, insert onto its own line the following:

    if (&request:GSS-Acceptor-Service-Name != 'trustidentity') && (&request:Realm == 'YOUR_REALM_HERE') {
            moonshot_saml
    
    }
    You can adjust where you want to call the policy that inserts the Moonshot policy, as long as it is called in the post-auth section.
  3. If you use non-TLS connections for Moonshot, you may wish to repeat Step 2 in /etc/freeradius/sites-enabled/default.

  4. Restart FreeRADIUS.