Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel

Once the Moonshot Libraries have been installed on a Server and they have been configured to connect to a local Moonshot RP Proxy, they need to be configured to resolve attributes received in the Moonshot SAML assertion or RADIUS attributes to something the local service can do something with.

Contents

Table of Contents


Introduction


The Moonshot GSS mechanism exports the attributes received in the SAML Assertion (see Issue SAML Assertions) and RADIUS Access-Accept messages as GSS Name Attributes, as described in RFC 7056.

While some applications might be able to consume these Name Attributes directly, some others might require that a well-known attribute is sourced, so they can consume it without having to understand every possible name. An example of the latter is OpenSSH, where an attribute called local-login-user is checked to obtain the name of the account the authenticated user is authorised to access.

The Moonshot software provides two different ways to perform attribute mapping (that is, the generation of an attribute using another attribute's value). The first one uses (included in the moonshot-gss-eap package) the Shibboleth SP library, and provides a set of powerful transformation primitives. However, this comes at the cost of adding additional dependencies and configuration complexity. The second one (included in the moonshot-gss-eap-noshib) uses a simple JSON file to define very simple mapping rules.

Tip

The default configuration for attribute resolution is with uses the Shibboleth SP library. On certain platforms, attribute resolution is not available with Shibboleth and attribute resolution with JSON must be used. This is usually the case on platforms where Shibboleth is not available or too heavy-weight.

Configure attribute resolution using the Shibboleth

...

SP library

Moonshot by default uses Shibboleth libraries to parse RADIUS and SAML attributes.

...

Note

Internal JSON resolution is only available in the moonshot-gss-eap-noshib package. This package is the same as the classic moonshot-gss-eap package, but is built without Shibboleth support.

This package will still install some Shibboleth Consortium packages (notably OpenSAML), but not the Shibboleth daemon.

Moonshot now also supports the use of a JSON file that performs basic mapping of attributes in the Moonshot response to local attributes as needed. The most basic functionality will simply copy the value from an attribute provided, but the built-in function also allows the setting of some values statically. 

...