Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »

  1. Create the file /etc/freeradius/policy.d/moonshot (on RHEL platforms, create /etc/raddb/policy.d/moonshot):

    moonshot_saml.post-auth { 
        if (Realm == '[your realm here]') {
            update reply {
                SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
                SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
                SAML-AAA-Assertion += '<saml:AttributeStatement>'
                SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
                SAML-AAA-Assertion += '</saml:AttributeStatement>'
                SAML-AAA-Assertion += '</saml:Assertion>'
            }
        }
    }

    Example

    Camford University's SAML assertion would look like this:

    moonshot_saml.post-auth { 
        if (Realm == 'camford.ac.uk') {
            update reply {
                SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
                SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
                SAML-AAA-Assertion += '<saml:AttributeStatement>'
                SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
                SAML-AAA-Assertion += '</saml:AttributeStatement>'
                SAML-AAA-Assertion += '</saml:Assertion>'
            }
        }
    }
  2. In /etc/freeradius/sites-enabled/abfab-tr-idp, find the post-auth section. At the top, insert onto its own line the following:

            moonshot_saml
    
    You can adjust where you want to call the policy that inserts the Moonshot policy, as long as it is called in the post-auth section.
  3. If you use non-TLS connections for Moonshot, you may wish to repeat Step 2 in /etc/freeradius/sites-enabled/default.

  4. Restart FreeRADIUS.

 

  • No labels