Hi!
After roughly a day's work (mostly trying to figure out how a freeradius python module is supposed to be implemented) I have come a bit of the way.
This is what I've done:
- Written a python module that can act as a freeradius python module.
This module then depends heavily on my pysaml2 package.
The module presently implements two methods: instantiate and authorize.
authorize receives username and password from freeradius.
The module then sends a SAML2 AuthnRequest to an IdP using the SOAP binding.
It is assumed that the IdP supports HTTP basic authentication (at least that is what I'm using presently).
The IdP responds with a SAML2 Response containing an Assertion (granted that the authentication was successful).
The module verifies the Response, grabs the assertion's attributes and values and converts them to something that Freeradius understands.
Two questions so far:
Can I expect usernames of the form user@realm and then in some way pick the IdP to use based on the realm? Possibly use the scope from the SAML metadata?
Is there a set of 'radius' attribute names I should use when mapping the SAML attributes?
What about multiple attribute values ? How do I represent that ?
My lab setup works all the way up to the attribute mapping.
The radius server doesn't accept what I send it :-(
-- Roland
------------------------------------------------------
Roland Hedberg
IT Architect
ICT Services and System Development (ITS)
Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
www.its.umu.se
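An added example, not Roland's module and not code from FreeRADIUS or pysaml2, sketching how the three questions in the mail above could be handled inside an rlm_python module: splitting user@realm and choosing the IdP from a realm table, mapping assertion attributes onto RADIUS reply attributes, and returning a multi-valued attribute as repeated (name, value) pairs. The SOAP AuthnRequest/Response round trip is replaced by an injectable callable (demo_idp, backed by a constructed user table) so the file runs outside the server; the realm-to-IdP table, the endpoint URLs, the attribute mapping and the fallback radiusd return codes are all assumptions made for the example.

```python
"""Minimal rlm_python-style module: realm -> IdP dispatch and SAML -> RADIUS attribute mapping.

Added example; the SAML/SOAP exchange itself is not implemented here.
"""
try:
    import radiusd  # provided by FreeRADIUS when this file is loaded by rlm_python
except ImportError:
    class radiusd:  # stand-in so the module can be exercised outside the server
        # Assumption: numeric codes as used by FreeRADIUS 2.x rlm_python
        RLM_MODULE_REJECT = 0
        RLM_MODULE_FAIL = 1
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7

# Constructed realm -> IdP SOAP endpoint table (hypothetical URLs).
REALM_TO_IDP = {
    "example.org": "https://idp.example.org/idp/soap",
    "example.net": "https://idp.example.net/idp/soap",
}

# Constructed SAML attribute name -> RADIUS reply attribute mapping.
SAML_TO_RADIUS = {
    "eduPersonAffiliation": "Filter-Id",
    "displayName": "Reply-Message",
}

# Constructed accounts standing in for the IdPs: endpoint -> user -> (password, attributes).
DEMO_IDP_USERS = {
    "https://idp.example.org/idp/soap": {
        "alice": ("s3cret", {"eduPersonAffiliation": ["member", "staff"],
                             "displayName": "Alice Example",
                             "mail": "alice@example.org"}),
    },
}


def demo_idp(username, password, idp_endpoint):
    """Stand-in for the SOAP AuthnRequest/Response round trip.

    Returns the assertion's attributes as a dict on success, None on failure.
    """
    entry = DEMO_IDP_USERS.get(idp_endpoint, {}).get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


SAML_AUTHENTICATE = demo_idp  # assumption: the real pysaml2-based exchange goes here


def split_realm(user_name):
    """'user@realm' -> ('user', 'realm'); a name without '@' -> (name, None)."""
    if "@" not in user_name:
        return user_name, None
    local, _, realm = user_name.rpartition("@")
    return local, realm.lower()


def pick_idp(realm):
    """Select the IdP endpoint for a realm; None if the realm is unknown."""
    if realm is None:
        return None
    return REALM_TO_IDP.get(realm)


def to_reply_items(saml_attrs):
    """Map assertion attributes to a tuple of (RADIUS attribute, value) pairs.

    A multi-valued SAML attribute becomes one pair per value, which is how
    several values of the same attribute are handed back to the server.
    Attributes without a mapping are dropped rather than sent under an
    unknown name.
    """
    items = []
    for name, values in saml_attrs.items():
        radius_name = SAML_TO_RADIUS.get(name)
        if radius_name is None:
            continue
        if isinstance(values, (str, bytes)):
            values = [values]
        for value in values:
            items.append((radius_name, str(value)))
    return tuple(items)


def _get(p, attr):
    """Fetch the first value of attr from the (name, value) pairs FreeRADIUS passes in."""
    for name, value in p:
        if name == attr:
            return value
    return None


def instantiate(p):
    return radiusd.RLM_MODULE_OK


def authorize(p, authenticate=None):
    """rlm_python entry point: p is a tuple of (attribute, value) string pairs."""
    authenticate = authenticate or SAML_AUTHENTICATE
    user_name = _get(p, "User-Name")
    password = _get(p, "User-Password")
    if user_name is None or password is None:
        return radiusd.RLM_MODULE_NOOP  # no cleartext password (e.g. CHAP): not ours
    local, realm = split_realm(user_name)
    idp = pick_idp(realm)
    if idp is None:
        return radiusd.RLM_MODULE_NOOP  # unknown realm: let another module decide
    attrs = authenticate(local, password, idp)
    if attrs is None:
        return radiusd.RLM_MODULE_REJECT
    reply = to_reply_items(attrs)
    config = (("Auth-Type", "Accept"),)  # already authenticated against the IdP
    return radiusd.RLM_MODULE_OK, reply, config
```

The shape of the return value matters to rlm_python: authorize may return either a bare return code or a three-tuple of (code, reply pairs, config pairs), and a value that occurs twice in the assertion is sent as the same attribute name twice in the reply tuple, not as a joined string. Setting Auth-Type in the config pairs tells the server the request is already authenticated, so no second authentication module runs on the password.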