Hi,
for now Moonshot seems to only support authentication against FreeRADIUS
without using an SAML IdP, but in draft-ietf-abfab-arch-00 it says that
the request could contain a SAML Request and that the response from the
IdP contains SAML assertions. (The SAML assertions are now hard coded in
my FreeRADIUS configuration)
Is it correct that it should be possible to use a normal web IdP to
authenticate any user in the end?
Some parts of the SAML handling like parsing a SAML Assertion are
already partly implemented, but it is not possible to authenticate
against a normal IdP, is that correct?
I would like to extend Moonshot to do so or help with that. For now it
looks to me that the best way would be to write a FreeRADIUS module like
rlm_ldap but sending a HTTP request with a SAML Request to an IdP and
getting the resulting SAML Response with the assertions. The answer from
the IdP has to be parsed so we need the Shibboleth also in FreeRADIUS.
Is this a good way to do so? Is someone else already working on this?
Hauke