> > We found out today that when we use the attr_filter module in FreeRADIUS,
> > the GSS-Acceptor-* attributes are stripped from the request, which then
> > stops the channel bindings from working.
>
> well, unless they are listed in the allowed whitelist :-)
Quite. Because that's how I understand it.
> it doesn't. there'll be a difference in config. if you call the filter and
Ok, so if I know it's filtered out (because I proved that by adding the four GSS-Acceptor-* attributes into the filter and suddenly I received what appears to be an Access-Accept), can we add those four attributes into the pre-proxy filter whitelist? I think I mentioned this in February too.
I don't know whether they are required in the post-proxy filter too, but for the sake of brevity I didn't investigate further and just bunged them in (along with the SAML-AAA-Assertion attribute).
> don't have the attribute listed it will be gone (unless there's a confusion here
> about presence of an attribute in inner or outer tunnel - though once again,
> filter the packet in the right place and it will get adjusted)
The attributes are supposed to be present in both outer and inner. The chbind server then checks both on the IdP side and if they don't match, throws the request away.
Or at least that's what I inferred from the IdP logs I saw on the Janet side.
Stefan
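As an added illustration, not part of the thread, here is the whitelist change discussed above written in attr_filter's rule syntax. Attribute names follow RFC 7055 and RFC 7833 and should be checked against your dictionary; the file path assumes FreeRADIUS 3's default layout, and the existing entries are shortened to a few representative ones.

```conf
# raddb/mods-config/attr_filter/pre-proxy   (path assumed: FreeRADIUS 3 default layout)
#
# attr_filter keeps only the attributes listed for the matching entry; anything
# absent from the list is stripped before the request is proxied. The
# GSS-Acceptor-* attributes carry the channel-binding data, so if they are not
# listed here they never reach the next hop and chbind fails.
#
# Keep the entries your distribution ships (shown here in shortened form) and
# append the channel-binding attributes to the same DEFAULT entry.
DEFAULT
	User-Name =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	# Channel-binding attributes (RFC 7055); all four pass through unchanged.
	GSS-Acceptor-Service-Name =* ANY,
	GSS-Acceptor-Host-Name =* ANY,
	GSS-Acceptor-Service-Specifics =* ANY,
	GSS-Acceptor-Realm-Name =* ANY,
	# SAML assertion attribute (RFC 7833), as added in the thread; last line has no comma.
	SAML-AAA-Assertion =* ANY
```

The post-proxy file uses the same syntax, so the same five lines can be added there if the reply must carry them; a quick check is to run `radiusd -X` and confirm the attributes still appear in the proxied packet after `attr_filter.pre-proxy` runs.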