As mentioned on the call, when trying to parse an incoming SAML block on a server acting as an RP Proxy, I ran into an issue.
The ways I thought that the SAML block could be parsed are:
* rlm_exec
* rlm_python
* rlm_perl
* freeradius-pysaml2
Out of these, I believe rlm_perl is the only current and functional option for parsing SAML (if my assessment of any of these is wrong, please correct me!):
rlm_exec:
* Works by stuffing an attribute list into environment variables and execve()ing another binary or script.
* Doesn’t correctly handle multiple attributes with the same name, so you only get the last line of the SAML assertion
* Could be made to work, but is a bit of a hack, and not ideal
rlm_python:
* Embedded python interpreter within FreeRADIUS
* Seems to only allow access to a single attribute list - the "request" list - SAML is in the reply list, so is not passed in
* Could be extended, but this would be substantial work
rlm_perl:
* Embedded perl interpreter within FreeRADIUS
* Works
* Need to write perl :(
freeradius-pysaml2:
* Not updated for FreeRADIUS 3
* I believe (but cannot confirm until it's updated) that it suffers the same limitations as rlm_python
The perl module is very extensive and works very well so this may not be an issue - we could provide a perl script that executes python, but this would make things tricky to debug, and performance wouldn’t be great.
Users are likely to ask about this sort of functionality (so that they can allow policy decisions based on SAML within the RADIUSd), so it’s something we should decide on a solution for.
I think a socket based solution has been suggested on the FreeRADIUS list before - this seems quite elegant (and portable to any language the user desires) - this may be worth exploring too.
Regards,
Adam Bishop
Systems Development Specialist
gpg: 0x6609D460
t: +44 (0)1235 822 245
xmpp: [log in to unmask]
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
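As an added illustration of the rlm_perl route discussed above (example code, not from the message or from FreeRADIUS): a post_auth function that reassembles the SAML assertion from the reply list, parses it, and exposes one value to unlang policy. It assumes FreeRADIUS 3 rlm_perl conventions (%RAD_REPLY/%RAD_CHECK hashes, array refs for multi-valued attributes), that the assertion arrives in an attribute named SAML-AAA-Assertion, and that eduPersonAffiliation is the value policy cares about.

```perl
# Added example (not from the message): an rlm_perl module that recovers the
# SAML assertion from the reply list and exposes one value to unlang policy.
use strict;
use warnings;
use XML::LibXML;

# rlm_perl fills these before each call and copies %RAD_CHECK back afterwards
# (assumed: FreeRADIUS 3 rlm_perl conventions, as in its shipped example.pl).
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };
use constant { L_INFO => 3, L_ERR => 4 };

my $SAML_ATTR = 'SAML-AAA-Assertion';   # assumed name of the attribute carrying the assertion
my $SAML_NS   = 'urn:oasis:names:tc:SAML:2.0:assertion';
my $AFFIL_OID = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1';   # eduPersonAffiliation (chosen for this example)

sub post_auth {
    my $raw = $RAD_REPLY{$SAML_ATTR};
    return RLM_MODULE_NOOP unless defined $raw;

    # A RADIUS attribute value holds at most 253 bytes, so the assertion arrives as
    # several same-named attributes; rlm_perl presents those as one array ref.
    my $xml = ref $raw eq 'ARRAY' ? join('', @{$raw}) : $raw;

    # Parse with external entities and network fetches disabled: the assertion
    # is input from another party, even if it reached us over a trusted hop.
    my $doc = eval {
        XML::LibXML->load_xml(string => $xml, no_network => 1,
                              load_ext_dtd => 0, expand_entities => 0);
    };
    unless ($doc) {
        radiusd::radlog(L_ERR, "SAML assertion did not parse: $@");
        return RLM_MODULE_REJECT;
    }

    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(saml => $SAML_NS);

    # A SAML attribute may itself be multi-valued, so gather every AttributeValue.
    my @affil = map { $_->textContent }
        $xpc->findnodes('//saml:Attribute[@Name="' . $AFFIL_OID . '"]/saml:AttributeValue');
    my ($name_id) = map { $_->textContent } $xpc->findnodes('//saml:Subject/saml:NameID');
    radiusd::radlog(L_INFO, sprintf('SAML subject %s affiliation [%s]',
                                    $name_id // '(none)', join(',', @affil)));

    # Hand the result to unlang via the control list (Tmp-String-0 is a stock
    # dictionary attribute), so policy can test control:Tmp-String-0.
    $RAD_CHECK{'Tmp-String-0'} = join(',', @affil);
    return RLM_MODULE_OK;
}
```

The module does not verify the assertion's XML signature; it relies on the RADIUS hop that delivered the reply having already been authenticated, so a deployment that needs end-to-end assurance must add signature checking before trusting the extracted values.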