Hi!
Changed to using AttributeQuery and also moved from authorization to post_auth.
Both changes successful.
So, now I have a test setup like this:
RADIUS -----> RADIUS ....> RADIUS -----> pySAML2
client        server       Python AA
                           module
                           (SP)
I've also added the SAML-AAA-Assertion definition to the freeRADIUS dictionary.
I split the Assertion into 248-byte chunks as proposed by Luke.
Using the default freeRADIUS setup with a simple test user (roland, password 'theone') added to 'user'.
If I now run radtest I get:
$ sudo radtest roland theone 127.0.0.1 0 testing123
Sending Access-Request of id 16 to 127.0.0.1 port 1812
User-Name = "roland"
User-Password = "theone"
NAS-IP-Address = 130.239.148.47
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=16, length=1357
SAML-AAA-Assertion = "<?xml version='1.0' encoding='UTF-8'?>\n<ns0:Assertion xmlns:ns0=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" ID=\"id-72b1b9ed17dc8293eae336241ac5078f\" IssueInstant=\"2011-06-13T09:25:28Z\" Version=\"2.0"
SAML-AAA-Assertion = "><ns0:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">http://localhost:8088/</ns0:Issuer><ns0:Subject><ns0:NameID>roland</ns0:NameID><ns0:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><ns0:SubjectConfirmationD"
SAML-AAA-Assertion = "ta InResponseTo=\"http://localhost:8087/\" NotOnOrAfter=\"2011-06-13T09:40:28Z\" Recipient=\"id-03cd9f18c1788cc0062842fdc4425aae\" /></ns0:SubjectConfirmation></ns0:Subject><ns0:Conditions NotBefore=\"2011-06-13T09:25:28Z\" NotOnOrAfter=\"2011-06-13T09:40:"
SAML-AAA-Assertion = "8Z\"><ns0:AudienceRestriction><ns0:Audience>http://localhost:8087/</ns0:Audience></ns0:AudienceRestriction></ns0:Conditions><ns0:AuthnStatement AuthnInstant=\"2011-06-13T09:25:28Z\" SessionIndex=\"id-124aaad2db37036419bb55673a74831d\" /><ns0:AttributeS"
SAML-AAA-Assertion = "atement><ns0:Attribute FriendlyName=\"eduPersonEntitlement\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><ns0:AttributeValue xsi:type=\"xs:string\">urn:mace:foo.bar:skruff</ns0:AttributeValue></"
SAML-AAA-Assertion = "s0:Attribute></ns0:AttributeStatement></ns0:Assertion>"
Corresponding output from the server is:
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Assertion: <?xml version='1.0' encoding='UTF-8'?>
<ns0:Assertion xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="id-72b1b9ed17dc8293eae336241ac5078f" IssueInstant="2011-06-13T09:25:28Z" Version="2.0"><ns0:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8088/</ns0:Issuer><ns0:Subject><ns0:NameID>roland</ns0:NameID><ns0:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns0:SubjectConfirmationData InResponseTo="http://localhost:8087/" NotOnOrAfter="2011-06-13T09:40:28Z" Recipient="id-03cd9f18c1788cc0062842fdc4425aae" /></ns0:SubjectConfirmation></ns0:Subject><ns0:Conditions NotBefore="2011-06-13T09:25:28Z" NotOnOrAfter="2011-06-13T09:40:28Z"><ns0:AudienceRestriction><ns0:Audience>http://localhost:8087/</ns0:Audience></ns0:AudienceRestriction></ns0:Conditions><ns0:AuthnStatement AuthnInstant="2011-06-13T09:25:28Z" SessionIndex="id-124aaad2db37036419bb55673a74831d" /><ns0:AttributeStatement><ns0:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xsi:type="xs:string">urn:mace:foo.bar:skruff</ns0:AttributeValue></ns0:Attribute></ns0:AttributeStatement></ns0:Assertion>
rlm_python:post_auth: 'SAML-AAA-Assertion' = '<?xml version='1.0' encoding='UTF-8'?> <ns0:Assertion xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="id-72b1b9ed17dc8293eae336241ac5078f" IssueInstant="2011-06-13T09:25:28Z" Version="2.0"'
rlm_python:post_auth: 'SAML-AAA-Assertion' = '><ns0:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8088/</ns0:Issuer><ns0:Subject><ns0:NameID>roland</ns0:NameID><ns0:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns0:SubjectConfirmationDa'
rlm_python:post_auth: 'SAML-AAA-Assertion' = 'ta InResponseTo="http://localhost:8087/" NotOnOrAfter="2011-06-13T09:40:28Z" Recipient="id-03cd9f18c1788cc0062842fdc4425aae" /></ns0:SubjectConfirmation></ns0:Subject><ns0:Conditions NotBefore="2011-06-13T09:25:28Z" NotOnOrAfter="2011-06-13T09:40:2'
rlm_python:post_auth: 'SAML-AAA-Assertion' = '8Z"><ns0:AudienceRestriction><ns0:Audience>http://localhost:8087/</ns0:Audience></ns0:AudienceRestriction></ns0:Conditions><ns0:AuthnStatement AuthnInstant="2011-06-13T09:25:28Z" SessionIndex="id-124aaad2db37036419bb55673a74831d" /><ns0:AttributeSt'
rlm_python:post_auth: 'SAML-AAA-Assertion' = 'atement><ns0:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xsi:type="xs:string">urn:mace:foo.bar:skruff</ns0:AttributeValue></n'
rlm_python:post_auth: 'SAML-AAA-Assertion' = 's0:Attribute></ns0:AttributeStatement></ns0:Assertion>'
++[python] returns updated
Sending Access-Accept of id 16 to 127.0.0.1 port 58029
SAML-AAA-Assertion = "<?xml version='1.0' encoding='UTF-8'?>\n<ns0:Assertion xmlns:ns0=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" ID=\"id-72b1b9ed17dc8293eae336241ac5078f\" IssueInstant=\"2011-06-13T09:25:28Z\" Version=\"2.0\""
SAML-AAA-Assertion = "><ns0:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">http://localhost:8088/</ns0:Issuer><ns0:Subject><ns0:NameID>roland</ns0:NameID><ns0:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><ns0:SubjectConfirmationDa"
SAML-AAA-Assertion = "ta InResponseTo=\"http://localhost:8087/\" NotOnOrAfter=\"2011-06-13T09:40:28Z\" Recipient=\"id-03cd9f18c1788cc0062842fdc4425aae\" /></ns0:SubjectConfirmation></ns0:Subject><ns0:Conditions NotBefore=\"2011-06-13T09:25:28Z\" NotOnOrAfter=\"2011-06-13T09:40:2"
SAML-AAA-Assertion = "8Z\"><ns0:AudienceRestriction><ns0:Audience>http://localhost:8087/</ns0:Audience></ns0:AudienceRestriction></ns0:Conditions><ns0:AuthnStatement AuthnInstant=\"2011-06-13T09:25:28Z\" SessionIndex=\"id-124aaad2db37036419bb55673a74831d\" /><ns0:AttributeSt"
SAML-AAA-Assertion = "atement><ns0:Attribute FriendlyName=\"eduPersonEntitlement\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><ns0:AttributeValue xsi:type=\"xs:string\">urn:mace:foo.bar:skruff</ns0:AttributeValue></n"
SAML-AAA-Assertion = "s0:Attribute></ns0:AttributeStatement></ns0:Assertion>"
Finished request 0.
-- Roland
------------------------------------------------------
Roland Hedberg
IT Architect
ICT Services and System Development (ITS)
Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
www.its.umu.se
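As an added illustration (not code from this post, freeRADIUS or pySAML2), the following Python shows the two halves of what the output above exercises: splitting the serialised assertion into 248-byte SAML-AAA-Assertion values, and on the receiving side reassembling them and checking that the result is well-formed, addressed to the right audience and inside its validity window. The assertion embedded here is a constructed, shortened copy of the one shown; the helper names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample assertion modelled on the one in the post (same issuer,
# subject, audience and validity window); it is not the bytes the server sent.
ASSERTION = (
    "<?xml version='1.0' encoding='UTF-8'?>\n"
    '<ns0:Assertion xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    "<ns0:Issuer>http://localhost:8088/</ns0:Issuer>"
    "<ns0:Subject><ns0:NameID>roland</ns0:NameID></ns0:Subject>"
    '<ns0:Conditions NotBefore="2011-06-13T09:25:28Z" NotOnOrAfter="2011-06-13T09:40:28Z">'
    "<ns0:AudienceRestriction><ns0:Audience>http://localhost:8087/</ns0:Audience>"
    "</ns0:AudienceRestriction></ns0:Conditions></ns0:Assertion>"
).encode("utf-8")

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CHUNK = 248  # bytes per SAML-AAA-Assertion value, as in the post


def chunk_assertion(data: bytes, size: int = CHUNK) -> list:
    """RADIUS side: split the serialised assertion into fixed-size byte chunks.
    Splitting bytes (not str) keeps multi-byte UTF-8 sequences intact once the
    receiver concatenates the chunks back in order."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def reassemble(chunks: list) -> bytes:
    """Receiving side: join the SAML-AAA-Assertion values in the order received."""
    return b"".join(chunks)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(data: bytes, sp_entity_id: str, now_utc: str) -> dict:
    """Receiving side: parse the reassembled XML and check what must hold before
    the assertion is trusted: well-formed, addressed to this entity, inside its
    validity window. Signature verification is left to pySAML2 and not shown."""
    try:
        root = ET.fromstring(data)  # fails if a chunk was dropped or reordered
    except ET.ParseError as exc:
        return {"well_formed": False, "error": str(exc)}
    cond = root.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    now = _ts(now_utc)
    return {
        "well_formed": True,
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience_ok": sp_entity_id in audiences,
        # NotOnOrAfter is exclusive: the assertion is already invalid at that instant
        "time_ok": _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")),
    }
```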