IDP: separate authentication from authorization.


paolo.c...@uniurb.it

Apr 22, 2016, 7:46:14 AM
to SimpleSAMLphp
To keep it short, what I need is to authenticate against RADIUS and, once authenticated by username and password, to authorize, i.e. retrieve attributes, from one or more LDAP servers.
I'm not able to find documentation about this; is this a supported feature?

Ty everybody.

Paolo Cecchini

marco.ca...@uniurb.it

Apr 28, 2016, 12:48:51 PM
to SimpleSAMLphp
Hi to everybody,
I have the same problem: can I authenticate users using RADIUS by username and password and then authorize from one or more LDAP servers?

Many thanks

Marco Cappellacci

Peter Schober

Apr 28, 2016, 1:28:36 PM
to SimpleSAMLphp
* marco.cappellacci via SimpleSAMLphp <simple...@googlegroups.com> [2016-04-28 18:48]:
> I have the same problem, can I authenticate users using radius by
> username and password and then authorize from one or more ldap?

I'd rephrase that as "look up (additional) attributes from LDAP",
otherwise you risk being told that authorization should happen at the
protected resource (e.g. the SAML SP, based on existing/missing SAML
attributes), not at the IDP.
But I don't know the answer to that question, sorry. I don't think SSP
has separate stages for authentication vs. attribute resolving.
-peter

paolo.c...@uniurb.it

Apr 29, 2016, 2:46:26 AM
to SimpleSAMLphp, peter....@univie.ac.at
On Thursday, 28 April 2016 at 19:28:36 UTC+2, Peter Schober wrote:

> I'd rephrase that as "look up (additional) attributes from LDAP",
>
> -peter

Yes you're right, forgive my English. The long story is ...

We're a university.
We have quite a complex scenario down here, where SAML is used for eduGAIN stuff and also as SSO for local applications. We *need* to authenticate against a remote Oracle database, preferably via RADIUS. We need to look up (additional) attributes from LDAP(s), too. I can't afford to put attributes in a RADIUS dictionary.

We're on Shibboleth. We invoke RADIUS via JRadius; it's working, but I'll be more than happy to get rid of Tomcat (8), and *really* happy when I can get rid of Java from scratch.

I'm evaluating SimpleSAMLphp, but it looks like I'm missing some core feature. Or at least I'm not able to find out about it.

Ty again for any hint. PaoloC
 

Thijs Kinkhorst

Apr 29, 2016, 2:56:47 AM
to simple...@googlegroups.com
On 29-04-16 08:46, paolo.cecchini via SimpleSAMLphp wrote:
> We do have quite a complex scenary downhere where SAML is used for
> Edugain stuff and also as SSO for local applications. We *need* to
> authenticate against a remote Oracle database, better if via Radius. We
> need to look up (additional) attributes from LDAP(s), too. I can't
> afford to put attributes on a Radius Dictionnary.
>
> We're on Shibboleth. We invoke Radius via JRadius, It's working but I'll
> be more than happy to get rid of Tomcat(8), and *really* happy when I
> can get rid of Java from scratch.
>
> I'm evaluating SimpleSAMLphp but looks like I'm missing some core
> feature. Or at least I'm not able to find out about.

I think simpleSAML can do what you want, I believe it's what we do as
well in our IdP (as a fallback scenario). We use the radius module to
authenticate the user against Radius, and then use the
AttributeAddFromLDAP authproc filter to retrieve additional attributes
from LDAP for that user.

The following documentation should describe how to use it:
https://simplesamlphp.org/docs/stable/radius:radius
https://simplesamlphp.org/docs/stable/ldap:ldap

Let us know if you have additional questions.

Cheers,
Thijs
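As an added illustration of the two-stage setup Thijs describes (example configuration written for this thread, not code from the thread or from the SimpleSAMLphp project itself), the fragments below chain a `radius:Radius` authsource with `ldap:AttributeAddFromLDAP` filters against two directories. All hostnames, DNs, secrets and attribute names are placeholders; the one coupling that matters is that `username_attribute` names the same attribute the `%uid%` placeholder refers to.

```php
<?php
// --- config/authsources.php (added example; every hostname, DN, secret
// and attribute name below is a placeholder, not a value from the thread) ---
$config = array(
    // Step 1: authentication only. RADIUS checks username/password; the
    // module stores the accepted username in the attribute named by
    // 'username_attribute'. Nothing has to live in the RADIUS dictionary.
    'uniurb-radius' => array(
        'radius:Radius',
        'servers' => array(
            array('hostname' => 'radius1.example.org', 'port' => 1812, 'secret' => 'CHANGE-ME'),
        ),
        'username_attribute' => 'uid', // must match the %uid% placeholder below
    ),
    // Connection settings reused by the attribute filter; never used to log in.
    'uniurb-ldap-people' => array(
        'ldap:LDAP',
        'hostname' => 'ldaps://ldap1.example.org',
        'search.enable' => true,
        'search.base' => 'ou=people,dc=example,dc=org',
        'search.attributes' => array('uid'),
        'search.username' => 'cn=idp-reader,ou=svc,dc=example,dc=org',
        'search.password' => 'CHANGE-ME',
    ),
);
// --- metadata/saml20-idp-hosted.php ---
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'auth' => 'uniurb-radius',
    // Step 2: attribute resolution, run only after RADIUS accepted the login.
    'authproc' => array(
        50 => array( // first directory, via the authsource defined above
            'class' => 'ldap:AttributeAddFromLDAP',
            'authsource' => 'uniurb-ldap-people',
            'attributes' => array('mail', 'displayName', 'eduPersonAffiliation'),
            'search.filter' => '(uid=%uid%)',
            'attribute.policy' => 'merge',
        ),
        51 => array( // second directory, connection settings given inline
            'class' => 'ldap:AttributeAddFromLDAP',
            'ldap.hostname' => 'ldaps://ldap2.example.org',
            'ldap.basedn' => 'ou=staff,dc=example,dc=org',
            'ldap.username' => 'cn=idp-reader,ou=svc,dc=example,dc=org',
            'ldap.password' => 'CHANGE-ME',
            'attributes' => array('eduPersonEntitlement'),
            'search.filter' => '(uid=%uid%)',
            'attribute.policy' => 'merge', // keep existing values, add new ones
        ),
    ),
);
```

The read-only bind accounts only need search rights on the relevant subtrees; the SP still takes the access decision on the released attributes, as Peter points out above.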


paolo.c...@uniurb.it

Apr 29, 2016, 2:59:33 AM
to SimpleSAMLphp, thijs.k...@surfnet.nl
Thank you so much. I'll look at your links ASAP. PaoloC