Retrieving attributes from radius / trying to understand how attributes are returned to SP via simpleSAML IdP
237 views
Skip to first unread message
Bob
Mar 7, 2016, 6:14:23 AM3/7/16
to SimpleSAMLphp
Hello,
Apologies for the newbie post, but I have been reading the simpleSAML documentation and what I can find on the internet but am still somewhat struggling to understand how attributes are passed from the IdP to SP. I'm sure what this comes down to is myself just not understanding things correctly, so I was hoping the more experienced users here would be able to help point me in the right direction.
What I am trying to achive:-
Looking at the Radius module documentation (https://simplesamlphp.org/docs/1.5/radius:radius), it mentions I need to add a vendor id and vendor. So as a test I have set a "reply" attribute on a test radius user account I am using. I se tthe reply attribute for the "3com" vendor and the attribute "3com-Product-ID" (this isn't what we'll use in production, I just wanted to use an existing Vendor/attribute for development/testing). I set a value of "12" to this with the "=" operator.
I then tried adding the below to authsources.php, saml20-idp-hosted.php and saml20-sp-remote.php but couldn't figure out the right place to put it or if I implemented it correctly.
'attribute_vendor' => 43,
'attribute_vendor_type' => 255,
Below is what I currently have configured in case someone can identify where I am going wrong. Could anyone advise the newbie on how I can include the reply attributes from radius in the SAML assertion so the SP can see them?
Thanks in advance for any insight or help!
authsources.php
metadata/saml20-idp-hosted.php -
The hardcoded "mail" attribute here (in italic) was to test a login to a development SP to see if it could be integrated with the simpleSAML IdP (which worked), this is obviously hardcoded at the moment and an example of what I want to pull from Radius for the authenticated user
metadata/saml20-sp-remote.php -
Like above, the hardcoded "mail" attribute here (in italic) was to test a login to a development SP to see if it could be integrated with the simpleSAML IdP (which worked), this is obviously hardcoded at the moment and an example of what I want to pull from Radius for the authenticated user
Apologies for the newbie post, but I have been reading the simpleSAML documentation and what I can find on the internet but am still somewhat struggling to understand how attributes are passed from the IdP to SP. I'm sure what this comes down to is myself just not understanding things correctly, so I was hoping the more experienced users here would be able to help point me in the right direction.
What I am trying to achive:-
- A simpleSAMLphp IdP which uses Radius as an authentication source (I have this working)
- The radius server to return specific attributes to a specific SP i.e. authenticated user's email, authenticated user's company name etc... (This is the part I am having difficulty with)
Looking at the Radius module documentation (https://simplesamlphp.org/docs/1.5/radius:radius), it mentions I need to add a vendor id and vendor. So as a test I have set a "reply" attribute on a test radius user account I am using. I se tthe reply attribute for the "3com" vendor and the attribute "3com-Product-ID" (this isn't what we'll use in production, I just wanted to use an existing Vendor/attribute for development/testing). I set a value of "12" to this with the "=" operator.
I then tried adding the below to authsources.php, saml20-idp-hosted.php and saml20-sp-remote.php but couldn't figure out the right place to put it or if I implemented it correctly.
'attribute_vendor' => 43,
'attribute_vendor_type' => 255,
Below is what I currently have configured in case someone can identify where I am going wrong. Could anyone advise the newbie on how I can include the reply attributes from radius in the SAML assertion so the SP can see them?
Thanks in advance for any insight or help!
authsources.php
'companyradius' => array(
'radius:Radius',
'servers' => array('hostname' => '<radiusserver>',
'port' => <radiusserverport>,
'secret' => '<secretkeyforradius>'
),
'timeout' => 5,
'retries' => 3,
'username_attribute' => 'User-Name',
),
metadata/saml20-idp-hosted.php -
The hardcoded "mail" attribute here (in italic) was to test a login to a development SP to see if it could be integrated with the simpleSAML IdP (which worked), this is obviously hardcoded at the moment and an example of what I want to pull from Radius for the authenticated user
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => '<privatekeyfile>.pem',
'certificate' => '<certificatefile>.crt',
'auth' => 'companyradius',
'RelayState' => '<our site>',
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
'authproc' => array(
60 => array(
'class' => 'core:AttributeAdd',
'%replace',
'mail' => array('bl...@blah.com'),
),
),
);metadata/saml20-sp-remote.php -
Like above, the hardcoded "mail" attribute here (in italic) was to test a login to a development SP to see if it could be integrated with the simpleSAML IdP (which worked), this is obviously hardcoded at the moment and an example of what I want to pull from Radius for the authenticated user
$metadata[<SP-1>] = array (
'entityid' => '<SP-1>',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'simplesaml.nameidattribute' => 'mail',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '<SP-LOGIN URL>',
'index' => 0,
'isDefault' => true,
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '<SP-LOGIN URL>',
'index' => 1,
'isDefault' => true,
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '<IDP LOGOUT>',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '<IDP LOGOUT>',
),
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => <CERTDATA> ),
),
);
Peter Schober
Mar 7, 2016, 6:27:17 AM3/7/16
to SimpleSAMLphp
* Bob <psych...@gmail.com> [2016-03-07 12:14]:
that's done using, well, SAML (protocol messages) and SSP handles all
that for you. Once data is available within the IDP (no matter from
where) it's all treated the same.
Your question is solely about how to interface from PHP (or
SimpleSAMLphp's radius module) to Radius or how to send attributes
to the IDP using the RADIUS protocol. See the recent thread on
this list for more details.
I really hope you don't run SSP 1.5. Current is here:
https://simplesamlphp.org/docs/stable/radius:radius
-peter
> Apologies for the newbie post, but I have been reading the simpleSAML
> documentation and what I can find on the internet but am still somewhat
> struggling to understand how attributes are passed from the IdP to
> SP.
Passing the data between a SAML IDP and a SAML SP is not your issue,
> documentation and what I can find on the internet but am still somewhat
> struggling to understand how attributes are passed from the IdP to
> SP.
that's done using, well, SAML (protocol messages) and SSP handles all
that for you. Once data is available within the IDP (no matter from
where) it's all treated the same.
Your question is solely about how to interface from PHP (or
SimpleSAMLphp's radius module) to Radius or how to send attributes
to the IDP using the RADIUS protocol. See the recent thread on
this list for more details.
I really hope you don't run SSP 1.5. Current is here:
https://simplesamlphp.org/docs/stable/radius:radius
-peter
Bob
Mar 7, 2016, 7:48:23 AM3/7/16
to SimpleSAMLphp, peter....@univie.ac.at
Thanks Peter, that makes sense and it helps me at least focus more on the IdP retrieving the data rather than the problem being a supply to the SP.
I really hope you don't run SSP 1.5. Current is here:
https://simplesamlphp.org/docs/stable/radius:radius
No, not using 1.5. I just copied the wrong link, but thanks for checking.
I managed to get a new test (partly) working once you clued me in on how this actually works and focused me a bit more. I decided to use a different Vendor instead of 3com as the new test too (this time Nokia and I used the attribute "Nokia-Service-Username" as the test attribute with a value set to "myTestValue") and this time I got a value back from Radius which was great as it was at least one more baby step forward.
The only problem with this was the Radius reply attribute value, was being used as the SAML attribute name (and the SAML assertion value was null; snippet included below).
Do you think this is a radius issue (i.e. it's not returning a name and value but just a value) or do you think it's my simpleSAML configuration (I have included what I've done below)?
For instance, should I be using the "attribute_vendor" code in conjunction with auth proc filters to properly construct a SAML attribute somehow?
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
Thanks again
I added the following "attribute_vendor" lines to my authsources.php file
I managed to get a new test (partly) working once you clued me in on how this actually works and focused me a bit more. I decided to use a different Vendor instead of 3com as the new test too (this time Nokia and I used the attribute "Nokia-Service-Username" as the test attribute with a value set to "myTestValue") and this time I got a value back from Radius which was great as it was at least one more baby step forward.
The only problem with this was the Radius reply attribute value, was being used as the SAML attribute name (and the SAML assertion value was null; snippet included below).
Do you think this is a radius issue (i.e. it's not returning a name and value but just a value) or do you think it's my simpleSAML configuration (I have included what I've done below)?
For instance, should I be using the "attribute_vendor" code in conjunction with auth proc filters to properly construct a SAML attribute somehow?
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
Thanks again
I added the following "attribute_vendor" lines to my authsources.php file
'companyradius' => array(
'radius:Radius',
'servers' => array('hostname' => '<radiusserver>',
'port' => <radiusserverport>,
'secret' => '<secretkeyforradius>'
),
'timeout' => 5,
'retries' => 3,
'username_attribute' => 'User-Name',
'attribute_vendor' => 94,
'attribute_vendor_type' => 5,
),
The snippet from the SAML assertion was the following (where "myTestValue" is actually the radius reply attribute value, not the name of it. The name of the radius attribute is actually "Nokia-Service-Username").
<saml:Attribute Name="myTestValue" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">
</saml:AttributeValue>
</saml:Attribute>Reply all
Reply to author
Forward
0 new messages