SAML support for freeRadius
ALVAREZ SANTANA, LUIS MIGUEL
100077516 at alumnos.uc3m.es
Wed Mar 25 16:32:42 CET 2009
Hi Stefan and everybody,
I'm trying to put together a federated-identity architecture involving
layer 2 communications, RADIUS (such as FreeRADIUS) and an IdP
server, but I have some doubts about it. Searching for information, I
read this thread and decided to ask for help. I'm really interested in
scenarios 2 and 3, which were described before:
> 2) a user logs in with a non-SAML credential. FreeRADIUS should be able
> to use a SAML-enabled backend to verify these credentials.
> 3) a user logs in with a non-SAML credential. FreeRADIUS uses a non-SAML
> backend, but transports a SAML assertion to the user which the user can
> later use to enter SAML-enabled resources.
In fact, what I was wondering is whether a mixture of scenarios 2 and 3
would be possible, I mean: a user logs in with a non-SAML credential
(an X.509 certificate), FreeRADIUS verifies the credentials against a
SAML-enabled backend (IdP), AND transports a SAML assertion to the user,
which the user can later use to enter SAML-enabled resources.
Is there any way of getting a successful "SAML conversation" between
FreeRADIUS and an IdP, in which the assertions are sent to FreeRADIUS
and from there to the client (at layer 2)?
As regards the use of a layer 2 protocol/method to send SAML
attributes, I've heard about DAIDALOS, which uses PEAPv2 to send and
receive SAML assertions between the two ends of an EAP layer 2
communication.
I'm not sure whether the latter contradicts your previous answer:
> In that case though, the equally sad answer is that
> there is no defined transport to send SAML within RADIUS. What you'd
> need then is a means to send SAML payloads in RADIUS attributes. The
> most logical way of doing so would be some kind of "EAP-SAML" - but such
> a thing doesn't exist as an IETF standard today. So if authenticating
> via SAML assertions is something you want to do - please present your
> use case loudly to IETF people - they might listen and get going :-)
Does it mean that it is not possible to send SAML assertions in any
EAP method, or does it only have to do with SAML payloads in RADIUS attributes?
Thank you very much for your attention, and sorry for my awful English.
Greetings,
Luis M. Álvarez
--
Universidad Carlos III de Madrid