Hi Stefan and everybody

I'm trying to build a federation-ID architecture that involves layer 2 communications, RADIUS (like FreeRADIUS) and an IdP server, but I have some doubts about it. Searching for information I read this thread, and I decided to ask for help. I'm really interested in scenarios 2 & 3, which were described before:

2) a user logs in with a non-SAML credential. FreeRADIUS should be able
to use a SAML-enabled backend to verify these credentials.
3) a user logs in with a non-SAML credential. FreeRADIUS uses a non-SAML
backend, but transports a SAML assertion to the user which the user can
later use to enter SAML-enabled resources.

In fact, what I was wondering is whether a mixture of scenarios 2 and 3 would be possible, I mean: a user logs in with a non-SAML credential (X.509 certificate), FreeRADIUS verifies the credentials against a SAML-enabled backend (IdP), AND transports a SAML assertion to the user which the user can later use to enter SAML-enabled resources. Is there any way of getting a successful "SAML conversation" between FreeRADIUS and an IdP, in which the assertions are sent to FreeRADIUS and from there to the client (at layer 2)?

As regards the use of a layer 2 protocol/method to send SAML attributes, I've heard about DAIDALOS, which uses PEAPv2 to send and receive SAML assertions between the ends of an EAP layer 2 communication.

I'm not sure whether the latter contradicts your previous answer:

In that case though, the equally sad answer is that
there is no defined transport to send SAML within RADIUS. What you'd
need then is a means to send SAML payloads in RADIUS attributes. The
most logical way of doing so would be some kind of "EAP-SAML" - but such
a thing doesn't exist as an IETF standard today. So if authenticating
via SAML assertions is something you want to do - please present your
use case loudly to IETF people - they might listen and get going :-)

Does it mean that it is not possible to send SAML assertions in any EAP method, or does it only apply to SAML payloads in RADIUS attributes?

Thank you very much for your attention, and sorry for my awful English.

Greetings

Luis M. Álvarez
--
Universidad Carlos III de Madrid
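Added illustration (not from this thread or from FreeRADIUS) of why "SAML payloads in RADIUS attributes" is awkward even before the lack of a standard: RFC 2865 caps an attribute value at 253 bytes and a whole packet at 4096 bytes, so a signed assertion of a few KB has to be fragmented across many attributes and may not fit at all. The attribute type 250 and the sample assertion are constructed placeholders; no such attribute is defined.

```python
"""Fragmenting a SAML assertion into RADIUS TLV attributes (illustrative only).

RFC 2865 limits: Attribute = Type(1) Length(1) Value(<=253 bytes);
packet length <= 4096 bytes including the 20-byte header.
"""
import struct

RADIUS_HEADER_LEN = 20        # Code, Identifier, Length, Authenticator(16)
RADIUS_MAX_PACKET = 4096
ATTR_MAX_VALUE = 253          # 255 - 2 bytes of Type/Length
PLACEHOLDER_SAML_ATTR = 250   # constructed type number, NOT an IANA-assigned attribute


def fragment_payload(payload: bytes, attr_type: int = PLACEHOLDER_SAML_ATTR) -> list[bytes]:
    """Split payload into RFC 2865 attributes carrying at most 253 value bytes each."""
    attrs = []
    for i in range(0, len(payload), ATTR_MAX_VALUE):
        chunk = payload[i:i + ATTR_MAX_VALUE]
        attrs.append(struct.pack("!BB", attr_type, len(chunk) + 2) + chunk)
    return attrs


def reassemble(attrs: list[bytes], attr_type: int = PLACEHOLDER_SAML_ATTR) -> bytes:
    """Concatenate, in order, the values of all attributes of the given type."""
    out = bytearray()
    for a in attrs:
        t, length = struct.unpack("!BB", a[:2])
        if length < 2 or length != len(a):  # reject malformed Length fields
            raise ValueError("malformed RADIUS attribute length")
        if t == attr_type:
            out += a[2:length]
    return bytes(out)


def packet_size(attrs: list[bytes]) -> int:
    """Size of a RADIUS packet carrying exactly these attributes."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in attrs)


def fits_in_one_packet(payload: bytes) -> bool:
    """Would this payload, fragmented into attributes, fit in a single packet?"""
    return packet_size(fragment_payload(payload)) <= RADIUS_MAX_PACKET


# Constructed sample: a minimal assertion skeleton, then one padded to a realistic signed size.
SAMPLE_ASSERTION = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
                    b'<saml:Subject>example-user</saml:Subject></saml:Assertion>')
LARGE_ASSERTION = SAMPLE_ASSERTION + b"A" * 5000  # stands in for signature and attributes

if __name__ == "__main__":
    frags = fragment_payload(SAMPLE_ASSERTION)
    print(len(frags), "attribute(s),", packet_size(frags), "bytes, fits:", fits_in_one_packet(SAMPLE_ASSERTION))
    print("~5 KB assertion fits in one packet:", fits_in_one_packet(LARGE_ASSERTION))
```

The small skeleton fits in one attribute, while the padded one needs 21 attributes and exceeds the 4096-byte packet limit, which is why any real transport would have to fragment at the EAP layer rather than rely on RADIUS attributes alone.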

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html