On 09/14/2011 02:41 PM, Markus Ludwig Grandpre wrote:

Hello Markus,

> I try to send a SAML assertion as an attribute in a Access-Accept
> packet, but packet is too long (when using UDP). Is there a possibility
> to distribute content of Access-Accept packet to several packets?

Try adding three SAML-AAA-Assertion attributes instead of one. Your attribute seems to be over 600 characters, which is way more than the 8-bit attribute length field can carry. The receiver may be able to concatenate the attributes back into one value.

Related to this: where is SAML-AAA-Assertion defined? The closest thing I was able to find was this:

http://tools.ietf.org/html/draft-ietf-abfab-aaa-saml-01#section-3

Note that this draft also advises how to cope with long attributes. The advice here is to split and concatenate too.

Thanks!
Heikki

> Radiator configuration:
> -----------------------
>
> AddToReply SAML-AAA-Assertion = <saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> IssueInstant="2011-03-19T08:30:00Z" ID="foo"
> Version="2.0"><saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer><saml:AttributeStatement><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>[email protected]</saml:AttributeValue></saml:Attribute><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
>
>
> Radiator log:
> -------------
>
> Code:       Access-Accept
> Identifier: 14
> Authentic:  <152><183>`<240>J<203>8F<197><221><198>j<241>cT
> Attributes:
>         User-Name = "user"
>         EAP-Message = <3><7><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         SAML-AAA-Assertion = "<saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> IssueInstant="2011-03-19T08:30:00Z" ID="foo"
> Version="2.0"><saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer><saml:AttributeStatement><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute><saml:Attribute
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"
>         MS-MPPE-Send-Key = <243>6b<18>$<213><187><18>f<28><199><200><205>y_Y<251><248>?6<141><155><192>1=<159><214><222><203><254>;<186>
>         MS-MPPE-Recv-Key = <248><28>pg(<249><212>Mu<244><168><5><246><255><1><200><28><182><251><132>^<7>UZ<169>~<8><152>m<185><147><128>
>
> Error Message (sshd):
> ---------------------
>
> sshd[28902]: debug1: Unspecified GSS failure. Minor code may provide
> more information\ninvalid packet: WARNING: Malformed RADIUS packet from
> host (null): attribute 62 data overflows the packet (udp.c:118)\n
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
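The split-and-concatenate advice in the reply above, worked through as an added example (not Radiator code and not code from the ABFAB draft): a RADIUS attribute's one-octet Length covers Type, Length and Value, so a single Value can never exceed 253 octets, and a 600-plus character assertion has to travel as several same-type attributes that the receiver joins in packet order. The attribute type 62 is an assumption taken from the sshd warning quoted above ("attribute 62 data overflows the packet"); the assertion text is constructed for the example, not the one from Markus's configuration. The parser also rejects the malformed case that warning describes, where an attribute's declared length runs past the end of the datagram.

```python
import struct

RADIUS_HDR_LEN = 20        # Code(1) Identifier(1) Length(2) Authenticator(16), RFC 2865
RADIUS_MAX_PACKET = 4096   # maximum RADIUS packet length, RFC 2865 section 3
ATTR_MAX_VALUE = 253       # 8-bit Length includes Type and Length octets: 255 - 2
ACCESS_ACCEPT = 2

# Assumption for this example: the attribute number the sshd warning on the page names.
SAML_AAA_ASSERTION_TYPE = 62

# Constructed sample assertion (about 650 bytes, so it needs three attributes).
ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="example" Version="2.0">'
    b'<saml:AttributeValue>' + b'x' * 500 + b'</saml:AttributeValue>'
    b'</saml:Assertion>'
)


def split_attribute(attr_type: int, value: bytes, chunk: int = ATTR_MAX_VALUE) -> list:
    """Encode value as one or more Type/Length/Value attributes, each Length <= 255."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one octet")
    if not 1 <= chunk <= ATTR_MAX_VALUE:
        raise ValueError("a single attribute value cannot exceed 253 octets")
    if not value:
        raise ValueError("an attribute must carry at least one value octet")
    encoded = []
    for offset in range(0, len(value), chunk):
        piece = value[offset:offset + chunk]
        encoded.append(struct.pack("!BB", attr_type, len(piece) + 2) + piece)
    return encoded


def build_access_accept(identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble a RADIUS packet and enforce the 4096-octet datagram limit."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(attrs)
    length = RADIUS_HDR_LEN + len(body)
    if length > RADIUS_MAX_PACKET:
        raise ValueError(f"packet would be {length} octets, over the RADIUS maximum")
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + authenticator + body


def parse_attributes(blob: bytes) -> list:
    """Walk the attribute area; refuse attributes that overflow the packet."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 3:
            raise ValueError(f"attribute {attr_type}: length {length} below minimum of 3")
        if pos + length > len(blob):
            raise ValueError(f"attribute {attr_type} data overflows the packet")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def reassemble(attrs: list, attr_type: int) -> bytes:
    """Join every value of attr_type in packet order (RFC 2865 keeps same-type order)."""
    return b"".join(value for t, value in attrs if t == attr_type)


if __name__ == "__main__":
    chunks = split_attribute(SAML_AAA_ASSERTION_TYPE, ASSERTION)
    print(f"{len(ASSERTION)} bytes -> {len(chunks)} attributes of {[len(c) for c in chunks]} octets")
    packet = build_access_accept(14, b"\x00" * 16, chunks)
    recovered = reassemble(parse_attributes(packet[RADIUS_HDR_LEN:]), SAML_AAA_ASSERTION_TYPE)
    print("round trip ok:", recovered == ASSERTION)
    try:
        parse_attributes(packet[RADIUS_HDR_LEN:-10])
    except ValueError as err:
        print("truncated datagram rejected:", err)
```

The concatenation rule is the same one RADIUS already uses for EAP-Message, so a receiver that handles EAP fragments has the machinery to handle a multi-attribute assertion; what it must not do is trust a Length octet without checking it against the bytes actually received, which is exactly the check that produced the warning in the quoted log.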
