Hi Rob,
Thanks for your detailed reply.
Ok, first things first. I was working with ADFS to federate our domain with
Office 365. However, there were several issues related to it. We planned to
move from it to Shibboleth. We have completely removed the ADFS role from the
system. We have also uninstalled the Microsoft ADFS update installed under
Programs and Features (in Control Panel). So now ADFS is completely gone!
Now the issue about the metadata file. I have the following in our relying-party.xml:
<metadata:MetadataProvider id="URLMD"
    xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/azure-metadata.xml">
</metadata:MetadataProvider>
That is the reason I am talking about SAML, i.e. FederationMetaDataUrl.
My understanding is that having FederationMetadataUrl defines which
metadata to read and then follows the links mentioned in it, isn't it? But
as you said, it is only for ADFS. Now I wonder why, when I log out from Office
365, I get an error that "you are not logged out from the following services":
office 365
idp.rosmini.school.nz
and get an error page from Microsoft.
I have made the federation changes a couple of times from Managed to Federated as
you suggested, but that FederationMetadataUrl comes back each time I
federate and supply the federation commands in one go. It comes automatically.
I have also restarted the system to start again after removing the ADFS role
and dependencies (updates).
Maybe when you have a moment I can do it with you on a remote session,
just to see if I am still doing something wrong?
Thanks for your help.
Post by Rob Gorrell:
I'm not sure I can help you. Based on my understanding, what I've been
trying to convey is that the FederationMetadataUrl parameter you speak of only
applies to an ADFS setup and is not relevant (or even accessible) to a SAML
setup, so I am confused as to why you are hung up on it or why you even
have a value there in the first place. In a SAML setup, the O365 metadata
is stored in a static file on your IdP and your IdP's metadata (i.e. signing
certificate) is uploaded directly to your O365 by using the
-SigningCertificate param of the Set-MsolDomainAuthentication cmdlet...
there is no URL involved for metadata retrieval, on either side.
The Get-MsolFederationProperty cmdlet that shows the FederationMetadataUrl
property you speak of only applies to ADFS federated domains and, as far as
I can tell, is useless for SAML... in fact if I run it, it will error
telling me my domain isn't federated with ADFS (though it's working and
federated with SAML). Remember, Microsoft speak for "federating" is
referring to a specific product, i.e. WSFed/ADFS... using Shibb/SAML is not
federating with O365, but just a special kind of authentication
configuration somewhere between a Managed and a Federated domain... so expect
most of the cmdlets with "Federating/Federation" in them not to apply to a
SAML setup.
-Rob
On Tue, Aug 19, 2014 at 3:43 PM, Farzan Qureshi <
Post by Farzan Qureshi:
Hi Rob,
Have you ever had this issue where, when you try to change
FederationMetadataUrl, it doesn't change even if you change authentication
to Managed and then change back with the federation parameters? I have changed
it to Managed to change the logout URL and now, when I am trying to federate
it with the correct parameters in a single command, it is not changing
FederationMetadataUrl. It changes everything but not FederationMetadataUrl.
I have manually typed the command and also made sure that $variable holds
the correct link to the SAML metadata.
Would you please help me? It's broken now, which I didn't want.
Thanks.
Post by Farzan Qureshi:
Bugga!! :( That's not good :( I don't want to break anything.
Anyhow, shall I set LogOffUri to
https://idp.rosmini.school.nz/idp/logout.jsp ?
Post by Rob Gorrell:
This is what I was saying in the other thread... it doesn't like
incremental changes here. You need to set your domain back to Managed and
then toggle it back to SAML federated with all the params correctly set at
once through this cmdlet.
Rob
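The procedure Rob describes (drop the domain back to Managed, then re-federate it with every parameter set in a single Set-MsolDomainAuthentication call, uploading the IdP's signing certificate with -SigningCertificate rather than via any metadata URL) as a worked example. This is an added example written for this page, not code from the thread or from either poster. It uses the MSOnline PowerShell module the thread refers to (since deprecated by Microsoft in favour of Microsoft Graph); the domain name, IdP hostname, certificate path and brand name are placeholder assumptions, and the IdP endpoint paths assume a Shibboleth IdP with its default profile URLs.

```powershell
# Added example (not from the thread): re-federate a domain to a SAML 2.0 IdP
# in one Set-MsolDomainAuthentication call, as Rob recommends, using the
# MSOnline module. All hostnames, paths and the domain name below are
# placeholder assumptions, not values taken from the thread.

Import-Module MSOnline
Connect-MsolService          # prompts for a tenant admin credential

$dom     = 'example.edu'                              # assumed federated domain
$idpHost = 'idp.example.edu'                          # assumed Shibboleth IdP host
$certPem = '/opt/shibboleth-idp/credentials/idp.crt'  # assumed IdP signing cert (PEM)

# -SigningCertificate takes the base64 DER body only: strip the PEM armour
# and all whitespace so the value is a single base64 string.
$cert = (Get-Content $certPem -Raw) `
            -replace '-----(BEGIN|END) CERTIFICATE-----', '' `
            -replace '\s', ''

# Sanity check before touching the tenant: the string must parse as an X.509
# certificate and must not already be expired. (The unary comma passes the
# byte[] as one constructor argument instead of unrolling it.)
$bytes = [Convert]::FromBase64String($cert)
$x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
if ($x509.NotAfter -lt (Get-Date)) {
    throw "IdP signing certificate has expired: $($x509.Subject)"
}

# Step 1: back to Managed. O365 does not apply incremental edits to a
# SAML-federated domain reliably, so the whole configuration is re-applied.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed

# Step 2: federate again with every parameter supplied in the same call.
Set-MsolDomainAuthentication `
    -DomainName                      $dom `
    -Authentication                  Federated `
    -PreferredAuthenticationProtocol Samlp `
    -IssuerUri                       "https://$idpHost/idp/shibboleth" `
    -PassiveLogOnUri                 "https://$idpHost/idp/profile/SAML2/POST/SSO" `
    -ActiveLogOnUri                  "https://$idpHost/idp/profile/SAML2/SOAP/ECP" `
    -LogOffUri                       "https://$idpHost/idp/logout.jsp" `
    -FederationBrandName             'Example University IdP' `
    -SigningCertificate              $cert

# Step 3: read the result back. Get-MsolDomainFederationSettings works for a
# SAML domain; Get-MsolFederationProperty is ADFS-specific and errors here,
# as Rob notes in the thread.
Get-MsolDomainFederationSettings -DomainName $dom |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
```

Run the whole script in one session with a tenant administrator account; while the domain is Managed (between steps 1 and 2) users of that domain cannot sign in, so schedule it accordingly. Verify the LogOffUri that comes back against the IdP's actual logout page before testing sign-out from the portal.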
Post by Farzan Qureshi:
Hi Rob,
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -LogOffUri $logouturl
PassiveClientSignOutUrl : https://idp.rosmini.school.nz/logout
It is not changing it.
Post by Farzan Qureshi:
Shall I set LogOffUri to https://idp.rosmini.school.nz/idp/logout.jsp ?
Post by Farzan Qureshi:
Ok, please wait, let me check.
Post by Rob Gorrell:
I get a PowerShell error, because that cmdlet only works for an
ADFS federated domain, not a SAMLP one.
For SAML, you need to use the LogOffUri parameter of the
Set-MsolDomainAuthentication cmdlet...
-Rob
On Tue, Aug 19, 2014 at 4:42 PM, Farzan Qureshi <
Post by Farzan Qureshi:
Thanks Nate and Rob.
Get-MsolFederationProperty -DomainName UNCG.EDU
What do you get for PassiveClientSignOutUrl?
Post by Rob Gorrell:
Per Nate's link, you will need to configure and point this URL to
your logout.jsp template.
For me, the URL looks like: https://idp.uncg.edu/idp/logout.jsp
-Rob
On Mon, Aug 18, 2014 at 11:40 PM, Farzan Qureshi <
Post by Farzan Qureshi:
Hi,
I have defined the logout URL in Office 365 as
https://idp.rosmini.school.nz/logout
and get:
Not Found
The requested URL /logout was not found on this server.
https://idp.rosmini.school.nz/logout?SAMLRequest=nZHLasMwEEV/xWgvP2InsURscAkBQx7QNKVkUxRFbkRtydWMofTra7tetJtSupyZO/fOkVYgmppv7Yvt8F69dQrQe29qA3wYZKRzhlsBGrgRjQKOkh%2BL3ZbP/JC3zqKVtibeul/TRqC2JiM3xBZ4EOhr6zsLjTbaB3mztvbNR1CPUcQr1xl5TpcXlqRyQdlyIWgiLgm9sIjRSIm5YnMZL6Uk3qNyMDr3of0iQKdKAygM9q0wSmiY0og9hDGPZzyJz8TLVyPWKHV/5hEAyg0MJB9klboqNzLxnZY9ia3wYGpt1Cr4Zj9l7Xu7cv2PLG9jXSPwd/nQ0VdajVLeDg8CqAySvMTF3W3ztD%2B/Ho6b9HQ8bVXBiiybbvw6K5%2BqH/%2BcfwIOPK35&RelayState=A5gGBk4RnOLcU156TZ*rehh95QXq&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=lKOQ/zwElEh01I1liHa5woG27K%2B/UrlFYsF/Gt5VHMoyaDhpvEQ5%2BXLjkuA31F4AdD%2B5eELvAMe8%0D%0APNQaMi3Jocn5f00CRjTMX%2BeOVNYr/aXhS5FaTv1OyEJ0AbJkpb/mTXHmmotDcQUc%2ByHCA65YYqut%0D%0A3HT0mP1T6222tmqszbsAZClaZjvuOwBN1eFxdve7d7Iw1frKlrJqIHuVkTN%2BPomHzUyJrZu5nYOy%0D%0Ay%2B/xxM%2B70VBfy2NRWTqL1PEBLr7NH%2B/4bdl%2BIwANf4dG2xXg3msBpqiyegFuJxvxOgEkgFlGuTfV%0D%0AWy5Kxal1AkD5wVJCx4LN9Rfah5GsYC7AyH3AKQ%3D%3D
How can I define what happens when a user signs out? What is the
correct link to sign out?
--
*Farzan Qureshi* | Network Administrator & Help-desk Support |
Rosmini College | (09) 487 0 530
This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify the
system manager (admin-***@public.gmane.org). Please note that any views or
opinions presented in this email are solely those of the author and do not
necessarily represent those of the company. Finally, the recipient should
check this email and any attachments for the presence of viruses. Rosmini
College accepts no liability for any damage caused by any virus
transmitted by this email.
--
To unsubscribe from this list send an email to
--
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA