Discussion:
Office 365 and Shibboleth integration
Farzan Qureshi
2014-08-18 18:18:11 UTC
Hi there,

I know it is not completely related to Shibboleth, but I am desperately
looking for help. I have also posted this on the Microsoft forum and am waiting
for a reply.

Has anyone had success integrating Office 365 with Shibboleth? Our IdP
is working fine, but I am unable to change PreferredAuthenticationProtocol
from Wsfed to SAMLP??

Kind regards,

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Rob Gorrell
2014-08-18 19:14:30 UTC
We are successfully using O365 with Shibb.

One of the issues that plagued me initially was that when I first set our domain
to be Federated using the Set-MsolDomainAuthentication cmdlet, I had set it
up to use our development Shibb IdPs. Then, when I was satisfied and went to
change the config over to the production IdPs, running it again with the new,
correct parameters over the top didn't seem to make any change. I eventually found
out that in order to update any parameters (as seen in
Get-MsolDomainFederationSettings), I had to demote the domain back to
Managed and then promote it again to Federated using the new params;
only then would it acknowledge my changes.

So I would try taking your O365 domain back to Managed using:
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
and then reapply your Federated configuration, but this time with
PreferredAuthenticationProtocol set to SAMLP.

-Rob
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
Farzan Qureshi
2014-08-18 20:29:08 UTC
Hi Rob,

Thanks for your response. I will do as directed today; I have just started work.

However, I have tried those steps before and they didn't help. In my case I was
first doing this with ADFS and thus made the federation changes accordingly. But now that we
are using Shibboleth, I am unable to change the federation settings.

I will try again anyway and contact you again.

Kind regards,

Farzan
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
Farzan Qureshi
2014-08-18 20:48:15 UTC
Hi Rob,

I am getting close. What are you using for the FederationMetadataUrl?

On the Microsoft login analyzer for Office 365 I am getting the following:

The Microsoft Connectivity Analyzer is analyzing the domain registration
received for user testuser-***@public.gmane.org An error was found in the
domain registration. Additional Details
The Metadata Exchange URL in the domain registration isn't valid. URL:
Elapsed Time: 2 ms.
Farzan Qureshi
2014-08-18 21:00:49 UTC
Hi,

I am getting the following error when I try to authenticate:

08:58:24.122 - INFO [Shibboleth-Access:73] - 20140818T205824Z|192.168.100.254|idp.rosmini.school.nz:443|/profile/SAML2/POST/SSO|
08:58:41.164 - INFO [Shibboleth-Access:73] - 20140818T205841Z|192.168.100.254|idp.rosmini.school.nz:443|/profile/SAML2/POST/SSO|
08:58:43.291 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491] - No attribute of principal 'testuser' can be encoded in to a NameIdentifier of required format 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' for relying party 'urn:federation:MicrosoftOnline'
08:58:43.318 - INFO [Shibboleth-Audit:1028] - 20140818T205843Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_53417712-bd6b-4489-b586-f35e301c465a|urn:federation:MicrosoftOnline|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.rosmini.school.nz/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_30bde67bd7c6bbd42a087120f22fa947|fqureshi|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||||


Any ideas?
Matthew Slowe
2014-08-20 07:22:39 UTC
Post by Farzan Qureshi
08:58:43.291 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491]
- No attribute of principal 'testuser' can be encoded in to a
NameIdentifier of required format
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' for relying party
'urn:federation:MicrosoftOnline'
Any ideas?
I needed to add the following attribute to the RelyingParty tag for
MicrosoftOnline:

nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

See http://blogs.kent.ac.uk/unseenit/2013/05/10/office-and-shibboleth-2/
for more details.

Hope that helps,
--
Matthew Slowe
Server Infrastructure Team e: m.slowe-***@public.gmane.org
IS, University of Kent t: +44 (0)1227 824265
Canterbury, UK w: www.kent.ac.uk
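As an added example (not posted by anyone in this thread), here are the relying-party.xml and attribute-resolver.xml fragments (Shibboleth IdP 2.4 syntax) that together give the IdP a persistent NameID to send to urn:federation:MicrosoftOnline, which is what the WARN above says is missing. The entity ID idp.example.edu, the credential ref "IdPCredential" and the LDAP connector id "myLDAP" are assumptions; the example also assumes objectGUID is already exposed as the same base64 string Azure AD was synced with.

```xml
<!-- relying-party.xml: Office 365 needs a persistent NameID and unencrypted
     assertions. nameIDFormatPrecedence (IdP 2.4+) makes the IdP try the
     persistent format first instead of falling back to transient. -->
<rp:RelyingParty id="urn:federation:MicrosoftOnline"
    provider="https://idp.example.edu/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential"
    nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      includeAttributeStatement="true"
      assertionLifetime="PT5M"
      assertionProxyCount="0"
      signResponses="never"
      signAssertions="always"
      encryptAssertions="never"
      encryptNameIds="never" />
</rp:RelyingParty>

<!-- attribute-resolver.xml: the SAML2StringNameID encoder on ImmutableID is
     what lets the IdP encode this attribute into a persistent NameID; without
     an encoder of this nameFormat on a released attribute the WARN appears.
     Assumption: objectGUID comes from an LDAP connector with id "myLDAP" and is
     already the base64 value Azure AD holds as the user's ImmutableId. -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="ad:Simple"
    sourceAttributeID="objectGUID">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
      nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- UserId is released under the attribute name Azure AD expects, IDPEmail;
     this is the "UserId" rule in the attribute-filter policy quoted below. -->
<resolver:AttributeDefinition id="UserId" xsi:type="ad:Simple"
    sourceAttributeID="userPrincipalName">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="IDPEmail" friendlyName="UserId" />
</resolver:AttributeDefinition>
```

Both ImmutableID and UserId still have to be released to urn:federation:MicrosoftOnline in attribute-filter.xml, and the IdP needs a restart (or a resolver/relying-party reload) before the new encoder is used.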
Rob Gorrell
2014-08-19 14:32:53 UTC
Post by Farzan Qureshi
I am getting close. What you are using for the FederationMetadataUrl ?
I'm not.... the o365 metadata is stored in a FilesystemMetadataProvider...

<!-- Azure for Office 365 -->
<metadata:MetadataProvider id="AzureLocal"
    xsi:type="FilesystemMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="/opt/shibboleth-idp/metadata/azure-metadata.xml">
  <metadata:MetadataFilter xsi:type="ChainingFilter"
      xmlns="urn:mace:shibboleth:2.0:metadata">
    <metadata:MetadataFilter xsi:type="EntityRoleWhiteList"
        xmlns="urn:mace:shibboleth:2.0:metadata">
      <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
    </metadata:MetadataFilter>
  </metadata:MetadataFilter>
</metadata:MetadataProvider>
Post by Farzan Qureshi
Would you mind sharing how you are releasing attributes? In my
from my attribute-filter.xml...

<!-- Attribute Filter Policy for Windows Azure AD -->
<afp:AttributeFilterPolicy id="PolicyForWindowsAzureAD">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="urn:federation:MicrosoftOnline" />
  <!-- Release userPrincipalName as Windows Azure AD User ID -->
  <afp:AttributeRule attributeID="UserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <!-- Release Immutable ID to Windows Azure AD -->
  <afp:AttributeRule attributeID="ImmutableID">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <!-- Note: it is not recommended to send transientId to Windows Azure AD -->
  <afp:AttributeRule attributeID="transientId">
    <afp:DenyValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>