ECP authentication for Office365 federation
Mauro Minella
Mauro.Minella at microsoft.com
Sat Nov 3 15:43:40 EDT 2012
Hi, I started another thread on this alias several days ago, which led me to fix the errors in implementing federation between my Shibboleth IDP (2.3.8, relying on AD) and Office365 (http://technet.microsoft.com/en-us/library/jj205456).
As a matter of fact, I'm now able to get any federated user (like mark.twain at shibbdomain.eduteamit.com) authenticated on Outlook Online (https://outlook.com). As you know, this concerns PASSIVE authentication.
I'm now even able to try ECP authentication from ACTIVE clients, with apparently no errors in the server logs.
In fact, my users need to get authenticated even with ACTIVE clients (like Outlook 2010). I believe I could set up ECP quite correctly; in fact, when the users run the Outlook 2010 wizard to create their profile, they enter username (mark.twain at shibbdomain.eduteamit.com) + password (abc123ABC) and my Shibboleth IDP seems to authenticate them correctly (please see my logs below). However, on the client side it seems that the user is NOT authenticated, because the username/password dialog box keeps being presented.
I even tried building an application on Tomcat which uses the same JAAS module and web.xml configuration, and it does work.
Here are my logs together with the main configuration files; do you have any idea for better troubleshooting and identifying what's wrong?
Thank you for any hints.
Mauro
LOGIN.CONFIG:
ShibUserPassAuthJAAS {
   // Example LDAP authentication
   // See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="localhost"
      port="389"
      base="CN=Users,DC=shibdomain,DC=local"
      serviceCredential="***MYPWD***"
      serviceUser="adreader at shibdomain.local"
      subtreeSearch="true"
      userField="sAMAccountName";
};
WEB.XML
<security-constraint>
    <web-resource-collection>
        <web-resource-name>ECP</web-resource-name>
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuthJAAS</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
    <description>The role that is required to access the ECP area</description>
    <role-name>*</role-name>
</security-role>
%CATALINA_HOME%\conf\server.xml:
<Service name="Catalina">
    ...
    <Engine name="Catalina" defaultHost="localhost">
        <Realm className="org.apache.catalina.realm.JAASRealm"
               appName="ShibUserPassAuthJAAS"
               userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
               roleClassNames="edu.vt.middleware.ldap.jaas.LdapRole"/>
    ...
--------- CATALINA.LOG: OUTLOOK AUTHENTICATION STARTS
nov 03, 2012 8:05:42 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request POST /idp/profile/SAML2/SOAP/ECP
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[ECP]' against POST /profile/SAML2/SOAP/ECP --> true
nov 03, 2012 8:05:42 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint already satisfied
nov 03, 2012 8:05:42 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm authenticate
FINE: JAASRealm login requested for username "mark.twain" using LoginContext for application "ShibUserPassAuthJAAS"
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm authenticate
FINE: Login context created mark.twain
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm authenticate
FINE: JAAS LoginContext created for username "mark.twain"
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm createPrincipal
FINE: Checking Principal "mark.twain[]" [edu.vt.middleware.ldap.jaas.LdapPrincipal]
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm createPrincipal
FINE: Principal "mark.twain" is a valid user class. We will use this as the user Principal.
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm createPrincipal
FINE: No valid role Principals found.
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.JAASRealm authenticate
FINE: Username "mark.twain" successfully authenticated as Principal "{1}" -- Subject was created too
nov 03, 2012 8:05:42 PM org.apache.catalina.authenticator.AuthenticatorBase register
FINE: Authenticated 'mark.twain' with type 'BASIC'
nov 03, 2012 8:05:42 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[mark.twain()]
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.RealmBase hasRole
FINE: Username mark.twain has role *
nov 03, 2012 8:05:42 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Role found: *
nov 03, 2012 8:05:42 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Successfully passed all security constraints
--------- CATALINA.LOG: OUTLOOK AUTHENTICATION ENDS
--------- IDP-PROCESS.LOG: OWA AUTHENTICATION STARTS
20:04:01.708 - INFO [Shibboleth-Access:74] - 20121103T190401Z|87.24.1.141|shibbidp.eduteamit.com:443|/profile/SAML2/POST/SSO|
20:04:06.562 - INFO [Shibboleth-Access:74] - 20121103T190406Z|87.24.1.141|shibbidp.eduteamit.com:443|/profile/SAML2/POST/SSO|
20:04:06.843 - INFO [Shibboleth-Audit:989] - 20121103T190406Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_dda45ee1-e6db-4dc4-9644-7670678dd8ed|urn:federation:MicrosoftOnline|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shibbidp.eduteamit.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b2dfd7f1a6f46b1cb1502509397305be|mark.twain|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,UserId,eduPersonTargetedID.old,ImmutableID,eduPersonTargetedID,|5GVHEfZRJ0i+fJqtxP0Jrg==|_ffb79c621871e371aa07b3c4359d9175,|
--------- IDP-PROCESS.LOG: OUTLOOK AUTHENTICATION STARTS
20:05:42.483 - INFO [Shibboleth-Access:74] - 20121103T190542Z|157.56.252.5|shibbidp.eduteamit.com:443|/profile/SAML2/SOAP/ECP|
20:05:42.858 - INFO [Shibboleth-Audit:989] - 20121103T190542Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8c62ad9c-52bf-448c-bf97-2d60b9d51c8a|urn:federation:MicrosoftOnline|urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp|https://shibbidp.eduteamit.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_dd9639a0044b3825230446ed3501dd58|mark.twain||transientId,eduPersonScopedAffiliation,UserId,eduPersonTargetedID.old,ImmutableID,eduPersonTargetedID,|_1e62f11837be4ed0a01df02b68f521af|_74f97d433963aadfb9aa72e2400ee844,|
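An added example (not part of the original post and not Shibboleth project code): a small Python parser for the IdP 2.x Shibboleth-Audit line format quoted above. The pipe-separated fields of that log are, in order, event time, request binding, request ID, relying party, profile, asserting party, response binding, response ID, principal, authentication method, released attributes, name identifier and assertion IDs; the field names used in the code are this example's own labels for that layout. Run over the two audit lines from the post (copied in, not constructed), it shows that the browser HTTP-POST SSO event records urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as the authentication method while the ECP event's authentication method field is empty, and it lists every other field that differs between the two events for the same principal. Checking what the IdP actually asserted on the ECP path, field by field against a working browser login, is a cheap first troubleshooting step before turning to the client.

```python
"""Parse Shibboleth IdP 2.x 'Shibboleth-Audit' log lines and compare the
browser (HTTP-POST SSO) and ECP (SOAP) events recorded for one user.
The field labels are this example's own names for the documented IdP 2
audit layout; they are not Shibboleth API identifiers."""
from typing import Dict, List, Optional, Tuple

# Pipe-separated field order of the IdP 2.x audit log.
AUDIT_FIELDS = [
    "eventTime", "requestBinding", "requestId", "relyingPartyId",
    "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
    "principalName", "authnMethod", "releasedAttributes", "nameIdentifier",
    "assertionIds",
]

# Fields that legitimately differ between any two events and are therefore
# ignored when comparing an SSO event with an ECP event.
VOLATILE_FIELDS = {"eventTime", "requestId", "responseId", "assertionIds"}

ECP_PROFILE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

# The two audit lines quoted in the post above (copied, not constructed).
SAMPLE_LINES = [
    "20:04:06.843 - INFO [Shibboleth-Audit:989] - 20121103T190406Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_dda45ee1-e6db-4dc4-9644-7670678dd8ed|urn:federation:MicrosoftOnline|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shibbidp.eduteamit.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b2dfd7f1a6f46b1cb1502509397305be|mark.twain|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|transientId,eduPersonScopedAffiliation,UserId,eduPersonTargetedID.old,ImmutableID,eduPersonTargetedID,|5GVHEfZRJ0i+fJqtxP0Jrg==|_ffb79c621871e371aa07b3c4359d9175,|",
    "20:05:42.858 - INFO [Shibboleth-Audit:989] - 20121103T190542Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8c62ad9c-52bf-448c-bf97-2d60b9d51c8a|urn:federation:MicrosoftOnline|urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp|https://shibbidp.eduteamit.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_dd9639a0044b3825230446ed3501dd58|mark.twain||transientId,eduPersonScopedAffiliation,UserId,eduPersonTargetedID.old,ImmutableID,eduPersonTargetedID,|_1e62f11837be4ed0a01df02b68f521af|_74f97d433963aadfb9aa72e2400ee844,|",
]


def parse_audit_line(line: str) -> Optional[Dict[str, object]]:
    """Return the audit record as a dict, or None for non-audit lines."""
    # Layout: "<time> - INFO [Shibboleth-Audit:<n>] - f1|f2|...|"
    parts = line.strip().split(" - ", 2)
    if len(parts) != 3 or "Shibboleth-Audit" not in parts[1]:
        return None
    fields = parts[2].split("|")
    if len(fields) < len(AUDIT_FIELDS):
        return None
    rec: Dict[str, object] = dict(zip(AUDIT_FIELDS, fields))
    # The list-valued fields carry a trailing comma; drop the empty tail.
    rec["releasedAttributes"] = [a for a in fields[10].split(",") if a]
    rec["assertionIds"] = [a for a in fields[12].split(",") if a]
    return rec


def events_missing_authn_method(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(profile, principal, responseId) for each event whose authentication
    method field is empty, i.e. no AuthnContext class was recorded."""
    found = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and not rec["authnMethod"]:
            found.append((rec["messageProfileId"], rec["principalName"], rec["responseId"]))
    return found


def differing_fields(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Names of the non-volatile fields whose values differ between two events."""
    return sorted(k for k in AUDIT_FIELDS if k not in VOLATILE_FIELDS and a[k] != b[k])


if __name__ == "__main__":
    sso, ecp = (parse_audit_line(l) for l in SAMPLE_LINES)
    print("events with empty authentication method:", events_missing_authn_method(SAMPLE_LINES))
    for name in differing_fields(sso, ecp):
        print(f"{name}: SSO={sso[name]!r}  ECP={ecp[name]!r}")
```

The released attribute set and the relying party are identical for the two events; what differs, besides the binding and profile, is the authentication method and the name identifier, which is exactly the kind of difference worth raising with the relying party's requirements in hand.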