shibboleth authentication with Active Directory UPN

Mauro Minella Mauro.Minella at microsoft.com
Sat Sep 15 18:26:22 EDT 2012


You're very right, Nate: I edited conf\attribute-resolver.xml and replaced
        <FilterTemplate>
            <![CDATA[(sAMAccountName=$requestContext.principalName)]]>
        </FilterTemplate>
with
        <FilterTemplate>
            <![CDATA[(userPrincipalName=$requestContext.principalName)]]>
        </FilterTemplate>

and it did work!

Thanks!

Mauro

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Saturday, 15 September 2012 20:07
To: Shib Users
Subject: Re: shibboleth authentication with Active Directory UPN

Mauro,

Apparently each search is returning different information, or you're building an attribute directly from the principal name.

Either way, with the IdP's main logging and LDAP logging on DEBUG you'll be able to follow the resolution and release of values precisely and figure out why there's a discrepancy.

I'd start with the assertion that is produced, identify which attribute (or Subject) is different, and then trace back in the logs to figure out why.

Thanks,
Nate.

On Sep 15, 2012, at 17:37 , Mauro Minella wrote:


Thanks guys. But can you help me understand why I apparently get different assertions if I get authenticated with flat sAMAccountName or userPrincipalName?
In fact, you told me how to log in with both attributes on the shibtest page, and it works if I go straight there; however, when the same Shib login page is called by the service provider (in my case, Office365), I'm allowed to use that service provider only if I use the sAMAccountName authentication method. If, instead, I configure login.config to accept the userPrincipalName on the Shibboleth authentication, I'm authenticated on the shib page, but then my service provider says that I'm not authorized to use it.
In other words, it seems that different assertions are released when I just change the userField setting.

Thanks,

Mauro
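
[Added example, not part of the thread and not Shibboleth code.] The Python sketch below simulates the lookup the FilterTemplate performs, to show why a principal name in UPN form finds no entry while the template still searches sAMAccountName, consistent with the fix reported above. The directory entry, the combined OR template and all function names are assumptions made for illustration; the simulation escapes the principal name per RFC 4515 before substitution.

```python
import re

# Constructed AD entry for illustration (values are not from the thread).
DIRECTORY = [{"sAMAccountName": "jdoe",
              "userPrincipalName": "jdoe@example.org",
              "mail": "john.doe@example.org"}]

VAR = "$requestContext.principalName"
SAM_TEMPLATE = "(sAMAccountName=" + VAR + ")"      # original FilterTemplate
UPN_TEMPLATE = "(userPrincipalName=" + VAR + ")"   # FilterTemplate after the fix
# Assumption: an OR filter that tolerates either login form (not from the thread).
EITHER_TEMPLATE = "(|" + SAM_TEMPLATE + UPN_TEMPLATE + ")"


def escape_filter_value(value):
    """RFC 4515 escaping so a principal name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render(template, principal):
    """Substitute the authenticated principal name into a filter template."""
    return template.replace(VAR, escape_filter_value(principal))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(ldap_filter):
    """Match equality clauses, alone or under one (|...); no AND or wildcards."""
    clauses = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    return [entry for entry in DIRECTORY
            if any(entry.get(attr, "").lower() == _unescape(val).lower()
                   for attr, val in clauses)]


def released_mail(template, principal):
    """Mail values available for release; empty when no entry matched."""
    return [entry["mail"] for entry in search(render(template, principal))]


if __name__ == "__main__":
    templates = [("sAMAccountName", SAM_TEMPLATE),
                 ("userPrincipalName", UPN_TEMPLATE), ("either", EITHER_TEMPLATE)]
    for name, tpl in templates:
        for principal in ("jdoe", "jdoe@example.org"):
            print(name, principal, released_mail(tpl, principal))
```

An empty result for a template and principal pair corresponds to an assertion with no directory-backed attributes, which is the case to look for in the IdP's DEBUG logs.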

