different assertions generated for WEB and ACTIVE clients
Ryan Suarez
ryan.suarez at sheridancollege.ca
Tue Jan 15 12:11:07 EST 2013
On 13-01-15 11:46 AM, Cantor, Scott wrote:
>> Here are the assertions I get when I authenticate with
>> michela at shibbdomain.eduteamit.net in either WEB Mail (Internet Explorer)
>> and Outlook 2013 (Active Client). Please note that both of them only ask
>> the same 2 pieces of information (UPN + password), and I need to provide
>> both authentication mechanisms, however as far as I understood I did NOT
>> configure a different filter policy or attributes set for WEB and ECP.
> No, you didn't. But your authentication is not the same. One of the
> authentication approaches sets the principal name to a fully-qualified
> Kerberos name with a realm, and the other one didn't. That results in two
> different inputs to the resolver process and that's the cause of your
> problem.
You have two problems.

The first, like Scott said, is that your web auth is returning
'michela at shibdomain.eduteamit.net' and your active auth is returning
just 'michela' for the UserId.

The other is that Office 365 requires ImmutableID (which is objectGUID
in your case) to be passed as the NameID. Your web auth is passing the
correct one, but your active auth is not.
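
A diagnostic for the mismatch discussed in this thread, as an added example that is not part of the original posts or of Shibboleth: it compares the NameID and attributes of two captured assertions and flags values that differ only by a realm suffix. The sample assertions and all their values are constructed, and the code assumes `UserId` appears as a SAML attribute name; signatures are not checked.

```python
import xml.etree.ElementTree as ET  # use defusedxml for XML you did not capture yourself

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _sample(name_id, user_id):
    """Build a constructed, unsigned sample assertion (illustration only)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="UserId">'
        f"<saml:AttributeValue>{user_id}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )

# Constructed values, not taken from the thread.
WEB_ASSERTION = _sample("CONSTRUCTED-OBJECTGUID", "michela@example.org")
ACTIVE_ASSERTION = _sample("CONSTRUCTED-OTHER-VALUE", "michela")

def summarize(assertion_xml):
    """Return {"NameID": [value], attribute name: [values]} for one assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    fields = {"NameID": [name_id.strip()]}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        fields[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return fields

def realm_only_difference(a, b):
    """True when two principal strings differ only by an @realm suffix."""
    return a != b and a.split("@", 1)[0] == b.split("@", 1)[0]

def diff_assertions(web_xml, active_xml):
    """Map each field that differs to its (web, active) value lists."""
    web, active = summarize(web_xml), summarize(active_xml)
    keys = sorted(set(web) | set(active))
    return {k: (web.get(k), active.get(k)) for k in keys if web.get(k) != active.get(k)}

if __name__ == "__main__":
    for field, (web, active) in diff_assertions(WEB_ASSERTION, ACTIVE_ASSERTION).items():
        note = ""
        if web and active and realm_only_difference(web[0], active[0]):
            note = "  <- same user, realm suffix differs"
        print(f"{field}: web={web} active={active}{note}")
```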