problems seemingly caused by transientID in O365

Rob Gorrell rwgorrel at uncg.edu
Wed Aug 27 07:57:13 EDT 2014


I am experiencing problems with O365 that some subset of our population can
log in just fine while another subset of our population gets treated like
they are unknown users after successfully authenticating at our IdP. I know
MS uses an ImmutableID to match up users that is based on objectGUID. From
my configuration, I have intended to only release UserId and ImmutableID to
their SP per the documentation. But looking at my logs/traces, I seem to be
releasing 3 attributes in the assertion... the extra one being transientID,
something my configuration normally releases to all SPs, but the sample
code seems to already want to deny this... but the deny rule appears to be
ignored in my setup. What I think is happening is MS is confusing the two
name identifiers being released in each assertion... for those users who
work, its because of the ImmutableID, and those that don't, its because of
the transientID.

My question is, why is the transientID being released? Is it a case of
first match wins in policy processing order instead of most restrictive? If
that is so, I could use a little help on the XML, how can I modify the
transientID release to include multiple basic:NOT conditions (to not
release to Google AND Microsoft)?

Here is the relevant sections (in order) of my attribute-filter.xml

    <!--  Release the transient ID to anyone (except Google) -->
   <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
     <afp:PolicyRequirementRule xsi:type="basic:NOT">
         <basic:Rule xsi:type="basic:AttributeRequesterString" value="
google.com/a/uncg.net" />
      </afp:PolicyRequirementRule>
      <afp:AttributeRule attributeID="transientId">
         <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
   </afp:AttributeFilterPolicy>

  <!-- Attribute Filter Policy for Windows Azure AD -->
   <afp:AttributeFilterPolicy id="PolicyForWindowsAzureAD">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="urn:federation:MicrosoftOnline"/>
         <!-- Release userPrincipalName as Windows Azure AD User ID -->
      <afp:AttributeRule attributeID="UserId">
          <afp:PermitValueRule xsi:type="basic:ANY"/>
      </afp:AttributeRule>
         <!-- Release Immutable ID to Windows Azure AD -->
      <afp:AttributeRule attributeID="ImmutableID">
          <afp:PermitValueRule xsi:type="basic:ANY"/>
      </afp:AttributeRule>
         <!-- Note: it is not recommended to send transientId to Windows
Azure AD -->
      <afp:AttributeRule attributeID="transientId">
          <afp:DenyValueRule xsi:type="basic:ANY"/>
      </afp:AttributeRule>
   </afp:AttributeFilterPolicy>

-- 
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140827/fa6727de/attachment.html 


More information about the users mailing list