Apparent inconsistencies in the Shibboleth wiki concerning persistent NameIDs for federating a Shibboleth IDP with Microsoft Azure
Florian Lengyel
Florian.Lengyel at cuny.edu
Sat Apr 2 00:22:15 EDT 2016
Thanks for this — I do have the opportunity to determine which are needed. So far, no change. The signing algorithm was SHA1 to begin with, according to the response. The IDP response to Azure’s request looks like the SAML2 response Azure expects (though their documented example online is of a samlp response). The custom persistent base64 NameID corresponds to the ImmutableID in Azure (it matches), as expected. The IDPEmail is the userPrincipalName—all of that is OK. But Azure still rejects the response. I expect to find out more on Monday. -F
On 3/31/16, 9:21 PM, "users on behalf of Michael A Grady" <users-bounces at shibboleth.net on behalf of mgrady at unicon.net> wrote:
>Forgot to add the definition of SHA1SecurityConfig, which I had just before the Overrides section of relying-party.xml
>---
>
> <bean id="SHA1SecurityConfig" parent="shibboleth.DefaultSecurityConfiguration"
>       p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1" />
>
>>
>> What I can say for certain is that the below settings *do* work with O365.
>>
>>
>> <!--
>> Azure AD / Office 365
>> Relying Party Configuration
>> -->
>> <bean parent="RelyingPartyByName"
>> c:relyingPartyIds="urn:federation:MicrosoftOnline">
>> <property name="profileConfigurations">
>> <list>
>> <bean parent="SAML2.ECP"
>> p:encryptAssertions="false"
>> p:signAssertions="true"
>> p:signResponses="false"
>> p:securityConfiguration-ref="SHA1SecurityConfig"
>> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>> <bean parent="SAML2.SSO"
>> p:encryptAssertions="false"
>> p:signAssertions="true"
>> p:signResponses="false"
>> p:securityConfiguration-ref="SHA1SecurityConfig"
>> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>> <bean parent="SAML2.Logout" p:securityConfiguration-ref="SHA1SecurityConfig" />
>> </list>
>> </property>
>> </bean>
>>
>
>
>--
>Michael A. Grady
>IAM Architect, Unicon, Inc.
>
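Added example (not code from this thread or from the Shibboleth project): a small Python checker that parses a SAML2 response and verifies the properties discussed above against the quoted relying-party.xml settings: the Assertion carries a signature (signAssertions=true) while the Response element itself does not (signResponses=false), the signature method is RSA-SHA1 (SHA1SecurityConfig), the NameID uses the persistent format, decodes as base64 and equals the ImmutableID recorded in Azure, and an IDPEmail attribute carrying the expected userPrincipalName is present. The sample response, the ImmutableID value and the UPN are constructed for the example; the Signature elements hold only the method and a placeholder value, and the code does not validate signatures, it only reports which of the documented properties a given response fails.

```python
"""Check a SAML2 response against the Azure AD / Office 365 expectations
discussed in the thread.  Added example with constructed data; it does not
verify XML signatures, it only inspects the response's structure."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed values (placeholders, not from a real tenant): a base64-encoded
# 16-byte identifier as Azure stores it in ImmutableID, and a UPN.
IMMUTABLE_ID = "AQEBAQEBAQEBAQEBAQEBAQ=="
UPN = "jdoe@example.edu"


def build_sample_response(name_id=IMMUTABLE_ID, fmt=PERSISTENT, sign_response=False):
    """Constructed response skeleton; the Signature carries only its method."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
           '<ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
           % (NS["ds"], RSA_SHA1))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-04-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  {sig if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-01T00:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    {sig}
    <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail"><saml:AttributeValue>{UPN}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_azure_response(xml_text, expected_immutable_id, expected_upn):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one saml:Assertion, found {len(assertions)}"]
    assertion = assertions[0]

    # Signing layout from the quoted config: assertion signed, Response not.
    if root.find("ds:Signature", NS) is not None:
        problems.append("Response element is signed (config has signResponses=false)")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("Assertion is not signed (config has signAssertions=true)")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA1:
            problems.append(f"signature algorithm is {alg}, expected {RSA_SHA1}")

    # Persistent NameID that must equal the ImmutableID stored in Azure.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append(f"NameID Format is {name_id.get('Format')}, expected persistent")
        value = (name_id.text or "").strip()
        try:
            base64.b64decode(value, validate=True)
        except binascii.Error:
            problems.append("NameID is not valid base64")
        if value != expected_immutable_id:
            problems.append("NameID does not match the ImmutableID recorded in Azure")

    # IDPEmail attribute carrying the user's UPN.
    emails = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "IDPEmail":
            emails.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    if expected_upn not in emails:
        problems.append(f"IDPEmail attribute missing or not {expected_upn}")
    return problems


if __name__ == "__main__":
    for problem in check_azure_response(build_sample_response(), IMMUTABLE_ID, UPN) or ["all checks passed"]:
        print(problem)
```

To use it on a real response, decode the SAMLResponse form parameter (base64, and inflate first for the redirect binding) and pass the XML to check_azure_response together with the ImmutableID and UPN of the test account in Azure; the checks report which documented property is missing but say nothing about the signature's validity or the certificate registered with the tenant, which are separate things to verify.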