IdPv3 authenticating against Office 365
Michael A Grady
mgrady at unicon.net
Thu May 19 01:04:13 EDT 2016
> On May 18, 2016, at 9:01 PM, Cantor, Scott <cantor.2 at OSU.EDU> wrote:
>
> On 5/18/16, 5:04 PM, "users on behalf of Yan Juras" <users-bounces at shibboleth.net on behalf of yan.juras at qc.cuny.edu> wrote:
>>
>> I’ve been asked to explore using Office 365 as an authentication and attribute source for
>> our IdP so that we can move away from needing to provision and maintain accounts for our
>> students. Ideally, I’d like to authenticate using the Office 365 username and password,
>> and be able to pull a basic set of attributes from Office 365 (givenName, sn, displayName,
>> email/eppn) for use/release by the IdP.
>
> That's a new one. I didn't realize they really had accounts there unless you provisioned them.
>
>> Is anyone aware of a way to do this?
>
> Not without writing code, and in that case there are probably a dozen ways, writing a JAAS module being probably the simplest.
No, if I understand what Yan is asking, I don't think that's going to be an easy option. I assume this means accounts in Azure AD, which is an IdP in its own right. As this states:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/
it will talk the SAML, WS-Federation, or OpenID Connect protocols, and you'd need a SAML SP/OpenID Connect client authentication handler. So you either figure you now have two IdPs, one for staff and one for students, or you need to do or find the code to extend the Shib IdP.
--
Michael A. Grady
IAM Architect, Unicon, Inc.
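As an added illustration of the "OpenID Connect client" half of what Michael describes (this is example code written for this archive page, not anything from the thread, from Unicon or from the Shibboleth project): once such a handler has obtained an ID token from Azure AD, it must verify the RS256 signature against the tenant's key, check iss, aud, exp and nonce, and only then map claims onto the attributes Yan listed. The Go program below does exactly that offline. Everything specific in it is an assumption: the client ID and tenant ID in the issuer URL are placeholders, a freshly generated RSA key stands in for the tenant signing key that a real handler would fetch from the tenant's JWKS document, the token is minted locally instead of being returned by the authorization-code exchange, the nonce is a fixed string, and mapping preferred_username to both mail and eppn is a choice made for the example. The claim names (given_name, family_name, name, preferred_username) are the standard Azure AD v2.0 ID token claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const (
	clientID = "66666666-7777-8888-9999-000000000000" // placeholder app registration (assumption)
	issuer   = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
)

// Claims is the subset of an Azure AD v2.0 ID token this handler consumes.
type Claims struct {
	Iss    string `json:"iss"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Nonce  string `json:"nonce"`
	Given  string `json:"given_name"`
	Family string `json:"family_name"`
	Name   string `json:"name"`
	UPN    string `json:"preferred_username"`
}

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // stand-in for the tenant key (fetched from JWKS in reality)

// mintIDToken plays the Azure AD role: it signs the claims as an RS256 JWT.
func mintIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken is the relying-party side: signature first, then iss, aud, exp and nonce.
func verifyIDToken(token string, pub *rsa.PublicKey, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	// The alg header is ignored on purpose: always verifying RS256 with the tenant key defeats "alg":"none" and HS256 key-confusion tokens.
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	body, _ := b64.DecodeString(parts[1]) // a bad segment also fails Unmarshal below
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != clientID || now.Unix() >= c.Exp || c.Nonce != nonce {
		return nil, fmt.Errorf("claims rejected: iss=%s aud=%s exp=%d nonce=%s", c.Iss, c.Aud, c.Exp, c.Nonce)
	}
	return &c, nil
}

// runFlow mints a token, optionally swaps the payload after signing (what an attacker without the key can do), verifies it and maps claims to IdP attribute names.
func runFlow(tamper bool) (map[string]string, error) {
	now, nonce := time.Now(), "n-0123456789abcdef" // nonce is per-login and kept in the session in a real handler
	c := Claims{Iss: issuer, Aud: clientID, Exp: now.Add(time.Hour).Unix(), Nonce: nonce,
		Given: "Jane", Family: "Student", Name: "Jane Student", UPN: "jane.student@example.edu"} // constructed sample
	tok, err := mintIDToken(demoKey, c)
	if err != nil {
		return nil, err
	}
	if tamper {
		c.Given, c.UPN = "Mallory", "mallory@example.edu"
		forged, _ := json.Marshal(c)
		p := strings.Split(tok, ".")
		tok = p[0] + "." + b64.EncodeToString(forged) + "." + p[2]
	}
	v, err := verifyIDToken(tok, &demoKey.PublicKey, nonce, now)
	if err != nil {
		return nil, err
	}
	return map[string]string{"givenName": v.Given, "sn": v.Family, "displayName": v.Name,
		"mail": v.UPN, "eduPersonPrincipalName": v.UPN}, nil // eppn = UPN is this example's choice
}

func main() {
	fmt.Println(runFlow(false))
	fmt.Println(runFlow(true))
}
```

The second call in main shows the point of verifying before mapping: a payload rewritten after signing carries the original signature, so it fails at rsa.VerifyPKCS1v15 and never reaches the attribute mapping. A real handler would additionally obtain the key by kid from the tenant's JWKS endpoint and receive the token through the authorization-code exchange rather than minting it itself.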