Office 365 App Registration Strange issue on Mac

Lalith Jayaweera ljayaweera at gmail.com
Fri Aug 4 02:26:52 EDT 2017


Hi Scott,

Thanks for the reply

For the "SAML2.SSO" below, I want to dynamically set
p:authenticationFlows: Shibcas for all OSes except Mac, and the Password flow
for Mac.

I had a look at
https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration#RelyingPartyConfiguration-OverridingDefaultSettingsDynamically3.3

but cannot see any sample that deals with the servlet request, etc.

Any other sample or guidance is appreciated, so that I can have a head start.
Can we do it inline?

Also, can you give some reference on 'CAS support in the IdP', even though I
consider it not practical, because our current CAS page initiates other
pwd management flows in addition to the authentication.


<bean parent="RelyingPartyByName"
      c:relyingPartyIds="urn:federation:MicrosoftOnline">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="false"
                  p:signAssertions="true"
                  p:signResponses="false"
                  p:encryptNameIDs="false"
                  p:authenticationFlows="#{{'Shibcas'}}" />
            <bean parent="SAML2.ECP"
                  p:encryptAssertions="false"
                  p:signAssertions="true"
                  p:signResponses="false"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  p:authenticationFlows="#{{'Password'}}" />
        </list>
    </property>
</bean>


Thanks

On Fri, Aug 4, 2017 at 9:15 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/3/17, 6:35 PM, "users on behalf of Lalith Jayaweera" <
> users-bounces at shibboleth.net on behalf of ljayaweera at gmail.com> wrote:
>
> > If we change this SP to use Password flow, they will be presented with
> > the IDP login screen, not CAS login screen hence it is not
> > SSO and user experience will be different.
>
> I forgot that all the O365 traffic would be handled the same way. I should
> also say that our people at OSU refused to use Shibboleth for O365 and are
> using ADFS, so we have two experiences now, no SSO, and the world didn't
> exactly end. Nobody much cares based on the reaction so far.
>
> Or you could use the CAS support in the IdP. There is little sense in
> running two systems at this point in their mutual evolution.
>
> However...
>
> > So my question is, given this is only happening in Mac, at least to
> > narrow down the issue, within the relying party, is there any way
> > to detect whether request from Mac etc (possibly via userAgent or by
> > other means) and direct to the Password Flow, I don't
> > think any need of SSO for this particular function where all happening
> > inside an embedded window.
>
> I don't know what you could detect reliably or not, but if you want to
> dynamically derive the value of the authenticationFlows property at runtime
> to limit when it flips over to "Password", yes, you can do that. That's
> documented with examples in the wiki in the page on
> RelyingPartyConfiguration under "Overriding Default Settings Dynamically".
> Functions/scripts deriving settings can be given access to the servlet
> request object as a custom object and from there do user agent evaluation,
> etc.
>
> > As a side note, I am going to query (raise an incident) Microsoft about
> > this particular behavior happening inside Embedded UI
> > view, however I might not have an answer if they ask, what exactly the
> > cookies you think missing etc.
>
> The only person who could answer that is you because you are the one with
> access to the affected systems and the access to trace the traffic
> sequence. Usually even Firefox and LiveHeaders alone are good enough to
> spot cookies dropping.
>
> -- Scott
>
>
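
The user-agent evaluation discussed in this thread, as an added example that is not part of the original messages and is not Shibboleth code: a standalone Node.js sketch of the decision a flow-selection script would make, returning 'Password' only for desktop macOS and 'Shibcas' otherwise. All function and constant names are hypothetical, the sample headers are constructed, and wiring the logic into the IdP is left to the wiki page cited above. The User-Agent header is client-supplied, so this only steers which login UI is shown and should not be relied on as an access control.

```javascript
// Added example: decide the flow list from a User-Agent header value.
// 'Shibcas' and 'Password' are the flow ids from the config in this thread;
// every function and constant name here is hypothetical.
const DEFAULT_FLOWS = ['Shibcas'];
const MAC_FLOWS = ['Password'];

// Desktop macOS browsers and embedded web views put "Macintosh" in the
// first parenthesised platform token. iOS devices advertise
// "like Mac OS X", so matching on "Mac OS X" alone would misclassify them.
function isDesktopMac(userAgent) {
  if (typeof userAgent !== 'string' || userAgent.length === 0) return false;
  const match = /\(([^)]*)\)/.exec(userAgent);
  if (!match) return false;
  const platform = match[1];
  if (/\b(iPhone|iPad|iPod)\b/.test(platform)) return false;
  return /\bMacintosh\b/.test(platform);
}

// Anything that is not clearly desktop macOS (including a missing or
// malformed header) stays on the default flow.
function selectAuthenticationFlows(userAgent) {
  return (isDesktopMac(userAgent) ? MAC_FLOWS : DEFAULT_FLOWS).slice();
}

// Constructed sample headers, not captured traffic.
const SAMPLE_USER_AGENTS = {
  macSafari: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8',
  macEmbedded: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko)',
  iphone: 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1',
  windows: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36',
  missing: undefined,
};

// Map each sample name to the comma-joined flow list chosen for it.
function classifySamples() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLE_USER_AGENTS)) {
    out[name] = selectAuthenticationFlows(ua).join(',');
  }
  return out;
}

console.log(classifySamples());
```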