Office 365 Multi-Domain

Matt Brennan brennanma at gmail.com
Tue Jul 28 02:51:17 UTC 2020 

Thanks for the reply Scott. I was already running 4.0.1. I was able to use
some of the previous posts I mentioned, along with your guidance above, to
implement a responderIdLookupStrategy that works. It was far simpler than
it looked and I feel stupid for even asking now.

Of course I agree with your assessment that this is a defect;
unfortunately, Microsoft seems to disagree. I generally find that 95% of
the time I tell an SP they've done something incorrectly, they tell me I
don't know what I'm talking about. I send them copies of standards, they
refer me to other "industry standard" implementations that are incorrect.
Anyway, I'm preaching to the choir.

Thanks again
-Matt

P.S. In case anyone else finds this thread later and wants to know what I
did:

-- in relying-party.xml:
  <util:map id="microsoftOnlineRespondersIdMap">
    <entry key="default" value="%{idp.entityID}" />
    <entry key="domain2.com" value="%{idp.entityID}/domain2.com" />
  </util:map>

  <bean id="microsoftOnlineResponderIdScript"
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="customObjectsMicrosoftOnlineResponderIdScript">
    <constructor-arg>
      <value>
        <![CDATA[
          //Get the requested domain
          requestedResponder =
custom.httpServletRequest.getParameter('domain');
          if
(custom.microsoftOnlineRespondersIdMap.containsKey(requestedResponder)){
            responderId =
custom.microsoftOnlineRespondersIdMap.get(requestedResponder);
          } else {
            responderId =
custom.get('microsoftOnlineRespondersIdMap').get('default');
          }
          responderId;
        ]]>
      </value>
    </constructor-arg>
  </bean>

    <bean parent="RelyingPartyByName"
c:relyingPartyIds="urn:federation:MicrosoftOnline">
      <property name="responderIdLookupStrategy">
        <ref bean="microsoftOnlineResponderIdScript" />
      </property>
    </bean>

-- In Powershell:
$dom = "domain2.com”
$brand = "domain.com"
$url = "https://idp.domain.com/idp/profile/SAML2/POST/SSO?domain=domain2.com
"
$ecpUrl = "
https://idp.domain.com/idp/profile/SAML2/SOAP/ECP?domain=domain2.com"
$uri = "https://idp.domain.com/idp/shibboleth/domain2.com"
$logouturl = "https://www.domain.com/"
$cert = "<cert-data>"

Set-MsolDomainAuthentication –DomainName $dom -FederationBrandName $brand
-Authentication Federated  -PassiveLogOnUri $url -SigningCertificate $cert
-IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl
-PreferredAuthenticationProtocol SAMLP

On Mon, Jul 27, 2020 at 1:52 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 7/27/20, 1:13 PM, "users on behalf of Matt Brennan" <
> users-bounces at shibboleth.net on behalf of brennanma at gmail.com> wrote:
>
> >    TL;DR: Is there a guide somewhere on how to do this properly?
>
> Well, step one is filing a bug, because this is ridiculous.
>
> That aside, the way to do it is:
>
> 1. Upgrade, because it's not supported In V3.
> 2. A responderIdLookupStrategy, in some form. I can't give you a script
> because I have no idea on what basis the value would be derived, but the
> script should NOT need to do a ton of work. It certainly does not need to
> resolve attributes or anything like that.
> 3. Configuring the context-check interceptor to signal back the event
> "UpdateSecurityParameters" when this needs to happen. This will cause the
> system to re-derive various settings, including the entityID, to update the
> outgoing message.
>
> #3 is not (well) documented, it was implemented [1] at SWITCH's request as
> a supported way to get all the internals to update without having to mess
> around with them and break abstraction. It's mentioned very briefly in [2].
> I'll try and put a mention of it in the context-check topic.
>
> -- Scott
>
> [1] https://issues.shibboleth.net/jira/browse/IDP-1238
> [2] https://wiki.shibboleth.net/confluence/display/IDP4/ProfileHandling
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200727/98cded8e/attachment.htm>

More information about the users mailing list