Shib v4 hybrid proxying via Azure AD

Goggins, Patrick gogginsp at uwgb.edu
Wed Mar 3 22:02:49 UTC 2021


The azureName attribute ended up returning null, still not sure why. Ended up switching over to the azureEmailaddress attribute, as the values were both keying off of the same user.userprincipalname value within AAD.

With a hybrid deployment, we opted to do a minimal release (UPN only) and also skipped the exportAttributes option on the DataConnector to further reduce the release.

The only other issue we had was with the LDAP connector failing, which needed the FilterTemplate update to be “UserPrincipalName=$resolutionContext.principal”.


Patrick Goggins
Senior Network/Systems Administrator
............................................................................................
Division of Information Technology
University of Wisconsin – Green Bay
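The connector change Patrick describes, written out as an attribute-resolver.xml fragment. This is an added example, not the thread's or the Shib wiki's configuration; it assumes the canonicalized principal the proxy hands back is the user's UPN (as the working filter implies), uses placeholder hosts, DNs and the connector id myLDAP, and relies on idp.attribute.resolver.LDAP.bindDNCredential being set in ldap.properties.

```xml
<!-- Added example (not from the thread or the wiki): minimal UPN-only resolver for an
     IdP proxying to Azure AD with an on-prem AD behind it. Hosts and DNs are placeholders. -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- The one attribute we intend to release: the UPN, read back from on-prem AD. -->
    <AttributeDefinition id="userPrincipalName" xsi:type="Simple">
        <InputDataConnector ref="myLDAP" attributeNames="userPrincipalName"/>
    </AttributeDefinition>

    <!-- Deliberately no exportAttributes here: nothing the directory returns is exported
         implicitly, so only the definition above ever reaches attribute filtering. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="ldaps://ldap.example.edu:636"
        baseDN="OU=People,DC=example,DC=edu"
        principal="CN=idp-svc,OU=Service,DC=example,DC=edu"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        connectTimeout="PT3S"
        responseTimeout="PT3S">
        <!-- Key on the UPN the proxied login resolves to, not on uid/sAMAccountName.
             This is the thread's filter wrapped in the parentheses an LDAP filter needs. -->
        <FilterTemplate>
            <![CDATA[
                (userPrincipalName=$resolutionContext.principal)
            ]]>
        </FilterTemplate>
        <!-- Ask the directory for only what the definition above consumes. -->
        <ReturnAttributes>userPrincipalName</ReturnAttributes>
    </DataConnector>

</AttributeResolver>
```

Pair it with an attribute-filter.xml policy that releases only userPrincipalName to the relying party; the resolver alone does not decide what leaves the IdP.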



From: Chris Phillips <Chris.Phillips at canarie.ca>
Sent: Wednesday, March 3, 2021 3:02 PM
To: Shib Users <users at shibboleth.net>
Cc: Jeffrey Williams <jfwillia at uncg.edu>; Goggins, Patrick <gogginsp at uwgb.edu>
Subject: Re: Shib v4 hybrid proxying via Azure AD

Hi..
Thanks for the call-outs by others on this for Patrick G.
Jeffrey’s items are now updated in the wiki How-to page; they were:

  *   In Trust Task 3: added in additional metadata steps to add in the shibmd:scope element and the XML NameSpace item for it
  *   In Task 4, the Canonicalization step, the action to uncomment the bean to trigger the PostLoginSubjectCanonicalizationFlows.

Patrick G: Check those steps against what you have and hope that can unlock your problem.

Thanks to the others who are adding in their insight too and why we published the solution on the Shib wiki..

Chris



From: "users-bounces at shibboleth.net" <users-bounces at shibboleth.net> on behalf of SHIB-USERS <users at shibboleth.net>
Reply-To: SHIB-USERS <users at shibboleth.net>
Date: Monday, March 1, 2021 at 5:22 PM
To: SHIB-USERS <users at shibboleth.net>
Cc: Jeffrey Williams <jfwillia at uncg.edu>
Subject: Re: Shib v4 hybrid proxying via Azure AD

Anybody doing this should read the excellent page that Chris Phillips and the Canadian Access Federation added to the Shib wiki about doing this:

  https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD

I was going to write up a page, but they pointed me to the work they had in progress,  and it really covers everything you need to know and be aware of when doing this.

That'd be the one I was referring to!  Good stuff, but I did run into a few things that were not in the docs.  Chris and I have emailed about it recently.


--
Jeffrey Williams
Identity & Access Engineer
Identity & Access Services
https://its.uncg.edu


