-
Into
conf/relying-party.xml
, under<util:list id="shibboleth.RelyingPartyOverrides">
, add the following<bean>
:<bean id="Office365" parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline"> <property name="profileConfigurations"> <list> <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" /> <bean parent="SAML2.ECP" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /> </list> </property> </bean>
-
Into
conf/saml-nameid.xml
, inside the<util:list id="shibboleth.SAML2NameIDGenerators">
list, insert:<!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!--<ref bean="shibboleth.SAML2PersistentGenerator" />--> <!-- Release Persistent NameID to all but not to MicrosoftOnline--> <bean parent="shibboleth.SAML2PersistentGenerator"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.NOT"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="urn:federation:MicrosoftOnline" /> </constructor-arg> </bean> </property> </bean> <!-- Microsoft custom Persistent ID Generator --> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'ImmutableID'} }"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="urn:federation:MicrosoftOnline" /> </property> </bean>
-
Into
conf/attribute-resolver.xml
, create the following<AttributeDefinition>
to be able to generate the ImmutableID (ImmutableID
) attribute and the User ID (UserId
) scoped attribute starting from theuid
attribute (uid
andobjectGUID
must be part of theexportAttributes
list on theldap.properties
configuration file)<!-- Microsoft Office365 - Azure AD ImmutableID & User ID --> <AttributeDefinition xsi:type="Simple" id="ImmutableID"> <InputDataConnector ref="myLDAP" attributeNames="objectGUID"/> </AttributeDefinition> <AttributeDefinition scope="%{idp.scope}" xsi:type="Scoped" id="UserId"> <InputDataConnector ref="myLDAP" attributeNames="uid"/> </AttributeDefinition>
-
Create
conf/attributes/custom/ImmutableID.properties
as follow (the example considers italian and english languages only):# Azure AD ImmutableID (objectGUID) id=ImmutableID transcoder=SAML2StringTranscoder displayName.en=Azure AD ImmutableID displayName.it=Azure AD ImmutableID description.en=Azure AD ImmutableID description.it=Azure AD ImmutableID saml2.name=urn:oid:1.2.840.113556.1.4.2 saml1.encodeType=false
-
Create
conf/attributes/custom/UserId.properties
as follow (the example considers italian and english languages only):# Azure AD User ID id=UserId transcoder=SAML2ScopedStringTranscoder displayName.en=Azure AD User ID displayName.it=Azure AD User ID description.en=Azure AD User ID description.it=Azure AD User ID saml2.name=urn:oid:0.9.2342.19200300.100.1.1 saml1.encodeType=false
-
Create Office 365 metadata:
wget https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml -O /opt/shibboleth-idp/metadata/office365-md.xml
(and remove the NameIDFormat "
unspecified
" or the relase NameID will be always "transient
") -
Into
conf/metadata-providers.xml
add the Office 365 metadata:<MetadataProvider id="Office365" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/office365-md.xml"/>
-
Into
conf/attribute-filter.xml
, configure the attribute release:<!-- Attribute Filter Policy for Microsoft Office365/Azure --> <AttributeFilterPolicy id="PolicyForWindowsAzureAD"> <PolicyRequirementRule xsi:type="Requester" value="urn:federation:MicrosoftOnline" /> <!-- Release userPrincipalName as Azure AD User ID --> <AttributeRule attributeID="UserId"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <!-- Release Immutable ID to Azure AD --> <AttributeRule attributeID="ImmutableID"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> </AttributeFilterPolicy>
-
Test with AACLI:
bash /opt/shibboleth-idp/bin/aacli.sh -n <REPLACE_WITH_USERNAME_IDP> -r urn:federation:MicrosoftOnline --saml2
If the Shibboleth IdP returns an error like:
WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:334] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy
try to run AACLI for the Microsoft resource:
bash /opt/shibboleth-idp/bin/aacli.sh -n <USERNAME> -r urn:federation:MicrosoftOnline --saml2
by replacing <USERNAME>
with the username of a real user.
This will help to discover what kind of NameID the IDP is releasing to the SP.
If the NameID released is the transient
one, check the Microsoft SP metadata and remove the transient
<md:NameIDFormat>
element from it before trying again.