cas with o365


Alfonso Veraluz

Jul 2, 2019, 10:38:53 AM7/2/19
to CAS Community
Hello.

I have CAS 5.2.3 running fine with Tomcat 8.0.32, OpenJDK 1.8 and connected to an OpenLDAP, so my users can log in with the uid and the mail.
This CAS is currently providing SSO between Alfresco and Liferay.

I want to add SSO with Office365, but only for a particular public domain, and I have some questions:

1.- Which FederationMetadata.xml do I need to provide to CAS: the one at https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml or the one with my EntityID provided in the Azure Portal admin section?
2.- How do I map the mail in OpenLDAP to be the same as the O365 account? Is the IdP supposed to map it in cas.samlSp.office365.attributes?

Would adding this to my cas.properties be enough?

 cas.samlSP.office365.metadata=/etc/cas/saml/frommsoft/federationmetadata.xml
 cas.samlSp.office365.description=Office365 Integration
 cas.samlSp.office365.nameIdAttribute=scopedImmutableID
 cas.samlSp.office365.attributes=IDPEmail,ImmutableID

Thanks for your comments.

Robert Bond

Jul 2, 2019, 10:51:03 AM7/2/19
to CAS Community

You need to have an immutableId that is shared with Office365 through your import process. This can be almost anything; it just cannot be changed on the O365 side. Typically people use the account GUID from their directory server.

You can use the integration like you are currently, or below is my service for Office 365.

Do you have the attributes 'scopedImmutableID,IDPEmail,ImmutableID' being imported into the CAS attribute repository from your OpenLDAP?

Service for Office 365:

{
    "id" : 23,
    "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "evaluationOrder" : 23,
    "metadataExpirationDuration" : "PT60M",
    "signAssertions" : false,
    "skipGeneratingAssertionNameId" : false,
    "skipGeneratingSubjectConfirmationInResponseTo" : false,
    "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
    "skipGeneratingSubjectConfirmationRecipient" : false,
    "skipGeneratingSubjectConfirmationNotBefore" : true,
    "signResponses" : true,
    "encryptAssertions" : false,
    "metadataCriteriaRoles" : "SPSSODescriptor",
    "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
    "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
    "signingCredentialType" : "BASIC",
    "serviceId" : "urn:federation:MicrosoftOnline",
    "name" : "office365",
    "description" : "Office 365",
    "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "ImmutableId",
        "canonicalizationMode" : "NONE",
        "encryptUsername" : false
    },
    "logoutType" : "BACK_CHANNEL",
    "accessStrategy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : true,
        "ssoEnabled" : true
    }
}


Robert Bond

Jul 2, 2019, 11:06:44 AM7/2/19
to CAS Community

Let me know if the below makes sense.

For the integration you need to pass the attributes as follows:

cas.samlSP.office365.description=O365 Integration
cas.samlSP.office365.nameIdAttribute=Something from your OpenLDAP that does not change, like objectguid in Active Directory. You need to sync this to O365 as the immutableId.
cas.samlSP.office365.attributes=mail 'from your OpenLDAP', objectguid 'your immutableId again'


Alfonso Veraluz

Jul 2, 2019, 11:59:35 AM7/2/19
to CAS Community
Thanks for the reply Robert Bond!

So if I understand this:
 1) I have to add an objectclass like uidObject to have a uid attribute in OpenLDAP for each user. This attribute must never change for the user.
 2) Configure cas.properties like yours, with the attribute from the LDAP:

 cas.samlSp.office365.description=Office365 Integration
 cas.samlSp.office365.nameIdAttribute=uid
 cas.samlSp.office365.attributes=mail,uid
 3) Configure the service like yours:

{
    "id" : 23,
    "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "evaluationOrder" : 23,
    "metadataExpirationDuration" : "PT60M",
    "signAssertions" : false,
    "skipGeneratingAssertionNameId" : false,
    "skipGeneratingSubjectConfirmationInResponseTo" : false,
    "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
    "skipGeneratingSubjectConfirmationRecipient" : false,
    "skipGeneratingSubjectConfirmationNotBefore" : true,
    "signResponses" : true,
    "encryptAssertions" : false,
    "metadataCriteriaRoles" : "SPSSODescriptor",
    "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
    "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
    "signingCredentialType" : "BASIC",
    "serviceId" : "urn:federation:MicrosoftOnline",
    "name" : "office365",
    "description" : "Office 365",
    "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "uid",
        "canonicalizationMode" : "NONE",
        "encryptUsername" : false
    },
    "logoutType" : "BACK_CHANNEL",
    "accessStrategy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : true,
        "ssoEnabled" : true
    }
}

And now how can it be tested properly? Because from the O365 side they don't know that I have made changes on my local CAS to allow login with my TGC.

Let me know if I'm on the right path!


Thanks for your comments.

Robert Bond

Jul 2, 2019, 12:08:21 PM7/2/19
to CAS Community
Yep, you also need to add the uid as the ImmutableId on creation of the accounts in Office 365. How are you syncing users to Office 365?
To set the ImmutableId on a user via PowerShell:
Set-MsolUser -UserPrincipalName as...@example.com -ImmutableId 71cfd66c-2c72-43ee-a88e-8e29458eb3b0

Robert Bond

Jul 2, 2019, 5:41:11 PM7/2/19
to CAS Community

Were you able to complete the setup?

Thanks!

casuser

Jul 2, 2019, 9:34:17 PM7/2/19
to CAS Community
Hi Robert,

I am also facing the same issue. I just want to know the steps I need to follow from the Office 365 side. I have configured CAS for Office 365 but I'm not sure about the steps in the Office 365 part.

Alfonso Veraluz

Jul 3, 2019, 6:19:51 AM7/3/19
to CAS Community
Hello Robert

Users from OpenLDAP and from O365 are not synced at all at the moment. It's supposed to be achieved with Azure AD Connect, but this means a new Windows server, and it seems the only option that may fit is the Pass-through option (https://docs.microsoft.com/es-es/azure/active-directory/hybrid/how-to-connect-pta). I'm not sure about it; I can test it, but it will require some time to build and configure. Can this be achieved via PowerShell?

As @casuser says, the steps to be done in O365 are not very clear in the documentation.

Thanks 

Robert Bond

Jul 3, 2019, 10:26:36 AM7/3/19
to cas-...@apereo.org
If you do not want to use Azure AD Connect you can create a process to sync via PowerShell. I have an example on my GitHub: https://github.com/bondr007/office365UserSync. It consumes a CSV and does some queries to AD. It could be modified for OpenLDAP.

The steps to actually enable SSO on Office are hard to find; it has to be done via PowerShell. Here is what I used:

Here are the specific settings I used when configuring Office 365 federation with CAS.
ActiveLogOnUri                         :
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    :
IssuerUri                              : https://logon.example.com/cas/idp
LogOffUri                              : https://logon.example/cas/logout?service=http%3A%2F%2Fportal.office.com%2F
MetadataExchangeUri                    :
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://logon.example.com/cas/idp/profile/SAML2/POST/SSO

Let me know if that helps.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/49ba8f0f-fee3-4bcb-a154-d2345360178d%40apereo.org.


--
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University
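The two Office 365-side steps that the thread leaves scattered (setting each account's ImmutableId in the Jul 2 12:08 PM reply, and the federation settings listed just above) put together as one PowerShell session. This is an added example, not code from the thread, from Robert's GitHub project or from the CAS project. The MSOnline cmdlets and their parameters are real; the domain example.com, the CAS host logon.example.com, the file paths C:\cas\idp-metadata.xml and C:\cas\users.csv (columns uid,mail, matching Alfonso's nameIdAttribute=uid) are assumptions.

```powershell
# Added example, not code from the thread or from the CAS project.
# Stamps each Office 365 account's ImmutableId with the stable OpenLDAP attribute
# that CAS sends as the SAML NameID, then switches the domain to federated
# authentication against the CAS SAML2 IdP. Needs the MSOnline module and a
# tenant Global Administrator. Assumed values: example.com, logon.example.com,
# C:\cas\idp-metadata.xml, C:\cas\users.csv (columns uid,mail).

Import-Module MSOnline
Connect-MsolService                      # interactive tenant-admin login

$domain  = 'example.com'                 # verified, non-default tenant domain (assumption)
$casBase = 'https://logon.example.com/cas'

# 1. ImmutableId must be set while the domain is still managed: Microsoft
#    rejects ImmutableId changes on accounts in a federated domain. The CSV is a
#    constructed OpenLDAP export; uid is the attribute used as nameIdAttribute.
Import-Csv -Path 'C:\cas\users.csv' | ForEach-Object {
    $user = Get-MsolUser -UserPrincipalName $_.mail -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "No Office 365 account for $($_.mail); skipping"
        return                           # 'return' moves on to the next CSV row
    }
    if ($user.ImmutableId -ne $_.uid) {
        Set-MsolUser -UserPrincipalName $_.mail -ImmutableId $_.uid
        Write-Host "ImmutableId on $($_.mail) set to $($_.uid)"
    }
}

# 2. Signing certificate: the CAS IdP metadata carries it in
#    <KeyDescriptor use="signing">. Set-MsolDomainAuthentication wants the raw
#    base64 DER, without PEM header/footer or whitespace. PowerShell's [xml]
#    navigation matches on local names, so the md:/ds: prefixes need no handling.
[xml]$idpMetadata = Get-Content -Path 'C:\cas\idp-metadata.xml' -Raw
$signingCert = ($idpMetadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    Select-Object -First 1).KeyInfo.X509Data.X509Certificate -replace '\s', ''

# 3. Point the domain at CAS. The URIs mirror the federation settings quoted in
#    the thread: IssuerUri is the CAS IdP entity id, PassiveLogOnUri the SAML2
#    HTTP-POST SSO endpoint, LogOffUri the CAS logout returning to the portal.
Set-MsolDomainAuthentication -DomainName $domain `
    -Authentication Federated `
    -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri "$casBase/idp" `
    -PassiveLogOnUri "$casBase/idp/profile/SAML2/POST/SSO" `
    -LogOffUri "$casBase/logout?service=http%3A%2F%2Fportal.office.com%2F" `
    -SigningCertificate $signingCert

# 4. Check what the tenant stored before testing a login at portal.office.com;
#    every field must match the CAS side exactly, including the IssuerUri.
Get-MsolDomainFederationSettings -DomainName $domain
Get-MsolUser -DomainName $domain | Select-Object UserPrincipalName, ImmutableId
```

The order matters: Microsoft refuses ImmutableId updates on accounts in a federated domain, so the CSV pass runs first. The test Alfonso asks about is then simple: a login at portal.office.com with a UPN in the federated domain must redirect to the CAS login page; while the domain is still Managed, CAS and login.microsoftonline.com stay unconnected exactly as he describes. If the federation has to be backed out, `Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed` returns the domain to password authentication in the tenant.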

Robert Bond

Jul 8, 2019, 9:28:10 AM7/8/19
to CAS Community
Were you able to complete the O365 setup with CAS?


Robert Bond

Jul 8, 2019, 11:23:36 AM7/8/19
to CAS Community
Neat tip for anyone using CAS with Office 365. You can have Microsoft automatically redirect to your CAS login by using a link like the one below:

Alfonso Veraluz

Jul 8, 2019, 12:28:18 PM7/8/19
to CAS Community
Hello.

No. I made some progress adding values to the immutableId of the 365 users, but after that:
 1) I can log in to CAS, but it doesn't log in on login.microsoftonline.com
 2) I can log in on login.microsoftonline.com, but it doesn't SSO with my CAS.

It's just that both systems are not connected after all.

Robert Bond

Jul 9, 2019, 3:30:49 PM7/9/19
to CAS Community
Have you switched Office 365 over to use federated login via the Set-MsolDomainAuthentication PowerShell command?

Łukasz Woźniak

Jul 10, 2019, 4:21:48 AM7/10/19
to cas-...@apereo.org
Hi,

I integrated with O365, but using OpenID, on version 5.2.x, and this version has poor support for integration with O365. Try to use version 5.3.x or, if you can, 6.0.x. In version 5.2.x the problem is that O365 doesn't support a redirect URL with a parameter, and CAS generates a URL with a parameter; version 5.3.x fixed that.
