O365 Federation and error AADSTS50107: Requested federation realm object
1,684 views
Skip to first unread message
PJ
Nov 14, 2016, 5:18:19 AM11/14/16
to SimpleSAMLphp
Hello,
I'm trying to use SimpleSAMLPhp as IDP with my O365 test tenant but I fail to login with a test account.
IDP certificate for web server and in cert directory are issued by Letsencrypt
IDP works with an SimpleSAMLPhp SP
Here is my configuration:
## Commands used to declare federation
$dom = "xxx.fr"
$BrandName = "XXXXX"
$LogOnUrl = "https://idp.xxx.fr/saml2/idp/SSOService.php"
$LogOffUrl = "https://idp.xxx.fr/saml2/idp/SingleLogoutService.php"
$MyURI = "urn:uri:XXXIDP"
$MySigningCert ="MIIEVDCCAzyg..."
$Protocol = "SAMLP"
Set-MsolDomainAuthentication ` -DomainName $dom -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $MyURI -SigningCertificate $MySigningCert -IssuerUri $uri -LogOffUri $url -PreferredAuthenticationProtocol $Protocol
## Commands used to declare user (E3 test license set using the O365 interface)
New-MsolUser `
-UserPrincipalName smi...@xxx.fr
-ImmutableId ABCDEFG1234567890
-DisplayName "Smileys"
-FirstName LotOf
-LastName Smileys
-AlternateEmailAddresses "smi...@xxx.fr"
-UsageLocation "FR"
## authsources.php
<?php
$config = array(
'default-sp' => array(
'saml:SP',
'entityID' => null,
'idp' => null,
'discoURL' => null,
),
'example-userpass' => array(
'exampleauth:UserPass',
'smileys:xxxxxxx' => array(
'uid' => array('ABCDEFG1234567890'),
'IDPEmail' => array('smi...@xxx.fr'),
'Issuer' => array('https://idp.xxx.fr/saml2/idp/metadata.php'),
),
),
);
## saml20-sp-remote.php
<?php
$metadata['urn:federation:MicrosoftOnline'] = array (
'entityid' => 'urn:federation:MicrosoftOnline',
'simplesaml.nameidattribute' => 'uid',
'contacts' =>
array (
),
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://login.microsoftonline.com/login.srf',
'index' => 0,
'isDefault' => true,
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
'Location' => 'https://login.microsoftonline.com/login.srf',
'index' => 1,
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',
'Location' => 'https://login.microsoftonline.com/login.srf',
'index' => 2,
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://login.microsoftonline.com/login.srf',
),
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'authproc' => array(
3 => array(
'class' => 'saml:AttributeNameID',
'attribute' => 'uid',
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
),
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIDYDCCAkigAwIBAgIJALLJPAyvf2sjMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xNDA3MTgxOTUz
NDBaFw0xOTA3MTcxOTUzNDBaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
bmcgUHVibGljIEtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANYD
KgByFZdqtTnnpF4IfIp4i2XLg2rLIo+mu4DmW9gRLlBJCNc7YESUxpKzuFYaANd8
fWsDigJZTXbhOQApSpw4xXFnor2vJ1zm94LtqjcVEXTjUml5gAIS4pwuOU3ZfO/0
eTG0gDYp4a0L/mzzTRsnwe/8WMPIE75Bq2zAyAZ9aePvl3QX7cXYLPfeK4QTgK3B
5lwe1wWu3y5oQidjcSok8Frf80xzuCYuOa+ZUK3JibpLLCrT4uwiqf+KREDSdc4b
PPlq0PWI4sQr1tha8yypRSvOH+/MxcfSRSnl6Uc+gm8nVEEWWIu4hhu6NIfG91mM
UqJuzkgLCi6Gov6JS8UCAwEAAaOBijCBhzAdBgNVHQ4EFgQUnQoq7sI3R8rde4sQ
s6nGEbJm3LcwWQYDVR0jBFIwUIAUnQoq7sI3R8rde4sQs6nGEbJm3LehLaQrMCkx
JzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJALLJPAyv
f2sjMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEAf4jaNhKzRG3k+52W
oM9nnISP7rlWIeWwH6EQGUlF6ozSP/03gYMAdqpdhww5zNwKzi7TQVbDC0pgq/tq
zHv6JEI0R4B6h7/TJ1pYPxdvIFQrE27RHESltH/m+5UkVnayLqRD3/fi4zf4aEpx
SDZ73MCR5LanPGqvlAMz29AL3g1ynj+eu7xMfFsM/8+qJaCXuxT5/30eeLEe+PYi
kA/PhEwp+qkDQWPvdAwEghuUaFvtKAgDZierjpGzHZnYkXTTDTHVe1iP7tsAJH5q
K3qdcv3UGPyZrjC/lietJcAcnwVoZQ93v2ieGfcKKN+PFN9M59/BkPo62HPoGNNx
2ZDQaQ==',
),
1 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIDYDCCAkigAwIBAgIJAKLDsqkylLefMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xNDEwMTAxODE2
MTNaFw0xOTEwMDkxODE2MTNaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
bmcgUHVibGljIEtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7A
3m6uvOxEsX+NlB1hnflaR8DJj597wY3qyh/FX4O6rKvU2leAfINmBWcjEFApCKi9
p5uIaZpNlDpPQ+R3BaZx+4NhHbOMpeWlpIiZHL61lwbulzurffUPhtzQNHAVzOBk
ZsOgN9BD/hOleU//d+IXz08ateUb3Ip2vyaodilYQDDi5M9yOhanv1cO1Usjo2xT
LfiK+TVygu+8bo+/8JHGPRy6pnghng970DRBDkVrKzozlrnmMesdSrtuCnsgyRbE
XckxaQ8S2nDYyFqBI0PkcBW8+0akdFWW58Os5cGbPFeHi6vtZCR5pWw5pnqtuoip
rdk9jg1axT3vwu+RVdcCAwEAAaOBijCBhzAdBgNVHQ4EFgQUBjNylGJBvkAY/4yI
IoD00R6p5hIwWQYDVR0jBFIwUIAUBjNylGJBvkAY/4yIIoD00R6p5hKhLaQrMCkx
JzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJAKLDsqky
lLefMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEAQGZUlJ3zzJvy1OLd
tV3NTYHlbVHm3Fty17xqW9Ui8GE8sEWeUdHA6eURNNpNpd+gAGC6Tp+k+cU1LlPw
Xm7BAATJ/2DjY8tzRc6r6EneQWRkIa8xpbvknXvUml6iFgo2ofOWLaFk6XpQ64MA
O35wv9XEARNabJ9wJSRSevUigAx2U2GvaorV5PgqHImiKTSrL0K6j8B4OqXWUqP0
KGf7pCdGlrq2XEl95N2zj8n/scvA9JasImztsVlZ+WxeF+OAMvWQQFc54gC6lwWc
8kno8vPn3lwxVkTU0o9wcHnOhNi2hzVDV85sz7P9dOZYF73uy1uLshdjCcwlmQ2l
A9OV9w==',
),
),
'saml20.sign.assertion' => true,
);
Enrico Cavalli
Nov 14, 2016, 5:44:52 AM11/14/16
to simple...@googlegroups.com
I very recently tested an office365 federation (but I do not know anything from MS side, it’s managed by other people).
This works for the idp side:
$metadata['urn:federation:MicrosoftOnline'] = array (
'entityid' => 'urn:federation:MicrosoftOnline',
….
'attributes' => array('IDPEmail', 'ImmutableID'),
'attributes.NameFormat' => "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
'authproc' => array(
32 => array(
'class' => 'core:AttributeMap',
'objectGUID' => 'ImmutableID',
),
36 => array(
'class' => 'core:AttributeMap',
'googlemail' => 'IDPEmail',
),
),
// Send ImmutableID as a "persistent" NameID
…..
ObjectGUID is fetched from active directory and users are syncronized from AD with MS tools
I still have to figure out a way to do the same with other users stored in an LDAP backend, but I guess
it is sufficient to have a map from entryUUID ….
Best regards,
Enrico.
--
Enrico Cavalli - enrico....@gmail.com
jabber: enrico....@gmail.com skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5
This works for the idp side:
$metadata['urn:federation:MicrosoftOnline'] = array (
'entityid' => 'urn:federation:MicrosoftOnline',
'attributes' => array('IDPEmail', 'ImmutableID'),
'attributes.NameFormat' => "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
'authproc' => array(
32 => array(
'class' => 'core:AttributeMap',
'objectGUID' => 'ImmutableID',
),
36 => array(
'class' => 'core:AttributeMap',
'googlemail' => 'IDPEmail',
),
),
// Send ImmutableID as a "persistent" NameID
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'ImmutableID’,
…..
ObjectGUID is fetched from active directory and users are syncronized from AD with MS tools
I still have to figure out a way to do the same with other users stored in an LDAP backend, but I guess
it is sufficient to have a map from entryUUID ….
Best regards,
Enrico.
--
Enrico Cavalli - enrico....@gmail.com
jabber: enrico....@gmail.com skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5
GALAMBOS Daniel
Nov 14, 2016, 7:44:04 AM11/14/16
to simple...@googlegroups.com
As long it looks like a ms guid, it seems to be okay.
We generate it on the fly (solution from the hungarian eduid wiki)
Maybe not the best solution, but it works.
$metadata['urn:federation:MicrosoftOnline'] = array(
'entityid' => 'urn:federation:MicrosoftOnline',
// Expose both required attributes
'authproc' => array(
31 => array(
'class' => 'core:PHP',
'code' => '
$eppn = $attributes["eduPersonPrincipalName"][0];
$chunks = str_split(md5($eppn), 4);
$attributes["ImmutableID"][0] = vsprintf("%s%s-%s-%s-%s-%s%s%s",
$chunks);
We generate it on the fly (solution from the hungarian eduid wiki)
Maybe not the best solution, but it works.
$metadata['urn:federation:MicrosoftOnline'] = array(
'entityid' => 'urn:federation:MicrosoftOnline',
'attributes' => array('IDPEmail', 'ImmutableID'),
'attributes.NameFormat' =>
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
// Configure attribute mapping and ImmutableID generation
'attributes.NameFormat' =>
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
'authproc' => array(
31 => array(
'class' => 'core:PHP',
'code' => '
$eppn = $attributes["eduPersonPrincipalName"][0];
$chunks = str_split(md5($eppn), 4);
$attributes["ImmutableID"][0] = vsprintf("%s%s-%s-%s-%s-%s%s%s",
$chunks);
',
),
36 => array(
'class' => 'core:AttributeMap',
'mail' => 'IDPEmail',
),
36 => array(
'class' => 'core:AttributeMap',
),
),
// Send ImmutableID as a "persistent" NameID
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'ImmutableID',
//...
),
// Send ImmutableID as a "persistent" NameID
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'ImmutableID',
Enrico Cavalli
Nov 14, 2016, 7:50:33 AM11/14/16
to simple...@googlegroups.com
Il giorno 14 nov 2016, alle ore 13:43, GALAMBOS Daniel <dan...@dancsa.hu> ha scritto:As long it looks like a ms guid, it seems to be okay.
We generate it on the fly (solution from the hungarian eduid wiki)
Initially I tried that solution but it does not work if user provisioning on the Office365 side is done
by the tools provided by microsoft to synchronise Active Directory (or at least does not work in the setup that I had to work with).
If I understand correctly it is up to the tool that provisions users to Azure cloud to “build” this identifier.
So I suppose that the solution proposed by the Hungarian colleagues works if users are provisioned with this ID in mind.
Do you have any pointer or suggestion?
Thank you,
Daniel Galambos
Nov 19, 2016, 5:56:20 PM11/19/16
to simple...@googlegroups.com
Hi.
I'm sorry, i missed that point, that in our case there is a third party
in the story. In our o365 cloud, the user logs in once on a special
website that does the provisioning to the cloud, after this, the user
can login to the M$. (That 3rd party website is a blackbox to us, it
runs outside our uni, so i completely forgot about it even though i
helped with the testing)
So It is possible, that website does some powershell magic in the
background, but unfortunately I don't know the solution for your problem.
2016.11.14. 13:50 keltezéssel, Enrico Cavalli írta:
>
>> Il giorno 14 nov 2016, alle ore 13:43, GALAMBOS Daniel
>> <dan...@dancsa.hu <mailto:dan...@dancsa.hu>> ha scritto:
> jabber: enrico....@gmail.com <mailto:enrico....@gmail.com>
> You received this message because you are subscribed to the Google
> Groups "SimpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to simplesamlph...@googlegroups.com
> <mailto:simplesamlph...@googlegroups.com>.
> To post to this group, send email to simple...@googlegroups.com
> <mailto:simple...@googlegroups.com>.
> Visit this group at https://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.
I'm sorry, i missed that point, that in our case there is a third party
in the story. In our o365 cloud, the user logs in once on a special
website that does the provisioning to the cloud, after this, the user
can login to the M$. (That 3rd party website is a blackbox to us, it
runs outside our uni, so i completely forgot about it even though i
helped with the testing)
So It is possible, that website does some powershell magic in the
background, but unfortunately I don't know the solution for your problem.
2016.11.14. 13:50 keltezéssel, Enrico Cavalli írta:
>
>> Il giorno 14 nov 2016, alle ore 13:43, GALAMBOS Daniel
>>
>> As long it looks like a ms guid, it seems to be okay.
>>
>> We generate it on the fly (solution from the hungarian eduid wiki)
>
> Initially I tried that solution but it does not work if user
> provisioning on the Office365 side is done
> by the tools provided by microsoft to synchronise Active Directory (or
> at least does not work in the setup that I had to work with).
>
> If I understand correctly it is up to the tool that provisions users to
> Azure cloud to “build” this identifier.
> So I suppose that the solution proposed by the Hungarian colleagues
> works if users are provisioned with this ID in mind.
>
> Do you have any pointer or suggestion?
>
> Thank you,
> Enrico.
>
>
> --
> Enrico Cavalli - enrico....@gmail.com <mailto:enrico....@gmail.com>
>> As long it looks like a ms guid, it seems to be okay.
>>
>> We generate it on the fly (solution from the hungarian eduid wiki)
>
> Initially I tried that solution but it does not work if user
> provisioning on the Office365 side is done
> by the tools provided by microsoft to synchronise Active Directory (or
> at least does not work in the setup that I had to work with).
>
> If I understand correctly it is up to the tool that provisions users to
> Azure cloud to “build” this identifier.
> So I suppose that the solution proposed by the Hungarian colleagues
> works if users are provisioned with this ID in mind.
>
> Do you have any pointer or suggestion?
>
> Thank you,
> Enrico.
>
>
> --
> jabber: enrico....@gmail.com <mailto:enrico....@gmail.com>
> skype: enricocavalli
> PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5
>
> --
> PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5
>
> You received this message because you are subscribed to the Google
> Groups "SimpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to simplesamlph...@googlegroups.com
> <mailto:simplesamlph...@googlegroups.com>.
> To post to this group, send email to simple...@googlegroups.com
> <mailto:simple...@googlegroups.com>.
> Visit this group at https://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.
Nate Klingenstein
Nov 20, 2016, 8:34:54 PM11/20/16
to simple...@googlegroups.com
The attribute mapping and provisioning requirements here are unique to
Windows Azure. You'll need to fulfill the matching rules that they've
implemented, but it's up to you how you would like to do so.
It's like this because provisioning never got standardized and
Microsoft invented their own attributes on the wire.
Even better, they've got some WS-SignOn protocol they invented in
addition to spotty SAML support and the skeleton of OAuth, so there's
not much I can point to in terms of standards in use, either.
This article may help, though.
http://mstechtalk.com/understand-and-modify-office365-users-immutableid/
Sorry for not having a response here sooner. I need to subscribe with
my other addresses.
Windows Azure. You'll need to fulfill the matching rules that they've
implemented, but it's up to you how you would like to do so.
It's like this because provisioning never got standardized and
Microsoft invented their own attributes on the wire.
Even better, they've got some WS-SignOn protocol they invented in
addition to spotty SAML support and the skeleton of OAuth, so there's
not much I can point to in terms of standards in use, either.
This article may help, though.
http://mstechtalk.com/understand-and-modify-office365-users-immutableid/
Sorry for not having a response here sooner. I need to subscribe with
my other addresses.
Reply all
Reply to author
Forward
0 new messages