Is anyone using the simplesaml adfs module successfully as IDP for office 365?


foobarableful

Jan 8, 2020, 5:49:55 AM
to SimpleSAMLphp
What I am trying to do

I am trying to use https://github.com/simplesamlphp/simplesamlphp-module-adfs as IDP (for connecting to Office365), so I won't need to set up an ADFS next to our SimpleSAMLphp SAML2.0 IDP.

Currently it looks like no one is using this module in IDP configuration at all. Two minutes after trying to work out how to configure the module I discovered a very obvious bug (www/assets/js/postReponse.js -> www/assets/js/postResponse.js, will create a MR for it), which made me doubt that anyone uses this in production.

So my question is: Is it safe to assume that this module should not be used for any production installation of SSP? If not, I could use some hints on how to configure it to use it as IDP for office.com.

What have I done so far?

My current idp configuration looks like this:

var/simplesamlphp# cat metadata/adfs-idp-hosted.php
<?php

$metadata['__DYNAMIC:1__'] = [
    'host' => '__DEFAULT__',
    // Signing key and certificate, relative to the cert directory.
    'privatekey' => 'saml.key',
    'certificate' => 'saml.crt',
    // Auth source defined in config/authsources.php.
    'auth' => 'ad-test',
    'authproc' => [
        // Convert LDAP names to WS-Fed Claims.
        100 => ['class' => 'core:AttributeMap', 'name2claim'],
    ],
    'redirect.sign' => true,
    'sign.logout' => true,
];

ad-test is an auth source connected to a test AD. Authentication against it works like a charm.

I replaced the domain name of the instance with <URL>

Jan  7 15:12:33 gwdg-proxy-stage-1 simplesamlphp[35768]: 5 STAT [20919036ff] User '<userid>@<stage.some.domain> successfully authenticated from <IP>
Jan  7 15:12:33 gwdg-proxy-stage-1 simplesamlphp[35768]: 7 [20919036ff] Deleting state: '_6458e8293e07f42ed8f0e91be24646d4494bbca3fa'
Jan  7 15:12:33 gwdg-proxy-stage-1 simplesamlphp[35768]: 7 [20919036ff] Session: doLogin("ad-test")
Jan  7 15:12:33 gwdg-proxy-stage-1 simplesamlphp[35768]: 7 [20919036ff] Session: Valid session found with 'ad-test'.
Jan  7 15:12:33 gwdg-proxy-stage-1 simplesamlphp[35768]: 7 [20919036ff] Session: Valid session found with 'ad-test'.
Jan  7 15:12:33 gwdg-proxy-stage-1 simplesamlphp[35768]: 7 [20919036ff] Filter config for urn:federation:<URL>:idp->urn:federation:MicrosoftOnline: array (  0 =>   SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 30,  )),  1 =>   SimpleSAML\Module\core\Auth\Process\StatisticsWithAttribute::__set_state(array(     'attribute' => 'realm',     'typeTag' => 'saml20-idp-SSO',     'skipPassive' => false,     'priority' => 45,  )),  2 =>   SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 99,  )),  3 =>   SimpleSAML\Module\core\Auth\Process\AttributeMap::__set_state(array(     'map' =>     array (      'c' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country',      'givenName' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',      'mail' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',      'memberOf' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role',      'postalcode' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode',      'uid' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',      'sn' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',      'st' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince',      'streetaddress' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress',      'telephonenumber' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone',    ),     'duplicate' => false,     'priority' => 100,  )),)

I know this is most likely an issue with configuration on the MS side, because I am getting this error from the SP:

AADSTS50107: The requested federation realm object 'urn:federation:<URL>:idp' does not exist.

So the question is: Has anyone ever done this successfully and can give me some hints?

bro...@ics.muni.cz

Feb 20, 2020, 9:41:51 AM
to SimpleSAMLphp
Hello foobarableful,

I have managed to use this module as an IdP talking to MS using WS-Federation (instead of SAML2, without involving ADFS).
The key was basically to set entityID correctly (in sync with settings in AD) and also to send correct user identifier (in my case obtained from AD using the addAttributeFromLdap filter).
If this is of any help, I can publish the key parts of my configuration.

Best regards
Pavel

On Wednesday, 8 January 2020 at 11:49:55 UTC+1, foobarableful wrote:

Matthew Sewell

Mar 11, 2021, 10:19:20 AM
to SimpleSAMLphp
Hi,

I know it's been a long time, but did you ever get this working? 

I've been banging my head against a wall with it. I have it hooked up to an on-premises AD, but am trying to move it to Azure AD and keep getting the same issue:

AADSTS50107: The requested federation realm object <URL> does not exist

Though I actually wonder if shifting to the WS-Fed route suggested by Pavel would be better, as they have SAML and WS-Fed as their two protocols for external identity providers.

Best wishes,

Matt

Tim van Dijen

Mar 11, 2021, 12:46:41 PM
to SimpleSAMLphp
Hey Matthew,

I haven't used SimpleSAMLphp in this regard, but I have used SAML2 to successfully use Azure. The only limitation for this is that you are not able to use their 'hybrid join' mechanism.
All you need is a minimum of two attributes or claims, whatever you like to call them:
- IDPEmail filled with the subject's email address
- The NameID set to format=persistent, with the msdsconsistencyguid from AD as its value

It was enough for me to be able to authenticate to portal.azure.com.....

- Tim
On Thursday, 11 March 2021 at 16:19:20 UTC+1, Matthew Sewell wrote:
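The two claims Tim describes, expressed as a SimpleSAMLphp SAML 2.0 IdP configuration. This is an added example, not configuration posted by anyone in this thread and not part of the simplesamlphp-module-adfs project; it uses the stock saml20 IdP rather than the adfs module. It assumes an auth source named 'ad-test' (the name used in the first post) that returns the LDAP attributes 'mail' and 'mS-DS-ConsistencyGuid' as raw binary, an IdP entityID of https://idp.example.org/saml2 (placeholder), and an intermediate attribute name 'ImmutableID' chosen here for illustration. The entityID key must match the issuer registered on the Azure AD side exactly; a mismatch is what the AADSTS50107 "federation realm object does not exist" error quoted earlier in the thread reports.

```php
<?php
// Added example, not from any post in this thread.
// Assumptions: auth source 'ad-test' returns 'mail' and a raw-binary
// 'mS-DS-ConsistencyGuid'; the entityID below is a placeholder.

// metadata/saml20-idp-hosted.php
// The array key is the IdP entityID. It has to be identical to the issuer
// URI registered with Azure AD, or the federation realm lookup fails.
$metadata['https://idp.example.org/saml2'] = [
    'host' => '__DEFAULT__',
    'privatekey' => 'saml.key',
    'certificate' => 'saml.crt',
    'auth' => 'ad-test',
    'authproc' => [
        // 1. Azure AD expects the persistent identifier as base64 of the
        //    16-byte GUID. core:PHP runs the snippet over $attributes; it
        //    only encodes the binary value the LDAP source delivered
        //    (assumption: the source does not already base64-encode it).
        10 => [
            'class' => 'core:PHP',
            'code' => '
                if (isset($attributes["mS-DS-ConsistencyGuid"][0])) {
                    $attributes["ImmutableID"] = [
                        base64_encode($attributes["mS-DS-ConsistencyGuid"][0]),
                    ];
                }
            ',
        ],
        // 2. IDPEmail claim, copied from the LDAP mail attribute.
        20 => ['class' => 'core:AttributeCopy', 'mail' => 'IDPEmail'],
        // 3. Persistent NameID carrying the encoded GUID. This runs before
        //    the attribute limit below, so the NameID is set even though
        //    ImmutableID is not released as an attribute.
        30 => [
            'class' => 'saml:AttributeNameID',
            'attribute' => 'ImmutableID',
            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        ],
        // 4. Release nothing beyond what the relying party needs.
        40 => ['class' => 'core:AttributeLimit', 'IDPEmail'],
    ],
];

// metadata/saml20-sp-remote.php
// Azure AD as remote SP. 'urn:federation:MicrosoftOnline' is the entityID
// visible in the log output earlier in this thread. Take the ACS URL from
// the federation metadata Microsoft publishes rather than trusting this
// placeholder.
$metadata['urn:federation:MicrosoftOnline'] = [
    'AssertionConsumerService' => 'https://login.microsoftonline.com/login.srf', // verify against Microsoft's metadata
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'saml20.sign.assertion' => true,
    'saml20.sign.response' => true,
];
```

The ordering of the authproc filters matters: the NameID filter reads ImmutableID before core:AttributeLimit strips every attribute except IDPEmail, so the assertion carries exactly the two values Tim lists and nothing else from the directory.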

Peter Schober

Mar 11, 2021, 3:25:37 PM
to SimpleSAMLphp
* Tim van Dijen <tvd...@gmail.com> [2021-03-11 18:46]:
> It was enough for me to be able to authenticate to portal.azure.com.....

Is that using SSP as an IDP for office.com, as asked in this thread?

(I wouldn't know, but the above does not sound to me like that's
answering the actual question at hand.)

-peter

Matthew Sewell

Mar 11, 2021, 8:57:07 PM
to SimpleSAMLphp
Thanks both,

I'll try with the SAML settings instead of the adfs and see if I can get that working.

The frustrating thing is that everything looks right, but there's clearly something different in how AAD handles it compared to AD.
