Configuring SimpleSamlPHP as IdP for Azure AD/Office365


Erik

Apr 11, 2016, 5:12:12 AM4/11/16
to SimpleSAMLphp
Hi,

I am currently trying to set up SimpleSamlPHP as an identity provider for Office365. I am following the description [1]

After logging in at the IdP and being redirected to https://login.microsoftonline.com/login.srf the login fails there with error 80047899.

I could not find documentation about that error and how to fix it.

I did the following steps to setup single-sign-on:

* Setup and verified an additional external domain for my Azure AD
* Created users in my Azure AD, which use the external domain for login
* Uploaded my SimpleSamlPHP IdP metadata for the external domain by using the Set-MsolDomainAuthentication cmdlet

The following then works: When logging into https://portal.office.com with my Azure domain user <username>@<domain> the login page correctly redirects the browser to my IdP. After authenticating there, I get redirected, but the login fails at https://login.microsoftonline.com/login.srf, as mentioned, with error 80047899.

I confirmed that the SAML Assertion sent contains the ImmutableID as the NameID, and the IDPEmail attribute contains <username>@<domain>, that has just logged in.

My question:
* Does someone have detailed setup instructions for SimpleSamlPHP as an IdP to work with Azure AD/Office365? I am interested in the saml20-sp-remote.php and saml20-idp-hosted.php configuration files and options therein

Peter Schober

Apr 11, 2016, 7:18:54 AM4/11/16
to SimpleSAMLphp
* Erik <damrose.eri...@gmail.com> [2016-04-11 11:12]:
> After logging in at the IdP and being redirected to
> https://login.microsoftonline.com/login.srf the login fails there with
> error 80047899.
>
> I could not find documentation about that error and how to fix it.

Did you ask the vendor what that error code means?
Without knowing what's wrong you can only guess and do time-consuming
trial-and-error iterations.

> I confirmed that the SAML Assertion sent contains the ImmutableID as
> the NameID, and the IDPEmail attribute contains <username>@<domain>,
> that has just logged in.

What nameid-format does your NameID have? AFAIK that vendor only
supports persistent (even if the value you're required to send is NOT
a persistent NameID as per the SAML specification, i.e., they require
you to violate the spec.)
-peter
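The configuration the original post asks for, with the NameID format pinned to persistent as the reply suggests, as an added example that is not part of the thread and not SimpleSAMLphp's or Microsoft's own code. The SP entity ID `urn:federation:MicrosoftOnline` comes from Microsoft's federation documentation rather than from this thread; the `host`, key file names, the `example-userpass` auth source, and the assumption that the auth source returns `ImmutableID` and `mail` attributes are placeholders. The two arrays belong in `saml20-idp-hosted.php` and `saml20-sp-remote.php` respectively; they are shown together here only for reading.

```php
<?php
// --- saml20-idp-hosted.php -------------------------------------------------
// Hypothetical host, key files and auth source; replace with your own.
$metadata['__DYNAMIC:1__'] = [
    'host'       => '__DEFAULT__',
    'privatekey' => 'idp.pem',
    'certificate'=> 'idp.crt',
    'auth'       => 'example-userpass',
    // Azure AD verifies the signature on the <Assertion>, not only on the <Response>.
    'saml20.sign.assertion' => true,
    // Default NameID format for every SP served by this IdP; the SP entry below
    // repeats it so the value cannot be overridden by a request's NameIDPolicy.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
];

// --- saml20-sp-remote.php --------------------------------------------------
// Azure AD / Office 365 as the remote SP. The entity ID is the one Microsoft
// documents for federation (assumed here, not taken from the thread).
$metadata['urn:federation:MicrosoftOnline'] = [
    'AssertionConsumerService' => 'https://login.microsoftonline.com/login.srf',
    // Azure AD expects a persistent NameID whose value is the user's ImmutableId
    // (the value the tenant's user object was provisioned with), even though
    // that value is not a SAML-style opaque persistent identifier.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc' => [
        // Assumes the auth source yields a 'mail' attribute; rename it to the
        // IDPEmail attribute Azure AD reads (core:AttributeMap moves the value).
        10 => [
            'class' => 'core:AttributeMap',
            'mail'  => 'IDPEmail',
        ],
        // Build the <NameID> from the 'ImmutableID' attribute the auth source
        // returns (assumed attribute name), with the persistent format.
        20 => [
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'ImmutableID',
            'Format'    => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        ],
        // Release only what Azure AD needs; ImmutableID already went into the NameID.
        30 => [
            'class' => 'core:AttributeLimit',
            'IDPEmail',
        ],
    ],
];
```

To check what is actually issued before guessing further, enable `'debug' => true` in `config.php` so SimpleSAMLphp shows the outgoing SAML response, and confirm that the `<NameID>` element carries `Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"`, that its value equals the ImmutableId set on the Azure AD user, and that an `IDPEmail` attribute with the user's UPN is present.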