Page tree
Skip to end of metadata
Go to start of metadata
  1. Configure your IdP to load the Azure metadata. Further information on loading metadata can be found here.

  2. Configure your IdP to respond to ECP profile requests.  More information can be found here

  3. Add relying party specific configuration.  Azure requires that encryption be turned off and that only assertions be signed.  It will also be necessary to set a name identifier precedence so that the ECP endpoint responds with a format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".  The following bean definition can be used verbatim in your configuration.

     

    Excerpt: relying-party.xml
            <bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline">
                <property name="profileConfigurations">
                    <list>
                        <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" />
                        <bean parent="SAML2.ECP" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                    </list>
                </property>
            </bean>
  4. Configure the necessary attribute definitions and filter policy.  Only one SAML attribute, entitled "IDPEmail," should be sent.  Another attribute definition is typically required in order to send the Azure ImmutableID in the SAML Subject.  The ImmutableID attribute is site dependent, but most frequently maps to the "objectGuid" in Active Directory.  The following configuration examples are for reference only and must be modified as appropriate to your environment.

     

    Excerpt: attribute-resolver.xml
      <!-- Needed Office365 Integration. Used for NameID value. (No encoder necessary) -->
      <resolver:AttributeDefinition id="uMemphisAdObjectGuid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uMemphisAdObjectGuid">
        <resolver:Dependency ref="directory" />
      </resolver:AttributeDefinition>
    
      <!-- UserPrincipalName for Office365. -->
      <resolver:AttributeDefinition id="UserId" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="testssotenant.memphis.edu"  sourceAttributeID="uid">
          <resolver:Dependency ref="directory" />
          <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="IDPEmail" />
      </resolver:AttributeDefinition>
    Excerpt: attribute-filter.xml
      <afp:AttributeFilterPolicy id="azureAD">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:federation:MicrosoftOnline"/>
        <afp:AttributeRule attributeID="UserId">
          <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uMemphisAdObjectGuid">
          <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
      </afp:AttributeFilterPolicy>
  5. Since Azure requires use of a proprietary identifier in conjunction with the standard NameID format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent," you will need to create activation conditions to send that value to Azure only. The following configuration example is for reference purposes and must be modified as appropriate to your environment.

Excerpt: saml-nameid.xml
    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Persistent ID Generator for all entities except Microsoft -->
        <bean parent="shibboleth.SAML2PersistentGenerator">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.NOT">
                    <constructor-arg>
                        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
                    </constructor-arg>
                </bean>
            </property>
        </bean>

        <!-- Microsoft requires a custom Persistent ID Generator that sends the AD GUID -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                  p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  p:attributeSourceIds="#{ {'uMemphisAdObjectGuid'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
            </property>
        </bean>
    </util:list>
  • No labels

1 Comment

  1. Microsoft provides on GitHub documentation on how to use Azure Active Directory Single Sign-On with Shibboleth IdPv3: