- Configure your IdP to use the Azure metadata. Further information on loading metadata can be found here.
--ECP
--JAAS
<!-- Office365 cannot handle encrypted assertions and requires signing of assertions rather than responses -->
Excerpt: relying-party.xml
<!-- Relying-party override for Azure AD / Office365 (entityID urn:federation:MicrosoftOnline).
     Browser SSO and ECP get the same signing/encryption settings: the assertion is signed,
     the outer Response is not, and assertion encryption is switched off.
     NOTE(review): with encryption off, the assertion contents (IDPEmail and the AD GUID used
     as NameID) are protected in transit only by the transport security of the delivery to
     the ACS endpoint; the assertion signature is what keeps the integrity check on the part
     Office365 consumes. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="urn:federation:MicrosoftOnline">
  <property name="profileConfigurations">
    <list>
      <!-- Browser SSO profile. -->
      <bean parent="SAML2.SSO"
            p:signAssertions="true"
            p:signResponses="false"
            p:encryptAssertions="false" />
      <!-- ECP profile: additionally pins the persistent NameID format.
           NOTE(review): SSO does not pin it here; confirm the asymmetry is intended. -->
      <bean parent="SAML2.ECP"
            p:signAssertions="true"
            p:signResponses="false"
            p:encryptAssertions="false"
            p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
    </list>
  </property>
</bean>
Excerpt: attribute-resolver.xml
<!-- Office365 integration: the AD objectGUID is consumed only by the attribute-sourced
     NameID generator in saml-nameid.xml, so no SAML attribute encoder is attached here.
     The default xmlns on the definition is what lets the unprefixed xsi:type ("Simple")
     resolve to the resolver:ad namespace. -->
<resolver:AttributeDefinition id="uMemphisAdObjectGuid"
                              xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="uMemphisAdObjectGuid">
  <resolver:Dependency ref="directory" />
</resolver:AttributeDefinition>

<!-- UserPrincipalName for Office365: uid scoped to ssotenant.memphis.edu, released under
     the SAML attribute name IDPEmail (presumably the domain federated with Azure AD; verify).
     NOTE(review): the encoder's xsi:type uses the enc: prefix, presumably declared on the
     root element, so the default xmlns on the encoder element is not what resolves it;
     confirm before touching either declaration. -->
<resolver:AttributeDefinition id="UserId"
                              xsi:type="Scoped"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              scope="ssotenant.memphis.edu"
                              sourceAttributeID="uid">
  <resolver:Dependency ref="directory" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
                             xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="IDPEmail" />
</resolver:AttributeDefinition>
Excerpt: attribute-filter.xml
<!-- Release policy for Azure AD, keyed on the requester entityID urn:federation:MicrosoftOnline.
     Only the two attributes Office365 needs are permitted: the UPN (UserId, encoded as IDPEmail)
     and the AD GUID. The GUID has no encoder, but the NameID generator in saml-nameid.xml
     reads it from the released attribute set, which is why it must be permitted here.
     This policy releases these values to no other requester. -->
<afp:AttributeFilterPolicy id="azureAD">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                             value="urn:federation:MicrosoftOnline" />
  <afp:AttributeRule attributeID="UserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="uMemphisAdObjectGuid">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Excerpt: saml-nameid.xml
<!-- SAML 2 NameID generation. The two persistent-format generators below carry mutually
     exclusive activation conditions on the Azure AD entityID, so they can never both apply
     to the same relying party. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

  <ref bean="shibboleth.SAML2TransientGenerator" />

  <!-- Standard persistent ID for every relying party except Azure AD. -->
  <bean parent="shibboleth.SAML2PersistentGenerator">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.NOT">
        <constructor-arg>
          <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
        </constructor-arg>
      </bean>
    </property>
  </bean>

  <!-- Azure AD expects the AD objectGUID (resolved as uMemphisAdObjectGuid) as a
       persistent-format NameID, so it gets an attribute-sourced generator instead.
       NOTE(review): the activation condition is what keeps this directory-derived
       identifier from being issued to any other relying party; keep it in step with
       the NOT condition above if the candidate list ever changes. -->
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        p:attributeSourceIds="#{ {'uMemphisAdObjectGuid'} }">
    <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId"
            c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
    </property>
  </bean>

</util:list>