
  1. Configure your IdP to use the Azure metadata. Further information on loading metadata can be found here.

 

--ECP

--JAAS

 

<!-- Office365 cannot handle encrypted assertions and requires signing of assertions rather than responses -->

 

Excerpt: relying-party.xml
        <!-- Relying-party override for the Microsoft Online / Azure AD SP only
             (entityID urn:federation:MicrosoftOnline). Every other SP keeps the default profiles. -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline">
            <property name="profileConfigurations">
                <list>
                    <!-- Browser SSO. Assertions are signed but not encrypted, and the outer Response is
                         not signed, because Microsoft validates the assertion signature and cannot
                         decrypt assertions (see the note above the excerpts). With encryption off the
                         NameID and released attributes travel in cleartext inside the Response, so
                         confidentiality rests on TLS to the SP endpoint; keep signAssertions="true",
                         it is the only integrity protection the SP checks. -->
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" />
                    <!-- ECP (non-browser clients). Same signing/encryption settings as SSO;
                         nameIDFormatPrecedence forces the persistent NameID format, which
                         saml-nameid.xml maps to the AD objectGUID for this SP. -->
                    <bean parent="SAML2.ECP" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                </list>
            </property>
        </bean>
Excerpt: attribute-resolver.xml
  <!-- Needed for the Office365 integration. Simple definition: passes the directory connector's
       uMemphisAdObjectGuid value (presumably the AD objectGUID, per saml-nameid.xml) through unchanged.
       No AttributeEncoder is attached, so it is never emitted as a SAML Attribute; it exists only
       as the source of the persistent NameID built in saml-nameid.xml, and must still be permitted
       in attribute-filter.xml for that generator to see it. -->
  <resolver:AttributeDefinition id="uMemphisAdObjectGuid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uMemphisAdObjectGuid">
    <resolver:Dependency ref="directory" />
  </resolver:AttributeDefinition>

  <!-- UserPrincipalName for Office365. Scoped definition: takes "uid" from the directory connector
       and appends the fixed scope, so the released value has the form uid@ssotenant.memphis.edu.
       The scope should match the domain federated with Azure AD; confirm it against the tenant
       configuration when changing it. Encoded as the SAML 2 scoped attribute named "IDPEmail",
       which is the attribute name Microsoft reads as the UPN. -->
  <resolver:AttributeDefinition id="UserId" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="ssotenant.memphis.edu"  sourceAttributeID="uid">
      <resolver:Dependency ref="directory" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="IDPEmail" />
  </resolver:AttributeDefinition>
Excerpt: attribute-filter.xml
  <!-- Release policy for Azure AD. The PolicyRequirementRule matches on the requester's entityID,
       so UserId and uMemphisAdObjectGuid are released only to urn:federation:MicrosoftOnline and
       to no other SP. ANY permits every value the resolver produced for each attribute.
       uMemphisAdObjectGuid must be permitted here even though it has no encoder: the NameID
       generator in saml-nameid.xml can only use attributes that pass the filter. -->
  <afp:AttributeFilterPolicy id="azureAD">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:federation:MicrosoftOnline"/>
    <afp:AttributeRule attributeID="UserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uMemphisAdObjectGuid">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
Excerpt: saml-nameid.xml
    <!-- SAML 2 NameID Generation. The generators in this list are consulted in order, and each
         one runs only if its activationCondition (when present) accepts the relying party. The
         two persistent-format generators below are made mutually exclusive by their conditions,
         so Microsoft never receives the IdP's computed persistent ID and every other SP never
         receives the raw AD GUID. The entityID in both conditions must stay identical to the one
         used in relying-party.xml and attribute-filter.xml. -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <!-- Transient (per-session) identifiers, unconditional. -->
        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Persistent ID Generator for all entities except Microsoft. The NOT wrapper
             skips this generator when the requester is urn:federation:MicrosoftOnline;
             the #{{'...'}} value is a SpEL list literal of candidate relying-party IDs. -->
        <bean parent="shibboleth.SAML2PersistentGenerator">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.NOT">
                    <constructor-arg>
                        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
                    </constructor-arg>
                </bean>
            </property>
        </bean>

        <!-- Microsoft requires a custom Persistent ID Generator that sends the AD GUID. This
             generator emits the persistent NameID format with the resolved uMemphisAdObjectGuid
             attribute as its value (so that attribute must be resolved and released for this SP),
             and is active only for urn:federation:MicrosoftOnline. The value is sent as-is, not
             hashed, so it is the same identifier Microsoft already holds from directory sync;
             presumably it is stable for the life of the AD object, which is what Microsoft's
             ImmutableID matching relies on. -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                  p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  p:attributeSourceIds="#{ {'uMemphisAdObjectGuid'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" />
            </property>
        </bean>
    </util:list>