Add relying party specific configuration. Azure requires that encryption be turned off and that only assertions be signed. It will also be necessary to set a name identifier precedence so that the ECP endpoint responds with a format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The following bean definition can be used verbatim in your configuration.
<bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline"> <property name="profileConfigurations"> <list> <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" /> <bean parent="SAML2.ECP" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /> </list> </property> </bean> |
Configure the necessary attribute definitions and filter policy. Only one SAML attribute, entitled "IDPEmail," should be sent. Another attribute definition is typically required in order to send the Azure ImmutableID in the SAML Subject. The ImmutableID attribute is site dependent, but most frequently maps to the "objectGuid" in Active Directory. The following configuration examples are for reference only and must be modified as appropriate to your environment.
<!-- Needed Office365 Integration. Used for NameID value. (No encoder necessary) --> <resolver:AttributeDefinition id="uMemphisAdObjectGuid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uMemphisAdObjectGuid"> <resolver:Dependency ref="directory" /> </resolver:AttributeDefinition> <!-- UserPrincipalName for Office365. --> <resolver:AttributeDefinition id="UserId" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="testssotenant.memphis.edu" sourceAttributeID="uid"> <resolver:Dependency ref="directory" /> <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="IDPEmail" /> </resolver:AttributeDefinition> |
<afp:AttributeFilterPolicy id="azureAD"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:federation:MicrosoftOnline"/> <afp:AttributeRule attributeID="UserId"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="uMemphisAdObjectGuid"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> |
<!-- SAML 2 NameID Generation --> <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <!-- Persistent ID Generator for all entities except Microsoft --> <bean parent="shibboleth.SAML2PersistentGenerator"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.NOT"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" /> </constructor-arg> </bean> </property> </bean> <!-- Microsoft requires a custom Persistent ID Generator that sends the AD GUID --> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'uMemphisAdObjectGuid'} }"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'urn:federation:MicrosoftOnline'}}" /> </property> </bean> </util:list> |