{"id":63,"date":"2013-05-10T12:37:27","date_gmt":"2013-05-10T12:37:27","guid":{"rendered":"http:\/\/blogs.kent.ac.uk\/unseenit\/?p=63"},"modified":"2013-05-10T12:37:27","modified_gmt":"2013-05-10T12:37:27","slug":"office-and-shibboleth-2","status":"publish","type":"post","link":"https:\/\/blogs.kent.ac.uk\/unseenit\/office-and-shibboleth-2\/","title":{"rendered":"Office365 & Shibboleth (2)"},"content":{"rendered":"

Something I forgot to mention in my earlier post<\/a> about getting Shibboleth working with Office365 was our need to tweak the config a bit beyond what the whitepaper instructs.<\/p>\n

I was having a problem whereby the IdP was refusing to write a SAML assertion, I think just over ECP, because the NameID format it was trying to generate (urn:oasis:names:tc:SAML:2.0:nameid-format:transient<\/code>) wasn’t supported. Annoyingly the Shibboleth logs from when I encountered the problem have cycled away so I can’t quote the exact error message.<\/p>\n

Either way, with a bit of digging, I discovered this page<\/a> (in Austrian\/German) which gave me enough of a hint to try editing my <RelyingParty> tag for MicrosoftOnline to include:<\/p>\n

nameIDFormatPrecedence=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\"<\/pre>\n
So my complete <RelyingParty> XML block is now:<\/p>\n
\r\n<!-- Microsoft Windows Azure AD -->\r\n<rp:RelyingParty id=\"urn:federation:MicrosoftOnline\"\r\n   provider=\"__ENTITYID__\"\r\n   defaultSigningCredentialRef=\"IdPCredential\"\r\n   nameIDFormatPrecedence=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\"\r\n   >\r\n   <rp:ProfileConfiguration xsi:type=\"saml:SAML2SSOProfile\"\r\n      signAssertions=\"conditional\"\r\n      encryptAssertions=\"never\"\r\n      encryptNameIds=\"never\" \/>\r\n   <rp:ProfileConfiguration xsi:type=\"saml:SAML2ECPProfile\" includeAttributeStatement=\"true\"\r\n      assertionLifetime=\"PT5M\" assertionProxyCount=\"0\"\r\n      signResponses=\"never\" signAssertions=\"always\"\r\n      encryptAssertions=\"never\" encryptNameIds=\"never\"\/>\r\n<\/rp:RelyingParty>\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Something I forgot to mention in my earlier post about getting Shibboleth working with Office365 was our need to tweak the config a bit beyond … Read more<\/a><\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/63"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/comments?post=63"}],"version-history":[{"count":10,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/63\/revisions"}],"predecessor-version":[{"id":73,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/63\/revisions\/73"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/media?parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/categories?post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/tags?post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}