We have followed the manual for 'Configuring SSO for Office 365
Services' (http://tinyurl.com/mnk8vb7) but are unable to authenticate.

We have made some changes to the WS-Trust and WS-Federation settings,
such as the attributes to read out for the ImmutableID and UPN. Some fields
in the configuration are replaced, like the base URL of the IdP.

The users in Office 365 are created using the DirSync tool, so the
ImmutableID and the UPN come from AD. These values are synced from AD to
eDir using IDM.

The configuration is as follows:
*WS Federation*:

Service Providers:
Name: O365
Attributes:
Ldap Attribute: DirXML-ADGUID
Ldap Attribute: DirXML-O365UPN
Authentication Response:
Unspecified: Ldap Attribute: DirXML-ADGUID

*WS-Trust*:

Service Providers:
Name: O365
Selected operations:
Issue
Validate
Service Providers:
Name: O365
EndPoint: urn:federation:MicrosoftOnline
Token Type: SAML1

Attributes:
Ldap Attribute: DirXML-ADGUID
Ldap Attribute: DirXML-O365UPN
Authentication Response:
Unspecified Ldap Attribute: DirXML-ADGUID

STS Configuration:
Token Issuer: https://namtest.com/nidp/wstrust/sts

Endpoint Summary:
STS Service Details

Code:
--------------------
Service Name: {http://www.netiq.com/nam-4-0/wstrust}SecurityTokenService
Port Name: {http://www.netiq.com/nam-4-0/wstrust}STS_Port
MEX EndPoint URI: https://namtest.com/nidp/wstrust/sts/mex
WSDL Of STS Username authentication: https://namtest.com/nidp/wstrust/sts?wsdl
WSDL Of STS SAML authentication: https://namtest.com/nidp/wstrust/sts/saml?wsdl
--------------------


The attribute sets are configured as follows:

Code:
--------------------
Ldap Attribute: DirXML-ADGUID [LDAP Attribute Profile] <--> ImmutableID [http://schemas.microsoft.com/LiveID/Federation/2008/05]
Ldap Attribute: DirXML-O365UPN [LDAP Attribute Profile] <--> UPN [http://schemas.xmlsoap.org/claims]
--------------------


The MsolDomainFederationSettings are as follows:

Code:
--------------------
Domain: : namtest.com
ActiveLogOnUri : https://namtest.com/nidp/wstrust/sts/active12
FederationBrandName : Namtest
IssuerUri : https://namtest.com/nidp/wsfed/
LogOffUri : https://namtest.com/nidp/jsp/o365wsfedlogout.jsp
MetadataExchangeUri : https://namtest.com/nidp/wstrust/sts/mex
PassiveLogOnUri : https://namtest.com/nidp/wsfed/ep?id=O365
PreferredAuthenticationProtocol : WsFed
--------------------


When I trace the authentication to login.microsoftonline.com it
looks like this:

Code:
--------------------
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="idwprQgPuci8W4Xkq2C4jrtseG1U8" IssueInstant="2014-11-11T08:00:09Z" Issuer="https://namtest.com/nidp/wsfed/" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2014-11-11T07:45:09Z" NotOnOrAfter="2014-11-11T08:15:09Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2014-11-11T08:00:09Z" AuthenticationMethod="0365/contract">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lcVOS89OPUm7k7qfZauFNw==</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lcVOS89OPUm7k7qfZauFNw==</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
<saml:AttributeValue>lcVOS89OPUm7k7qfZauFNw==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>wouter.valk@namtest.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#idwprQgPuci8W4Xkq2C4jrtseG1U8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">m0wo8JieJ9iK3frnA77qoUF71Dw=</DigestValue>
</ds:Reference>
</ds:SignedInfo>
<SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
2557JN5WhflwC49zjiiv5nwsWD0am20Pson5pqeXtsE01QYJ6Z ehqVYZ1fHQuo2qs516o51CWsSY
n54XvatadBisV1TzKkudZCwGI1l24PvizgDSDZwTrnAVItH34n TqJurzDdquEh/IgEDdS8Gi0e23
oqyOgxZtHu66T pDdugXAU9P1fpIAOLORSE3vB2U2d0H9iPfDBUODkOUCWb3uLLl QpDeoP/A9g9S
9h 2iS6lMzGTfrduFoT7Ga AJlYQsxCuFd91QjkqGP3uiHpD9b5yqe5ICxDHYA2TlmVc6NCx5 Rx6
nmvh2NDBRvAjU47Bbw8IyY9rd7hGPg9o11Gbbg==
</SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<!-- Removed -->
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
--------------------


When I get the information of the user, it all matches:

Code:
--------------------
PS C:\Windows\system32> get-msoluser -UserPrincipalName wvalk@namtest.com | fl *

DisplayName : Wouter Valk
Errors :
Fax :
FirstName : Wouter
ImmutableId : lcVOS89OPUm7k7qfZauFNw==
IsBlackberryUser : False
IsLicensed : True
LastDirSyncTime : 5-11-2014 15:54:38
LastName : Valk
LastPasswordChangeTimestamp : 5-11-2014 15:46:14
LicenseReconciliationNeeded : False
Licenses : {wvalk:ENTERPRISEPACK}
ObjectId : 5ccd40b5-da72-42f2-afca-223979133432
OverallProvisioningStatus : PendingInput
UserPrincipalName : wvalk@namtest.com
UserType : Member
ValidationStatus : Healthy

--------------------


My biggest worries are that the metadata URL is not the right URL, or the
response is not OK. When I go to the URL I get a formatted HTML page like
this, and the ports inside this metadata do not match the base URL:

Code:
--------------------
<html>
<head><title>
Web Services
</title></head>
<body>
<h1>Web Services</h1>
<table width='100%' border='1'>
<tr>
<td>
Endpoint
</td>
<td>
Information
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td></td></tr><tr><td>Port Name:</td><td></td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://namtest:8443/nidp/wstrust/sts/mex</td></tr><tr><td>WSDL:</td><td><a href="https://namtest:8443/nidp/wstrust/sts/mex?wsdl">https://namtest:8443/nidp/wstrust/sts/mex?wsdl</a></td></tr><tr><td>Implementation class:</td><td>com.sun.xml.ws.mex.server.MEXEndpoint</td></tr></table>
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust}SecurityTokenService</td></tr><tr><td>Port Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust}STS_Port</td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://namtest:8443/nidp/wstrust/sts</td></tr><tr><td>WSDL:</td><td><a href="https://namtest:8443/nidp/wstrust/sts?wsdl">https://namtest:8443/nidp/wstrust/sts?wsdl</a></td></tr><tr><td>Implementation class:</td><td>com.novell.nidp.wstrust.service.CustomSTS</td></tr></table>
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/saml}SecurityTokenService</td></tr><tr><td>Port Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/saml}STS_Port_saml</td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://namtest:8443/nidp/wstrust/sts/saml</td></tr><tr><td>WSDL:</td><td><a href="https://namtest:8443/nidp/wstrust/sts/saml?wsdl">https://namtest:8443/nidp/wstrust/sts/saml?wsdl</a></td></tr><tr><td>Implementation class:</td><td>com.novell.nidp.wstrust.service.CustomSamlSTS</td></tr></table>
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/active12}SecurityTokenService</td></tr><tr><td>Port Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/active12}STS_Port_active12</td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://namtest:8443/nidp/wstrust/sts/active12</td></tr><tr><td>WSDL:</td><td><a href="https://namtest:8443/nidp/wstrust/sts/active12?wsdl">https://namtest:8443/nidp/wstrust/sts/active12?wsdl</a></td></tr><tr><td>Implementation class:</td><td>com.novell.nidp.wstrust.service.CustomActive12STS</td></tr></table>
</td>
</tr>
</table>
</body>
</html>
--------------------


--
wvalk
------------------------------------------------------------------------
wvalk's Profile: https://forums.netiq.com/member.php?userid=6753
View this thread: https://forums.netiq.com/showthread.php?t=52157
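As an added consistency check (editor's example, not code from the post or from NetIQ Access Manager), the script below parses the traced SAML 1.1 assertion and compares its Issuer, Audience, NameIdentifier, ImmutableID and UPN claims with the IssuerUri and the Get-MsolUser record quoted above; all values are copied from the post, with the signature and certificate omitted. Run against those values it reports one finding: the UPN claim in the token (wouter.valk@namtest.com) differs from the tenant's UserPrincipalName (wvalk@namtest.com).

```python
# Added example: cross-check the claims in a traced O365 SAML 1.1 token
# against the tenant federation settings and the Get-MsolUser record.
import xml.etree.ElementTree as ET

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
IMMUTABLE_NS = "http://schemas.microsoft.com/LiveID/Federation/2008/05"
UPN_NS = "http://schemas.xmlsoap.org/claims"

# Constructed from the trace in the post; signature and certificate omitted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 AssertionID="idwprQgPuci8W4Xkq2C4jrtseG1U8" Issuer="https://namtest.com/nidp/wsfed/"
 IssueInstant="2014-11-11T08:00:09Z" MajorVersion="1" MinorVersion="1">
 <saml:Conditions NotBefore="2014-11-11T07:45:09Z" NotOnOrAfter="2014-11-11T08:15:09Z">
  <saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier>lcVOS89OPUm7k7qfZauFNw==</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="%s"><saml:AttributeValue>lcVOS89OPUm7k7qfZauFNw==</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="UPN" AttributeNamespace="%s"><saml:AttributeValue>wouter.valk@namtest.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""" % (IMMUTABLE_NS, UPN_NS)

# Reference values from Get-MsolDomainFederationSettings and Get-MsolUser in the post.
EXPECTED = {"issuer": "https://namtest.com/nidp/wsfed/",
            "audience": "urn:federation:MicrosoftOnline",
            "immutable_id": "lcVOS89OPUm7k7qfZauFNw==",
            "upn": "wvalk@namtest.com"}

def parse_claims(xml_text):
    """Extract issuer, audience, NameIdentifier and attribute claims from a SAML 1.1 assertion."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("AttributeName"): (a.get("AttributeNamespace"),
                                      a.findtext(SAML1 + "AttributeValue"))
             for a in root.iter(SAML1 + "Attribute")}
    return {"issuer": root.get("Issuer"),
            "audience": root.findtext(".//" + SAML1 + "Audience"),
            "name_id": root.findtext(".//" + SAML1 + "NameIdentifier"),
            "attrs": attrs}

def check_token(xml_text, expected):
    """Return a list of mismatches; an empty list means the token agrees with the tenant."""
    c = parse_claims(xml_text)
    problems = []
    if c["issuer"] != expected["issuer"]:
        problems.append("Issuer %r != IssuerUri %r" % (c["issuer"], expected["issuer"]))
    if c["audience"] != expected["audience"]:
        problems.append("Audience %r != %r" % (c["audience"], expected["audience"]))
    # ImmutableID must carry the LiveID namespace and equal the NameIdentifier and tenant ImmutableId.
    if c["attrs"].get("ImmutableID") != (IMMUTABLE_NS, expected["immutable_id"]) \
            or c["name_id"] != expected["immutable_id"]:
        problems.append("ImmutableID claim / NameIdentifier do not match the tenant ImmutableId")
    upn = c["attrs"].get("UPN")
    if upn != (UPN_NS, expected["upn"]):
        problems.append("UPN claim %r != UserPrincipalName %r" % (upn and upn[1], expected["upn"]))
    return problems
```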