
    Q: Office 365 via SAML/P

    adam_j_bradley

      Has anyone had any success wiring up Office 365 via SAML/P, with Keycloak as the IdP? Somewhat amusingly, the Azure AD SP is telling me that the WS-Federation message is invalid (AADSTS20012, details below), even though the SAML/P Response it received seems reasonable, though it doesn't entirely line up with what Shibboleth generates.

       

      Thanks in advance!

       

       

       

       

       

       

       

       

       

      Additional technical information:

      Correlation ID: 36f68e13-8037-45dc-ae3a-7a41e5d55d5c
      Timestamp: 2016-02-02 13:40:43Z
      AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

       

       

      <!--
        Review notes on this captured SAML 2.0 Response (HTTP-POST binding), issued by the
        Keycloak realm named in saml:Issuer and addressed to the Azure AD endpoint in
        Destination. Only the enclosed saml:Assertion carries a dsig:Signature; the
        samlp:Response element itself is unsigned. Confirm against Microsoft's SAML 2.0
        IdP requirements which element(s) must be signed for this tenant.
        The AADSTS20012 error quoted above is a WS-Federation error, which suggests
        login.srf parsed this POST as a WS-Fed wsignin message rather than as a SAML-P
        SAMLResponse; check that the federated domain is configured for the SAML-P
        protocol and that the form field carrying this document is named SAMLResponse
        (neither is visible in the paste). Defects visible in the XML itself are
        flagged in the inline comments below.
      -->
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

        Destination="https://login.microsoftonline.com/login.srf"

        ID="ID_9e31432c-765d-4c4e-9676-3b7b4b5e55a3"

        InResponseTo="_d8811c2a-f00c-4de7-b409-352d66acda3a"

        IssueInstant="2016-02-02T13:40:41.575Z"

        Version="2.0"

        >

        <!-- NOTE(review): this Issuer value must match the IssuerUri registered for the
             federated domain in Azure AD; verify the two are byte-identical. -->
        <saml:Issuer>https://keycloak-identityconcepts.rhcloud.com/auth/realms/Application</saml:Issuer>

        <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

        </samlp:Status>

        <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"

        ID="ID_76d8cf47-a24d-41e8-ad0e-2874a090f84a"

        IssueInstant="2016-02-02T13:40:41.481Z"

        Version="2.0"

        >

        <saml:Issuer>https://keycloak-identityconcepts.rhcloud.com/auth/realms/Application</saml:Issuer>

        <!-- Enveloped signature over the Assertion only (Reference URI points at the
             Assertion ID); exclusive C14N without comments. -->
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

        <dsig:SignedInfo>

        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

        <!-- NOTE(review): SHA-1 signature and digest algorithms. SHA-1 is deprecated for
             XML-DSig; move the realm's signing configuration to rsa-sha256 / sha256
             unless the SP is known to require SHA-1. -->
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

        <dsig:Reference URI="#ID_76d8cf47-a24d-41e8-ad0e-2874a090f84a">

        <dsig:Transforms>

        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

        </dsig:Transforms>

        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

        <dsig:DigestValue>TUzNvxcDiphib9yo5CUamj4slUU=</dsig:DigestValue>

        </dsig:Reference>

        </dsig:SignedInfo>

        <dsig:SignatureValue>NvK11/KUGCKtYysSqKjJKO9iUyCj9MDpumS0gdbtupIXCBCU0z98uWmE3OkiF1/GBtQeycQezve0qaQ8z5NPd9Tpk/799zPJFyh5z3ADCp/tWMfLOQpR40Cz1LEo4CQCdy1U9Ynt8a+oKJl78lNYb33NcYODsuubhUlIxXegkVnEWikNnknSEZhS9yzr566zr77qgM/puJnA51I661zHHeiN8fT05T8UOgB/qG8oCLqDTlbddL90ua4O0OjeJ5BWTkpA9S1tNthbvraM+Tq3M5485bNk1GBTELOh+1ebK+a0eqzc/w18JFJORxlAcWg8wCevgmOJ0mHG+zYViFKi0g==</dsig:SignatureValue>

        <!-- NOTE(review): KeyInfo carries both the signing certificate and a bare
             RSAKeyValue. A relying party must verify the signature against the
             certificate registered for this IdP out of band, never against the key
             embedded here, which an attacker controls in a forged message. -->
        <dsig:KeyInfo>

        <dsig:X509Data>

        <!-- certificate text elided in this paste -->
        <dsig:X509Certificate>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</dsig:X509Certificate>

        </dsig:X509Data>

        <dsig:KeyValue>

        <dsig:RSAKeyValue>

        <dsig:Modulus>rF6GzvrQPuJ0Of6aH+TFjZgl4Ak0PAbRqYvdNaO/A3Iu0UheYPkY3jAMU37w1nyal8MrFCpKfb+QqDndImqUi/Gb2cMTmwtmjS3Knk42wcSGH1fwGRvFufuoXr4heKTr5WcmujzhQjWsgGslTROW4ijBUVBfMoKchytA4/NRMO98npHZYSdP/afL4hnMf9V8fWm+sa9jYkdU95tCw3AUTYCOTY/UxVl7XEBfxEiXzN9I4SBIdtcwYzXyhxbiUXzGpZo4R9F9b+jy7g5J6wjfkTAtGCl2hf9fzxHpIbm3bCofgpxblEryeuUOq/i86vfuQj+iTsa7AEilMYzpHd5Ogw==</dsig:Modulus>

        <dsig:Exponent>AQAB</dsig:Exponent>

        </dsig:RSAKeyValue>

        </dsig:KeyValue>

        </dsig:KeyInfo>

        </dsig:Signature>

        <saml:Subject>

        <!-- NOTE(review): transient NameID with an opaque Keycloak-generated value; the
             user's ImmutableID is only sent as an attribute further down. Microsoft's
             SAML-P federation guidance expects a persistent-format NameID whose value
             is the user's ImmutableID; confirm against current docs and adjust the
             Keycloak client's NameID format / mapper accordingly. -->
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-00236752-53e4-486f-b193-c6721e3b8a53</saml:NameID>

        <!-- Bearer confirmation bound to the original request (InResponseTo) and to the
             SP endpoint (Recipient); both match the Response header above. -->
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

        <saml:SubjectConfirmationData InResponseTo="_d8811c2a-f00c-4de7-b409-352d66acda3a"

        NotOnOrAfter="2016-02-02T13:45:39.481Z"

        Recipient="https://login.microsoftonline.com/login.srf"

        />

        </saml:SubjectConfirmation>

        </saml:Subject>

        <!-- NOTE(review): the assertion is valid for one minute (NotBefore to
             NotOnOrAfter) while the bearer confirmation above allows five. The failure
             timestamp quoted above (13:40:43Z) is inside both windows, so validity is
             not the cause of this error, but a 60 s window leaves little room for
             clock skew between IdP and SP. -->
        <saml:Conditions NotBefore="2016-02-02T13:40:39.481Z"

        NotOnOrAfter="2016-02-02T13:41:39.481Z"

        >

        <saml:AudienceRestriction>

        <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>

        </saml:AudienceRestriction>

        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2016-02-02T13:40:41.584Z"

        SessionIndex="bb86ee3f-9baf-4cef-9762-f6b733b0ee60"

        >

        <saml:AuthnContext>

        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>

        </saml:AuthnContext>

        </saml:AuthnStatement>

        <saml:AttributeStatement>

        <!-- DEFECT: NameFormat on both attributes is "urn:oasis:names:tc:SAML2.0:..."
             with the colon between SAML and 2.0 missing. The standard URN, consistent
             with the namespace URNs on the root element, is
             urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. A strict SP may
             reject the message or silently drop these attributes. Fix the attribute
             mapper configuration in the Keycloak client. -->
        <saml:Attribute Name="ImmutableID"

        NameFormat="urn:oasis:names:tc:SAML2.0:attrname-format:unspecified"

        >

        <!-- NOTE(review): ImmutableID is sent as an e-mail address, identical to
             IDPEmail below. Azure AD matches this value against the federated user's
             ImmutableId (source anchor); verify the users in this tenant were
             provisioned with exactly this value, otherwise the assertion cannot be
             mapped to a user even once the protocol error is resolved. -->
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"

        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

        xsi:type="xs:string"

        >cxcox5@gaidp2.adambradleyconsulting.com</saml:AttributeValue>

        </saml:Attribute>

        <saml:Attribute Name="IDPEmail"

        NameFormat="urn:oasis:names:tc:SAML2.0:attrname-format:unspecified"

        >

        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"

        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

        xsi:type="xs:string"

        >cxcox5@gaidp2.adambradleyconsulting.com</saml:AttributeValue>

        </saml:Attribute>

        </saml:AttributeStatement>

        </saml:Assertion>

      </samlp:Response>