Q: Office 365 via SAML/P
adam_j_bradley Feb 2, 2016 8:50 AM
Has anyone had any success with wiring up Office 365 via SAML/P? Somewhat amusingly the Azure SP is telling me that the WS-Federation message is invalid, even though the SAML/P Response seems reasonable, though it doesn't entirely line up with what Shibboleth generates.
Thanks in advance!
Additional technical information:
Correlation ID: 36f68e13-8037-45dc-ae3a-7a41e5d55d5c
Timestamp: 2016-02-02 13:40:43Z
AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.
<!-- NOTE(review): the outer Response is unsigned; only the Assertion below carries a Signature
     (its Reference URI points at the Assertion ID). Review comments are safe to add here: the
     canonicalization declared in SignedInfo is exc-c14n without the #WithComments variant, so
     comments never enter the digest or the signature value. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://login.microsoftonline.com/login.srf"
ID="ID_9e31432c-765d-4c4e-9676-3b7b4b5e55a3"
InResponseTo="_d8811c2a-f00c-4de7-b409-352d66acda3a"
IssueInstant="2016-02-02T13:40:41.575Z"
Version="2.0"
>
<saml:Issuer>https://keycloak-identityconcepts.rhcloud.com/auth/realms/Application</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- The default xmlns declared here duplicates the saml: prefix already bound on the Response;
     redundant but harmless. -->
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_76d8cf47-a24d-41e8-ad0e-2874a090f84a"
IssueInstant="2016-02-02T13:40:41.481Z"
Version="2.0"
>
<saml:Issuer>https://keycloak-identityconcepts.rhcloud.com/auth/realms/Application</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<!-- rsa-sha1 here and the sha1 DigestMethod below are deprecated; the current recommendation is
     rsa-sha256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) with
     http://www.w3.org/2001/04/xmlenc#sha256. Whether SHA-1 alone triggers AADSTS20012 cannot be
     determined from this message. -->
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#ID_76d8cf47-a24d-41e8-ad0e-2874a090f84a">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>TUzNvxcDiphib9yo5CUamj4slUU=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>NvK11/KUGCKtYysSqKjJKO9iUyCj9MDpumS0gdbtupIXCBCU0z98uWmE3OkiF1/GBtQeycQezve0qaQ8z5NPd9Tpk/799zPJFyh5z3ADCp/tWMfLOQpR40Cz1LEo4CQCdy1U9Ynt8a+oKJl78lNYb33NcYODsuubhUlIxXegkVnEWikNnknSEZhS9yzr566zr77qgM/puJnA51I661zHHeiN8fT05T8UOgB/qG8oCLqDTlbddL90ua4O0OjeJ5BWTkpA9S1tNthbvraM+Tq3M5485bNk1GBTELOh+1ebK+a0eqzc/w18JFJORxlAcWg8wCevgmOJ0mHG+zYViFKi0g==</dsig:SignatureValue>
<!-- KeyInfo presents both the X.509 certificate and a bare RSAKeyValue. A relying party should
     verify against the signing key it already trusts from the IdP's registered metadata or
     certificate, not against whichever key the message itself carries. -->
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>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</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>rF6GzvrQPuJ0Of6aH+TFjZgl4Ak0PAbRqYvdNaO/A3Iu0UheYPkY3jAMU37w1nyal8MrFCpKfb+QqDndImqUi/Gb2cMTmwtmjS3Knk42wcSGH1fwGRvFufuoXr4heKTr5WcmujzhQjWsgGslTROW4ijBUVBfMoKchytA4/NRMO98npHZYSdP/afL4hnMf9V8fWm+sa9jYkdU95tCw3AUTYCOTY/UxVl7XEBfxEiXzN9I4SBIdtcwYzXyhxbiUXzGpZo4R9F9b+jy7g5J6wjfkTAtGCl2hf9fzxHpIbm3bCofgpxblEryeuUOq/i86vfuQj+iTsa7AEilMYzpHd5Ogw==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<!-- NOTE(review): NameID is transient with a generated value, and ImmutableID is only sent as an
     attribute further down. As I recall, Microsoft's Office 365 SAML 2.0 profile expects the
     NameID to use the persistent format and to carry the user's ImmutableID, with IDPEmail as an
     attribute; this mismatch is the most likely reason the message is rejected as invalid.
     Confirm against the current Azure AD federation documentation. -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-00236752-53e4-486f-b193-c6721e3b8a53</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_d8811c2a-f00c-4de7-b409-352d66acda3a"
NotOnOrAfter="2016-02-02T13:45:39.481Z"
Recipient="https://login.microsoftonline.com/login.srf"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- The Conditions window is only 60 s (13:40:39 to 13:41:39), while SubjectConfirmationData allows
     until 13:45:39. The SP's error timestamp (13:40:43Z) falls inside the window, so validity is not
     the cause here, but 60 s leaves very little room for clock skew between IdP and SP. -->
<saml:Conditions NotBefore="2016-02-02T13:40:39.481Z"
NotOnOrAfter="2016-02-02T13:41:39.481Z"
>
<saml:AudienceRestriction>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-02-02T13:40:41.584Z"
SessionIndex="bb86ee3f-9baf-4cef-9762-f6b733b0ee60"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<!-- NameFormat URN is malformed on this attribute and on IDPEmail below: "SAML2.0" is missing a
     colon and should read urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. Correct it in the
     IdP attribute-mapper configuration rather than in this sample, since the Assertion is signed. -->
<saml:Attribute Name="ImmutableID"
NameFormat="urn:oasis:names:tc:SAML2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>cxcox5@gaidp2.adambradleyconsulting.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="IDPEmail"
NameFormat="urn:oasis:names:tc:SAML2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>cxcox5@gaidp2.adambradleyconsulting.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>