scl-family_1
Copper Contributor
Nov 27, 2018

Office 365 Single Sign-On

I want to integrate single sign-on (SSO) with Office 365. I am using the third-party IdP Gluu, and have synced ADFS with the Office 365 admin panel. When I enter an email address in the Office 365 login, it is correctly redirected to the Gluu sign-in page; then I enter the username and password and get the error "InvalidNameIDPolicy".
 
Please find the SAML request and response:
 
SAML Request:
<samlp:AuthnRequest ID="_099e3e23-d100-4c9b-afb1-29d7ee1e2019"
                    Version="2.0"
                    IssueInstant="2018-11-22T08:32:34.061Z"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</samlp:AuthnRequest>
 
 
SAML Response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://login.microsoftonline.com/login.srf"
                 ID="_164f7c5ac5cf38223372c1bd44ce603f"
                 InResponseTo="_5e69eec0-50a8-474c-adac-b56b76c7856e"
                 IssueInstant="2018-11-22T05:11:17.888Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cashnow.co.in/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>
 
 
I know the error is "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy".
So I just want to know: does this error come from the ADFS side or from the IdP side?
If it comes from the ADFS side, how do I resolve it?
 
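As an added example that is not part of the thread: the script below parses the AuthnRequest and the Response pasted above (copied verbatim from the post) and reads off the two things that answer the question. The element that carries the Status is the Response, and its Issuer is https://cashnow.co.in/idp/shibboleth, i.e. the Gluu/Shibboleth IdP, so the rejection was generated on the IdP side. The top-level StatusCode `Requester` is the IdP's statement that the fault lies with the request it received, and the nested `InvalidNameIDPolicy` code is defined in SAML 2.0 core (section 3.2.2.2) as "the responding provider cannot or will not support the requested name identifier policy", which here is the `persistent` Format in the NameIDPolicy. The script also checks that InResponseTo equals the request ID: in the pasted pair it does not (and the IssueInstant values are hours apart), so these two captures come from different sign-in attempts and a correlated pair should be collected before acting on them.

```python
"""Added example (not code from the thread): parse the SAML AuthnRequest and
Response posted above and report where the InvalidNameIDPolicy status was
produced, which party it blames, and whether the two messages even belong
to the same sign-in attempt.  The XML literals are copied from the post."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# AuthnRequest as posted (sent by Microsoft Online to the IdP).
AUTHN_REQUEST = """<samlp:AuthnRequest ID="_099e3e23-d100-4c9b-afb1-29d7ee1e2019"
                    Version="2.0"
                    IssueInstant="2018-11-22T08:32:34.061Z"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</samlp:AuthnRequest>"""

# Response as posted (sent by the IdP back to login.microsoftonline.com).
RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://login.microsoftonline.com/login.srf"
                 ID="_164f7c5ac5cf38223372c1bd44ce603f"
                 InResponseTo="_5e69eec0-50a8-474c-adac-b56b76c7856e"
                 IssueInstant="2018-11-22T05:11:17.888Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cashnow.co.in/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""


def parse_request(xml_text):
    """Pull the request ID, the requesting entity and the NameIDPolicy Format."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


def parse_response(xml_text):
    """Pull the responding entity, InResponseTo and the nested status codes.

    SAML nests the second-level (reason) code inside the top-level (blame)
    code, so both have to be read from the same Status element."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "in_response_to": root.get("InResponseTo"),
        "top_status": top.get("Value") if top is not None else None,
        "second_status": nested.get("Value") if nested is not None else None,
        "message": root.findtext("samlp:Status/samlp:StatusMessage", namespaces=NS),
    }


def _short(status_uri):
    return status_uri.replace(STATUS_PREFIX, "") if status_uri else None


def diagnose(request_xml, response_xml):
    """Summarise who produced the error, whom it blames, and why."""
    req = parse_request(request_xml)
    resp = parse_response(response_xml)
    return {
        # The Status lives in the Response; its Issuer generated the rejection.
        "issued_by": resp["issuer"],
        # Top-level code: Requester or Responder (SAML 2.0 core 3.2.2.2).
        "top_level_status": _short(resp["top_status"]),
        # Second-level code: the reason the responder gives.
        "second_level_status": _short(resp["second_status"]),
        "requested_nameid_format": (req["nameid_format"] or "").rsplit(":", 1)[-1],
        # Only a Response whose InResponseTo equals the request ID answers it.
        "in_response_to_matches": resp["in_response_to"] == req["id"],
    }


if __name__ == "__main__":
    for key, value in diagnose(AUTHN_REQUEST, RESPONSE).items():
        print(f"{key:>26}: {value}")
```

Run it against a correlated request/response pair captured from one sign-in (browser SAML tracer, then base64/inflate the messages) rather than the two messages above, which are from different attempts.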
  • Adam Ochs
    Steel Contributor

    Hey scl-family_1,

    It looks to me like the email address is not getting mapped properly to the username or "nameID" inside of your SAML application. Essentially something else is being tested against Office 365 from the IdP.

    To fix this, I would look at creating a claims rule inside of ADFS to change the nameID to the email address for your users.

    This article walks through the process of creating that claim:

    https://help.screensteps.com/m/remote_authentication/l/841006-troubleshooting-saml-for-adfs

    Once that is in place, I would expect you to resolve the error you are seeing.

    Adam

    • scl-family_1
      Copper Contributor
      Dear Adam,
      I have tried your suggestion but got the same result and error.
      I am using the Gluu IdP. Please find the doc for integrating Office 365 with Gluu:
      https://gluu.org/docs/ce/3.1.3/integration/saas/office/

      The IdP requires three attributes: IDPEmail, ImmutableID and objectguid.
      You can find in the doc that the IdP requires nameID 'ImmutableID'. This is a 'persistent' type nameID; base attribute 'objectguid'.

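As an added example, not from the thread or from the Gluu documentation: the reply above says the NameID has to be a `persistent` ImmutableID derived from the AD `objectGUID`. The script below derives that value and then checks a candidate Subject/NameID against the Format requested in the AuthnRequest, which is the check to run on the IdP's output once the attribute mapping has been changed. One assumption is made that the thread does not state: ImmutableID is the base64 encoding of the 16 raw objectGUID bytes in the byte order Active Directory stores them (the mixed-endian order that .NET `Guid.ToByteArray()` produces and Python exposes as `UUID.bytes_le`), which is the encoding Microsoft documents for ImmutableID. Using the textbook big-endian `UUID.bytes` instead produces a value that never matches the synchronised user, so the conversion is the point worth testing.

```python
"""Added example (not the thread's or Gluu's code): build the ImmutableID
NameID that Office 365 expects from an AD objectGUID and verify that a
Subject/NameID satisfies a requested NameIDPolicy Format.

Assumption (from Microsoft's ImmutableID format, not from the thread):
ImmutableID = base64(16 raw objectGUID bytes in AD storage order)."""
import base64
import binascii
import uuid
import xml.etree.ElementTree as ET
from typing import Tuple

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML_NS)


def immutable_id_from_objectguid(guid_text: str) -> str:
    """objectGUID as displayed by AD tools -> ImmutableID.

    bytes_le reproduces the byte order AD stores and Azure AD Connect
    synchronises; UUID.bytes (big-endian) is the classic wrong choice."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_raw_bytes(immutable_id: str) -> bytes:
    """Decode an ImmutableID, rejecting anything that is not 16 base64 bytes."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return raw


def objectguid_from_immutable_id(immutable_id: str) -> str:
    """Inverse mapping, useful when reading an ImmutableID out of a captured assertion."""
    return str(uuid.UUID(bytes_le=immutable_id_raw_bytes(immutable_id)))


def build_subject(name_id_value: str, name_id_format: str = PERSISTENT) -> str:
    """The Subject/NameID element an IdP has to emit for a persistent request."""
    subject = ET.Element(f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=name_id_format)
    name_id.text = name_id_value
    return ET.tostring(subject, encoding="unicode")


def check_subject(subject_xml: str, requested_format: str) -> Tuple[bool, str]:
    """Would this Subject satisfy the NameIDPolicy Format the SP requested,
    and does its value decode to an objectGUID-sized ImmutableID?"""
    name_id = ET.fromstring(subject_xml).find(f"{{{SAML_NS}}}NameID")
    if name_id is None:
        return False, "no NameID element in Subject"
    fmt = name_id.get("Format")
    if fmt != requested_format:
        return False, f"NameID Format {fmt!r} does not match requested {requested_format!r}"
    try:
        immutable_id_raw_bytes(name_id.text or "")
    except (ValueError, binascii.Error) as exc:
        return False, f"NameID value is not a base64-encoded objectGUID: {exc}"
    return True, "NameID satisfies the requested policy"


if __name__ == "__main__":
    # Constructed sample objectGUID, not a real directory object.
    sample_guid = "12345678-9abc-def0-1234-56789abcdef0"
    immutable_id = immutable_id_from_objectguid(sample_guid)
    print("ImmutableID:", immutable_id)
    print(build_subject(immutable_id))
    print(check_subject(build_subject(immutable_id), PERSISTENT))
    # An email address in the NameID slot fails the value check.
    print(check_subject(build_subject("user@example.com"), PERSISTENT))
```

`check_subject` deliberately tests both the Format attribute and the shape of the value: an IdP can be reconfigured to emit `persistent` and still put an email address or a big-endian GUID in the NameID, which passes the policy but does not match the user.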