cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Office 365 Single sign On

scl-family_1
Copper Contributor

‎Nov 27 2018 01:12 AM - edited ‎Nov 27 2018 01:29 AM

‎Nov 27 2018 01:12 AM - edited ‎Nov 27 2018 01:29 AM

Office 365 Single sign On

I want to integrate single sign on(SSO) with Office 365.I am using third party IDP GLUU. and Sync Adfs with with office365 admin pannel. When i entered email in office365 login then it is correctly redirected to gluu SignIn page then I entered username and password and got error "InvalidNameIDPolicy".
 
Please find  saml request- response:-
 
SAML Request:
<samlp:AuthnRequest ID="_099e3e23-d100-4c9b-afb1-29d7ee1e2019"
                    Version="2.0"
                    IssueInstant="2018-11-22T08:32:34.061Z"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>
 
 
SAML Response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://login.microsoftonline.com/login.srf"
                 ID="_164f7c5ac5cf38223372c1bd44ce603f"
                 InResponseTo="_5e69eec0-50a8-474c-adac-b56b76c7856e"
                 IssueInstant="2018-11-22T05:11:17.888Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cashnow.co.in/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>
 
 
I know error is  "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy".
 So just want to know this error comes from ADFS side or IDP side?
 If this error comes from ADFS side then how to resolve this issue?
 
 
 
 
 
 
 
 
Labels:
2,134 Views
0 Likes
2 Replies
Reply
2 Replies
Adam Ochs

‎Nov 27 2018 07:26 AM

‎Nov 27 2018 07:26 AM

Re: Office 365 Single sign On

Hey @scl-family_1,

 

It looks to me like the email address is not getting mapped properly to the username or "nameID" inside of your SAML application. Essentially something else is being tested against Office 365 from the IDP.

 

To fix this, I would look at creating a claims rule inside of ADFS to change the nameID to the email address for your users.

 

This article walks through the process of creating that claim.

https://help.screensteps.com/m/remote_authentication/l/841006-troubleshooting-saml-for-adfs

 

Once that is in place, I would expect you to resolve the error you are seeing.

 

Adam

0 Likes
Reply
scl-family_1

‎Nov 27 2018 10:32 PM

‎Nov 27 2018 10:32 PM

Re: Office 365 Single sign On

Dear Adam,
I have tried your suggestion but same result and error.
I am using Gluu Idp.Please find doc for Integration Office365 in Gluu.
https://gluu.org/docs/ce/3.1.3/integration/saas/office/

IDP requires three attributes IDPEmail, ImmutableID and objectguid
you can find in doc that IDP requires nameID 'ImmutableID' .This is a 'persistent' type nameID; base attribute 'objectguid'
0 Likes
Reply