Integrating Office 365 with OIF/IdP

This is a continuation of my previous article where I will configure OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

Be sure to have read the article about pre-requisites.

The integration will cover:

  • Browser Federation SSO integration: this is the flow the user will exercise when accessing www.office365.com resources via a browser:
    • www.office365.com will prompt the user to enter their email address
    • The server will detect that Federation SSO should be used for that domain and will start a Federation SSO flow with OIF/IdP
    • OIF/IdP will challenge the user, create a SAML Assertion and redirect the user to www.office365.com
    • www.office365.com will grant access to the user
  • ActiveSync mail integration: in this flow, the user will use a mail application configured for Office 365
    • When the mail application is started, it will send the user’s credentials (email address and IdP password) to Office 365
    • www.office365.com will make a direct connection over SSL to the IdP and will use the SAML 2.0 ECP protocol to send a SAML AuthnRequest together with the user’s credentials via HTTP Basic Authentication
    • OIF/IdP will validate those credentials and return a SAML Assertion via the ECP protocol
    • Office 365 will grant access to the mail application

It is important to note that integration with Office 365 will not work for components that do not use SAML 2.0, such as:

  • Lync clients
  • OWA Mobile Apps

This article is based on:

  • The testing performed by Thomas Guo from Oracle and myself
  • The Microsoft article regarding SAML 2.0 support for Office 365 and more specifically the technical document listing steps required to configure Office 365 (user management and Federation trust establishment):
  • Microsoft Blog
  • Technical document describing how to configure Office 365

Testing Environment


For this test integration, I will use the following approach:

  • User alice at OAM/OIF:
    • Username (uid attribute): alice.appleton
    • Email address (mail attribute): alice.appleton@acme.com
    • First name (givenname attribute): Alice
    • Last name (sn attribute): Appleton
  • User alice at Office 365 (see the Microsoft technical document for more information on how to create a user in Azure AD):
    • UserPrincipalName: alice.appleton@acme.com
    • ImmutableId: alice.appleton
    • DisplayName: Alice Appleton
    • FirstName: Alice
    • LastName: Appleton
    • UsageLocation: US
  • Federation agreement:
    • SAML 2.0 NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • LDAP attribute used to populate SAML 2.0 NameID value: uid (because the NameID must match the ImmutableId)
    • SAML Attribute contained in the SAML Assertion
      • Name: IDPEmail
      • LDAP Attribute used to populate this attribute value: mail (because the attribute value must match the UserPrincipalName)
  • Office 365 specifics:
    • The domain name will be acme.com
    • The protocol used will be SAMLP
    • ActiveSync mail application will be supported

OIF Configuration

Setting up Office 365 as an SP in OIF/IdP consists of:

  • Creating an SP Attribute Profile in order to send the IDPEmail attribute containing the mail attribute
  • Creating an SP partner for Office 365 and binding it to the new SP Attribute Profile
  • Updating the Office 365 SP Partner configuration for:
    • SHA-1 hashing algorithm in signatures
    • Inclusion of OIF’s signing certificate in outgoing SAML messages
    • HTTP Basic Auth for ActiveSync mail integration

Office 365 Configuration


Please refer to the following Microsoft information when reading this section:

Windows PowerShell

Ensure that the Windows PowerShell tools are installed on the computer from which you will connect to Office 365 for administration purposes.

Provisioning OIF/IdP as a Partner in Office 365

To create OIF as an IdP partner for the acme.com domain in Office 365, perform the following steps:

  • Connect to Office 365 as the administrator for acme.com
    Connect-MsolService
  • Set the following PowerShell variables (the values are the ones retrieved in the pre-requisites section; note that the string for $idpSigningCert is on the same line as $idpSigningCert =, and that it is a single line with no line breaks):
    • $domainName = "acme.com"
    • $BrandName = "ACME IdP"
    • $browserSSOLoginURL = "https://acme.com/oamfed/idp/samlv20"
    • $ecpSSOURL = "https://acme.com/oamfed/idp/soap"
    • $logoutURL = "https://acme.com/oamfed/idp/samlv20"
    • $issuerProviderID = "https://acme.com/oam/fed"
    • $idpSigningCert = "MIIB+DCCAWGgAwIBAgIBCjANB......oInVUbGTBDMfqmW5iZ/wjpzItg=="
    • $ssoProtocol = "SAMLP"
  • Execute the following command using the above variables:
    Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -ActiveLogOnUri $ecpSSOURL -SigningCertificate $idpSigningCert -IssuerUri $issuerProviderID -LogOffUri $logoutURL -PreferredAuthenticationProtocol $ssoProtocol
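A line break inside the $idpSigningCert string is the usual reason this command produces a federation trust that cannot validate OIF's signatures. The following Python helper is an added example (not part of the original article, and not an Oracle or Microsoft tool): it takes the PEM certificate exported from OIF in the pre-requisites step, collapses it to the single-line base64 DER value that -SigningCertificate expects, checks that the result actually decodes as a DER certificate, and returns the SHA-1 thumbprint so you can compare the value stored in Azure AD with the certificate in OIF's keystore. The PEM embedded below is a constructed placeholder with a valid ASN.1 header, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Tuple

# Constructed sample: a fake DER blob that begins with an ASN.1 SEQUENCE
# header (0x30 0x82 0x01 0x00 = SEQUENCE of 256 bytes), wrapped in PEM armour
# the way keytool or openssl would emit it. It is NOT a real certificate;
# substitute the OIF signing certificate exported in the pre-requisites article.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", SAMPLE_B64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_msol_signing_cert(pem: str) -> Tuple[str, str]:
    """Return (single-line base64 DER, SHA-1 thumbprint) for -SigningCertificate.

    Set-MsolDomainAuthentication expects the raw base64 DER on one line with
    no PEM armour; a surviving newline yields a certificate Azure AD cannot
    use, and the failure only shows up later as a rejected SAML Response.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    b64 = "".join(body.split())  # drop every newline, space and tab
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 debris
    # A DER certificate is an ASN.1 SEQUENCE; anything else means the wrong
    # file was exported (a private key or PKCS#12 bundle, for instance).
    if not der or der[0] != 0x30:
        raise ValueError("input is not a DER-encoded X.509 certificate")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    return b64, thumbprint


if __name__ == "__main__":
    value, thumb = pem_to_msol_signing_cert(SAMPLE_PEM)
    print(f'$idpSigningCert = "{value}"')
    print(f"SHA-1 thumbprint: {thumb}")
```

Paste the first printed line into the PowerShell session in place of the $idpSigningCert assignment above; the thumbprint is the value to compare against the OIF signing certificate when troubleshooting a signature validation failure on the Office 365 side.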

OIF Configuration


SP Attribute Profile

To create a new SP Attribute Profile that will be set up to send the SAML IDPEmail Attribute containing the user’s UPN value, perform the following operations:

Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole

  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the “Service Provider Attribute Profiles” tab
  • Click on the “Create SP Attribute Profile” button
  • Enter a name for the new profile (for example Office365-attr-profile)
  • In the Attribute Mapping section, click Add
  • Enter the following information:
    • Message Attribute Name: IDPEmail
    • Value: enter the LDAP user attribute containing the user’s UPN in the directory used by OAM (in this example: user -> attr -> mail)
    • Always send: checked
    • Click OK

The Attribute Profile will be shown:

  • Click Save

Office 365 SP Partner

To add Office 365 as an SP partner in OIF, execute the following steps:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the “Create Service Provider Partner” button
  • In the Create screen:
    • Enter a name for the partner (for example Office365)
    • Select SAML 2.0 as the Protocol
    • Click Load Metadata and upload the SAML 2.0 Metadata file for Office 365
    • Select Persistent as the NameID format
    • Enter the LDAP user attribute that contains the user’s ImmutableId value (in this example, uid)
    • Select the SP Attribute Profile that was previously created (in this example Office365-attr-profile)
    • Click Save

SHA-1 Hash Algorithm for Digital Signatures

To configure OIF to use SHA-1 for signatures for the Office 365 SP partner, execute the following steps:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the configureFedDigitalSignature() command:
    configureFedDigitalSignature(partner="PARTNER_NAME", partnerType="sp", algorithm="SHA-1")
    • Replace PARTNER_NAME with the name of the added partner (the algorithm parameter accepts "SHA-256" or "SHA-1"; because the command takes a partner name, the SHA-1 setting applies to the Office 365 partner only and other partners keep their own configuration)
    • An example would be:
      configureFedDigitalSignature(partner="Office365", partnerType="sp", algorithm="SHA-1")
  • Exit the WLST environment:
    exit()

OIF’s Signing Certificate in XML Digital Signatures

To configure OIF so that the Federation server will include its X.509 signing certificate in all outgoing signed SAML messages for the Office 365 SP partner, execute the following steps:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the updatePartnerProperty() command:
    updatePartnerProperty("PARTNER_NAME", "sp", "includecertinsignature", "true", "boolean")
    • Replace PARTNER_NAME with the name of the added partner
    • An example would be:
      updatePartnerProperty("Office365", "sp", "includecertinsignature", "true", "boolean")
  • Exit the WLST environment:
    exit()

HTTP Basic Auth for ActiveSync Mail Integration

In the SAML 2.0 ECP flow, the Office 365 server will make a direct connection to OIF/IdP using SOAP over HTTPS and will post a SAML AuthnRequest message. Alongside the SOAP request, the HTTP request will carry the user’s credentials in the HTTP Basic Authentication header.

OIF/IdP must be configured to use an OAM HTTP Basic Authentication scheme to validate those credentials. This operation must also not result in an OAM session being created, since it is a credential validation initiated by the Office 365 server rather than a user interacting with OAM/OIF. For those reasons, OIF/IdP must be configured to use a scheme based on:

  • BASIC mode
  • With the challenge parameters containing the CookieLessMode=true entry

The BasicSessionlessScheme can be used for this flow.

Also, OIF must be configured to send "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" as a SAML 2.0 Authentication Method when the client is authenticated via the BasicSessionlessScheme.

To configure OIF to use HTTP Basic Authentication in the SAML 2.0 ECP flow, execute the following steps:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the setSPPartnerAlternateScheme() command to instruct OIF to use BasicSessionlessScheme :
    setSPPartnerAlternateScheme(PARTNER_NAME, "true", httpHeaderName="X-MS-Client-Application", httpHeaderExpression=".*Microsoft.Exchange..*", authnScheme="BasicSessionlessScheme")
    • Replace PARTNER_NAME with the name of the added partner
    • An example would be:
      setSPPartnerAlternateScheme("Office365", "true", httpHeaderName="X-MS-Client-Application", httpHeaderExpression=".*Microsoft.Exchange..*", authnScheme="BasicSessionlessScheme")
  • Retrieve the OIF Fed partner profile used by the Office 365 SP partner in OIF (see next article for more information on Partner Profiles):
    getFedPartnerProfile(PARTNER_NAME, "sp")
    • Replace PARTNER_NAME with the name of the added partner
    • An example would be:
      getFedPartnerProfile("Office365", "sp")
    • Write down the returned value
  • Execute the addSPPartnerProfileAuthnMethod() command to instruct OIF to send "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" as the SAML 2.0 Authentication Method when the client is authenticated via BasicSessionlessScheme:
    addSPPartnerProfileAuthnMethod(PARTNER_PROFILE, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "BasicSessionlessScheme")
    • Replace PARTNER_PROFILE with the value retrieved in the earlier step
    • An example would be:
      addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "BasicSessionlessScheme")
  • Exit the WLST environment:
    exit()
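To make the effect of the three WLST commands above concrete, here is an added Python model (example code, not part of the original article and not OIF's implementation) of what OIF/IdP does with a single request on the ECP endpoint: it applies the X-MS-Client-Application regex from setSPPartnerAlternateScheme() to decide between BasicSessionlessScheme and the interactive scheme, decodes the HTTP Basic credentials, validates them without creating a session (CookieLessMode=true), and tags a successful authentication with the PasswordProtectedTransport authentication method from addSPPartnerProfileAuthnMethod(). The header value "Microsoft.Exchange.Autodiscover", the LDAPScheme default, the full-match regex semantics and the sample user store are assumptions; only the header name, the regex and the scheme names come from the configuration above.

```python
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

# Mirrors the setSPPartnerAlternateScheme() arguments above. The regex is copied
# verbatim: its dots are unescaped wildcards, so any value containing
# "Microsoft<any char>Exchange<any char>" selects the alternate scheme.
ALT_SCHEME_HEADER = "X-MS-Client-Application"
ALT_SCHEME_REGEX = re.compile(r".*Microsoft.Exchange..*")
ALT_SCHEME = "BasicSessionlessScheme"
DEFAULT_SCHEME = "LDAPScheme"  # assumed scheme for interactive (browser) users
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value in which the mail client's credentials arrive."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample headers modelled on an Office 365 call to /oamfed/idp/soap
# (the header value is an assumption; only the header name comes from the article).
SAMPLE_ECP_HEADERS = {
    "Content-Type": "text/xml; charset=utf-8",
    ALT_SCHEME_HEADER: "Microsoft.Exchange.Autodiscover",
    "Authorization": basic_header("alice.appleton", "s3cret!"),
}
SAMPLE_BROWSER_HEADERS = {"User-Agent": "Mozilla/5.0"}

# Constructed sample user store standing in for the LDAP bind OAM performs.
SAMPLE_USERS = {"alice.appleton": "s3cret!"}


def sample_verify(user: str, password: str) -> bool:
    return SAMPLE_USERS.get(user) == password


def select_scheme(headers: Dict[str, str]) -> str:
    """Use the alternate scheme only when the configured header matches the regex
    (full-match semantics assumed, as with Java's String.matches)."""
    value = headers.get(ALT_SCHEME_HEADER, "")
    return ALT_SCHEME if ALT_SCHEME_REGEX.fullmatch(value) else DEFAULT_SCHEME


def parse_basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <b64>' into (user, password); None if malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # RFC 7617: first colon splits the pair
    return (user, password) if sep and user else None


def authenticate_ecp_request(headers: Dict[str, str], is_tls: bool, verify_password) -> dict:
    """Model OIF/IdP's handling of one request on the ECP endpoint."""
    if not is_tls:
        # Basic auth carries the cleartext password; the endpoint must be HTTPS-only.
        raise PermissionError("ECP endpoint reached without TLS")
    scheme = select_scheme(headers)
    result = {"scheme": scheme, "authenticated": False, "user": None,
              "session_created": False, "authn_context": None, "challenge": None}
    if scheme != ALT_SCHEME:
        result["challenge"] = "redirect to the interactive login page"
        return result
    creds = parse_basic_credentials(headers)
    if creds is None or not verify_password(*creds):
        result["challenge"] = 'WWW-Authenticate: Basic realm="OIF"'
        return result
    # CookieLessMode=true: credentials validated and an assertion can be issued,
    # but no OAM session cookie is created for the Office 365 server.
    result.update(authenticated=True, user=creds[0], authn_context=PASSWORD_PROTECTED_TRANSPORT)
    return result
```

The TLS check is the part worth keeping in mind when fronting OIF with a load balancer: if TLS terminates in front of the server, make sure the ECP path is not also reachable over plain HTTP, since every mail client's password transits it in a Basic header.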

Testing


Browser SSO

To test the Browser SSO flow:

  • Open a browser
  • Go to http://office365.com
  • Click Sign In
  • Enter the user’s email address and click Next
  • Office 365 will attempt to locate your Office 365 domain based on the suffix of the email address
  • Once the domain has been located, Office 365 will trigger a Federation SSO flow and redirect you to OIF/IdP for authentication
  • At OIF/IdP, enter the username/password (depending on the Authentication scheme used to authenticate Federated users, LDAPScheme in this example)
  • Click Login

OIF/IdP will validate the credentials, create a SAML 2.0 Assertion and redirect the user back to Office 365, where the user will be granted access.
A sample SAML 2.0 Assertion sent by OIF / IdP to Office 365 would look like:

<samlp:Response ... Destination="https://login.microsoftonline.com/login.srf" ID="id--eBpq-cnpGfrWXMpBIjxN7QPQKa6WTVtnuZZr0Qe" InResponseTo="_d111d2a7-3475-4bc2-928f-34b83a4a0f64" IssueInstant="2014-01-18T16:58:05Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://acme.com/oam/fed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-nTZcRuTaECKj2X9wzUTn7e-CknyECbGljTSo1T70" IssueInstant="2014-01-18T16:58:05Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://acme.com/oam/fed</saml:Issuer>
    <dsig:Signature>
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#id-nTZcRuTaECKj2X9wzUTn7e-CknyECbGljTSo1T70">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dsig:DigestValue>6iKaxdO74Xi5eRnv0X7nsmN/y10=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>WYCBhIgPLafDeXroMSME80/QM...K/sNsI=</dsig:SignatureValue>
      <dsig:KeyInfo>
        <dsig:X509Data>
          <dsig:X509Certificate>MIIB+DCCAWGgA...plaoMZLcRoInVUbGTBDMfqmW5iZ/wjpzItg==</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://acme.com/oam/fed" SPNameQualifier="urn:federation:MicrosoftOnline">alice.appleton</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_d111d2a7-3475-4bc2-928f-34b83a4a0f64" NotOnOrAfter="2014-01-18T17:03:05Z" Recipient="https://login.microsoftonline.com/login.srf"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-18T16:58:05Z" NotOnOrAfter="2014-01-18T17:03:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-01-18T16:58:05Z" SessionIndex="id-IM-SvfoQa8uVVtSmN-lrdOfgEVKFJHF8AhmIDzj-" SessionNotOnOrAfter="2014-01-18T17:58:05Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">alice.appleton@acme.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
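The sample Response above encodes every decision made in this article: the persistent NameID carrying the uid (ImmutableId), the IDPEmail attribute carrying the mail attribute (UserPrincipalName), the urn:federation:MicrosoftOnline audience, the SHA-1 signature and the embedded X.509 certificate. The following Python checker is an added example (not part of the original article and not OIF or Office 365 code) that re-reads a captured Response and reports which of those contract points fail, which is the quickest way to localize a "user not found" or "invalid assertion" error on the Office 365 side. It checks the mapping, audience, bearer confirmation, validity window and signature hygiene; it deliberately does not verify the XML signature, which needs the IdP certificate and an XML-DSig library. The embedded Response is a constructed sample modelled on the one above, with placeholder signature and certificate values and shortened IDs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the Response above; SignatureValue and
# X509Certificate are placeholders, not real cryptographic material.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://login.microsoftonline.com/login.srf" ID="id-resp-1"
    InResponseTo="_d111d2a7-3475-4bc2-928f-34b83a4a0f64" IssueInstant="2014-01-18T16:58:05Z" Version="2.0">
  <saml:Issuer>https://acme.com/oam/fed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-assert-1" IssueInstant="2014-01-18T16:58:05Z" Version="2.0">
    <saml:Issuer>https://acme.com/oam/fed</saml:Issuer>
    <dsig:Signature>
      <dsig:SignedInfo><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#id-assert-1"/></dsig:SignedInfo>
      <dsig:SignatureValue>PLACEHOLDER</dsig:SignatureValue>
      <dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>PLACEHOLDER</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        SPNameQualifier="urn:federation:MicrosoftOnline">alice.appleton</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_d111d2a7-3475-4bc2-928f-34b83a4a0f64"
          NotOnOrAfter="2014-01-18T17:03:05Z" Recipient="https://login.microsoftonline.com/login.srf"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-18T16:58:05Z" NotOnOrAfter="2014-01-18T17:03:05Z">
      <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-01-18T16:58:05Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail"><saml:AttributeValue>alice.appleton@acme.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the Azure AD user the assertion must map to (ImmutableId / UPN pair).
SAMPLE_O365_USER = {"UserPrincipalName": "alice.appleton@acme.com", "ImmutableId": "alice.appleton"}

# What Office 365 expects under this federation agreement (values from the article).
EXPECTED = {
    "issuer": "https://acme.com/oam/fed",
    "audience": "urn:federation:MicrosoftOnline",
    "recipient": "https://login.microsoftonline.com/login.srf",
    "nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "request_id": "_d111d2a7-3475-4bc2-928f-34b83a4a0f64",
}


def parse_ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses ("2014-01-18T16:58:05Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_office365_assertion(xml_text: str, o365_user: dict, now: datetime, expected=EXPECTED) -> dict:
    """Return {'ok', 'problems', 'warnings'} for the assertion/agreement contract."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return {"ok": False, "problems": ["no Assertion element"], "warnings": []}
    problems, warnings = [], []

    def text(path: str) -> str:
        el = a.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    if text("saml:Issuer") != expected["issuer"]:
        problems.append("issuer mismatch")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != expected["nameid_format"]:
        problems.append("NameID missing or not persistent")
    elif (nameid.text or "").strip() != o365_user["ImmutableId"]:
        problems.append("NameID does not match ImmutableId")
    if text("saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']/saml:AttributeValue") != o365_user["UserPrincipalName"]:
        problems.append("IDPEmail does not match UserPrincipalName")
    if text("saml:Conditions/saml:AudienceRestriction/saml:Audience") != expected["audience"]:
        problems.append("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"] or scd.get("InResponseTo") != expected["request_id"]:
        problems.append("bearer confirmation Recipient/InResponseTo mismatch")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    method = a.find("dsig:Signature/dsig:SignedInfo/dsig:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm", "").endswith("#rsa-sha1"):
        warnings.append("SHA-1 signature (required by Office 365 here; keep it scoped to this partner)")
    if not text("dsig:Signature/dsig:KeyInfo/dsig:X509Data/dsig:X509Certificate"):
        problems.append("signing certificate not embedded (includecertinsignature not set?)")
    return {"ok": not problems, "problems": problems, "warnings": warnings}
```

Feed it the decoded SAMLResponse captured from the browser (a SAML tracer extension or the OIF debug log) together with the Get-MsolUser output for the account; a NameID or IDPEmail mismatch points at the uid/mail mapping in the SP partner and attribute profile, while a missing certificate or a validity-window failure points at the includecertinsignature property or at clock skew between OIF and Office 365.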

ActiveSync Mail Application

For this test, I will add an Exchange email account on an iPhone. During the setup, the iPhone mail application will send the email address and password to the Office 365 mail server, which will extract the user identifier from the email address and perform the SAML 2.0 ECP protocol with HTTP Basic Authentication.

Note: a similar flow would be exercised if the setup involved an Outlook Desktop application instead of the iPhone mail native application.

Perform the following steps to set up the iPhone with Office 365:

  • Go to Settings
  • Go to Mail
  • Add Account
  • Select Exchange
  • Enter the email address (alice.appleton@acme.com in this example)
  • Enter the user’s password at OAM/OIF (the password of the alice.appleton user; remember that the identifier, alice.appleton in this example, will be used as the HTTP Basic Authentication username)
  • Click Next
  • The mail application will send the user account information to the Office 365 mail server
  • The Office 365 mail server will interact with OIF / IdP via the SAML 2.0 ECP protocol to validate the data, with the user identifier and password sent via HTTP Basic Authentication to OIF / IdP

Upon successful validation, the iPhone will display a screen allowing the user to select which features to enable. After selecting the features, save: the account will have been set up.

In the next article, I will discuss an OIF configuration item called Partner Profiles.
Cheers,
Damien Carru

Comments:

congratulations

Posted by bravo on September 23, 2014 at 06:18 PM EDT #

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
