O365 SAML


Az Office365 szolgáltatások SAML azonosítással történő használatához egy új SP-t kell konfigurálni az IdP konfigurációjában, mivel ez az SP nem szerepel a föderációs metaadatok között. A Microsoft által üzemeltetett SP-nek speciális attribútum igényei vannak:

  • perzisztens NameID-t kell küldeni (ImmutableID)
  • kell küldeni egy IDPEmail nevű attribútumot

Kiadott attribútumok

ImmutableID

Az ImmutableID az eduPersonPrincipalName attribútum MD5 hashének UUID formátumra konvertált változata.

IDPEmail

A kiadott e-mail értéknek meg kell egyeznie az Office365 által szolgáltatott e-mail címmel. Ez azt is jelenti, hogy az IdP-től kapott e-mail attribútum domain részét előzetesen validálni kell az Office365-ben.

SimpleSAMLphp

A metadata/saml20-sp-remote.php fájlba kell elhelyezni a következő bejegyzést:

/* 
 * Office 365
 * https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
 */
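$metadata['urn:federation:MicrosoftOnline'] = array(
  'entityid' => 'urn:federation:MicrosoftOnline',

  // The two attributes Office 365 consumes.
  // NOTE(review): in SimpleSAMLphp this list by itself documents the SP; it only
  // restricts release when a core:AttributeLimit filter is active in the
  // authproc chain — confirm the IdP chain, otherwise the full attribute set
  // may be sent to this SP.
  'attributes' => array('IDPEmail', 'ImmutableID'),
  'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',

  // Attribute mapping and ImmutableID generation (runs in priority order: 31, then 36).
  'authproc' => array(
    31 => array(
      'class' => 'core:PHP',
      // ImmutableID = md5(eduPersonPrincipalName) rendered as 8-4-4-4-12 hex.
      // The value is a stable pseudonymous identifier, not a secret: md5 is
      // only a deterministic mapping here. Because it is derived from ePPN,
      // any change to a user's ePPN changes their Office 365 identity.
      // Fail closed when ePPN is missing or empty — otherwise every such
      // user would be issued the identical md5("") UUID and collide on the
      // Microsoft side.
      'code' => '
        if (!isset($attributes["eduPersonPrincipalName"][0])
            || $attributes["eduPersonPrincipalName"][0] === "") {
            throw new Exception("eduPersonPrincipalName is required to derive ImmutableID");
        }
        $eppn = $attributes["eduPersonPrincipalName"][0];
        $chunks = str_split(md5($eppn), 4);
        $attributes["ImmutableID"] = array(vsprintf("%s%s-%s-%s-%s-%s%s%s", $chunks));
      ',
    ),
    36 => array(
      // Rename the IdP mail attribute to the name Office 365 expects. The
      // released address must match the one Office 365 holds for the user,
      // and its domain must already be verified in the Office 365 tenant.
      'class' => 'core:AttributeMap',
      'mail' => 'IDPEmail',
    ),
  ),

  // Send ImmutableID as the "persistent" NameID.
  // NOTE(review): simplesaml.nameidattribute is the legacy option; newer
  // SimpleSAMLphp releases express this with the saml:AttributeNameID authproc
  // filter instead — confirm against the installed version.
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  'simplesaml.nameidattribute' => 'ImmutableID',

  'contacts' => array(),
  'metadata-set' => 'saml20-sp-remote',

  // All endpoints point at the same Microsoft login URL; index 0 (HTTP-POST)
  // is the default ACS.
  'AssertionConsumerService' => array(
    0 => array(
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://login.microsoftonline.com/login.srf',
      'index' => 0,
      'isDefault' => true,
    ),
    1 => array(
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
      'Location' => 'https://login.microsoftonline.com/login.srf',
      'index' => 1,
    ),
    2 => array(
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',
      'Location' => 'https://login.microsoftonline.com/login.srf',
      'index' => 2,
    ),
  ),
  'SingleLogoutService' => array(
    0 => array(
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://login.microsoftonline.com/login.srf',
    ),
  ),

  // Signing-only certificates of the SP (used to validate messages signed by
  // Microsoft; no encryption key is published).
  // NOTE(review): decoding the embedded validity fields suggests NotAfter dates
  // of 2019-07-17 and 2019-10-09 — refresh these from the Microsoft federation
  // metadata before relying on signature validation, and keep two entries so
  // Microsoft's key rollover does not break login.
  'keys' => array(
    0 => array(
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIDYDCCAkigAwIBAgIJALLJPAyvf2sjMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
        BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xNDA3MTgxOTUz
        NDBaFw0xOTA3MTcxOTUzNDBaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
        bmcgUHVibGljIEtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANYD
        KgByFZdqtTnnpF4IfIp4i2XLg2rLIo+mu4DmW9gRLlBJCNc7YESUxpKzuFYaANd8
        fWsDigJZTXbhOQApSpw4xXFnor2vJ1zm94LtqjcVEXTjUml5gAIS4pwuOU3ZfO/0
        eTG0gDYp4a0L/mzzTRsnwe/8WMPIE75Bq2zAyAZ9aePvl3QX7cXYLPfeK4QTgK3B
        5lwe1wWu3y5oQidjcSok8Frf80xzuCYuOa+ZUK3JibpLLCrT4uwiqf+KREDSdc4b
        PPlq0PWI4sQr1tha8yypRSvOH+/MxcfSRSnl6Uc+gm8nVEEWWIu4hhu6NIfG91mM
        UqJuzkgLCi6Gov6JS8UCAwEAAaOBijCBhzAdBgNVHQ4EFgQUnQoq7sI3R8rde4sQ
        s6nGEbJm3LcwWQYDVR0jBFIwUIAUnQoq7sI3R8rde4sQs6nGEbJm3LehLaQrMCkx
        JzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJALLJPAyv
        f2sjMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEAf4jaNhKzRG3k+52W
        oM9nnISP7rlWIeWwH6EQGUlF6ozSP/03gYMAdqpdhww5zNwKzi7TQVbDC0pgq/tq
        zHv6JEI0R4B6h7/TJ1pYPxdvIFQrE27RHESltH/m+5UkVnayLqRD3/fi4zf4aEpx
        SDZ73MCR5LanPGqvlAMz29AL3g1ynj+eu7xMfFsM/8+qJaCXuxT5/30eeLEe+PYi
        kA/PhEwp+qkDQWPvdAwEghuUaFvtKAgDZierjpGzHZnYkXTTDTHVe1iP7tsAJH5q
        K3qdcv3UGPyZrjC/lietJcAcnwVoZQ93v2ieGfcKKN+PFN9M59/BkPo62HPoGNNx
        2ZDQaQ==',
    ),
    1 => array(
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIDYDCCAkigAwIBAgIJAKLDsqkylLefMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
        BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xNDEwMTAxODE2
        MTNaFw0xOTEwMDkxODE2MTNaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
        bmcgUHVibGljIEtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7A
        3m6uvOxEsX+NlB1hnflaR8DJj597wY3qyh/FX4O6rKvU2leAfINmBWcjEFApCKi9
        p5uIaZpNlDpPQ+R3BaZx+4NhHbOMpeWlpIiZHL61lwbulzurffUPhtzQNHAVzOBk
        ZsOgN9BD/hOleU//d+IXz08ateUb3Ip2vyaodilYQDDi5M9yOhanv1cO1Usjo2xT
        LfiK+TVygu+8bo+/8JHGPRy6pnghng970DRBDkVrKzozlrnmMesdSrtuCnsgyRbE
        XckxaQ8S2nDYyFqBI0PkcBW8+0akdFWW58Os5cGbPFeHi6vtZCR5pWw5pnqtuoip
        rdk9jg1axT3vwu+RVdcCAwEAAaOBijCBhzAdBgNVHQ4EFgQUBjNylGJBvkAY/4yI
        IoD00R6p5hIwWQYDVR0jBFIwUIAUBjNylGJBvkAY/4yIIoD00R6p5hKhLaQrMCkx
        JzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJAKLDsqky
        lLefMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEAQGZUlJ3zzJvy1OLd
        tV3NTYHlbVHm3Fty17xqW9Ui8GE8sEWeUdHA6eURNNpNpd+gAGC6Tp+k+cU1LlPw
        Xm7BAATJ/2DjY8tzRc6r6EneQWRkIa8xpbvknXvUml6iFgo2ofOWLaFk6XpQ64MA
        O35wv9XEARNabJ9wJSRSevUigAx2U2GvaorV5PgqHImiKTSrL0K6j8B4OqXWUqP0
        KGf7pCdGlrq2XEl95N2zj8n/scvA9JasImztsVlZ+WxeF+OAMvWQQFc54gC6lwWc
        8kno8vPn3lwxVkTU0o9wcHnOhNi2hzVDV85sz7P9dOZYF73uy1uLshdjCcwlmQ2l
        A9OV9w==',
    ),
  ),
  // Assertions must be signed: ImmutableID and IDPEmail are what Microsoft
  // uses to select the account, so their integrity must be verifiable.
  'saml20.sign.assertion' => true,
  // This metadata does not contain an encryption key, therefore assertion
  // encryption is disabled explicitly so it does not depend on global IdP settings.
  'assertion.encryption' => false,
);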

Shibboleth