在ADFS 3.0中使用自定义身份验证/声明提供程序实现Office 365单一登录(RE:AADSTS90019) [英] Implementing Office 365 single sign-on using custom authentication/claims provider in ADFS 3.0 (RE: AADSTS90019)
问题描述
我在ADFS 3.0中成功配置了一个新的Claims Provider信任关系,该信任关系使我们可以使用单独的SAML IdP,并将ADFS 3.0作为SP。通过SAML IdP时,我们现在看到您已登录。因此,此部分工作正常(将SSO集成到ADFS 3.0中)。
I have a new Claims Provider Trust successfully configured in ADFS 3.0 that allows us to use a separate SAML IdP and let ADFS 3.0 be the SP. We now see "You are signed in" when we go through our SAML IdP. So this part works fine (SSO into ADFS 3.0).
但是,尝试访问Office 365应用现在会在 https://login.microsoftonline.com/login.srf :
However, attempting to access Office 365 apps now returns the following error by at https://login.microsoftonline.com/login.srf:
AADSTS90019:在
请求中或任何提供的凭据中均未找到任何标识租户的信息。
AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
有什么想法吗?我是否需要添加依赖方信任关系才能使Office 365也信任我们基于SAML的声明提供程序?
Any ideas? Do I need to add a Relying Party Trust to get Office 365 to also trust our SAML-based Claims Provider?
试图完成获得完全SSO版本的最后一步例如进入Outlook Web App,感觉就像我只是几个参数。
Trying to complete this last leg in getting fully SSO-ed into Outlook Web App, for example, and feel like I'm just a couple parameters away.
推荐答案
因此要正确执行此操作(通过ADFS中的自定义身份验证/声明提供程序将SSO导入Office 365),我们必须:
So to properly execute this (SSO into Office 365 via custom authentication/claims provider in ADFS), we have to:
- 允许传入的名称ID声明。向ADFS中的新索赔提供者添加声明规则,以传递名称ID。
- 将名称ID映射到相应的AD用户。向现有的 Microsoft Office 365身份平台依赖的信任方添加声明规则,以使用名称ID(根据需要的格式)查询AD,并返回必填字段:
UPN和ImmutableID。
- Allow the incoming Name ID claim. Add a Claim Rule to the new Claims Provider in ADFS to pass the Name ID through.
- Map the Name ID to the corresponding AD user. Add a Claim Rule to the existing Microsoft Office 365 Identity Platform relying trust party to query AD using the Name ID (format as needed) and return the fields required:
UPNandImmutableID.
新的索赔提供者的索赔规则的范本:
Vanilla example of claim rule for the new Claims Provider:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(claim = c);
使用名称ID查询AD并返回 UPN的示例和 ImmutableID :
Example of using the Name ID to query AD and return the UPN and ImmutableID:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;DOMAIN\{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
最后,您应该在Claims Provider中对传入的索赔添加一些过滤以提高安全性(即仅允许与您域的电子邮件后缀相匹配的传入声明。)
Finally, you should add some filtering on the incoming claims in the Claims Provider for added security (i.e. only allow incoming claims matching your domain's email suffix, etc.)
这篇关于在ADFS 3.0中使用自定义身份验证/声明提供程序实现Office 365单一登录(RE:AADSTS90019)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
