Recently I was implementing a Shibboleth environment (SAML 2.0 identity federation for Office 365) for a customer. Single-Sign-On (SSO) solutions are always challenging, and this one in particular. The goal was to be able to sign in to Shibboleth with the full mail address, as several different FQDNs are in use, whereas Microsoft still supports only sAMAccountNames for this (see the Shibboleth & Office 365 whitepaper). At this point I assume you have read and configured all 112 pages of the whitepaper. 😉 The whitepaper itself is actually really useful, though some parts are no longer valid (such as the PAOS endpoint configuration). I will write something on that in the near future as well.

As a first step, change the userField in Shib2IDP/conf/login.conf to userPrincipalName:

[code language="xml"]
// JAAS application entry used by the IdP's username/password login handler
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="dc1.devsystem.local"
      port="389"
      base="ou=dev,DC=devsystem,DC=local"
      tls="false"
      ssl="false"
      serviceUser="adreader@devsystem.local"
      serviceCredential="REM"
      userRoleAttribute="userPrincipalName"
      subtreeSearch="true"
      // the attribute the login form's user name is matched against
      userField="userPrincipalName";
};
[/code]

Second, open tomcat/conf/server.xml. Here we change the BASIC auth source of the SOAP/ECP endpoint to sAMAccountName (the userSearch field):
[code language="xml"]
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://dc1.devsystem.local:389"
       authentication="simple"
       referrals="follow"
       connectionName="CN=adreader shibboleth,CN=Users,DC=devsystem,DC=local"
       connectionPassword="REM"
       <!-- {0} is the user name the ECP client sends in its HTTP BASIC credentials -->
       userSearch="(sAMAccountName={0})"
       userBase="OU=users,DC=devsystem,DC=local"
       userSubtree="true"
       allRolesMode="authOnly" />
[/code]

And now comes the trick: SSO through the web portal should be configured for userPrincipalName, while Microsoft only supports sAMAccountNames on the active (ECP) endpoints, so we adapt the attribute resolver in Shib2IDP/conf/attribute-resolver.conf to handle both scenarios.
Just adjust the filter template of the LDAP data connector to accept both attributes: the ECP endpoint will then resolve with sAMAccountName, the POST/SSO endpoint with userPrincipalName.

[code language="xml"]
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    useStartTLS="false"
    ldapURL="ldap://dc1.devsystem.local:389" baseDN="ou=dev,DC=devsystem,DC=local" principal="adreader@devsystem.local"
    principalCredential="REM">
    <!-- Filter described above (omitted in the original snippet): match the principal by either attribute -->
    <FilterTemplate>
        <![CDATA[ (|(sAMAccountName=$requestContext.principalName)(userPrincipalName=$requestContext.principalName)) ]]>
    </FilterTemplate>
</resolver:DataConnector>
[/code]

Voilà, Office 365 SSO with Shibboleth now supports login with userPrincipalNames, which comes in quite handy in large organisations. If you have any questions, don't hesitate to post a comment or send me an email.
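To see what the "accept both attributes" filter actually does, here is an added offline walk-through; it is example code, not Shibboleth's or the author's. The directory entries and login names are constructed, the `DIRECTORY`, `build_filter`, `resolve` and helper names are mine, and the matcher implements only the subset of RFC 4515 filter syntax needed here (equality, AND, OR). It compares values case-insensitively, which assumes Active Directory's behaviour for sAMAccountName and userPrincipalName. It also shows the check a practitioner wants around such a template: the principal name comes from the login form or the ECP client's BASIC auth header, so it is escaped before it is spliced into the filter.

```python
"""Offline walk-through of the 'accept both attributes' resolver filter.

Added example, not Shibboleth's or the author's code. The directory entries and
login names below are constructed; the matcher implements only the subset of
RFC 4515 filter syntax needed here (equality, AND, OR) and compares values
case-insensitively, as Active Directory does for these two attributes.
"""
import re

# Constructed stand-in for the AD entries the IdP's LDAP data connector searches.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=dev,DC=devsystem,DC=local",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@devsystem.local"},
    {"dn": "CN=Max Muster,OU=dev,DC=devsystem,DC=local",
     "sAMAccountName": "mmuster",
     # A UPN suffix that differs from the AD domain: the case the post is about.
     "userPrincipalName": "max.muster@othercompany.example"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    The principal name arrives from the login form or the ECP client's BASIC
    auth header, i.e. from the user, so it must never reach the filter raw:
    an unescaped '*' or ')' would change the filter's meaning.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(principal: str) -> str:
    """The OR filter the text describes: the ECP endpoint supplies a
    sAMAccountName, the POST/SSO endpoint a userPrincipalName, and either
    branch may match."""
    v = escape_filter_value(principal)
    return f"(|(sAMAccountName={v})(userPrincipalName={v}))"


def _unescape(raw: str) -> str:
    """Turn RFC 4515 '\\xx' escapes back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw)


def _parse(f: str, i: int):
    """Parse the parenthesised filter item starting at f[i]; return (node, next)."""
    if f[i] != "(":
        raise ValueError("filter item must start with '('")
    i += 1
    if f[i] in "|&":                      # OR / AND over child items
        op = f[i]
        i += 1
        children = []
        while f[i] == "(":
            node, i = _parse(f, i)
            children.append(node)
        if f[i] != ")":
            raise ValueError("unterminated filter set")
        return (op, children), i + 1
    end = f.index(")", i)                 # equality item: (attr=value)
    attr, raw = f[i:end].split("=", 1)
    return ("=", attr, _unescape(raw)), end + 1


def _matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter node against one directory entry."""
    if node[0] == "=":
        _, attr, value = node
        return entry.get(attr, "").lower() == value.lower()
    op, children = node
    combine = any if op == "|" else all
    return combine(_matches(child, entry) for child in children)


def resolve(principal: str) -> list:
    """DNs that the filter built for this principal would return."""
    node, _ = _parse(build_filter(principal), 0)
    return [e["dn"] for e in DIRECTORY if _matches(node, e)]


if __name__ == "__main__":
    for name in ("jdoe", "jdoe@devsystem.local",
                 "max.muster@othercompany.example", "*"):
        print(f"{name:35} -> {resolve(name)}")
```

Running it shows the two identifier forms of the same account resolving to the same DN, a UPN whose suffix is not the AD domain resolving on its own, and a bare `*` matching nothing because it was escaped rather than treated as a wildcard.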