I have a new Claims Provider Trust successfully configured in ADFS 3.0 that allows us to use a separate SAML IdP and let ADFS 3.0 be the SP. We now see "You are signed in" when we go through our SAML IdP. So this part works fine (SSO into ADFS 3.0).
However, attempting to access Office 365 apps now returns the following error by at https://login.microsoftonline.com/login.srf:
AADSTS90019: No tenant-identifying information found in either the
request or implied by any provided credentials.
Any ideas? Do I need to add a Relying Party Trust to get Office 365 to also trust our SAML-based Claims Provider?
Trying to complete this last leg in getting fully SSO-ed into Outlook Web App, for example, and feel like I'm just a couple parameters away.
So to properly execute this (SSO into Office 365 via custom authentication/claims provider in ADFS), we have to:
- Allow the incoming Name ID claim. Add a Claim Rule to the new Claims Provider in ADFS to pass the Name ID through.
- Map the Name ID to the corresponding AD user. Add a Claim Rule to the existing Microsoft Office 365 Identity Platform relying trust party to query AD using the Name ID (format as needed) and return the fields required:
UPN
and ImmutableID
.
Vanilla example of claim rule for the new Claims Provider:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(claim = c);
Example of using the Name ID to query AD and return the UPN
and ImmutableID
:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;DOMAIN\{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
Finally, you should add some filtering on the incoming claims in the Claims Provider for added security (i.e. only allow incoming claims matching your domain's email suffix, etc.)