I like your solution better! That'll take care of my current issue where 
attributes aren't being returned by CAS when I delegate to ADFS.

Geoff, from the sound of this it will work better. If this is feasible for you 
to do, I'd say Eric's solution is a lot better than mine.

On 2013 Jun 18, at 4:14 PM, "Pierce, Eric" 
<epie...@usf.edu> wrote:

We've gone the O365 <-> ADFS <-> Shib <-> CAS route and although it can be a 
bit of work to get configured, I think it's the best of both worlds - full 
compatibility with Microsoft applications (including all the desktop clients) 
through ADFS and compatibility with other Shibboleth institutions (InCommon, 
etc).  Here are some tips to get everything working together - if you'd like more 
details let me know.


  *   Install ADFS and get it connected to your Office365 instance.  Just 
follow the standard MS instructions 
(http://www.microsoft.com/en-us/download/details.aspx?id=28971) and don't worry 
about Shibboleth or CAS at first.  That way you can get your Office365 pilot up 
and running - just let people know the login process will change once the 
ADFS/Shibboleth/CAS integration is complete.
  *   Get CAS and Shibboleth working together: 
https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration
  *   Configure ADFS to trust Shibboleth as an Identity Provider: 
http://go.microsoft.com/fwlink/?LinkId=207916  (That guide is geared towards 
Sharepoint 2010, but it has all the necessary ADFS/Shib info)
  *   If you follow the directions in that whitepaper you'll release email 
address and a few other attributes from Shibboleth and convert them to ADFS 
claims.  To get Office365 working, you'll need to release one more attribute: 
WindowsAccountName
  *   Shibboleth has the ability to dynamically generate attribute values using 
Javascript and I'm using that to generate the WindowsAccountName attribute since 
that value is not actually stored in AD.  Here's the code from 
attribute-resolver.xml.  You should be able to replace FOREST with the name of 
your domain and release WindowsAccountName to your ADFS server.

<!-- Windows Account Name -->
<!-- Since this value isn't stored in AD, we have to create it.  The format is
     DOMAIN\samaccountname -->
<resolver:AttributeDefinition xsi:type="Script"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="WindowsAccountName">
    <resolver:Dependency ref="uid" />

    <resolver:AttributeEncoder xsi:type="SAML2String"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="WindowsAccountName" friendlyName="WindowsAccountName" />

    <!-- The script, wrapped in a CDATA section so that special XML
         characters don't need to be removed -->
    <Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        if (WindowsAccountName == null) WindowsAccountName = new BasicAttribute("WindowsAccountName");

        // Only build the value when the uid dependency actually resolved a value;
        // otherwise uid.getValues().get(0) throws and the whole resolution fails.
        if (uid != null && uid.getValues().size() > 0) {
            WindowsAccountName.getValues().add("FOREST\\" + uid.getValues().get(0));
        }
    ]]></Script>
</resolver:AttributeDefinition>


  *   Create a new "Acceptance Transform Rule" in ADFS to convert the 
WindowsAccountName attribute from Shibboleth to an ADFS claim:

c:[Type == "WindowsAccountName",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"]
   == "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
          ValueType = c.ValueType);


  *   At this point, when you go to Office365, you should get redirected to the 
ADFS "realm discovery" page that contains a dropdown that lets you select 
between 'Active Directory' and Shibboleth for login (You may need to clear out 
your cookies to see this page)
  *   When you select Shibboleth, you should get redirected to the CAS login 
page.
  *   Once you've authenticated, you should get redirected back through 
Shibboleth and ADFS to your O365 inbox.

The final step in making this a seamless hand-off between ADFS, Shibboleth, and 
CAS is modifying the ADFS realm discovery page 
(http://msdn.microsoft.com/en-us/library/windows/desktop/bb625464(v=vs.85).aspx).

  *   Add a Javascript function to select the Shibboleth Identity Provider and 
submit the selection form automatically
  *   Add CSS to set 'display:none;' for all of the elements on the page
  *   Modify the ADFS web.config:

<persistIdentityProviderInformation enabled="false" lifetimeInDays="30" />



--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- epie...@usf.edu
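Eric's two hand-off steps, the Shibboleth script attribute that builds DOMAIN\samaccountname and the ADFS acceptance rule that turns it into the windowsaccountname claim, modelled as plain JavaScript so the mapping can be exercised outside the IdP and ADFS. This is an added example, not code from Eric's post or from Shibboleth or ADFS; the function names, the FOREST value, the issuer name and the sample uid/mail values are constructed for it. It also covers the case Eric's script leaves unguarded, a uid that resolved no value.

```javascript
// Added example (not Eric's code, nor Shibboleth's or ADFS's own logic): a plain
// JavaScript model of the attribute-to-claim hand-off described above. Function
// names, the FOREST value and the sample attributes are constructed for this example.

const SAML_URI_NAME_FORMAT =
  "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
// ADFS exposes a SAML attribute's NameFormat through this claim property.
const ATTRNAME_PROPERTY =
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename";
const WINDOWS_ACCOUNT_NAME_CLAIM =
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname";

// Step 1 (Shibboleth side): derive DOMAIN\samaccountname from the uid dependency.
// Returns null when uid resolved no value; the script in attribute-resolver.xml
// would throw on uid.getValues().get(0) there and fail the whole resolution.
function buildWindowsAccountName(forest, uidValues) {
  if (!Array.isArray(uidValues) || uidValues.length === 0) return null;
  const uid = String(uidValues[0]);
  // Hardening beyond the original script: a uid carrying a backslash, '@' or
  // whitespace does not map to a single sAMAccountName, so refuse to emit it.
  if (/[\\@\s]/.test(uid)) {
    throw new Error("uid is not a valid sAMAccountName: " + uid);
  }
  return forest + "\\" + uid;
}

// Step 2 (ADFS side): the acceptance transform rule. Each incoming SAML attribute
// is a claim {type, properties, value, valueType, issuer, originalIssuer}; only a
// WindowsAccountName attribute with the uri NameFormat is re-issued as the
// windowsaccountname claim that Office 365 expects. Anything else is dropped.
function applyAcceptanceRule(incomingClaims) {
  const issued = [];
  for (const c of incomingClaims) {
    const nameFormat = c.properties ? c.properties[ATTRNAME_PROPERTY] : undefined;
    if (c.type === "WindowsAccountName" && nameFormat === SAML_URI_NAME_FORMAT) {
      issued.push({
        type: WINDOWS_ACCOUNT_NAME_CLAIM,
        issuer: c.issuer,
        originalIssuer: c.originalIssuer,
        value: c.value,
        valueType: c.valueType,
      });
    }
  }
  return issued;
}

// Glue: represent a released SAML attribute the way ADFS sees it from the
// Shibboleth claims provider trust. The issuer name is a constructed placeholder.
function samlAttributeToClaim(name, nameFormat, value) {
  return {
    type: name,
    properties: { [ATTRNAME_PROPERTY]: nameFormat },
    value,
    valueType: "http://www.w3.org/2001/XMLSchema#string",
    issuer: "shibboleth-idp.example.edu",
    originalIssuer: "shibboleth-idp.example.edu",
  };
}

// Whole chain: resolve attributes, release them, run the ADFS rule.
function resolveAndTransform(forest, uidValues, mailValues) {
  const wan = buildWindowsAccountName(forest, uidValues);
  const claims = [];
  if (mailValues && mailValues.length > 0) {
    claims.push(samlAttributeToClaim("mail", SAML_URI_NAME_FORMAT, mailValues[0]));
  }
  if (wan !== null) {
    claims.push(samlAttributeToClaim("WindowsAccountName", SAML_URI_NAME_FORMAT, wan));
  }
  return applyAcceptanceRule(claims);
}

// Constructed sample run: uid "jdoe" in forest FOREST plus a mail attribute the
// rule must ignore. A WindowsAccountName released with the "basic" NameFormat
// is also dropped by the rule, which is worth checking when the claim is missing.
const SAMPLE = resolveAndTransform("FOREST", ["jdoe"], ["jdoe@example.edu"]);
const WRONG_FORMAT = applyAcceptanceRule([
  samlAttributeToClaim("WindowsAccountName",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "FOREST\\jdoe"),
]);
console.log(SAMPLE);       // one claim: windowsaccountname = FOREST\jdoe
console.log(WRONG_FORMAT); // []
```

Run it with node; the two console lines show the single claim ADFS would pass on to Office 365 and the empty result for the wrong NameFormat. When the claim never arrives in ADFS, comparing the released attribute's NameFormat against the property the rule matches on is the first thing to check.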

________________________________________
From: Tim McLaughlin [tim.mclaugh...@wwu.edu]
Sent: Tuesday, June 18, 2013 1:55 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Office 365, SAML2.0 and CAS

We are just about to go live with our O365/Shibboleth/CAS setup... We're
not using ADFS (yet) but hope to go that route in the future. Using
Shibboleth is fine for Web-based applications plus things like Outlook and
mobile devices. As I understand it, it's not going to work for Lync or
some of the other things O365 offers.

As far as using O365 with Shibboleth, check out this set of pages from MS:
http://technet.microsoft.com/en-us/library/jj205456.aspx


There is also a white paper that takes you through the whole process (O365
+ Shibboleth), here:
http://www.microsoft.com/en-us/download/details.aspx?id=35464


As for Shibboleth using CAS, take a look here (mentioned below, just
included here for completeness):
https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration


:)
Tim

On 2013/06/18 10:05 AM, "Whittaker, Geoffrey" <geoff.whitta...@unf.edu>
wrote:

>42. Got it... ;)
>
>I appreciate the help. I'm about to start trying to stand up the shib
>box this afternoon. I'll follow the stuff in the two links and see where
>that gets me.
>
>Do you use two separate servers in production? I'm toying with the idea
>of hosting two separate Tomcat instances on one box.
>
>If you would, give me one last sanity check...
>
>1. Client goes to O365 and gets directed to SHIB
>2. SHIB gets credentials and passes them to CAS for Authentication
>(presume success)
>3. SHIB goes to ADFS to get the attributes and sends them via SAML 2.0 to
>O365
>
>Is that how this is supposed to work? I hope so... :)
>
>
>Geoff
>
>-----Original Message-----
>From: Joel Goguen [mailto:joel.gog...@unb.ca]
>Sent: Tuesday, June 18, 2013 11:41 AM
>To: cas-user@lists.jasig.org
>Subject: Re: [cas-user] Office 365, SAML2.0 and CAS
>
>I think it would be easier to go with what you have right now and fill in
>the gaps. Beyond the links I included, the only way to get more specific
>would be (I think) to start posting my configuration files, which may end
>up being more confusing if you've gotten used to your current layout and
>it's markedly different.
>
>What do you mean by 'how I have secured it'? Who is allowed to use it?
>All users with a valid account in good standing. What services use CAS or
>Shib? We prefer CAS where possible, Shibboleth for services that don't
>support CAS. Something else? 42 is the answer to life, the universe, and
>everything. :)
>
>On 2013 Jun 18, at 11:55 AM, "Whittaker, Geoffrey"
><geoff.whitta...@unf.edu> wrote:
>
>> Thank you for replying.
>>
>> I'm having to take a crash course on Shib, CAS, ADFS, and O365. Can
>>you explain in a little more detail how you configured this to work, and
>>how you secured it? I have to try to get something running here in the
>>next few days.
>>
>> Thanks again for your help.
>>
>> Geoff
>>
>> -----Original Message-----
>> From: Joel Goguen [mailto:joel.gog...@unb.ca]
>> Sent: Monday, June 17, 2013 11:07 AM
>> To: cas-user@lists.jasig.org
>> Subject: Re: [cas-user] Office 365, SAML2.0 and CAS
>>
>> On 2013 Jun 17, at 11:57 AM, Marvin S. Addison
>><marvin.addi...@gmail.com> wrote:
>>
>>>> Is there any documentation about the configuration you described?
>>>> I've never worked with Shibboleth, ADFS, or O365.
>>>
>>> I'm not aware of any, but I honestly haven't looked very hard. We
>>>abandoned the integration effort I mentioned before we got to the point
>>>of developing a detailed implementation plan. I am aware that there are
>>>folks in the CAS community that have done this (USF), so maybe they can
>>>speak up.
>>>
>>> M
>> We're in the process of setting up CAS <-> ADFS <-> O365 right now.
>>I've not yet tested the full chain, but the fact that the CAS <-> ADFS
>>link works perfectly and the ADFS <-> O365 link works perfectly suggests
>>to me that the whole thing should be a smooth transition. We also have
>>Shibboleth in the mix, but for us Shibboleth delegates to CAS so a user
>>accessing a Shibboleth service currently follows a Shib <-> CAS link,
>>and after the switch will follow Shib <-> CAS <-> ADFS.
>>
>> I used https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration
>>to set up the Shib/CAS link, and
>>http://sites.ewu.edu/jgasper/ws-federation-cas-user-manual/ to set up
>>the CAS/ADFS link.
>>
>> --
>> Joel Goguen
>> Developer / System Administrator
>> Enterprise Solutions
>> Information Technology Services
>> University of New Brunswick
>> E-mail: joel.gog...@unb.ca
>> Phone: (506) 453-4872
>> Fax: (506) 453-3590
>>
>>
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as:
>> geoff.whitta...@unf.edu To unsubscribe, change settings or access
>> archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>>
>
>
>--
>Joel Goguen
>Developer / System Administrator
>Enterprise Solutions
>Information Technology Services
>University of New Brunswick
>E-mail: joel.gog...@unb.ca
>Phone: (506) 453-4872
>Fax: (506) 453-3590
>
>
>
>







--
Joel Goguen
Developer / System Administrator
Enterprise Solutions
Information Technology Services
University of New Brunswick
E-mail: joel.gog...@unb.ca
Phone: (506) 453-4872
Fax: (506) 453-3590

