Office 365 - Configuração no Shibbboleth IDP

Durante essa etapa serão manipulados os seguintes arquivos:

/opt/shibboleth-idp/conf/relying-party.xml
/opt/shibboleth-idp/conf/saml-nameid.xml
/opt/shibboleth-idp/conf/attribute-resolver.xml
/opt/shibboleth-idp/conf/attributes/custom/ImmutableID.properties
/opt/shibboleth-idp/conf/attributes/custom/UserId.properties
/opt/shibboleth-idp/conf/metadata-providers.xml
/opt/shibboleth-idp/metadata/office365-md.xml
/opt/shibboleth-idp/conf/attribute-filter.xml

É fortemente recomendada a realização de backup do IDP antes de executar esse procedimento

No arquivo /opt/shibboleth-idp/conf/relying-party.xml, sob o item <util:list id="shibboleth.RelyingPartyOverrides">, adicione a configuração abaixo:

<bean id="Office365" parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline">
   <property name="profileConfigurations">
      <list>
         <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" />
         <bean parent="SAML2.ECP" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
      </list>
   </property>
</bean>

Já no arquivo /opt/shibboleth-idp/conf/saml-nameid.xml, dentro do item <util:list id="shibboleth.SAML2NameIDGenerators">, adicione a configuração abaixo:

<!-- CAFe- Persistent NameID -->
<bean parent="shibboleth.SAML2PersistentGenerator">
   <property name="activationCondition">
      <bean parent="shibboleth.Conditions.NOT">
         <constructor-arg>
            <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="urn:federation:MicrosoftOnline" />
         </constructor-arg>
      </bean>
   </property>
</bean>

<!-- CAFe - Persistent NameID exclusivo para Microsoft -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:omitQualifiers="true"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      p:attributeSourceIds="#{ {'ImmutableID'} }">
   <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="urn:federation:MicrosoftOnline" />
   </property>
</bean>

Para criar os atribututos que serão usados (ImmutableID e UserId), altere o arquivo /opt/shibboleth-idp/conf/attribute-resolver.xml adicionando as linhas a seguir:

<!-- CAFe - ImmutableID para Microsoft -->
<AttributeDefinition xsi:type="Simple" id="ImmutableID">
   <InputDataConnector ref="dcLDAP" attributeNames="entryUUID"/>
</AttributeDefinition>

<!-- CAFe - UserId para Microsoft -->
<AttributeDefinition scope="%{idp.scope}" xsi:type="Scoped" id="UserId">
   <InputDataConnector ref="dcLDAP" attributeNames="uid"/>
 </AttributeDefinition>

Ainda no arquivo /opt/shibboleth-idp/conf/attribute-resolver.xml, adicione o atributo entryUUID à lista de atributos retornaveis do dataconnector dcLDAP. Exemplo:

<ReturnAttributes>%{idp.authn.LDAP.returnAttributes} mail cn givenName sn brPersonCPF schacDateOfBirth entryUUID</ReturnAttributes>

O uso dos atributos entryUUID e uid é apropriado para ambientes OpenLDAP. Caso esteja utilizando outro diretório deve-se substituí-los pelos atributos correspondentes. Ex.: AD - entryUUID > objectGUID e uid > sAMAccountName.

Crie o arquivo /opt/shibboleth-idp/conf/attributes/custom/ImmutableID.properties com o seguinte conteúdo:

# Microsoft Entra ImmutableID

id=ImmutableID
transcoder=SAML2StringTranscoder
displayName.en=Microsoft Entra ImmutableID
displayName.pt-br=Microsoft Entra ImmutableID
description.en=Microsoft Entra ImmutableID
description.pt-br=Microsoft Entra ImmutableID
saml2.name=urn:oid:1.2.840.113556.1.4.2
saml1.encodeType=false

Crie o arquivo /opt/shibboleth-idp/conf/attributes/custom/UserId.properties com o seguinte conteúdo:

# Microsoft Entra User ID

id=UserId
transcoder=SAML2ScopedStringTranscoder
displayName.en=Microsoft Entra User ID
displayName.pt-br=Microsoft Entra User ID
description.en=Microsoft Entra User ID
description.pt-br=Microsoft Entra User ID
saml2.name=urn:oid:0.9.2342.19200300.100.1.1
saml1.encodeType=false

Para configurar o provedor de metadados, altere o arquivo /opt/shibboleth-idp/conf/metadata-providers.xml e adicione a configuração abaixo:

<MetadataProvider id="Office365" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/microsoft-md.xml"/>

A seguir baixe o arquivo de metadados da Microsoft e armazene-o no local apropriado e remova a linha <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>.

wget https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml -O /opt/shibboleth-idp/metadata/microsoft-md.xml

Por fim, altere o arquivo /opt/shibboleth-idp/conf/attribute-filter.xml incluindo a política de liberação de atributos para o Microsoft Entra.

<AttributeFilterPolicy id="PolicyForMicrosoftEntra">
   <PolicyRequirementRule xsi:type="Requester" value="urn:federation:MicrosoftOnline" />
   
   <AttributeRule attributeID="UserId">
      <PermitValueRule xsi:type="ANY"/>
   </AttributeRule>
   
   <AttributeRule attributeID="ImmutableID">
      <PermitValueRule xsi:type="ANY"/>
   </AttributeRule>

</AttributeFilterPolicy>

PreviousIntegrando o Office 365 com Shibboleth IDP NextOffice 365 - Configuração no Microsoft Entra

Last updated 1 year ago

Was this helpful?

<bean id="Office365" parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline"> <property name="profileConfigurations"> <list> <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" /> <bean parent="SAML2.ECP" p:encryptAssertions="false" p:signAssertions="true" p:signResponses="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /> </list> </property> </bean>

<bean parent="shibboleth.SAML2PersistentGenerator"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.NOT"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="urn:federation:MicrosoftOnline" /> </constructor-arg> </bean> </property> </bean>  <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'ImmutableID'} }"> <property name="activationCondition"> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="urn:federation:MicrosoftOnline" /> </property> </bean>

 <AttributeDefinition xsi:type="Simple" id="ImmutableID"> <InputDataConnector ref="dcLDAP" attributeNames="entryUUID"/> </AttributeDefinition>  <AttributeDefinition scope="%{idp.scope}" xsi:type="Scoped" id="UserId"> <InputDataConnector ref="dcLDAP" attributeNames="uid"/> </AttributeDefinition>

# Microsoft Entra ImmutableID id=ImmutableID transcoder=SAML2StringTranscoder displayName.en=Microsoft Entra ImmutableID displayName.pt-br=Microsoft Entra ImmutableID description.en=Microsoft Entra ImmutableID description.pt-br=Microsoft Entra ImmutableID saml2.name=urn:oid:1.2.840.113556.1.4.2 saml1.encodeType=false

# Microsoft Entra User ID id=UserId transcoder=SAML2ScopedStringTranscoder displayName.en=Microsoft Entra User ID displayName.pt-br=Microsoft Entra User ID description.en=Microsoft Entra User ID description.pt-br=Microsoft Entra User ID saml2.name=urn:oid:0.9.2342.19200300.100.1.1 saml1.encodeType=false

<AttributeFilterPolicy id="PolicyForMicrosoftEntra"> <PolicyRequirementRule xsi:type="Requester" value="urn:federation:MicrosoftOnline" /> <AttributeRule attributeID="UserId"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="ImmutableID"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> </AttributeFilterPolicy>