Thanks for the reply Robert Bond!

So if I understand this:
 1) I have to add an objectclass like uidObject to have a uid parameter
in OpenLdap for each user in the LDAP. This parameter must never change
for the user.
 2) Configure cas.properties like yours with the parameter from the
LDAP:

 cas.samlSP.office365.metadata=https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
 cas.samlSp.office365.name=office365
 cas.samlSp.office365.description=Office365 Integration
 cas.samlSp.office365.nameIdAttribute=uid
 cas.samlSp.office365.attributes=mail,uid

 3) Configure the service like yours:

{
    "id" : 23,
    "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "evaluationOrder" : 23,
    "metadataLocation" : "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
    "metadataExpirationDuration" : "PT60M",
    "signAssertions" : false,
    "skipGeneratingAssertionNameId" : false,
    "skipGeneratingSubjectConfirmationInResponseTo" : false,
    "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
    "skipGeneratingSubjectConfirmationRecipient" : false,
    "skipGeneratingSubjectConfirmationNotBefore" : true,
    "signResponses" : true,
    "encryptAssertions" : false,
    "metadataCriteriaRoles" : "SPSSODescriptor",
    "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
    "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
    "signingCredentialType" : "BASIC",
    "serviceId" : "urn:federation:MicrosoftOnline",
    "name" : "office365",
    "description" : "Office 365",
    "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "uid",
        "canonicalizationMode" : "NONE",
        "encryptUsername" : false
    },
    "logoutType" : "BACK_CHANNEL",
    "logoutUrl" : "https://login.microsoftonline.com/login.srf",
    "accessStrategy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : true,
        "ssoEnabled" : true
    }
}


And now, how can this be tested properly? Because the O365 side doesn't
know that I have made changes on my local CAS to allow the login with my
TGC.

Let me know if I'm on the right path!




On Tuesday, 2 July 2019, 17:06:44 (UTC+2), Robert Bond wrote:
>
>
> Let me know if the below makes sense.
>
> For the integration you need to pass the attributes as follows:
>
> cas.samlSP.office365.metadata=https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
> cas.samlSP.office365.name=O365
> cas.samlSP.office365.description=O365 Integration
> cas.samlSP.office365.nameIdAttribute=Something from your OpenLdap that
> does not change, like objectguid in Active Directory. You need to sync this to
> O365 as the immutableId
> cas.samlSP.office365.attributes=mail 'from your OpenLdap', objectguid
> 'your immutableId again'
>
>
> On Tuesday, July 2, 2019 at 9:38:53 AM UTC-5, Alfonso Veraluz wrote:
>>
>> Hello.
>>
>> I have CAS 5.2.3 running fine with Tomcat 8.0.32 and OpenJDK 1.8,
>> connected to an OpenLdap so my users can log in with their uid and mail.
>> This CAS is currently providing SSO between Alfresco and Liferay.
>>
>> I want to add SSO with Office365, but only for a particular public
>> domain, and I have some questions:
>>
>> 1.- Which FederationMetadata.xml needs to be provided to CAS: the one at
>> https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
>> or the one with my EntityID provided from the Azure Portal Admin section?
>> 2.- How do I map the mail in OpenLdap to be the same as the O365 account?
>> Is the IdP supposed to map it in cas.samlSp.office365.attributes?
>>
>> Should adding this to my cas.properties be enough?
>>
>> # /etc/cas/saml/frommsoft/federationmetadata.xml downloaded from
>> # https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
>>
>>  cas.samlSP.office365.metadata=/etc/cas/saml/frommsoft/federationmetadata.xml
>>  cas.samlSp.office365.name=O365
>>  cas.samlSp.office365.description=Office365 Integration
>>  cas.samlSp.office365.nameIdAttribute=scopedImmutableID
>>  cas.samlSp.office365.attributes=IDPEmail,ImmutableID
>>
>> Thanks for your comments.
>>
>
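Before testing against Office 365 itself, it helps to confirm that the three pieces discussed in this thread agree with each other: the SP metadata CAS will download, the SamlRegisteredService JSON, and the cas.samlSp.office365.* properties. The following Python check is an added example, not code from the thread or from the CAS project. The metadata document is a constructed stand-in for the real federation metadata (same entityID and structure, placeholder certificate); the service and property values are the ones posted above, reduced to the fields the check needs. It parses the SPSSODescriptor, compares entityID with serviceId, checks validUntil, and verifies that the NameID attribute is the same in the properties and in the service definition.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the SP metadata CAS loads from nexus.microsoftonline-p.com.
# The real document is larger and carries Microsoft's actual signing certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:federation:MicrosoftOnline" validUntil="2099-01-01T00:00:00Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/login.srf" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Registered-service JSON and cas.properties values from the thread, reduced to
# the fields this check looks at.
SERVICE = {
    "serviceId": "urn:federation:MicrosoftOnline",
    "signAssertions": False,
    "signResponses": True,
    "usernameAttributeProvider": {"usernameAttribute": "uid"},
}
PROPERTIES = {
    "cas.samlSp.office365.nameIdAttribute": "uid",
    "cas.samlSp.office365.attributes": "mail,uid",
}


def parse_sp_metadata(xml_text):
    """Extract the parts of an SPSSODescriptor that an IdP operator cares about."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor role")
    valid_until = root.get("validUntil")
    if valid_until:
        valid_until = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "valid_until": valid_until,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": [c.text.strip() for c in sp.findall(cert_path, NS)],
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs_urls": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def review_sp_config(xml_text, service, properties, now=None):
    """Return a list of inconsistencies between metadata, service JSON and properties."""
    md = parse_sp_metadata(xml_text)
    now = now or datetime.now(timezone.utc)
    findings = []
    if md["entity_id"] != service["serviceId"]:
        findings.append(f"serviceId {service['serviceId']} does not match metadata entityID {md['entity_id']}")
    if md["valid_until"] and md["valid_until"] <= now:
        findings.append("SP metadata has expired (validUntil in the past); refresh it before trusting it")
    if not md["signing_certs"]:
        findings.append("no signing KeyDescriptor in metadata; SP request signatures cannot be checked")
    if md["want_assertions_signed"] and not service["signAssertions"]:
        findings.append("SP metadata sets WantAssertionsSigned=true but the registered service has signAssertions=false")
    if not md["acs_urls"]:
        findings.append("no AssertionConsumerService in metadata; CAS has nowhere to post the response")
    name_id = properties["cas.samlSp.office365.nameIdAttribute"]
    attrs = [a.strip() for a in properties["cas.samlSp.office365.attributes"].split(",")]
    username = service["usernameAttributeProvider"]["usernameAttribute"]
    if name_id != username:
        findings.append(f"nameIdAttribute {name_id} differs from service usernameAttribute {username}")
    if name_id not in attrs:
        findings.append(f"nameIdAttribute {name_id} is not in the released attributes {attrs}")
    return findings


if __name__ == "__main__":
    for finding in review_sp_config(SAMPLE_METADATA, SERVICE, PROPERTIES):
        print("FINDING:", finding)
```

With the values from the thread the only finding is the WantAssertionsSigned/signAssertions mismatch, which is raised by the constructed metadata, not necessarily by Microsoft's real document; re-run the check against the metadata CAS actually downloads before drawing a conclusion from it. The entityID comparison is the one that matters most for "which metadata do I use": whichever document you load, its entityID must equal the serviceId CAS matches incoming AuthnRequests against.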
