Forum Discussion

MiLK_MaN (Nimbostratus)
Dec 15, 2016

SharePoint Online persistent SSO with APM SAML

Hi all,


We have an APM configuration working successfully with SAML SSO to Office365.


What we'd like to do now is work out whether we can manipulate the timeout settings for users hitting SharePoint Online. Microsoft have an online article at https://technet.microsoft.com/en-us/library/mt148493(v=ws.11).aspx for doing this with ADFS, but I believe that ADFS uses WS-Fed and not SAML, and therefore we don't know if there is an equivalent SAML attribute to pass through to SharePoint Online to achieve the same thing.

Has anyone done this before and is able to advise whether such an attribute exists?


6 Replies

  • So, I looked at the article and the further PSSO definition, and I don't quite fully understand exactly how it works yet, but I am guessing that if ADFS sets a PSSO cookie and sends that claim to Azure AD, then Azure AD will be sending persistent cookies for SharePoint Online to the browser. Do you know if that is the case?


    • MiLK_MaN (Nimbostratus)

      No idea. We were on a call with Microsoft, but unfortunately they only knew how to configure the ADFS portion and had no idea what transpires at a protocol level.


      One of my colleagues did find this information which looks promising though:


      http://schemas.microsoft.com/2014/03/psso: true


      Dug around looking to convert MS claims to SAML; found a bunch of stuff, but this was the most interesting.


      https://github.com/AzureAD/azure-activedirectory-library-for-ruby/blob/master/spec/fixtures/wstrust/too_many_security_tokens.xml


      The customer is not keen for us to be experimenting in their environment, so it would be great to get some information on whether this would be the solution to their issue and whether anything needs to be done on the Azure side of things.


    • Michael_Koyfman (Cirrocumulus)

      Yes, the problem is that it's in WS-Trust format. Normally, Azure AD is consuming a SAML 1.1 payload wrapped in a WS-Trust wrapper; ultimately this is called WS-Fed. :)


      So, I've tried to send similar attributes to them via SAML 2.0, and they are getting ignored and persistent SSO does not seem to happen. We need to find out from Microsoft whether they are capable of ingesting any SAML attributes when federating logon using SAML instead of WS-Fed.
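As an added illustration (not code from the thread, nor from F5 or Microsoft): the replies contrast the PSSO claim as ADFS emits it, a SAML 1.1 attribute inside a WS-Trust RequestSecurityTokenResponse, with the SAML 2.0 attribute form one would configure on APM. The script below builds constructed, unsigned samples of both shapes and an inspector that reports whether a captured token carries the `http://schemas.microsoft.com/2014/03/psso` claim and which lifetimes (NotOnOrAfter, SessionNotOnOrAfter) it asserts, so you can confirm what APM actually sends before going back to Microsoft. The SAML 2.0 attribute name, the hostnames and every token value are assumptions; whether Azure AD honours the SAML 2.0 form is server-side behaviour the script cannot check, and the thread reports it being ignored.

```python
"""Inspect a federation token for the ADFS persistent-SSO (PSSO) claim.

Added example, not code from the thread. Standard library only. The sample
tokens are constructed and unsigned; they only imitate the shape of an APM
SAML 2.0 Response and an ADFS WS-Fed RequestSecurityTokenResponse.
"""
import base64
import xml.etree.ElementTree as ET

PSSO_CLAIM = "http://schemas.microsoft.com/2014/03/psso"  # claim type from the ADFS PSSO article
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"


def _saml2_response(attribute_xml: str) -> str:
    # Constructed SAML 2.0 Response, shaped like what an APM IdP posts to Azure AD (assumed values).
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML2}" ID="_r1" Version="2.0" IssueInstant="2016-12-15T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-15T10:00:00Z">
    <saml:Issuer>https://apm.example.com/saml/idp</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-12-15T09:55:00Z" NotOnOrAfter="2016-12-15T11:00:00Z"/>
    <saml:AuthnStatement AuthnInstant="2016-12-15T10:00:00Z" SessionNotOnOrAfter="2016-12-16T10:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# The SAML 2.0 encoding of the claim, as one would configure it on APM (assumed, not confirmed by Microsoft).
SAML2_PSSO_ATTRIBUTE = (f'<saml:Attribute Name="{PSSO_CLAIM}">'
                        "<saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>")
SAML2_RESPONSE = _saml2_response(SAML2_PSSO_ATTRIBUTE)
SAML2_NO_PSSO = _saml2_response("")
SAML2_RESPONSE_B64 = base64.b64encode(SAML2_RESPONSE.encode()).decode()  # as in the SAMLResponse form field

# Constructed WS-Fed response: SAML 1.1 assertion inside the WS-Trust (2005/02 namespace) wrapper ADFS uses.
# ADFS splits the claim URI into AttributeNamespace + "/" + AttributeName.
WSFED_RSTR = f"""<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" AssertionID="_b1"
        Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2016-12-15T10:00:00Z">
      <saml:Conditions NotBefore="2016-12-15T09:55:00Z" NotOnOrAfter="2016-12-15T11:00:00Z"/>
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>user@example.com</saml:NameIdentifier></saml:Subject>
        <saml:Attribute AttributeName="psso" AttributeNamespace="http://schemas.microsoft.com/2014/03">
          <saml:AttributeValue>true</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def decode_saml_response(b64: str) -> str:
    """Decode the base64 SAMLResponse parameter of the HTTP-POST binding (no deflate there)."""
    return base64.b64decode(b64).decode("utf-8")


def _find_assertion(root):
    # The assertion may be the root, or nested in samlp:Response / wst:RequestedSecurityToken.
    for kind, ns in (("saml2", SAML2), ("saml1-wsfed", SAML1)):
        tag = f"{{{ns}}}Assertion"
        node = root if root.tag == tag else root.find(f".//{tag}")
        if node is not None:
            return kind, node
    raise ValueError("no SAML 1.1 or 2.0 assertion in token")


def _claim_type(kind, attr) -> str:
    if kind == "saml2":
        return attr.get("Name", "")
    return attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")


def psso_claim(kind, assertion):
    """True/False when the PSSO claim is present, None when absent."""
    ns = SAML2 if kind == "saml2" else SAML1
    for attr in assertion.iter(f"{{{ns}}}Attribute"):
        if _claim_type(kind, attr) == PSSO_CLAIM:
            value = attr.find(f"{{{ns}}}AttributeValue")
            return value is not None and (value.text or "").strip().lower() == "true"
    return None


def inspect_token(xml_text: str) -> dict:
    """Report token format, PSSO claim and the lifetimes the assertion carries."""
    kind, assertion = _find_assertion(ET.fromstring(xml_text))
    ns = SAML2 if kind == "saml2" else SAML1
    conditions = assertion.find(f"{{{ns}}}Conditions")
    authn = assertion.find(f"{{{SAML2}}}AuthnStatement")  # SAML 1.1 has no session bound
    return {
        "format": kind,
        "psso": psso_claim(kind, assertion),
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "session_not_on_or_after": authn.get("SessionNotOnOrAfter") if authn is not None else None,
    }


if __name__ == "__main__":
    for name, token in (("SAML 2.0 (APM)", SAML2_RESPONSE), ("WS-Fed (ADFS)", WSFED_RSTR)):
        print(name, inspect_token(token))
```

To use it on a real capture, paste the SAMLResponse form value into `decode_saml_response` or the WS-Fed `wresult` XML straight into `inspect_token`; a `psso` of `None` means APM never emitted the attribute, while `True` with no persistent session at SharePoint Online points at Azure AD ignoring it, which is the situation the thread describes.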
