Forum Discussion

Jan 04, 2017

SAML APM with Office 365

Hello,

Armed with all good intentions, I have been trying for days to set up a lab for testing SAML with O365. I have an O365 subscription with my private live.com account, but I am not sure how it would work with that, as the domain part of the email address should be used to redirect to the IdP. Then I tried with my own private domain (which points to my ADSL router via dyn.com), but I don't have an O365 subscription with that domain, so catch-22.

Does anybody have a detailed step-by-step guide on how to set up such a lab? So far I have found plenty of general information about SAML, how it works and how easy it is supposed to be, but no step-by-step guide. The SAML deployment guide using the iApp is quite cryptic too.

Maybe somebody can post the Agility 2016 lab? I heard somebody did a lab there. Or how does it work in practice?

Thanks in advance and happy 2017!!

 

4 Replies

  • In order to federate users using APM, you actually need to have your own Active Directory environment and set up Azure AD Connect there to replicate your users to Azure AD, and only then can you set up federation. From your description above, it does not sound like you have your own Active Directory environment running....


    • 2funky_105078

      Thanks Michael. Indeed, I created my AD with my domain and installed AD Connect, so that my Azure AD is constantly synced with my local AD. I could also log into O365 from the MSFT login page. I did not configure the ADFS role.

      Then, I configured the iApp, where I put as Entity ID

      I connect to my VIP, which authenticates me to my local AD and presents the webtop with the link to O365. Once I click on that, I am redirected to the O365 page but with an error:

      Additional technical information: Correlation ID: 90070909-f329-493f-875c-03a0a164ac91 Timestamp: 2017-01-06 21:33:33Z AADSTS50107: Requested federation realm object __'._mydomain_/idp/f5/' does not exist.

      So I have these simple questions (sorry, probably too simple):

      1) Shall I configure ._mydomain_/idp/f5/ as Entity ID in the iApp?
      2) If I leave default.crt/.key as certificates, will it work, or do I need to explicitly create a self-signed cert to send the assertions?
      3) For Office 365 I understand I don't need to export any metadata as it is already included in the iApp, right? If I wanted to, where do I export it from?
      4) Do I need to configure federation on the Azure portal? I saw some PowerShell commands on DevCentral but I am not sure why and where I should enter them.

      The logs tell:

      Jan 6 13:38:36 2funky notice apmd[6217]: 01490102:5: /Common/xx.app/xx:Common:7c042dd4: Access policy result: Full
      Jan 6 13:38:47 2funky notice tmm[11331]: 014d0002:5: 7c042dd4: SSOv2 BIG-IP as IdP (/Common/xx.app/xx_O365_saml_sso) sent SAML Response (size: 6572) to SP (/Common/saml_office365)
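The Azure AD side of question 4, as an added illustration that is not from this thread, from F5 or from Microsoft's iApp: with the MSOnline PowerShell module the verified domain is switched to federated and told which IssuerUri and signing certificate to trust. Domain name, endpoint URLs and certificate path are placeholders; the one hard requirement is that IssuerUri equals, byte for byte, the Entity ID the APM IdP puts into its SAML Response, which is exactly what the AADSTS50107 error above is complaining about.

```powershell
# Added example (not from the thread): register BIG-IP APM as the federation IdP
# for a verified Azure AD domain. Every value below is a placeholder for the lab.
Import-Module MSOnline
Connect-MsolService                      # prompts for a Global Administrator credential

$domain     = 'mydomain.example'         # verified custom domain, not the onmicrosoft.com one
$issuerUri  = 'https://idp.mydomain.example/idp/f5/'   # MUST equal the IdP Entity ID set in the iApp
$passiveUri = 'https://idp.mydomain.example/saml/idp/profile/redirectorpost/sso'  # placeholder SSO endpoint
$logoffUri  = 'https://idp.mydomain.example/saml/idp/profile/redirectorpost/slo'  # placeholder SLO endpoint
$certPath   = 'C:\lab\apm-saml-signing.crt'   # the certificate APM signs assertions with, exported from BIG-IP

# Azure AD validates every assertion signature against the certificate registered here,
# so it must be the same key APM signs with; a dedicated signing cert is easier to rotate
# and audit than reusing the box-wide default.crt.
$cert       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$certBase64 = [System.Convert]::ToBase64String($cert.RawData)

Set-MsolDomainAuthentication `
    -DomainName $domain `
    -Authentication Federated `
    -FederationBrandName 'BIG-IP APM IdP' `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $passiveUri `
    -ActiveLogOnUri $passiveUri `
    -LogOffUri $logoffUri `
    -SigningCertificate $certBase64 `
    -PreferredAuthenticationProtocol SAMLP

# Check: the IssuerUri shown here is what Azure AD looks up when a SAML Response arrives.
# Any difference from the Entity ID (scheme, host, trailing slash) reproduces AADSTS50107.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, PreferredAuthenticationProtocol
```

Running the last cmdlet before changing anything is the quickest way to see whether the domain is still Managed (no federation object at all) or Federated with a different IssuerUri than the one in the error.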
