Introduction

This Cool Solution describes IDP-initiated SSO and SLO with the Office 365 cloud service. It also explains how to customize the login process.

Setup Details

Prerequisite: NAM 4.0.1 and above

IDP initiated SSO to Office 365

  1. Capture a browser trace of an Office 365 login.
  2. Note the login request that Office 365 makes to NAM.
  3. Example:
    https://www.netiq.info/nidp/wsfed/ep?cbcxt=&popupui=&vv=&mkt=&lc=1033&wfresh=&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1%252E0%26rpsnv%3D3%26ct%3D1406737808%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fnetiq%252Dmy%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3D1033%26id%3D500046%26%26bk%3D1406737809%26LoginOptions%3D3
  4. The Office 365 landing page is included in the request, URL-encoded; in this example it is netiq-my.sharepoint.com, so SharePoint is the landing page.
  5. Use this URL as the IDP-initiated SSO link to Office 365.
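As an added example (not part of the original article), a small Python helper that decodes a captured login request the way step 4 describes: the wctx parameter is itself a URL-encoded query string, so the landing page (wreply) sits two decoding levels deep. The allow-list of landing-page host suffixes is an assumption made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# The Office 365 -> NAM login request captured on this page (copied verbatim).
CAPTURED_REQUEST = (
    "https://www.netiq.info/nidp/wsfed/ep?cbcxt=&popupui=&vv=&mkt=&lc=1033&wfresh="
    "&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1%252E0"
    "%26rpsnv%3D3%26ct%3D1406737808%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI"
    "%26wreply%3Dhttps%253A%252F%252Fnetiq%252Dmy%252Esharepoint%252Ecom%252F%255Fforms"
    "%252Fdefault%252Easpx%26lc%3D1033%26id%3D500046%26%26bk%3D1406737809%26LoginOptions%3D3"
)

# Host suffixes Office 365 may legitimately name as the landing page (assumption
# for this example; tighten it to the tenant's own hosts in practice).
ALLOWED_LANDING_SUFFIXES = (".sharepoint.com", ".microsoftonline.com", ".office.com")


def parse_wsfed_request(url):
    """Return the WS-Federation parameters of a captured login request.

    parse_qs decodes one level of URL encoding, so it is applied twice: once to
    the outer query string and once to the decoded wctx value.
    """
    outer = parse_qs(urlsplit(url).query)
    wctx = parse_qs(outer.get("wctx", [""])[0])
    return {
        "wa": outer.get("wa", [None])[0],
        "wtrealm": outer.get("wtrealm", [None])[0],
        "wreply": wctx.get("wreply", [None])[0],
        "wctx": wctx,
    }


def landing_page(url):
    """Landing page (wreply) carried inside wctx, or None when absent."""
    return parse_wsfed_request(url)["wreply"]


def landing_page_allowed(url):
    """True only if wreply is https and its host ends with an allowed suffix."""
    parts = urlsplit(landing_page(url) or "")
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.endswith(ALLOWED_LANDING_SUFFIXES)
```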

IDP initiated SLO to Office 365

  1. Create a custom JSP file “namO365Logout.jsp” that contains an IFrame pointing at the Office 365 sign-out URL and a JavaScript timeout function that afterwards loads the NAM logout page (an example JSP is given below the configuration steps).
  2. Copy this JSP to the IDP folder /opt/novell/nam/idp/webapps/nidp/jsp and give it the proper permissions.
  3. Back up the IDP web.xml, then edit /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml: under nidpJspFilter, add namO365Logout.jsp to the value of the publicAccess parameter.
  4. Example:
    <param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp;clearCookieAuth.jsp;totpregistration.jsp;socialauth.jsp;socialauth_provision.jsp;socialauth_return.jsp;namO365Logout.jsp</param-value>
  5. Restart the IDP: /etc/init.d/novell-idp restart
  6. Open the Administration Console and go to the WS-Federation tab.
  7. Select the Office 365 service provider and go to the Metadata tab.
  8. Edit the metadata SLO URL to “http(s)://<<IDP domain>>/nidp/jsp/namO365Logout.jsp”.
  9. Click OK.
  10. If you get an alert that a certificate is required, follow these steps:
    1. Go to the Certificates section and download the test-signing certificate in DER format.
    2. Repeat steps 6 to 8 above and select the downloaded certificate in the WS-Federation metadata edit section.
  11. Update the IDP.
  12. Test it.

Example namO365Logout.jsp:

=================================namO365Logout.jsp===================================
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@ page import="com.novell.nidp.*" %>
<%@ page import="com.novell.nidp.servlets.*" %>
<%@ page import="com.novell.nidp.resource.*" %>
<%@ page import="com.novell.nidp.resource.jsp.*" %>
<%@ page import="com.novell.nidp.ui.*" %>
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>

<%
    // NAM UI helper: supplies the language code, style sheet, colours and localized strings.
    UIHandler uh = new UIHandler(request,response);
%>
<html lang="<%=uh.getLanguageCode()%>">
<head>
    <link href="<%= uh.getImage("hf_style.css",false)%>" rel="stylesheet">
    <style type="text/css" media="screen">
        body { background-color: <%=uh.getBGColor()%> }
    </style>
    <script type="text/javascript">
        // Give the hidden IFrame below time to complete the Office 365 sign-out,
        // then finish with the NAM logout.
        function doitlater() {
            window.location = "/nidp/app/plogout";
        }
        setTimeout(doitlater, 5000);
    </script>
</head>
<%@ include file="logoutHeader.jsp" %>
<body marginwidth="0" marginheight="0" leftmargin="10" topmargin="0">
    <div class="head3b"><%=uh.getResource(JSPResDesc.LOGOUT)%></div>
    <table border="0">
        <tr>
            <td>Session logout is in progress. Please wait for logout confirmation.</td>
        </tr>
    </table>
    <!-- Hidden IFrame that triggers the Office 365 sign-out cleanup. -->
    <iframe src="https://login.microsoftonline.com/login.srf?wa=wsignoutcleanup1.0" width="0" height="0" frameborder="0"></iframe>
</body>
</html>

Login process customization:

Username prefill customization:

  1. Open login.jsp on the IDP (/opt/novell/nam/idp/webapps/nidp/jsp/login.jsp).
  2. Look for the following statement:
    if(proxyReq instanceof WSFedAuthnRequest)
        uname = ((WSFedAuthnRequest)proxyReq).getParameter("username");
  3. uname is the username in e-mail format sent by Office 365. This value can be substringed to show only the username rather than the full e-mail address,
  4. or set to null to show an empty username input box.

Execute specific contract:

  1. Open login.jsp on the IDP (/opt/novell/nam/idp/webapps/nidp/jsp/login.jsp).
  2. Look for the following statement:
    if(proxyReq instanceof WSFedAuthnRequest)
        uname = ((WSFedAuthnRequest)proxyReq).getParameter("username");
  3. Get the realm from the WS-Fed request with ((WSFedAuthnRequest)proxyReq).getRealm() and check it against the Office 365 URI; if it matches, redirect to http(s)://<<IDPdomain>>/nidp/app?id=<<contractid>>&<<query string of the request that came to login.jsp>>.

Alternatively,

  1. Add a new JSP that redirects to “/nidp/wsfed/ep?id=<<contractID>>&<<query string of the request that came to this JSP>>”.
  2. Copy this JSP to the IDP folder /opt/novell/nam/idp/webapps/nidp/jsp and give it the proper permissions.
  3. Back up the IDP web.xml, then edit /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml: under nidpJspFilter, add this JSP to the value of the publicAccess parameter (see steps 3 and 4 of the “IDP initiated SLO” section above).
  4. Modify the Office 365 trust settings so that this JSP is used as the NAM SSO endpoint: http(s)://<<IDP domain>>/nidp/jsp/<<new jsp>>
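As an added example (not code from the article or from NAM), the login customizations above modelled in plain Python so they can be tested outside the IDP: the username prefill options (local part of the e-mail, or empty), and the contract redirect for a request whose realm is the Office 365 URI, for both the login.jsp variant (/nidp/app) and the separate-JSP variant (/nidp/wsfed/ep). IDP_BASE and OFFICE365_CONTRACT_ID are hypothetical values.

```python
from urllib.parse import parse_qs

# Realm Office 365 sends as wtrealm (value taken from the captured request on this page).
OFFICE365_REALM = "urn:federation:MicrosoftOnline"

# Hypothetical values: the IDP host and the NAM contract id to run for Office 365 logins.
IDP_BASE = "https://idp.example.com"
OFFICE365_CONTRACT_ID = "office365-contract"


def prefill_username(uname, mode="local-part"):
    """Office 365 passes the user's e-mail address as the username.

    mode="local-part" keeps only the part before '@' (a value without '@' is
    returned unchanged); mode="empty" nullifies it so the input box is blank;
    any other mode returns the raw value.
    """
    if uname is None or mode == "empty":
        return None
    if mode == "local-part":
        return uname.split("@", 1)[0]
    return uname


def realm_of(query_string):
    """wtrealm as read from the WS-Fed request (one level of URL decoding)."""
    return parse_qs(query_string).get("wtrealm", [None])[0]


def contract_redirect(realm, query_string, endpoint="/nidp/app"):
    """Redirect target when the realm is Office 365, otherwise None.

    The realm is compared exactly (no prefix or substring match), and the
    original query string is forwarded unchanged behind the contract id.
    """
    if realm != OFFICE365_REALM:
        return None
    target = f"{IDP_BASE}{endpoint}?id={OFFICE365_CONTRACT_ID}"
    return f"{target}&{query_string}" if query_string else target
```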

Multiple domains for SSO:

Child domains work seamlessly once the parent domain is used for the federation settings: add the child domain to Office 365 and SSO works.
If additional top-level domains need SSO, create one more IDP cluster and use it as the NAM federation endpoint for that top-level domain.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


One Comment

  • nsanson says:

    One month ago NetIQ support gave us a part of your solution as a workaround.

    I just want to add some information about this step:

    Edit metadata SLO url to “http(s)://<>/nidp/jsp/namO365Logout.jsp”

    is not always possible. The Administration Console (4.0.1) doesn't let you edit the metadata if you don't put in a signing certificate. The only way to modify it is tampering with the original iManager JS check for the presence of a signing certificate. Since Office 365 doesn't sign the requests, this is what we had to do.

By: cstumula
Aug 7, 2014
12:18 pm