Office 365 SSO

  • Question

  • I have configured Office 365 SSO with our on-premise. For the most part it is working great; however, I have a handful of users that are unable to log into the portal or to ActiveSync.

    Here is the token status of a user that is not able to log in:

    SAML Token:
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_96641ce7-6494-43e4-99c5-4e9968e88674" Issuer="http://adfs.redacted.com/adfs/services/trust" IssueInstant="2017-07-20T18:10:15.578Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2017-07-20T18:10:15.575Z" NotOnOrAfter="2017-07-20T19:10:15.575Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2017-07-20T18:10:15.574Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_96641ce7-6494-43e4-99c5-4e9968e88674">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>jH57i33fhnksw/qwM42xvIp17TIDDEPSCDKj/1DJ1cs=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>FYdBf7uFu3YqKFVcg8VzoADbRql2vqdww9SLFekHai5+bYj+ZagTpUu3v0QMsuSoZFqYgQLfTCd0MykGGDwkFnd8EX/CEMsMczAayw1YbXqNtgbU7ie6kT8Uclj6mS2W1ni2raNoFsFUqNFvzhdAlHItz/MHBGhJw8d9tOEqYO+bxLPp4p4H3cXybZbAbP/NgQI6SiGKHgKmoj/dVs/C7b/2nK414Bo/z6GB9OueR5B/HZXhU33p20Xa25tM2oobHjawnpt66XFsNaEChnYaFoLG3BtlZtWxZYLB/5ycx+niNP97O08+xO6B2B30Y8s1szlec0ct94HGKgT/PJROXg==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>MIIC3DCCAcSgAwIBAgIQXptF23N4z4pAtyek+P/k6zANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9BREZTIFNpZ25pbmcgLSBhZGZzLnBpbmRlcnMuY29tMB4XDTE3MDcxNDE1NTkwOVoXDTE4MDcxNDE1NTkwOVowKjEoMCYGA1UEAxMfQURGUyBTaWduaW5nIC0gYWRmcy5waW5kZXJzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBEoamFTD3fESh+K28SD7qo1wZIsF+gyDIHUUh5ZV85huDvCqam4LAPtBkPUXMTTKfLB/pZmeCPorJEU0N2+/E5JFfxd7fQ7FRvaCUNk+/1zNzJXDJ5O7M9D4xLPy+0m8iEMupeDZ2k9YsE/IItBhYli/r1OBwhTIwM601ilt3gmKOhDjWGi64Xh2wiPsrW6LkcTpRMi7dMq301otVITZNyxEk9OgMoZ0AY0plOs3BRm4PVWDg5g/qSwlaE0OB4ug6AwnR/q5HIeEbdCViqPrUNrpPyXEw+dbpxU4RXJnRa+nJM6eW8nn4Ytvdp2QgqmEUO8cftuXFcSX2s5SlYoj0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAHXQp6CKqHdDRwCTbV6oQdV31hKoK9x6TQEmer3gqtWj4eI4twtOrD1ECxDywPzIpydT6x3z+DqthvaCNfvQ08uBtrT9JpuvkNCwwi1XlYj0Z6K+BbFC4+lxd9W1CdhUKnVTN5RrmOvTst9206sHTkKg6M0v593MZB/+nJjiGAAQVzsHtbp4gXLa9jHx8ARALMaBdiCe4SejgWGwniLB5iE7q7a2XMMzQ9yYHOMzNhF9GcQ30I85KfnNixoeITG1tXDlf6rQlwvbI/IpoR0efXVxO7tF4XxXo+mmYNyTiXrr7HgzECx2l0TjbmJCDlvc5gwLKvSRHeT84Vhc5MBBkCw==</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
    HTTP Response Headers:
    Content-Length: 5357
    Content-Type: application/soap+xml; charset=utf-8
    Date: Thu, 20 Jul 2017 18:10:15 GMT
    Server: Microsoft-HTTPAPI/2.0
    Elapsed Time: 137 ms.


    And here is the status from a user that is working:

    SAML Token:
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_2d183fe3-0921-4997-9292-23ee4074aa6a" Issuer="http://adfs.redacted.com/adfs/services/trust" IssueInstant="2017-07-20T15:59:32.343Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2017-07-20T15:59:32.340Z" NotOnOrAfter="2017-07-20T16:59:32.340Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lq/VgPs6U0WhWS4UhXN/aw==</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
          <saml:AttributeValue>Rich.Monroe@redacted.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
          <saml:AttributeValue>lq/VgPs6U0WhWS4UhXN/aw==</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2017-07-20T15:59:32.339Z">
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lq/VgPs6U0WhWS4UhXN/aw==</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_2d183fe3-0921-4997-9292-23ee4074aa6a">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>PQcg81RwLMD9t8Dwl361CtzFum4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>U0KuqCCT9GDc2O7BnHGgDRGrIrdCYBYparrkmXjkX638fao8yHWrN0FwjK/RF3m319G/EqZNHhqvk3/5eIULYffWbJlp1TaZbDDc5MSR1IjhKf2KWWAj4lhdkrN2nt1dT/YXVSBCi6XmbarUOkmW37eFLwdHJPLZKI+PVjjMp681E7OGXL7BIVStNMFJXX/rx/tgBO8FMOS1xHU476Pgjkx7JZf6ez1TCUC4X3ta7dI7U381liJAOTz0YMPurmSVeUbpBRxQeF3WYaqZd+cCR8qPOpqtBL7sbEzQCRr8+CpjJevQDrEjbZWvDyPc8CX7kKULeQWjhV77NneKjc60QQ==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate><!-- certificate value not present on the page --></X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
    HTTP Response Headers:
    Content-Length: 6192
    Content-Type: application/soap+xml; charset=utf-8
    Date: Thu, 20 Jul 2017 15:59:31 GMT
    Server: Microsoft-HTTPAPI/2.0
    Elapsed Time: 133 ms.

    The user that is not working seems to be missing the NameIdentifier attribute highlighted above. How can I get this resolved? It's only 5 out of 40 users that are affected.

    Thanks in advance.


    • Edited by sburkitt Thursday, July 20, 2017 6:42 PM Grammar Edit
    Thursday, July 20, 2017 6:20 PM
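    Added example (not from the original post and not Microsoft's code): a small Python checker that parses a SAML 1.1 assertion like the two above and reports which identity claims it carries, so the failing and working tokens can be compared side by side instead of by eye. The sample tokens embedded below are constructed, modelled on the shape of the two tokens in the post (issuer `adfs.example.com`, a made-up ImmutableID and UPN, stub signature elements); the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML1, "ds": DS}


def inspect_assertion(xml_text):
    """Pull the identity-bearing pieces out of a SAML 1.1 assertion.

    This only reads claims; it does not verify the XML signature. A relying
    party must verify the signature against the trusted signing certificate
    before acting on anything returned here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        raise ValueError("not a SAML 1.1 Assertion element")
    audience = root.find(".//saml:Audience", NS)
    # NameIdentifier can sit under the Subject of either statement type;
    # the working token in the post carries it in both.
    name_id = root.find(".//saml:Subject/saml:NameIdentifier", NS)
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("AttributeName")] = value.text if value is not None else None
    return {
        "assertion_id": root.get("AssertionID"),
        "issuer": root.get("Issuer"),
        "audience": audience.text if audience is not None else None,
        "name_identifier": name_id.text if name_id is not None else None,
        "attributes": attrs,
        "signature_method": sig_method.get("Algorithm") if sig_method is not None else None,
    }


def missing_claims(report):
    """Names of the claims the working token carries that this token lacks."""
    missing = []
    if report["name_identifier"] is None:
        missing.append("NameIdentifier")
    for name in ("UPN", "ImmutableID"):
        if name not in report["attributes"]:
            missing.append(name)
    return missing


def _sample_token(subject_inner, attribute_statement, sig_alg):
    # Constructed sample modelled on the tokens in the post. The signature
    # element is a stub and would never validate; it is here only so the
    # SignatureMethod can be read out.
    return (
        '<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_sample" '
        'Issuer="http://adfs.example.com/adfs/services/trust" '
        'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
        '<saml:Conditions><saml:AudienceRestrictionCondition>'
        '<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>'
        '</saml:AudienceRestrictionCondition></saml:Conditions>'
        + attribute_statement +
        '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
        '<saml:Subject>' + subject_inner +
        '<saml:SubjectConfirmation><saml:ConfirmationMethod>'
        'urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>'
        '</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:SignatureMethod Algorithm="' + sig_alg + '"/></ds:SignedInfo>'
        '<ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature></saml:Assertion>'
    )


IMMUTABLE_ID = "AAECAwQFBgcICQoLDA0ODw=="  # constructed: base64 of 16 bytes, like an objectGUID
NAME_ID = ('<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
           + IMMUTABLE_ID + '</saml:NameIdentifier>')
ATTRS = ('<saml:AttributeStatement><saml:Subject>' + NAME_ID + '</saml:Subject>'
         '<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">'
         '<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>'
         '<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">'
         '<saml:AttributeValue>' + IMMUTABLE_ID + '</saml:AttributeValue></saml:Attribute>'
         '</saml:AttributeStatement>')

# Shaped like the working token (claims present, rsa-sha1) and the failing
# token (no AttributeStatement, no NameIdentifier, rsa-sha256) in the post.
WORKING_TOKEN = _sample_token(NAME_ID, ATTRS, "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
FAILING_TOKEN = _sample_token("", "", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

if __name__ == "__main__":
    for label, token in (("working", WORKING_TOKEN), ("failing", FAILING_TOKEN)):
        report = inspect_assertion(token)
        print(label, "| signed with:", report["signature_method"],
              "| missing:", ", ".join(missing_claims(report)) or "none")
```

    Run against the two real tokens (save each `<saml:Assertion>` element to a file and pass its text to `inspect_assertion`), the report for the failing user shows no NameIdentifier, no UPN and no ImmutableID attribute at all, and also that its assertion was signed with rsa-sha256 while the working one was signed with rsa-sha1; both differences are visible in the tokens above and are worth raising with whoever maintains the relying party trust.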

All replies

  • objectGUID is passed in the NameID; this is strange if it is missing for a few users. Are you using ADFS? I see the trust type is SAML. Are your users located in on-premises Active Directory or other stores?

    Saturday, July 22, 2017 11:03 AM
  • Well, the NameID has whatever is set in the Issuance Rules of the Relying Party Trust, not necessarily the objectGUID (although it would make sense to use that one, as it doesn't change for a user).

    Can you tell us more about the Issuance Transformation Rules you have set on the Relying Party trust?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, July 24, 2017 7:39 PM