Thanks for taking the time to post this Andy. I’m watching with interest. Is your Azure AD local or ‘in the cloud’?


Alistair


-- 

mov eax,1
mov ebx,0
int 80h


From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of "Andy Swiffin (Staff)" <[log in to unmask]>
Reply-To: Discussion list for Shibboleth developments <[log in to unmask]>
Date: Tuesday, 30 May 2017 at 09:52
To: "[log in to unmask]" <[log in to unmask]>
Subject: Re: Shibboleth and the Azure IdP


I’m going to be very sad and reply to my own email. I want to give an update on where we’re now at.


We managed to get a Shibboleth SP authenticating against Azure AD and receiving attributes. But we were stumped as to how to modify the attribute flow, as there was no “Attributes” tab as we had seen in certain documentation. So we opened a support call and had a very useful chat with someone who directed us to the new portal and a different way to create our app.


We were using the old manage.windowsazure portal as this is the route that the other applications (our Service Desk, Topdesk) had used.  With this you get an application with no Attributes tab and a “Manifest” you download and modify for certain things.


We were directed to portal.azure.com, and there you pick Azure AD -> Enterprise applications -> New application, and you end up with an application that looks very different and has the attribute tab (even if you look at it with manage.windowsazure). They both create what claim to be “web applications” but look very different; we’re still trying to get our heads around this. We’re at a very early stage in experimenting and maybe missing the obvious, but it’s all very confusing!


The bottom line is we can now get assertions that contain things like:


      <Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
        <AttributeValue>[log in to unmask]</AttributeValue>
      </Attribute>

Or

      <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <AttributeValue>[log in to unmask]</AttributeValue>
      </Attribute>


The SP is quite happy with these; we’re waiting on another chat to see how we could do multivalued things like eduPersonScopedAffiliation.


Cheers

Andy
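As an added illustration (my own example, not code from Andy’s email or from the Shibboleth project), here is the SP-side step that makes the two Name forms above interchangeable, and what a multi-valued scoped attribute such as eduPersonScopedAffiliation looks like once mapped. The ATTRIBUTE_MAP table is a hypothetical stand-in for the entries in the SP’s attribute-map.xml, the scope filter stands in for the rules the SP applies from attribute-policy.xml, and the assertion fragment, the user jbloggs and the scope example.ac.uk are all constructed for the example.

```python
# Added example (not from the thread or the Shibboleth project): how an SP-side
# attribute map turns the two Name forms seen in the thread into one attribute,
# and how a multi-valued scoped attribute such as eduPersonScopedAffiliation
# comes out after scope filtering.
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_NS}

# Hypothetical stand-in for attribute-map.xml: both the urn:mace: and the
# urn:oid: Name map onto the same SP attribute id.
ATTRIBUTE_MAP = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "eppn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": "affiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation",
}

# Attributes whose values carry an "@scope" suffix that the IdP must be
# entitled to assert (stand-in for the SP's attribute-policy.xml scope rules).
SCOPED_ATTRIBUTES = {"eppn", "affiliation"}


def map_attributes(assertion_xml: str, allowed_scope: str) -> dict:
    """Return {sp_attribute_id: [values...]} for the mapped attributes.

    Name is compared exactly, so an attribute whose Name is not in the map
    (or carries a stray leading space) is simply dropped.  Scoped values
    whose scope is not allowed_scope are dropped too, so the IdP cannot
    assert staff@some-other-institution for a user.
    """
    root = ET.fromstring(assertion_xml)
    mapped: dict = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        sp_id = ATTRIBUTE_MAP.get(attr.get("Name", ""))
        if sp_id is None:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if not text:
                continue
            if sp_id in SCOPED_ATTRIBUTES:
                _, sep, scope = text.rpartition("@")
                if not sep or scope.lower() != allowed_scope.lower():
                    continue  # foreign or missing scope: not this IdP's to assert
            mapped.setdefault(sp_id, []).append(text)
    return mapped


# Constructed assertion fragment (not a real capture): the OID form of
# eduPersonPrincipalName, a three-valued eduPersonScopedAffiliation with one
# value in a foreign scope, and an unmapped attribute (givenName).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jbloggs@example.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@example.ac.uk</saml:AttributeValue>
      <saml:AttributeValue>member@example.ac.uk</saml:AttributeValue>
      <saml:AttributeValue>member@other.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Joe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_attributes(SAMPLE_ASSERTION, "example.ac.uk"))
```

The point for anyone wiring Azure AD to an SP this way: whichever Name form Azure AD emits, it has to match an attribute-map entry exactly, and scoped values are only trusted for the scope the IdP is allowed to assert, so a multi-valued eduPersonScopedAffiliation from Azure AD needs every value scoped to the institution’s own domain to survive the SP’s filtering.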


From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Andy Swiffin (Staff)
Sent: 18 May 2017 14:55
To: [log in to unmask]
Subject: Shibboleth and the Azure IdP


Hi,


Back last year we moved our Office 365 authentication out to the cloud and now do it directly against Azure AD. Since then we’ve set up our new service desk, TopDesk, to authenticate there and were surprised to see how familiar the environment was for someone coming from a Shibboleth background. We’re working on another system currently and wondered whether we could do the same with a Shib SP.


To cut a long story short we tried that yesterday and found it worked just fine.  We have it authenticating and receiving the limited set of attributes that are being released.


I was wondering, has anyone else tried this path? I’d like to share notes. We’re particularly interested in anyone who has customised the attribute release. While we’ve found some documentation on this, none of the screens match up with reality!


We currently have Blackboard and SITS eVision authenticating through Shibboleth and would plan to move those over to Azure AD.


Cheers

Andy Swiffin

Dundee



The University of Dundee is a registered Scottish Charity, No: SC015096