Forum Discussion
Is there a way in iRules to modify which IDP profile the APM selects?
I'm going to try to answer all of Kevin's questions at once, hopefully :).
I'm going to back up and try to better explain the overall scenario and what I am trying to do, rather than ask how to do a specific solution. (This is apparently how most multi-top-level-domains-in-Office365 scenarios work).
In this scenario, there is one overall Active Directory domain that everyone is a part of, with a single set of on-prem active directory domain controllers. However, this is a college, so while students and faculty technically are in the same AD domain, they each have different email domains (for example, @college.com for faculty and @email.college.com for students). Each of these two email domains is set up as a top level domain in Office365, and both are under the same Office365 tenant ID that the college owns.
When an SP initiated SAML assertion request comes in from O365, there is no way to distinguish which domain it is for. It uses the same issuer ID for every domain, and asks that we provide a SAML assertion. Despite not having a way to distinguish which domain this is for, we can easily look the user up in AD (again, it's the same AD infrastructure for them all, so we only have to search once, but even if it was multiple AD infrastructures we could still easily set up an APM policy where we search against several different AD AAA configurations in turn). Also, when we do the AD query, we can easily look up their mail attribute in AD, so it's very easy to tell which domain they are a part of at that time.
Here's where we start getting close to the problem. Microsoft requires different issuer IDs for each domain when you send your assertion back to Office365. It doesn't matter what the issuer IDs are (you can arbitrarily set them in Office 365), but they must be unique. Example: for the first domain we might want to send an issuerID of and the other could be https://email.college.com. So the open-ended question is this: how do I at runtime send assertions with different issuer IDs to Office365 when both domains are using the same virtual server/access policy as the IDP?
Solutions I've tried: What I tried to do first was set up two different IDP configurations, each with a different issuer ID, but otherwise the same. The problem is that those have to be bound to two different external SP configurations, distinguishable by IssuerID. In this case I basically only have one external SP, and it is exactly the same for both of them. (This is why my original question was focused on asking how I can switch between IDP configurations based on something other than having the IssuerID match an external SP provider)
My second idea was to have just one IDP configuration with one IssuerID, but try to use an iRule to change it at response time. (This is basically how ADFS works with their "SupportMultipleDomain" switch and additional claims rules: the rules use regexes to take domain from the user's UPN or mail address and insert it into the issuer ID - a really good article showing exactly how this is accomplished technically is at http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx). But, I couldn't find any SAML iRule hooks that would let me do that, and anyway any hook would have to be before the assertion was signed to avoid invalidating it.
So I'm still at my original question, which is basically how to change which issuer ID I send Office365 at runtime, based on the user's UPN/mail domain.
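The mail-domain-to-issuer selection described in the post, as an added illustration that is not the poster's code and not an F5 iRule: the mail domains, issuer URLs and signing key are constructed placeholders, and an HMAC stands in for the XML signature to show why the issuer must be fixed before the assertion is signed.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed mapping of mail domain -> issuer (entity ID) registered for that
# federated domain in Office 365. The values are assumed placeholders.
ISSUER_BY_MAIL_DOMAIN = {
    "college.com": "https://college.com",
    "email.college.com": "https://email.college.com",
}

MAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def mail_domain(mail: str) -> Optional[str]:
    """Lower-cased domain of an AD mail attribute, or None if it is malformed."""
    m = MAIL_RE.match(mail.strip())
    return m.group(1).lower() if m else None


def select_issuer(mail: str) -> str:
    """Map the user's mail domain to the issuer registered for it.

    Only allow-listed domains are accepted: building the issuer by regex
    substitution from the mail/UPN value would let an unexpected subdomain
    or look-alike domain yield an issuer that was never registered.
    """
    dom = mail_domain(mail)
    if dom is None:
        raise ValueError(f"malformed mail attribute: {mail!r}")
    if dom not in ISSUER_BY_MAIL_DOMAIN:
        raise ValueError(f"no federated issuer configured for {dom!r}")
    return ISSUER_BY_MAIL_DOMAIN[dom]


def signed_assertion(mail: str, key: bytes) -> Tuple[str, str]:
    """Fix the Issuer first, then sign. HMAC stands in for XML-DSig here."""
    body = f"<Issuer>{select_issuer(mail)}</Issuer><NameID>{mail}</NameID>"
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def signature_valid(body: str, sig: str, key: bytes) -> bool:
    """Editing the Issuer after signing (a response-time hook) fails this check."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

The allow-list is the point: the issuer is chosen from the directory attribute, never assembled from it, and any hook that rewrites it after signing produces an assertion the service provider will reject.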