Forum Discussion
Office 365 SAML token rejection
I have configured the Office 365 SAML iApp for authentication, and to all intents and purposes it looks as though APM is successfully authenticating a user and issuing a token. However when the token is submitted to Office 365 I receive the response:
Sorry but we're having trouble signing you in. We've received a bad response.
AADSTS50000 there was an error issuing a token.
I'm using a URI as an identifier as opposed to a URN. I've investigated as much as I can (but by no means an expert), confirming certificate thumbprints are uploaded to O365 and time is in sync. I have dug into the HTTP requests with Fiddler. I can see the SAML request and response. I see it submitted in the header to O365. Verified users are synchronised to Azure AD. Furthermore I've checked for additional proceeding slashes in the configuration between APM & O365.
Really struggling to understand the problem. Any suggestions/ help would be greatly appreciated.
- kunjan (Nimbostratus)
What is the value configured for 'Assertion Subject Value*:' on APM? You may want to verify this value with MS.
- Sergi_Munyoz_24 (Nimbostratus)
Not sure if it can help you, but I found that a slash was needed at the end of the entity ID. That is: https://idp.xxx.com gave me errors while https://idp.xxx.com/ works perfectly.
- kunjan (Nimbostratus)
Okay, so that should be something required by O365? Any concern in configuring with an ending slash?
- Sergi_Munyoz_24 (Nimbostratus)
I did find this issue with O365, not with other SPs I have configured. Also, as the SP number grew, I had problems ending the entityID in a URI like /idp/ or similar (can't remember why at this moment, maybe I was doing something wrong), so I finally ended up setting up every IdP service with the entityID as https://idp.xxx.com/
- Sergi_Munyoz_24 (Nimbostratus)
Also, you must call an iRule to encode the attribute to b64. Let me know if you don't have the code.
- kunjan (Nimbostratus)
The DG does indicate this ending-slash URL for the entity ID: https://www.f5.com/pdf/deployment-guides/microsoft-office-365-idp-dg.pdf. So that could be a known format.
- JBlogs_314812 (Nimbostratus)
Thanks for the comments. I have this working now; it was an issue with the encode iRule, more specifically the AD query wasn't returning the attributes needed for the iRule. Worth noting, I don't have a trailing slash, but both the APM and O365 configurations match. Thanks for the help.
- Sergi_Munyoz_24 (Nimbostratus)
Maybe if the entityID includes a URI like /idp this problem does not come out. Do you have it? But we had https://idp.xxx.com at both places and until we added the slash it didn't work.
- chrisbarr2017_3 (Nimbostratus)
I had the same issue... missing objectGUID
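The two failure modes the thread converges on are (a) an issuer/entityID string that differs between APM and O365 by nothing more than a trailing slash, and (b) an AD query that does not return objectGUID, so the base64 ImmutableID the assertion needs cannot be built. The following is an added example, not code from the thread, from F5 or from the Office 365 iApp: a small Python pre-flight check that models both conditions. It assumes the O365 convention that ImmutableID is the base64 encoding of the raw 16-byte objectGUID (the Azure AD Connect default sourceAnchor), and the sample attribute dictionaries are constructed for illustration; the attribute names "objectGUID" and "mail" are the ones an LDAP query would return, but the function names are this example's own.

```python
import base64


def entity_ids_match(idp_entity_id: str, sp_configured_issuer: str) -> bool:
    """SAML Issuer comparison is a byte-exact string match.

    There is no URL normalisation, so 'https://idp.xxx.com' and
    'https://idp.xxx.com/' are two different issuers to the SP.
    """
    return idp_entity_id == sp_configured_issuer


def immutable_id_from_objectguid(raw_guid: bytes) -> str:
    """Encode the raw AD objectGUID (16 bytes) as the base64 ImmutableID.

    Assumption: O365 expects base64 of the raw GUID bytes, not of the
    textual GUID form, so a 16-byte input always yields a 24-char string.
    """
    if len(raw_guid) != 16:
        raise ValueError(f"objectGUID must be 16 raw bytes, got {len(raw_guid)}")
    return base64.b64encode(raw_guid).decode("ascii")


def build_assertion_attributes(ad_attrs: dict) -> dict:
    """Build the two attributes the O365 assertion needs from an AD result.

    Fails loudly when objectGUID is absent, which is the silent failure
    described in the thread (AD query not returning the needed attribute).
    """
    raw_guid = ad_attrs.get("objectGUID")
    if raw_guid is None:
        raise KeyError("objectGUID missing from AD query result; cannot build ImmutableID")
    mail = ad_attrs.get("mail")
    if not mail:
        raise KeyError("mail missing from AD query result; cannot set IDPEmail")
    return {
        "ImmutableID": immutable_id_from_objectguid(raw_guid),
        "IDPEmail": mail,
    }


def preflight(idp_entity_id: str, sp_issuer: str, ad_attrs: dict) -> list:
    """Return a list of human-readable findings; empty list means no issue found."""
    findings = []
    if not entity_ids_match(idp_entity_id, sp_issuer):
        findings.append(
            f"issuer mismatch: APM sends {idp_entity_id!r}, O365 expects {sp_issuer!r}"
        )
    try:
        build_assertion_attributes(ad_attrs)
    except (KeyError, ValueError) as exc:
        findings.append(f"attribute problem: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample data: a placeholder tenant and a fixed 16-byte GUID.
    good_attrs = {"objectGUID": bytes([0x01] * 16), "mail": "user@example.test"}
    missing_guid = {"mail": "user@example.test"}

    # Trailing-slash mismatch between the two sides, as in the thread.
    for finding in preflight("https://idp.xxx.com", "https://idp.xxx.com/", good_attrs):
        print(finding)
    # Matching issuers but AD did not return objectGUID.
    for finding in preflight("https://idp.xxx.com/", "https://idp.xxx.com/", missing_guid):
        print(finding)
```

Running the check with both sides configured identically and a complete AD record returns no findings; either the slash mismatch or the missing attribute produces one line naming the cause, which is quicker to act on than the generic AADSTS50000 response O365 returns.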