Forum Discussion
Sharepoint Online persistent SSO with APM SAML
Hi all,
We have an APM configuration working successfully with SAML SSO to Office365.
What we'd like to do now is work out whether we can manipulate the timeout settings for users hitting Sharepoint Online. Microsoft have an online article at https://technet.microsoft.com/en-us/library/mt148493(v=ws.11).aspx for doing this with ADFS, but I believe that ADFS uses WS-Fed and not SAML and therefore we don't know if there is an equivalent SAML attribute to pass through to Sharepoint Online to achieve the same thing.
Has anyone done this before and able to advise whether such an attribute exists?
6 Replies
- Michael_Koyfman
Cirrocumulus
So, I looked at the article and further PSSO definition, and I don't quite fully understand exactly how it works yet - but I am guessing that if ADFS sets PSSO cookie and sends that claim to Azure AD, then Azure AD will be sending persistent cookies for Sharepoint Online to the browser. Do you know if that is the case?
- MiLK_MaN
Nimbostratus
No idea. We were on a call with Microsoft, but unfortunately they only knew how to configure the ADFS portion and had no idea what transpires at a protocol level.
One of my colleagues did find this information which looks promising though:
http://schemas.microsoft.com/2014/03/psso = true
Dug around looking to convert MS Claims to SAML; found a bunch of stuff but this was most interesting.
The customer is not keen for us to be experimenting in their environment, so would be great to get some information whether this would be the solution to their issue and whether anything needs to be done on the Azure side of things.
- Michael_Koyfman
Cirrocumulus
Yes, the problem is that it's in WS-Trust format. Normally, AzureAD is consuming a SAML 1.1 payload wrapped in a WS-Trust wrapper; ultimately this is called WS-Fed. :)
So, I've tried to send similar attributes to them via SAML 2.0, and they are getting ignored and persistent SSO does not seem to happen. We need to find out from Microsoft whether they are capable of ingesting any SAML attributes when federating logon using SAML instead of WS-Fed.
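An added example, not code from the thread, from F5 APM or from Microsoft: the claim type `http://schemas.microsoft.com/2014/03/psso` from the linked ADFS article, spelled the two ways the posts above contrast (a SAML 1.1 attribute inside a WS-Fed token, where ADFS splits the claim URI into AttributeNamespace and AttributeName, versus a SAML 2.0 attribute whose Name is the whole URI), plus a check that pulls the claim out of a captured assertion or base64 SAMLResponse so you can confirm what the IdP actually emitted. The sample claims, IDs and UPN value are constructed. It does not settle whether Azure AD honours the claim when it arrives over SAML 2.0, which is the open question in the thread.

```python
"""Spell the ADFS persistent-SSO claim in both token formats discussed above.

Constructed example; not code from the thread, F5 APM or Microsoft. The only
facts reused are the claim type URI and the point that Azure AD normally
consumes a SAML 1.1 payload wrapped in WS-Trust (WS-Fed). Whether Azure AD acts
on the claim inside a SAML 2.0 assertion is NOT answered here.
"""
import base64
import xml.etree.ElementTree as ET

PSSO_CLAIM = "http://schemas.microsoft.com/2014/03/psso"

NS_SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"   # token body inside WS-Fed
NS_SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def split_claim_type(claim_type):
    """SAML 1.1 carries a claim type as AttributeNamespace + '/' + AttributeName
    (the way ADFS emits claims); split the URI on its last slash."""
    namespace, _, name = claim_type.rpartition("/")
    return namespace, name


def build_saml11_assertion(claims):
    """Minimal SAML 1.1 Assertion (Subject, Conditions and Signature omitted)
    carrying the claims the way a WS-Fed token from ADFS would."""
    ns = f"{{{NS_SAML11}}}"
    assertion = ET.Element(ns + "Assertion", MajorVersion="1", MinorVersion="1",
                           AssertionID="_constructed-saml11")
    statement = ET.SubElement(assertion, ns + "AttributeStatement")
    for claim_type, value in claims.items():
        namespace, name = split_claim_type(claim_type)
        attr = ET.SubElement(statement, ns + "Attribute",
                             AttributeName=name, AttributeNamespace=namespace)
        ET.SubElement(attr, ns + "AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def build_saml2_assertion(claims):
    """Minimal SAML 2.0 Assertion carrying the same claims the way a SAML 2.0 IdP
    (APM, in the thread) would: the whole claim URI becomes the attribute Name."""
    ns = f"{{{NS_SAML2}}}"
    assertion = ET.Element(ns + "Assertion", Version="2.0", ID="_constructed-saml2")
    statement = ET.SubElement(assertion, ns + "AttributeStatement")
    for claim_type, value in claims.items():
        attr = ET.SubElement(statement, ns + "Attribute",
                             Name=claim_type, NameFormat=URI_NAME_FORMAT)
        ET.SubElement(attr, ns + "AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def claim_values(assertion_xml, claim_type):
    """Return every value of claim_type found in SAML 1.1 or SAML 2.0 XML (a bare
    Assertion or a Response wrapping one), so a captured token can be checked for
    whether the IdP actually emitted the claim."""
    root = ET.fromstring(assertion_xml)
    found = []
    for attr in root.iter(f"{{{NS_SAML2}}}Attribute"):
        if attr.get("Name") == claim_type:
            found += [v.text for v in attr.findall(f"{{{NS_SAML2}}}AttributeValue")]
    for attr in root.iter(f"{{{NS_SAML11}}}Attribute"):
        joined = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        if joined == claim_type:
            found += [v.text for v in attr.findall(f"{{{NS_SAML11}}}AttributeValue")]
    return found


def claim_values_from_post(saml_response_b64, claim_type):
    """Same check on the base64 SAMLResponse form field from a browser capture
    (HTTP-POST binding)."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    return claim_values(xml_text, claim_type)


# Constructed sample: what the SAMLResponse field would contain if a SAML 2.0 IdP
# sent the PSSO claim plus an unrelated UPN claim (hypothetical user).
SAMPLE_CLAIMS = {
    PSSO_CLAIM: "true",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "user@example.invalid",
}
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(
    build_saml2_assertion(SAMPLE_CLAIMS).encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(build_saml11_assertion({PSSO_CLAIM: "true"}))
    print(build_saml2_assertion({PSSO_CLAIM: "true"}))
    print(claim_values_from_post(SAMPLE_SAMLRESPONSE_B64, PSSO_CLAIM))
```

To check a real capture, paste the SAMLResponse value from the browser's POST to the service into `claim_values_from_post`; an empty list means the IdP never sent the claim, which separates an APM attribute-mapping problem from Azure AD ignoring a claim it did receive.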
