[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wsas-java-dev
Subject:    [Dev] Office365 Federation for Dual Domain with WSO2 Identity Server
From:       Dewni Weeraman <dewni () wso2 ! com>
Date:       2019-07-31 11:27:27
Message-ID: CALLpvaZsemf5QhTS3GBvyRF2jJw7gDAKUoa4gmF7c7tVvPrP2w () mail ! gmail ! com



Hi All,

Currently, I am working on the $subject. Please find the detailed
description of the tasks below.

Step 01 - Configuring WSO2 IS to handle Office 365 with a single domain.
Step 02 - Testing out how WSO2 IS can handle Office 365 Federation with
multiple domains in multiple IS instances (a single IS instance dedicated
to a single domain).
Step 03 - Integrating IS to tackle the issue of Office 365 federation for
dual domain in a single IS tenant instance.

Step 01 and Step 02 have been completed. Please find [1] and [2] for the
instructions on how to carry out Step 01.

While carrying out Step 02, the following limitations were identified.

1. Two domains in Office 365 use the same Service Provider entity id (SP
issuer name).

In IS, two domains are represented as two service providers. Each service
provider (in the same tenant instance) should have a unique issuer name.

2. Office 365 requires a unique IdP entity ID for each domain.

In IS the same IDP entity ID is utilized for all service providers
available in a given tenant.

Therefore, considering the aforementioned points, the current solution to
tackle the $subject is to have an IS tenant configured per domain. However,
where there is a requirement to do this in a single IS instance, the
current release of WSO2 IS doesn't have support for it.

As Step 03, we will be introducing two new attributes for SAML inbound
authentication configurations when creating a Service Provider.

   - Service Provider Qualifier - The value defined here will be appended
   to the end of the "Issuer" value when registering the SAML SP in the
   Identity Server. This allows configuring multiple SAML SSO inbound
   authentication configurations for the same "Issuer" value.


   - IdP Entity ID Alias - "Identity Provider Entity ID" specified under
   SAML SSO Inbound Authentication configuration in "Resident IdP" can be
   overridden with this value.

The PRs for this are available at [3] and [4]. I'll be working on resolving
the merge conflicts.


[1] https://medium.com/@dewni.matheesha/office365-configurations-with-wso2-identity-server-for-saml2-authentication-d234cb333293
[2] https://medium.com/@dewni.matheesha/user-provisioning-to-azure-ad-from-wso2-identity-server-bf7f89d30c5
[3] https://github.com/wso2-extensions/identity-inbound-auth-saml/pull/201
[4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/994

Thanks & Regards,
Dewni
-- 
Dewni Weeraman | Software Engineer | WSO2 Inc.
(m) +94 077 2979049 | (e) dewni@wso2.com <nipunib@wso2.com>

<http://wso2.com/signature>


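The two attributes described in the message above, as an added example that is not part of the original post and not WSO2 Identity Server code: a small per-tenant SP registry in which two Office 365 domains share one SP issuer (`urn:federation:MicrosoftOnline`) and are told apart by a Service Provider Qualifier, while each SP carries its own IdP Entity ID Alias that replaces the resident IdP's entity ID in the `<saml:Issuer>` of the Response and Assertion. The storage-key format (`issuer:urn:sp:qualifier:<qualifier>`), the idea that the qualifier arrives as a request parameter on the SSO endpoint, the domain names and the alias URLs are all assumptions made for illustration.

```python
"""Resolving a SAML SP configuration when two Office 365 domains share one SP
issuer.  Example code written for this page, not WSO2 Identity Server code;
the key format, parameter handling, domains and alias URLs are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

# Office 365 presents the same SP entity ID and ACS URL for every federated domain.
O365_SP_ISSUER = "urn:federation:MicrosoftOnline"
O365_ACS_URL = "https://login.microsoftonline.com/login.srf"

# Assumed separator between the issuer and the qualifier in the stored key.
QUALIFIER_SEPARATOR = ":urn:sp:qualifier:"

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in SAML_NS.items():
    ET.register_namespace(_prefix, _uri)


@dataclass(frozen=True)
class SamlSpConfig:
    issuer: str                                # SP entity ID as the SP sends it
    acs_url: str
    qualifier: Optional[str] = None            # "Service Provider Qualifier"
    idp_entity_id_alias: Optional[str] = None  # "IdP Entity ID Alias"

    @property
    def storage_key(self) -> str:
        """Issuer with the qualifier appended, so equal issuers stay distinct."""
        if self.qualifier:
            return f"{self.issuer}{QUALIFIER_SEPARATOR}{self.qualifier}"
        return self.issuer


class SamlSpRegistry:
    """One tenant's SAML SP configurations, keyed by (issuer, qualifier)."""

    def __init__(self, resident_idp_entity_id: str) -> None:
        self.resident_idp_entity_id = resident_idp_entity_id
        self._configs: Dict[str, SamlSpConfig] = {}

    def register(self, config: SamlSpConfig) -> str:
        key = config.storage_key
        if key in self._configs:
            raise ValueError(f"duplicate SAML SP configuration: {key}")
        self._configs[key] = config
        return key

    def resolve(self, issuer: str, qualifier: Optional[str] = None) -> SamlSpConfig:
        """Pick the SP config for an incoming AuthnRequest.  Both domains send the
        same Issuer, so the qualifier (assumed to be a parameter on the SSO
        endpoint) is the only thing that disambiguates them; an unqualified
        lookup must not silently fall back to either domain."""
        key = issuer + (f"{QUALIFIER_SEPARATOR}{qualifier}" if qualifier else "")
        if key not in self._configs:
            raise LookupError(f"no SAML SP for issuer={issuer!r} qualifier={qualifier!r}")
        return self._configs[key]

    def response_issuer(self, config: SamlSpConfig) -> str:
        """<saml:Issuer> for the Response: the per-SP alias if set, otherwise the
        resident IdP entity ID shared by all SPs in the tenant."""
        return config.idp_entity_id_alias or self.resident_idp_entity_id

    def build_response_skeleton(self, config: SamlSpConfig) -> str:
        """Minimal unsigned Response showing where the alias and audience land."""
        samlp, saml = SAML_NS["samlp"], SAML_NS["saml"]
        resp = ET.Element(f"{{{samlp}}}Response", Destination=config.acs_url)
        ET.SubElement(resp, f"{{{saml}}}Issuer").text = self.response_issuer(config)
        assertion = ET.SubElement(resp, f"{{{saml}}}Assertion")
        ET.SubElement(assertion, f"{{{saml}}}Issuer").text = self.response_issuer(config)
        conditions = ET.SubElement(assertion, f"{{{saml}}}Conditions")
        restriction = ET.SubElement(conditions, f"{{{saml}}}AudienceRestriction")
        ET.SubElement(restriction, f"{{{saml}}}Audience").text = config.issuer
        return ET.tostring(resp, encoding="unicode")


def extract_issuer_and_audience(xml_text: str) -> Tuple[str, str]:
    """Read back the Response Issuer and the Assertion Audience."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", SAML_NS).text
    audience = root.find(".//saml:Audience", SAML_NS).text
    return issuer, audience


def build_demo_registry() -> SamlSpRegistry:
    """Constructed sample: two Office 365 domains in one tenant (names assumed)."""
    registry = SamlSpRegistry(resident_idp_entity_id="https://idp.example.com/saml")
    for domain in ("example.com", "example.net"):
        registry.register(SamlSpConfig(
            issuer=O365_SP_ISSUER,
            acs_url=O365_ACS_URL,
            qualifier=domain,
            idp_entity_id_alias=f"https://idp.example.com/saml/{domain}",
        ))
    return registry


if __name__ == "__main__":
    reg = build_demo_registry()
    for domain in ("example.com", "example.net"):
        cfg = reg.resolve(O365_SP_ISSUER, domain)
        print(cfg.storage_key, "->", extract_issuer_and_audience(reg.build_response_skeleton(cfg)))
```

The alias returned by `response_issuer` has to match the IssuerUri that the corresponding Office 365 domain was federated with; since both SPs share the same ACS URL, selecting the wrong configuration would produce a well-formed Response that Office 365 simply rejects for the other domain, so the resolution step is the one to test when adding this kind of override.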



_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

