After configuring SSO in our internal Collaboration environment, a few things to remember:
Cross-check time sync (!!!). It cost me quite some time in troubleshooting because I expected that AD was synchronized. Don't do that. Seriously.
Be careful with the Claim Rules. The documentation may be misleading about the namequalifier property, probably due to versioning differences between ADFS 2 and 3.
Claim Rules should consist of the following:
1.) Send LDAP Attributes as Claims: attribute store Active Directory, map SAM-Account-Name to uid.
2.) Send Claims Using a Custom Rule: paste the following:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "Note1*", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "Note2*");
Note1) EntityID of the ADFS (pull from entityID in FederationMetaData.xml, i.e. http://fqdn/adfs/services/trust for ADFS 3.0)
Note2) EntityID of the Collaboration-host (pull from entityID in SPMetadata_fqdn.xml, i.e. fqdn)
…also, be careful with line breaks when copying the custom rule: it must be a single line.
If you need to debug, the option to change the SAML log level is missing in CCMService. Use the CLI command to change the level:
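As an added example (not code from the original post), the script below checks the two things the notes above hinge on once an assertion actually arrives: that the NameID carries the transient format, the ADFS entityID as NameQualifier and the Collaboration host's entityID as SPNameQualifier (Note1 and Note2), and that the assertion's NotBefore/NotOnOrAfter window agrees with the local clock within a tolerance, which is what the time-sync warning at the top comes down to. The metadata documents, the assertion, the hostnames and the timestamps are constructed samples, and the 3-minute tolerance is an assumption for this example, not a product default.

```python
"""Sanity-check a SAML assertion against the IdP and SP metadata.

Constructed example: entityIDs, hostnames and timestamps are placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed IdP metadata, trimmed to the root of a FederationMetadata.xml.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.test/adfs/services/trust"/>"""

# Constructed SP metadata, trimmed to the root of an SPMetadata_fqdn.xml.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="cucm.example.test"/>"""

# Constructed assertion shaped like what the custom claim rule above produces.
ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://adfs.example.test/adfs/services/trust</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="http://adfs.example.test/adfs/services/trust"
            SPNameQualifier="cucm.example.test">_a1b2c3</NameID>
  </Subject>
  <Conditions NotBefore="2015-01-01T12:00:00Z" NotOnOrAfter="2015-01-01T13:00:00Z"/>
</Assertion>"""


def entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the root EntityDescriptor."""
    return ET.fromstring(metadata_xml).attrib["entityID"]


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC xs:dateTime form ('...Z') used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_name_id(assertion_xml: str, idp_entity_id: str, sp_entity_id: str) -> List[str]:
    """Compare the NameID properties with the entityIDs from both metadata files.

    Returns a list of problems; an empty list means the qualifiers line up.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in Subject"]
    problems = []
    if name_id.get("Format") != TRANSIENT:
        problems.append("NameID Format is not transient")
    if name_id.get("NameQualifier") != idp_entity_id:
        problems.append("NameQualifier does not match IdP entityID")
    if name_id.get("SPNameQualifier") != sp_entity_id:
        problems.append("SPNameQualifier does not match SP entityID")
    return problems


def check_validity_window(assertion_xml: str, now: Optional[str] = None,
                          skew: timedelta = timedelta(minutes=3)) -> List[str]:
    """Check the Conditions window against the local clock.

    `now` is a SAML-style UTC timestamp (defaults to the real clock); `skew` is
    the tolerance allowed for clock drift between IdP and SP (assumed value).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    local = parse_saml_time(now) if now else datetime.now(timezone.utc)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    problems = []
    if local + skew < not_before:
        problems.append(f"not yet valid: local clock is {not_before - local} behind NotBefore")
    if local - skew >= not_on_or_after:
        problems.append(f"expired: local clock is {local - not_on_or_after} past NotOnOrAfter")
    return problems


def run_checks(assertion_xml: str, now: Optional[str] = None) -> List[str]:
    """Run both checks with the entityIDs taken from the metadata documents."""
    idp, sp = entity_id(IDP_METADATA), entity_id(SP_METADATA)
    return check_name_id(assertion_xml, idp, sp) + check_validity_window(assertion_xml, now)


if __name__ == "__main__":
    for problem in run_checks(ASSERTION, "2015-01-01T12:30:00Z") or ["assertion looks consistent"]:
        print(problem)
```

A clock that is ten minutes behind the ADFS server makes a perfectly good assertion report as "not yet valid", which is the symptom behind the time-sync remark; the qualifier checks catch the case where Note1 or Note2 was filled in with the wrong value.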
admin:set samltrace level DEBUG
Thanks to CSCul45929 for pointing this out.
The next step will be to convince our NetScaler to become an ADFS proxy and to deploy this to the Expressway as well. 🙂