We download older Windows SAML code from packtpub.com, trying to go back in time and think how Microsoft thought about these topics BEFORE the WSE2/3 and WIF era. The assumption is that we will be closer to Win32 and the TCB. We look at a simple tester program, Chapter one, unit 2, which we amend so the form is more like what Office 365's Federation Gateway will expect and demand.
First, make a signing-capable cert, but amend the book's instructions a little (to update the maximum expiry date!).
One amends the descriptor structure for the assertion to add the desired attributes and the authentication statement:
We get the assertion as desired, though it's signed (in this program). Of course, Office probably doesn't want a signed assertion; it wants a signed ws-fedp result message (bearing the signed/unsigned SAML assertion).
But we have got closer to the "raw machine".
If we compare this to the output of Ping Federate IDP (acting as a Proxy IDP to our Realty IDP), where Ping Federate is itself a proxy IDP to the MicrosoftOnline IDP, invoked by the Office Federation Gateway (itself invoked by the Exchange Online SP!),
we see that we are missing the audience controls and fail to carry the certificate in the signature's KeyInfo. And obviously, we are as yet missing the outer ws-fedp tags.
So let's fix the obvious stuff.
To add the audience conditions and set the NameFormat property on the UPN used as the NameIdentifier:
Thanks to http://stackoverflow.com/questions/1348947/audiencerestriction-in-saml-assertion we added:
To add the certificate to the signing block:
Thanks to http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/9a2c881c-5094-40be-a650-1fe27fe465fc we changed the keyIdentifier to the X509Raw type:
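Putting the two fixes above together, here is an added example (my own code, not the PacktPub tester program) that builds a SAML 1.1 assertion with the System.IdentityModel classes of the WCF era: an AudienceRestriction condition, a NameIdentifier with an explicit Format, and a signature whose KeyInfo carries the raw X.509 certificate via X509RawDataKeyIdentifierClause. The audience URI, the NameFormat URI, the issuer and the claim namespace are assumed values for illustration, and the caller supplies an X509Certificate2 with a private key.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

class AssertionBuilder
{
    // Assumed values for this example; adjust to what the relying party actually demands.
    const string Audience = "urn:federation:MicrosoftOnline";
    const string NameFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    const string PasswordAuthn = "urn:oasis:names:tc:SAML:1.0:am:password";
    const string Issuer = "http://idp.example.test/";

    public static string BuildSignedAssertion(X509Certificate2 cert, string nameId, string upn)
    {
        DateTime now = DateTime.UtcNow;

        // Subject: NameIdentifier with the Format attribute set explicitly.
        var subject = new SamlSubject(NameFormat, null, nameId);

        // Conditions: validity window plus the AudienceRestriction the raw program lacked.
        var audience = new SamlAudienceRestrictionCondition(new[] { new Uri(Audience) });
        var conditions = new SamlConditions(now, now.AddMinutes(10), new SamlCondition[] { audience });

        // Authentication statement plus an attribute statement carrying the UPN claim.
        var statements = new SamlStatement[] {
            new SamlAuthenticationStatement(subject, PasswordAuthn, now, null, null, null),
            new SamlAttributeStatement(subject, new[] {
                new SamlAttribute("http://schemas.xmlsoap.org/claims", "UPN", new[] { upn }) })
        };

        // AssertionID must start with a letter or underscore, hence the "_" prefix.
        var assertion = new SamlAssertion("_" + Guid.NewGuid().ToString("N"),
            Issuer, now, conditions, null, statements);

        // Signing block: X509RawDataKeyIdentifierClause makes <ds:KeyInfo> carry the
        // whole certificate (<X509Certificate>) instead of a thumbprint reference.
        var keyId = new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(cert));
        assertion.SigningCredentials = new SigningCredentials(
            new X509AsymmetricSecurityKey(cert),
            SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, keyId);

        // WriteXml computes the enveloped signature while serializing the assertion.
        var sb = new StringBuilder();
        using (var xw = XmlDictionaryWriter.CreateDictionaryWriter(XmlWriter.Create(sb)))
            assertion.WriteXml(xw, new SamlSerializer(), WSSecurityTokenSerializer.DefaultInstance);
        return sb.ToString();
    }
}
```

The resulting XML can be checked for `<AudienceRestrictionCondition>`, a `Format` attribute on `<NameIdentifier>`, and an `<X509Certificate>` element inside `<ds:KeyInfo>`, which are the three things the Ping Federate comparison showed were missing.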