multitenant custom active STS endpoint (that works with Office365) – partial mex/WSDL consumed by Office365


Below are the endpoints that our mex endpoint for the active STS exposes to Office 365. Office 365 reads this endpoint before it sends any ws-trust requests. Such requests are triggered when a password-centric client such as Outlook, or an app built on the Exchange Managed API, talks to Office 365's Exchange Online client access servers and delivers basic authentication credentials (over SSL). Having located our tenant from the email domain of the username, Office 365 turns around and sends a ws-trust request to our active STS. An Exchange-side STS then converts the response from an identity assertion into an authorization token suitable for passing the Exchange services' API guards.

    <wsdl:service name="SecurityTokenService">
        <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async" binding="tns:UserNameWSTrustBinding_IWSTrustFeb2005Async">
            <soap12:address location="https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc" />
            <wsa10:EndpointReference>
                <wsa10:Address>https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc</wsa10:Address>
            </wsa10:EndpointReference>
        </wsdl:port>
        <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async1" binding="tns:UserNameWSTrustBinding_IWSTrustFeb2005Async">
            <soap12:address location="https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc/office365" />
            <wsa10:EndpointReference>
                <wsa10:Address>https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc/office365</wsa10:Address>
            </wsa10:EndpointReference>
        </wsdl:port>
        <wsdl:port name="UserNameWSTrustBinding_IWSTrust13Async" binding="tns:UserNameWSTrustBinding_IWSTrust13Async">
            <soap12:address location="https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc/13" />
            <wsa10:EndpointReference>
                <wsa10:Address>https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc/13</wsa10:Address>
            </wsa10:EndpointReference>
        </wsdl:port>
    </wsdl:service>

However, one may register a variant endpoint (presumably one whose address is prefixed by the registered endpoint address, e.g. http://…/App_start/IssuerSTS/Issuer.svc/office365).


    # Sign in to the Office 365 tenant with an administrator account
    $msolcred = Get-Credential
    Connect-MsolService -Credential $msolcred

    # Base64-encoded signing certificate of the STS (value elided in the post)
    $cert = "...="

    # Register the domain's federation settings; backticks continue the command across lines
    Set-MsolDomainFederationSettings -DomainName rapmls.info -FederationBrandName "rapmls.info" `
        -ActiveLogOnUri "https://www.rapmls.info:44302/App_Start/IssuerSTS/Issuer.svc/Office365/NETMAGIC/VCRD/11/COLC" `
        -IssuerUri "urn:idp:www.rapmlsqa.info" -PassiveLogOnUri "https://www.rapmls.info:44302/v2/wsfederation/Default" `
        -LogOffUri "https://www.rapmls.info:44302/v2/wsfederation/Default" `
        -SigningCertificate $cert `
        -MetadataExchangeUri "https://www.rapmls.info:44302/App_start/IssuerSTS/issuer.svc/mex"
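As an added example (not code from the post), the following Python check ties the mex fragment above to the Set-MsolDomainFederationSettings call: it parses the wsdl:port entries out of the service element and verifies that the registered -ActiveLogOnUri extends one of the advertised WS-Trust endpoints on the same scheme, host and port, which is what the variant-endpoint note relies on. The embedded WSDL sample is the post's fragment with namespace declarations added, and the case-only fallback assumes IIS on Windows serves URL paths case-insensitively.

```python
# Added example (not from the original post): parse the WS-Trust ports out of a mex/WSDL
# <wsdl:service> element and check that the federation ActiveLogOnUri extends one of them.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"
# Constructed sample: the three ports of the post's mex fragment, namespace declarations added.
SAMPLE_WSDL = f"""<wsdl:service name="SecurityTokenService" xmlns:wsdl="{WSDL_NS}" xmlns:soap12="{SOAP12_NS}">
  <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async"><soap12:address location="https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc"/></wsdl:port>
  <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async1"><soap12:address location="https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc/office365"/></wsdl:port>
  <wsdl:port name="UserNameWSTrustBinding_IWSTrust13Async"><soap12:address location="https://www.rapmls.info:44302/App_start/IssuerSTS/Issuer.svc/13"/></wsdl:port>
</wsdl:service>"""

# The -ActiveLogOnUri value from the post's Set-MsolDomainFederationSettings call.
ACTIVE_LOGON_URI = ("https://www.rapmls.info:44302/App_Start/IssuerSTS/Issuer.svc"
                    "/Office365/NETMAGIC/VCRD/11/COLC")

def mex_ports(wsdl_xml):
    """Map each wsdl:port name to the soap12:address location it advertises."""
    ports = {}
    for port in ET.fromstring(wsdl_xml).iter(f"{{{WSDL_NS}}}port"):
        addr = port.find(f"{{{SOAP12_NS}}}address")
        if addr is not None:
            ports[port.get("name")] = addr.get("location")
    return ports

def _extends(path, base):
    return path == base or path.startswith(base.rstrip("/") + "/")

def check_active_logon_uri(uri, ports):
    """Return (port name, 'exact' | 'case_only' | None) for the longest advertised
    endpoint that uri extends on the same scheme and host:port. Assumes IIS on
    Windows serves paths case-insensitively, so a case-only match still works but
    is worth flagging when reviewing the federation settings."""
    want, best = urlsplit(uri), (None, None, -1)
    for name, location in ports.items():
        have = urlsplit(location)
        if (want.scheme, want.netloc.lower()) != (have.scheme, have.netloc.lower()):
            continue
        if _extends(want.path, have.path):
            kind = "exact"
        elif _extends(want.path.lower(), have.path.lower()):
            kind = "case_only"
        else:
            continue
        # prefer the longest matching base path; on a tie prefer exact over case_only
        if (len(have.path), kind == "exact") > (best[2], best[1] == "exact"):
            best = (name, kind, len(have.path))
    return best[0], best[1]
```

Run against the post's own values, the check resolves the ActiveLogOnUri to the office365 port but only case-insensitively, because the registered URI spells App_Start/Office365 while the mex advertises App_start/office365.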


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in coding theory.