acs as IDP for AAD


# Sign in to the tenant with the MSOnline module as a global administrator
$msolcred = Get-Credential -UserName admin@netmagic.onmicrosoft.com
Connect-MsolService -Credential $msolcred -ErrorAction Stop

# WS-Trust / WS-Federation endpoints of the ACS namespace that will act as the IdP
$aActiveLogOnUri = "https://bariazuressoowin.accesscontrol.windows.net/v2/wstrust/mex"
$aFederationBrandName = "ACS based IDP"
$aIssuerUri = "https://bariazuressoowin.accesscontrol.windows.net/"
$aLogOffUri = "https://bariazuressoowin.accesscontrol.windows.net:443/v2/wsfederation"
$aMetadataExchangeUri = "https://bariazuressoowin.accesscontrol.windows.net/v2/wstrust/mex"
$aPassiveLogOnUri = "https://bariazuressoowin.accesscontrol.windows.net:443/v2/wsfederation"

# Base64 DER-encoded signing certificate of the ACS namespace; AAD will accept any token for the domain that is signed with this key
$cert = "MIIDIjCCAgqgAwIBAgIQG8Y1pitN0I9Hg7Gwl63a0DANBgkqhkiG9w0BAQUFADA1MTMwMQYDVQQDEypiYXJpYXp1cmVzc29vd2luLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTUwNjI5MTgyNzM3WhcNMTYwNjI5MDAyNzM3WjA1MTMwMQYDVQQDEypiYXJpYXp1cmVzc29vd2luLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPzV7RD10okSKHFHzyMNwuBUt4bbvmxjLAKg/M3QVYe4GhX7o9qSY3ogMyUaxnvhN4z400cOaS0iQ+yZUWV3HwQLqU3an6YMfVYMDnftwICjBUD1HoxWXMUYFU88YwC1KLGO+BpPJSeHcnu7Ok2KtO1DyBU+uZbi/TzpFWTzD/izg+XLQDx7dkFWQ9A0UIauRWx+WRClPbvgpZVIcOQw5A2hQW20PlStWxwKMhJpWrL8cD61c8q2LBZgga7bJIL5Kst4WHpNrKVsjJglSOdSp+R/8bWGY6kyxuKJbRyKjH7/iXkpNayTISIIl95ROj5F3jOgS50/PZk4E9u424PoofAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUdAPniEsbJ+dJjR7QkvaUx+NgoLswDQYJKoZIhvcNAQEFBQADggEBALG5yhJ3+D7mzj8UApPKp6lMbepaDYcFcYLZuejogtYZo/I9gmIPfaeKoXUkSIqHsfxNIsR8EnyzL3pkRkrpuHmQJ4FmttnLAm2fvZYTeDyg/U4J9ncBcSzR6thZLROjOZte+jIFNfihqi5oRVI5c+XETcfoECjKWM6xvwzTfY/A51yjRWkoEW5YB9pCuvLYmV2Y2QELzZuGjqlc2DCw1yzXz8tmmf3WszZgfEyuzAgIPAL1vVt8UPREsr8TSP4VAtvHC7s5s+3kE+dTzEygAbgMC2ee0uBZUX4hyMUOkIsvPrP6BnmRgsGKk0Z/aVVTh1lndVROEepiOtGFGHuEsDU="

# Convert the domain to federated authentication, pointing every sign-in at the ACS endpoints above
Set-MsolDomainAuthentication -Authentication Federated -DomainName metrolistmlsqa.com -FederationBrandName $aFederationBrandName -ActiveLogOnUri $aActiveLogOnUri -IssuerUri $aIssuerUri -PassiveLogOnUri $aPassiveLogOnUri -LogOffUri $aLogOffUri -SigningCertificate $cert -MetadataExchangeUri $aMetadataExchangeUri


At office.com we try:

image

which gives:

image


When we configure the relying party (RP) in ACS (to assert to AAD, the WS-Federation FP), we see:

image

urn:federation:MicrosoftOnline

https://login.microsoftonline.com/login.srf


If we use a classical AAD RP, https://graph.windows.net, we see:

image

image


So we add fixed claims (in the ACS claim transformation rules) for UPN and ImmutableID:


image

rapstaff@metrolistmlsqa.com http://schemas.xmlsoap.org/claims/UPN

and

image

http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

ZjlmOWQxNzYtZjU3NS0xOWFjLTkxOTQtYTlmMmNhZWM2ZWM0

and we ignore the original Google NameID value:

image


Eventually, we get to log on to an AAD app (via Google, via ACS!):

image

image
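Once the domain is federated, the only things AAD checks before trusting a sign-in are the signing certificate, the endpoints and the ImmutableID pairing, so it is worth confirming all three from the tenant side. The following verification script is an added example, not code from the original post; it assumes Connect-MsolService has already run and that $cert still holds the base64 ACS signing certificate used above.

```powershell
# Added check (not from the original post). Assumes an active MSOnline session
# and the domain, certificate, UPN and ImmutableID values used in the post.
function Test-AcsFederatedDomain {
    param(
        [string]$DomainName,        # federated domain, e.g. metrolistmlsqa.com
        [string]$AcsCertBase64,     # certificate the ACS namespace signs tokens with
        [string]$TestUpn,           # user asserted in the fixed UPN claim
        [string]$ClaimImmutableId   # value asserted in the fixed ImmutableID claim
    )
    $fs = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop

    # Trust root: AAD accepts any token for the whole domain that is signed by this
    # certificate, so it must be exactly the ACS certificate and not expired.
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $trusted = New-Object $x509 -ArgumentList (,[Convert]::FromBase64String($fs.SigningCertificate))
    $acs     = New-Object $x509 -ArgumentList (,[Convert]::FromBase64String($AcsCertBase64))
    $certMatches = $trusted.Thumbprint -eq $acs.Thumbprint
    $certValid   = (Get-Date) -lt $trusted.NotAfter

    # Endpoints: every sign-in for the domain is redirected here, so all of them
    # must live on the ACS namespace host and nowhere else.
    $acsHost = ([Uri]$fs.IssuerUri).Host
    $endpointsOk = $acsHost -like '*.accesscontrol.windows.net'
    foreach ($u in $fs.PassiveLogOnUri, $fs.ActiveLogOnUri, $fs.MetadataExchangeUri) {
        if (([Uri]$u).Host -ne $acsHost) { $endpointsOk = $false }
    }

    # Identity match: AAD pairs the ImmutableID claim with the user's ImmutableId
    # (source anchor); a matching UPN claim alone does not log anyone in.
    $user = Get-MsolUser -UserPrincipalName $TestUpn -ErrorAction SilentlyContinue
    $anchorMatches = ($null -ne $user) -and ($user.ImmutableId -eq $ClaimImmutableId)
    $anchorDecoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($ClaimImmutableId))

    [pscustomobject]@{
        Domain         = $DomainName
        SigningCertOk  = $certMatches
        CertNotExpired = $certValid
        CertExpires    = $trusted.NotAfter
        EndpointsOnAcs = $endpointsOk
        UserFound      = ($null -ne $user)
        ImmutableIdOk  = $anchorMatches
        ImmutableIdRaw = $anchorDecoded   # the GUID string behind the base64 claim value
    }
}

Test-AcsFederatedDomain -DomainName 'metrolistmlsqa.com' -AcsCertBase64 $cert `
    -TestUpn 'rapstaff@metrolistmlsqa.com' `
    -ClaimImmutableId 'ZjlmOWQxNzYtZjU3NS0xOWFjLTkxOTQtYTlmMmNhZWM2ZWM0'
```

A CertNotExpired of False means the ACS namespace has rolled its signing certificate and Set-MsolDomainAuthentication (or the NextSigningCertificate field) needs the new one before sign-ins fail.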


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in AAD.