Testing Active Profile SSO to Office 365 without a configured account -

There is in fact an easy way to simulate Office 365 because it uses WS-Trust for active profile clients like Outlook using Exchange Online. We use cURL, which is a free client-side UTL transfer library that supports HTTPS for a WS-Trust SOAP service requests. See the cURL website for more details on the command line capability and how you can download and install.

We create a text file named UAT to represent the username token request sent from Office 365 to a federation server (e.g. PingFederate). For simplicity, the text file contains a cleartext username and password (lines 16 and 17), which should be modified as necessary. It is also worth paying attention to time tags in the message body (lines 20 and 21).

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="https://www.w3.org/2003/05/soap-envelope" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsa="https://www.w3.org/2005/08/addressing" xmlns:wsp="https://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssc="https://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsse="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="https://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <wsa:Action s:mustUnderstand="1">https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
    <wsa:To s:mustUnderstand="1">https://sts.qa.glic.com/idp/sts.wst</wsa:To>
    <wsa:MessageID>1215501832</wsa:MessageID>
    <ps:AuthInfo xmlns:ps="https://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
      <ps:HostingApp>Lync Mobile</ps:HostingApp>
      <ps:BinaryVersion>6</ps:BinaryVersion>
      <ps:UIVersion>1</ps:UIVersion>
      <ps:Cookies />
      <ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>
    </ps:AuthInfo>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="user">
        <wsse:Username>username</wsse:Username>
        <wsse:Password>password</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp Id="Timestamp">
        <wsu:Created>2015-06-26T03:12:01Z</wsu:Created>
        <wsu:Expires>2015-06-26T03:17:01Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken Id="RST0">
      <wst:RequestType>https://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:KeyType>https://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>

Now that we have a test username token ready, we can leverage the cURL command to transmit the WS-Trust SOAP request to your federation server. In this example, we will assume the federation server is PingFederate since the endpoint defined is the WS-Trust endpoint for a Secure Token Service (STS). The UAT text file represents the WS-Trust Request Security Token (RST) that is transmitted to the PingFederate STS endpoint.

curl -k --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:urn:my:service-interaction:soap:some-action" --data @UAT https://ssoserver.company.com:9031/idp/sts.wst

A successful transaction with the PingFederate STS will result in the WS-Trust Request Security Token Response (RSTR) being received. The RSTR message will contain a SAMLv1.1 assertion with the identity of the authenticated subject. The response should look similar to the following example. Some notable things to observe in the SAMLv1.1 assertion include the attributes returned such as the SUBJECT (line 26), UPN (line40) and ImmutableID (line 43), where ImmutableID is the Active Directory base64-encoded objectGUID value of the user object.

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="https://www.w3.org/2003/05/soap-envelope">
  <s:Header>
    <add:To xmlns:add="https://www.w3.org/2005/08/addressing">https://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</add:To>
    <add:Action xmlns:add="https://www.w3.org/2005/08/addressing">https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</add:Action>
    <add:RelatesTo xmlns:add="https://www.w3.org/2005/08/addressing">1215501832</add:RelatesTo>
    <wsse:Security xmlns:wsse="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="4cce6cc1-57ac-4457-afc3-671fd9a54eca">
        <wsu:Created>2015-06-26T23:12:01.803Z</wsu:Created>
        <wsu:Expires>2015-06-26T23:17:01.803Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponse xmlns:wst="https://schemas.xmlsoap.org/ws/2005/02/trust">
      <wst:TokenType>https://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="T5LTg5pIwmTqL5jIbkjXE.w0A9G" IssueInstant="2015-06-26T23:12:01.719Z" Issuer="urn:sso.company.com" MajorVersion="1" MinorVersion="1">
          <saml:Conditions NotBefore="2015-06-26T23:07:01.719Z" NotOnOrAfter="2015-06-26T23:17:01.719Z">
            <saml:AudienceRestrictionCondition>
              <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
            </saml:AudienceRestrictionCondition>
          </saml:Conditions>
          <saml:AuthenticationStatement AuthenticationInstant="2015-06-26T23:12:01.718Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
            <saml:Subject>
              <saml:NameIdentifier Format="https://schemas.xmlsoap.org/claims/UPN">username@COMPANY.COM</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:NameIdentifier Format="https://schemas.xmlsoap.org/claims/UPN">aOM</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute AttributeName="UPN" AttributeNamespace="https://schemas.xmlsoap.org/claims">
              <saml:AttributeValue>username@COMPANY.COM</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="https://schemas.microsoft.com/LiveID/Federation/2008/05">
              <saml:AttributeValue>zJQC8lDyA0GcfheBlRXVRw==</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <ds:Reference URI="#T5LTg5pIwmTqL5jIbkjXE.w0A9G">
                <ds:Transforms>
                  <ds:Transform Algorithm="https://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>J7XoiIlu0IJmGIiXwEnaE8c8GNI=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>[signature…]</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>[certificate]</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:Lifetime>
        <wsu:Created xmlns:wsu="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-06-26T23:12:01.719Z</wsu:Created>
        <wsu:Expires xmlns:wsu="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-06-26T23:17:01.719Z</wsu:Expires>
      </wst:Lifetime>
      <wst:RequestedAttachedReference>
        <wsse:SecurityTokenReference xmlns:wsse="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="https://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="https://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <wsse:KeyIdentifier ValueType="https://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">T5LTg5pIwmTqL5jIbkjXE.w0A9G</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </wst:RequestedAttachedReference>
      <wsp:AppliesTo xmlns:wsp="https://schemas.xmlsoap.org/ws/2004/09/policy">
        <add:EndpointReference xmlns:add="https://www.w3.org/2005/08/addressing">
          <add:Address>urn:federation:MicrosoftOnline</add:Address>
        </add:EndpointReference>
      </wsp:AppliesTo>
    </wst:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>

Following these steps while using cURL to emulate the WS-Trust SOAP service requests, gives you an easy way to test Office 365 without configuring an account. Contact us if you have questions on how to test federation to Office 365 or if you need help making the most of your identity and access management investment as you migrate to the cloud.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_47704508_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_zcsr_tmp	session	No description available.
663a60c55d	session	No description available.
ac09458e72	session	No description
AnalyticsSyncHistory	1 month	No description
CookieLawInfoConsent	1 year	No description
fd6b13af5c	session	No description available.
li_gc	2 years	No description
proofidltd-_zldp	2 years	No description
proofidltd-_zldt	1 day	No description
visitorId	1 year	No description
zc_consent	1 year	No description available.
zc_cu	1 year	No description available.
zc_cu_exp	1 year	No description available.
zc_loc	session	No description available.
zc_show	1 year	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.

Testing Active Profile SSO to Office 365 without a configured account

Testing Active Profile SSO to Office 365 without a configured account

About the Author: ProofID

Share

TOPICS

Be the first to hear about news, product updates, and innovation from proofid

Testing Active Profile SSO to Office 365 without a configured account

Testing Active Profile SSO to Office 365 without a configured account

About the Author: ProofID

Share

TOPICS

The move to a passwordless society

Identity health checks: A 10-point prescription for digital resilience

Kerberos authentication troubleshooting with PingFederate

Configuring Qualys with PingFederate

Be the first to hear about news, product updates, and innovation from proofid