
CA Federation & Office 365 Integration: ObjectGUID as ImmutableID


Article ID: 41733


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue: 

As of release 12.52, Single Sign-On (SiteMinder) Federation provides WS-Federation Active Profile based integration with the Office 365 platform acting as the SP.

As part of the integration requirements for Office 365, ImmutableID is one of the attributes that must be configured in the partnership. ObjectGUID, a unique binary attribute in Active Directory, is commonly used as the AD attribute that supplies the ImmutableID value.

The ImmutableID value comes up empty in the WS-Federation assertion sent to the Office 365 SP, so the transaction fails on the Office 365 side.

 

Environment:  

12.52 and above CA Federation as IDP

Office 365 as SP

Cause: 

The value of ObjectGUID, a binary attribute, is not Base64-encoded before being sent as part of the assertion. Office 365 expects the ImmutableID to be the Base64 encoding of the raw objectGUID bytes, so a value that is not encoded in that form is not usable.

Resolution:

To make the binary ObjectGUID attribute work correctly, so that its Base64-encoded value is generated in the assertion and sent to the Office 365 SP, use the following syntax in the partnership configuration. The ";binary" suffix marks the attribute as binary so that Federation Base64-encodes its value instead of treating it as a string:

 

Update Partnership configuration as below:

Assertion Attributes:

Type: User Attribute

Value: 'ObjectGUID;binary'

 

Save & Activate Partnership.

 

Now run the SSO transaction. The assertion should contain the Base64-encoded value of the user's ObjectGUID as the ImmutableID.
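To confirm that the assertion carries the right value, it helps to compute the expected ImmutableID independently and compare it with what Federation emits. The example below is added here and is not part of the original article or the SiteMinder product: it derives the ImmutableID from a raw 16-byte objectGUID (and from the dashed display form that Get-ADUser prints, which is mixed-endian), decodes an ImmutableID back to a GUID for lookup in AD, and checks a SAML 1.1 attribute statement of the kind WS-Federation carries for an ImmutableID that is missing, empty (the symptom described above) or wrong. The sample GUID, the assertion fragment and the attribute namespace used in it are constructed for illustration.

```python
"""
Added example (not from the original article): computes the ImmutableID value
Office 365 expects from an AD objectGUID and checks a WS-Federation (SAML 1.1)
assertion for it. The sample GUID and the assertion snippets are constructed.
"""
import base64
import uuid
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: 16 raw objectGUID bytes as AD returns the binary attribute.
SAMPLE_OBJECTGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")


def immutable_id_from_bytes(raw: bytes) -> str:
    """Base64 of the raw 16-byte objectGUID: the ImmutableID form Office 365 expects."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    return base64.b64encode(raw).decode("ascii")


def immutable_id_from_guid_string(guid: str) -> str:
    """Same value computed from the display form (as Get-ADUser prints it).
    The display form is mixed-endian: the first three fields are stored
    little-endian, so uuid.UUID(...).bytes_le (not .bytes) reproduces what AD stores."""
    return immutable_id_from_bytes(uuid.UUID(guid).bytes_le)


def guid_string_from_immutable_id(immutable_id: str) -> str:
    """Inverse: decode an ImmutableID back to the GUID display form for lookup in AD."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def find_immutable_id(assertion_xml: str) -> Optional[str]:
    """Return the ImmutableID AttributeValue text from a SAML 1.1 assertion:
    '' if the attribute is present but empty, None if it is absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        if attr.get("AttributeName") == "ImmutableID":
            value = attr.find("{%s}AttributeValue" % SAML1_NS)
            return (value.text or "").strip() if value is not None else ""
    return None


def check_assertion(assertion_xml: str, raw_objectguid: bytes) -> Tuple[bool, str]:
    """Verify the assertion carries the Base64 objectGUID for this user."""
    found = find_immutable_id(assertion_xml)
    expected = immutable_id_from_bytes(raw_objectguid)
    if found is None:
        return False, "ImmutableID attribute missing from assertion"
    if found == "":
        return False, "ImmutableID attribute present but empty (binary attribute not Base64-encoded)"
    if found != expected:
        return False, "ImmutableID %r does not match expected %r" % (found, expected)
    return True, "ImmutableID matches objectGUID"


def sample_assertion(immutable_id_value: str) -> str:
    """Constructed AttributeStatement in the SAML 1.1 form WS-Federation carries.
    The AttributeNamespace is an assumption for illustration only."""
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">'
        '<saml:AttributeStatement><saml:Attribute AttributeName="ImmutableID" '
        'AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">'
        "<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion>" % (SAML1_NS, immutable_id_value)
    )


if __name__ == "__main__":
    good = sample_assertion(immutable_id_from_bytes(SAMPLE_OBJECTGUID))
    bad = sample_assertion("")  # the symptom from the article: value comes up empty
    print(check_assertion(good, SAMPLE_OBJECTGUID))
    print(check_assertion(bad, SAMPLE_OBJECTGUID))
```

To use this against a real transaction, capture the assertion emitted by Federation (for example with a browser SAML/WS-Fed trace), pass it to check_assertion together with the user's objectGUID bytes read from AD, and compare the decoded GUID with the one shown by Get-ADUser; a mismatch in the first three fields usually means the GUID was Base64-encoded from its display form instead of from the raw bytes.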

 

Additional Information: 

 

Not Applicable.

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B
Component: