Tech Tip : CA Single Sign-On : Partnership Office365 - Azure AD issue

Discussion created by Patrick-Dussault Employee on Oct 5, 2018
Latest reply on Oct 11, 2018 by alessandro.sessa

Issue:

We're running CA Access Gateway (SPS). When a user accesses the Partnership
Office365 - Azure AD from a Windows 10 workstation, the
authentication fails, and the CA Access Gateway (SPS) Windows event
log reports the error:

Get user realm failure. Status: 0xC000023C Correlation ID:
9384A23C-CA75-4DAD-AF67-0D4779C659C8

How can we fix that?

Environment:

Policy Server 12.52SP1CR00 on RedHat 6 64bit;
CA Access Gateway (SPS) 12.52SP1CR04 on RedHat 6 64bit;
User Store on Active Directory;

Resolution:

As per Microsoft's suggestion, add the following claim rules:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};userPrincipalName;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

and also vote on the enhancement request here to get this integration
fully QA'd and supported on our side.

Vote for support of the full integration of CA Single Sign-On with
Office 365 and Windows 10 in an Azure environment:

Office 365 and Windows 10 - Domain join via CA SSO
https://communities.ca.com/ideas/235740879-office-365-and-windows-10-domain-join-via-ca-sso
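To make the four claim rules above concrete, here is an added Python simulation of what they do to the claims a domain-joined Windows 10 device presents; it is example code written for this note, not CA's or Microsoft's code, and the attribute store, account name, SID and GUID in it are constructed placeholders.

```python
import re

# Claim types referenced by the four rules above.
WINDOWSACCOUNTNAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2012/01/accounttype"

# Constructed stand-in for the "Active Directory" attribute store, keyed on samAccountName.
# Both the UPN and the objectGUID are placeholders, not real directory values.
DIRECTORY = {
    "WS01$": {"userPrincipalName": "WS01$@corp.example", "objectGUID": "guid-placeholder-ws01"},
}

# Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" from rule 4.
TRUSTED_ISSUERS = ("AD AUTHORITY", "SELF AUTHORITY", "LOCAL AUTHORITY")
# Same pattern as regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}") in rules 1 and 2.
DOMAIN_USER = re.compile(r"(?P<domain>[^\\]+)\\(?P<user>.+)")

def strip_domain(value):
    # DOMAIN\account -> account; a value with no backslash is returned unchanged.
    return DOMAIN_USER.sub(r"\g<user>", value)

def run_rules(incoming):
    """Apply the four rules to incoming (type, value, issuer) claims; return issued (type, value) claims.
    Rule 3 consumes the ImmutableID claim that rule 2 issued: in the claim rule language, claims
    produced by issue() are also added to the input set seen by later rules in the same set."""
    issued = []
    for ctype, value, issuer in incoming:
        if ctype == WINDOWSACCOUNTNAME:
            entry = DIRECTORY.get(strip_domain(value))
            if entry:
                issued.append((UPN, entry["userPrincipalName"]))     # rule 1: samAccountName -> UPN
                issued.append((IMMUTABLE_ID, entry["objectGUID"]))  # rule 2: samAccountName -> objectGUID
        elif ctype == GROUPSID and re.search(r"-515$", value) and issuer in TRUSTED_ISSUERS:
            issued.append((ACCOUNT_TYPE, "DJ"))                     # rule 4: RID 515 is Domain Computers
    for ctype, value in list(issued):
        if ctype == IMMUTABLE_ID:
            issued.append((NAME_ID, value))                         # rule 3 (format property not modelled)
    return issued

if __name__ == "__main__":
    # Constructed sample: a computer account and its Domain Computers group SID.
    sample = [(WINDOWSACCOUNTNAME, "CORP\\WS01$", "AD AUTHORITY"),
              (GROUPSID, "S-1-5-21-1111-2222-3333-515", "AD AUTHORITY")]
    for claim in run_rules(sample):
        print(claim)
```

Note that the "DJ" account type is only issued when the -515 group SID comes from one of the three listed issuers, which is the check the fourth rule relies on.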

KB : KB000113734