Symantec Access Management


Tech Tip : CA Single Sign-On : Partnership Office365 - Azure AD issue

  • 1.  Tech Tip : CA Single Sign-On : Partnership Office365 - Azure AD issue

    Posted 10-05-2018 02:53 AM

    Issue:

    We're running CA Access Gateway (SPS). When a user accesses the Partnership
    Office365 - Azure AD from a Windows 10 workstation, the
    authentication fails, and the CA Access Gateway (SPS) Windows event
    log reports the error:

    Get user realm failure. Status: 0xC000023C Correlation ID:
    9384A23C-CA75-4DAD-AF67-0D4779C659C8

    How can we fix that?

     

    Environment:


    Policy Server 12.52SP1CR00 on RedHat 6 64bit;
    CA Access Gateway (SPS) 12.52SP1CR04 on RedHat 6 64bit;
    User Store on Active Directory;


    Resolution:


    As per Microsoft's suggestion, add the following:


    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};userPrincipalName;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
    => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

    and also vote on the enhancement request here to get this integration
    fully QA'd and supported on our side.

    Vote for support of the full integration of CA Single Sign-On with
    Office 365 and Windows 10 in Azure environment:

    Office 365 and Windows 10 - Domain join via CA SSO
    https://communities.ca.com/ideas/235740879-office-365-and-windows-10-domain-join-via-ca-sso


    KB : KB000113734
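To see what the four rules above actually hand to Azure AD for a given Windows account, here is an added Python mock of the claim pipeline (example code written for this thread, not part of the original post nor CA or Microsoft product code). The attribute store contents, the account CORP\jdoe and its objectGUID value are constructed sample data, and the {1} domain hint of the AD query is not modelled.

```python
import re

# Claim type URIs used by the four rules in the post (the short names are mine).
WIN_ACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ACCT_TYPE = "http://schemas.microsoft.com/ws/2012/01/accounttype"

# Constructed stand-in for the "Active Directory" store; account, UPN and GUID are hypothetical.
AD_STORE = {"jdoe": {"userPrincipalName": "jdoe@corp.example.com",
                     "objectGUID": "m5J0a6eJqkuZv0M6YpN1fw=="}}

# Same regex as the rules' regexreplace(); Python spells named groups (?P<name>).
DOMAIN_USER_RE = re.compile(r"(?P<domain>[^\\]+)\\(?P<user>.+)")
DJ_ISSUER_RE = re.compile(r"^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$")

def ad_query(sam_account, attribute):
    """Stand-in for query = "samAccountName={0};<attribute>;{1}" (the {1} domain hint is ignored)."""
    rec = AD_STORE.get(sam_account)
    return rec.get(attribute) if rec else None

def evaluate_rules(in_claims):
    """Run the four rules in order over (type, value, issuer) input claims.
    As in the AD FS pipeline, a claim issued by one rule is visible to the rules
    after it, which is how rule 3 can read the ImmutableID that rule 2 issued."""
    working, issued = list(in_claims), []

    def issue(ctype, value):
        working.append((ctype, value, "SELF AUTHORITY"))
        issued.append((ctype, value))
    # Rules 1 and 2: DOMAIN\user -> user via regexreplace(..., "${user}"), then AD lookup.
    for attribute, out_type in (("userPrincipalName", UPN), ("objectGUID", IMMUTABLE_ID)):
        for ctype, value, _ in list(working):
            if ctype == WIN_ACCT:
                result = ad_query(DOMAIN_USER_RE.sub(r"\g<user>", value), attribute)
                if result is not None:
                    issue(out_type, result)
    # Rule 3: copy the ImmutableID into the SAML NameID (format "unspecified").
    for ctype, value, _ in list(working):
        if ctype == IMMUTABLE_ID:
            issue(NAME_ID, value)
    # Rule 4: Domain Computers membership (group SID ending in -515) from a trusted
    # issuer marks the request as coming from a domain-joined device.
    for ctype, value, issuer in list(working):
        if ctype == GROUP_SID and value.endswith("-515") and DJ_ISSUER_RE.match(issuer):
            issue(ACCT_TYPE, "DJ")
    return issued
```

An account that is not in the store, a group SID that is not Domain Computers, or an untrusted issuer yields no UPN, ImmutableID, NameID or DJ claim, which is the situation the "Get user realm failure" above points at.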



  • 2.  Re: Tech Tip : CA Single Sign-On : Partnership Office365 - Azure AD issue

    Posted 10-11-2018 06:15 AM

    Hi Patrick, have you tried in a lab environment if it works? You know what I mean