Symantec Access Management

  • 1.  Microsoft Dynamics CRM Into CA Siteminder

    Posted Jun 06, 2020 06:00 AM
    Hi All,

    I am trying to move the Microsoft Dynamics CRM application from ADFS to CA Siteminder.
    I got the metadata from the CRM team and imported it into the Siteminder console; the entity was created as WSFED.
    I have followed some CA docs and completed the configuration, but it's not working.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/ca-sso-runbooks/microsoft-dynamics-crm.html


    I am running into a couple of issues and have a couple of questions. It will be great if someone can help me with this.
    Issues
    ======
    1. In ADFS the value of ObjectSid is assigned as primarysid in the SecurityTokenResponse, so I am also trying to send ObjectSid as primarysid. If I add ObjectSid as an Attribute, the IDP-initiated URL itself does not work and I get the error below.

    [84118/140304761972480][Sat Jun 06 2020 01:37:59][AssertionGenerator.java][ERROR][sm-FedServer-00130] postProcess() returns fatal error. <Response ID="_4b382af8e8fdd584e8f3549728faca41525c" IssueInstant="2020-06-06T08:37:59Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">CASSO_IDP</ns1:Issuer>
    <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>Error parsing the generated Response string.</StatusMessage>
    </Status>
    </Response>

    The value of ObjectSid is S-1-5-21-1137272540-2011985300-1233803906-4380145 . I am not sure whether this may cause the issue.

    2. Once I removed ObjectSid, the IDP-initiated URL works and I get the error below in the browser after Siteminder authentication.

    Error

    An error has occurred.

    Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.


    When I look at the RequestSecurityTokenResponse in the logs I see something like the below,

    <ns1:Attribute Name=&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&quot; NameFormat=&quot;urn:oasis:names:tc:SAML:2.0:attrname-format:uri&quot;>

    So instead of " it is coming as &quot;, I am not sure whether this may be the issue.

    Question
    =======
    Can we configure Microsoft Dynamics CRM in CA Siteminder using SAML 2.0 instead of WSFED?

    Thanks,
    Subash




  • 2.  RE: Microsoft Dynamics CRM Into CA Siteminder

    Posted Mar 22, 2021 03:36 PM

    Hello, Subash

    I hope this may help you -

    It's important that we integrate Microsoft products together with 3rd party identity providers. This allows us to execute our mission to empower everyone on the planet to do more and achieve more. Understanding how we use federated identities to connect users with CRM services is critical to achieving this. This post will detail the requirements for connecting Dynamics CRM with CA Single Sign-On (SSO), formerly SiteMinder. We use ADFS as an intermediary, as CRM supports it out of the box.

    To start things off, you first must configure Dynamics CRM in an IFD configuration. This enables CRM to authenticate users based on claims authentication. Follow one of the many configuration guides to configure CRM to authenticate to ADFS using Active Directory. CRM relies on ADFS using the WS-Federation protocol and supports SAML-based tokens. A CRM deployment can only be attached to one method of user authentication. If we configure CRM to authenticate to ADFS, we can then enable ADFS to authenticate users from multiple identity providers. Your Relying Party Trust for CRM in ADFS should pass through PrimarySID and UPN while issuing WindowsAccountName as a Name claim. For example:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
    => issue(claim = c);
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
    => issue(claim = c);
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    Once you successfully authenticate users to CRM via ADFS using the Active Directory Claims Provider Trust, establish a partnership between ADFS and SiteMinder. This requires creating a Claims Provider Trust (manually) for SiteMinder in ADFS, specifying the service URL (SAML 2.0 endpoint), and importing the token-signing certificate. In this scenario, I used SSL connections on port 443 for both ADFS and SiteMinder endpoints, so I did not enable encryption of the SAML assertions. Your configuration may vary.

    In my customer's configuration, SiteMinder issues a NameID claim (assertion). Add a custom claims rule to the SiteMinder claims provider trust to pass through the NameID claim:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
    => issue(Type = c.Type, Issuer = "ADFS", OriginalIssuer = "SiteMinder", Value = c.Value, ValueType = c.ValueType);

    It's important to note that the predefined pass-through rule in ADFS for NameID didn't work for me. It requires you to specify the NameID format, while the above custom rule just issues the claim with the same type that it comes in with. Now that we have a claim rule to pass through NameID from SiteMinder, open the claim rules for your CRM Relying Party Trust. There are only two claims that CRM requires. You must issue a UPN claim [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn] and a Name claim [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name]. PrimarySID is optional and not required. The UPN claim must be in the standard UPN format of 'user@domain.com'. For the Name claim however, CRM doesn't actually want the user's name (Display Name/Common Name). It is looking for a claim value in the format of 'DOMAIN\User', similar to WindowsAccountName or sAMAccountName. So again, the claim must be of type Name and the claim value must be in a 'DOMAIN\User' format.

    Add a couple of custom rules to transform your NameID claim into something that CRM will accept. For example:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer != "AD AUTHORITY"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = "ADFS", OriginalIssuer = "SiteMinder", Value = c.Value + "@contoso.com", ValueType = c.ValueType);
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer != "AD AUTHORITY"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = "ADFS", OriginalIssuer = "SiteMinder", Value = "CONTOSO\" + c.Value, ValueType = c.ValueType);

    So in this example, if your NameID claim value was '1234567890', then you would be issued a UPN claim with a value of '1234567890@contoso.com'. You would also be issued a Name claim with a value of 'CONTOSO\1234567890'. To complete the configuration in CRM, log in with an Administrator account via ADFS/AD and manage users. Add a new user with an account name of '1234567890@contoso.com', using the proper format for your environment. Clear your cache and/or open an InPrivate copy of your browser to test with. Once you visit your CRM Organization page, you should be redirected to ADFS and presented with Home Realm Discovery. Select your SiteMinder IDP and authenticate. After successfully authenticating, you should be redirected back to ADFS, and then CRM logs you in successfully.

    Troubleshooting: Depending on your environment and configuration, you will likely need to review Event Logs in CRM, Event Logs in ADFS, logs for SiteMinder, and most importantly, use Fiddler to trace down issues with this configuration. One issue we faced was that after the partnership was established, ADFS would throw the following error:

    System.Xml.XmlException: ID4262: The SAML NameIdentifier 'SAML2_IDP' is of format 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity' and its value is not a valid URI.
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadNameIDType(XmlReader reader)

    This was solved by changing the NameID assertion in the SiteMinder partnership to issue type 'urn:oasis:names:tc:SAML:2.0:assertion' instead of type 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'. Another issue we encountered was that CRM specifies an AuthN context and passes the WAUTH parameter in the URL. This effectively asks ADFS to only use Windows Claims Authentication. To resolve this, we had to enable a setting that ignores the AuthN context in the SiteMinder partnership configuration. Without ignoring the AuthN context enabled, ADFS fails with an error that the IDP is not using the proper AuthN context. Of course this is by design for CRM, and ignoring it in SiteMinder was the final hurdle to making this configuration work. This integration was achieved using Dynamics CRM 2011, ADFS 3.0 (2012 R2), and SiteMinder.

    Now what if you have both internal and external users, with internal users also having an Active Directory account? My customer synchronizes a custom attribute in Active Directory that matches the SiteMinder NameID value. The customer wanted internal users that authenticate via SiteMinder to appear as if they had logged in via AD. Here's an example:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = "siteMinderID={0};userPrincipalName,objectSid,sAMAccountName;CONTOSO\svc-adfs", param = c.Value);

    Regards,
    Srija
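    The checks below are an added illustration, not code from the thread or from ADFS/SiteMinder: they read the SiteMinder-style NameID from a constructed SAML 2.0 assertion, reject the ID4262 case the post describes (an entity-format NameID whose value is not a URI), apply the same NameID-to-UPN and NameID-to-Name mapping as the custom claim rules above, and verify that the resulting claim set has the two claims CRM requires in the 'user@domain.com' and 'DOMAIN\User' forms. The domain names, the NameID value and the assertion text are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Constructed sample assertion (not captured from a real IdP): only a Subject/NameID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>SAML2_IDP</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">1234567890</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

def read_name_id(assertion_xml):
    """Return (format, value) of Subject/NameID; refuse an entity-format NameID
    whose value is not a URI, which is what ADFS reports as ID4262."""
    root = ET.fromstring(assertion_xml)
    el = root.find("saml:Subject/saml:NameID", NS)
    if el is None:
        raise ValueError("assertion has no Subject/NameID")
    fmt = el.get("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified")
    value = (el.text or "").strip()
    if fmt == ENTITY_FORMAT and not urlparse(value).scheme:
        raise ValueError(f"NameID '{value}' is entity-format but not a valid URI")
    return fmt, value

def name_id_rejected(assertion_xml):
    """True when read_name_id refuses the assertion."""
    try:
        read_name_id(assertion_xml)
        return False
    except ValueError:
        return True

def transform_claims(name_id, domain="contoso.com", netbios="CONTOSO"):
    """Mirror the two custom ADFS rules: NameID -> UPN and NameID -> Name (DOMAIN\\User)."""
    return {NAMEID: name_id, UPN: f"{name_id}@{domain}", NAME: f"{netbios}\\{name_id}"}

def crm_claim_problems(claims):
    """List the reasons CRM would reject this claim set; empty means both required claims are OK."""
    problems = []
    if not re.fullmatch(r"[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+", claims.get(UPN, "")):
        problems.append("UPN claim missing or not in user@domain.com form")
    if not re.fullmatch(r"[^\\\s]+\\[^\\\s]+", claims.get(NAME, "")):
        problems.append("Name claim missing or not in DOMAIN\\User form")
    return problems
```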




  • 3.  RE: Microsoft Dynamics CRM Into CA Siteminder

    Posted Nov 04, 2022 09:44 AM
    Dear Srija:

    Yes, the solution you offered is excellent, but while configuring the statements you provided, I am experiencing an unexpected issue on the Microsoft Dynamics platform. Could you kindly advise me on the best solution to this?

    Regards and thanks

    Rails Certification


  • 4.  RE: Microsoft Dynamics CRM Into CA Siteminder

    Posted Jul 07, 2022 10:34 AM
    Hi Srija,

    Yes, the answer that you have given is good, but while configuring the statements that you have provided I am getting some unexpected error on the Microsoft Dynamics platform. Will you please suggest me the best answer for this?

    Thanks and Regards

    Kevin Jackson