Testing Active Profile SSO to Office 365 Without a Configured Account

As discussed in a blog earlier this year (Single Sign-On to Office 365 Using Open Standards), Office 365 isn’t just for small and medium-sized businesses anymore. Microsoft recently announced support for private connections to key network partners, removing a barrier for enterprise adoption – predictable and reliable performance. As we work with companies of all sizes to integrate existing federation solutions with Office 365, the question always gets asked – how can I simulate Office 365 without a configured instance in the cloud?

There is in fact an easy way to simulate Office 365, because it uses WS-Trust for active profile clients such as Outlook connecting to Exchange Online. We use cURL, a free client-side URL transfer library that supports HTTPS, to send the WS-Trust SOAP service requests. See the cURL website for details on its command-line capability and on how to download and install it.

We create a text file named UAT to represent the username token request sent from Office 365 to a federation server (e.g. PingFederate). For simplicity, the text file contains a cleartext username and password (lines 16 and 17), which should be modified as necessary. It is also worth paying attention to time tags in the message body (lines 20 and 21).

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
    <wsa:To s:mustUnderstand="1">https://sts.qa.glic.com/idp/sts.wst</wsa:To>
    <wsa:MessageID>1215501832</wsa:MessageID>
    <ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
      <ps:HostingApp>Lync Mobile</ps:HostingApp>
      <ps:BinaryVersion>6</ps:BinaryVersion>
      <ps:UIVersion>1</ps:UIVersion>
      <ps:Cookies />
      <ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>
    </ps:AuthInfo>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="user">
        <wsse:Username>username</wsse:Username>
        <wsse:Password>password</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp Id="Timestamp">
        <wsu:Created>2015-06-26T03:12:01Z</wsu:Created>
        <wsu:Expires>2015-06-26T03:17:01Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken Id="RST0">
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>

Now that we have a test username token ready, we can use the cURL command to transmit the WS-Trust SOAP request to your federation server. In this example, we will assume the federation server is PingFederate, since the endpoint defined is the WS-Trust endpoint for a Security Token Service (STS). The UAT text file represents the WS-Trust Request Security Token (RST) that is transmitted to the PingFederate STS endpoint.

curl -k --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:urn:my:service-interaction:soap:some-action" --data @UAT https://ssoserver.company.com:9031/idp/sts.wst

A successful transaction with the PingFederate STS will result in a WS-Trust Request Security Token Response (RSTR) being received. The RSTR message contains a SAMLv1.1 assertion with the identity of the authenticated subject. The response should look similar to the following example. Some notable things to observe in the SAMLv1.1 assertion are the attributes returned, such as the SUBJECT (line 26), UPN (line 40) and ImmutableID (line 43), where ImmutableID is the base64-encoded Active Directory objectGUID value of the user object.

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Header>
    <add:To xmlns:add="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</add:To>
    <add:Action xmlns:add="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</add:Action>
    <add:RelatesTo xmlns:add="http://www.w3.org/2005/08/addressing">1215501832</add:RelatesTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="4cce6cc1-57ac-4457-afc3-671fd9a54eca">
        <wsu:Created>2015-06-26T23:12:01.803Z</wsu:Created>
        <wsu:Expires>2015-06-26T23:17:01.803Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="T5LTg5pIwmTqL5jIbkjXE.w0A9G" IssueInstant="2015-06-26T23:12:01.719Z" Issuer="urn:sso.company.com" MajorVersion="1" MinorVersion="1">
          <saml:Conditions NotBefore="2015-06-26T23:07:01.719Z" NotOnOrAfter="2015-06-26T23:17:01.719Z">
            <saml:AudienceRestrictionCondition>
              <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
            </saml:AudienceRestrictionCondition>
          </saml:Conditions>
          <saml:AuthenticationStatement AuthenticationInstant="2015-06-26T23:12:01.718Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
            <saml:Subject>
              <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">[user UPN]</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">aOM</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
              <saml:AttributeValue>[user UPN]</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
              <saml:AttributeValue>zJQC8lDyA0GcfheBlRXVRw==</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <ds:Reference URI="#T5LTg5pIwmTqL5jIbkjXE.w0A9G">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>J7XoiIlu0IJmGIiXwEnaE8c8GNI=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>[signature…]</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>[certificate]</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:Lifetime>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-06-26T23:12:01.719Z</wsu:Created>
        <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-06-26T23:17:01.719Z</wsu:Expires>
      </wst:Lifetime>
      <wst:RequestedAttachedReference>
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">T5LTg5pIwmTqL5jIbkjXE.w0A9G</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </wst:RequestedAttachedReference>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <add:EndpointReference xmlns:add="http://www.w3.org/2005/08/addressing">
          <add:Address>urn:federation:MicrosoftOnline</add:Address>
        </add:EndpointReference>
      </wsp:AppliesTo>
    </wst:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>
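The two checks this walkthrough relies on, refreshing the wsu:Timestamp in a saved RST and reading the Subject, UPN and ImmutableID back out of the RSTR, as an added Python example (not code from the original post or from PingFederate). The helper names, the trimmed sample messages and the UPN user@company.com are constructed; the assertion ID, validity window and ImmutableID value are the ones shown in the response above.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created/wsu:Expires format used in the UAT file


def refresh_timestamp(rst_xml, now, lifetime=timedelta(minutes=5)):
    """Rewrite wsu:Created/wsu:Expires so a saved RST is not rejected as stale."""
    root = ET.fromstring(rst_xml)
    root.find(".//wsu:Timestamp/wsu:Created", NS).text = now.strftime(TS)
    root.find(".//wsu:Timestamp/wsu:Expires", NS).text = (now + lifetime).strftime(TS)
    return ET.tostring(root, encoding="unicode")  # ns0:/ns1: prefixes, still valid SOAP


def parse_utc(stamp):  # RSTR timestamps look like 2015-06-26T23:07:01.719Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inspect_rstr(rstr_xml, now, audience="urn:federation:MicrosoftOnline"):
    """Pull Subject, UPN and ImmutableID (decoded to the AD objectGUID) out of the
    SAML 1.1 assertion and check its Conditions window and audience at `now`."""
    assertion = ET.fromstring(rstr_xml).find(".//saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {a.get("AttributeName"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    guid = uuid.UUID(bytes_le=base64.b64decode(attrs["ImmutableID"]))  # 16 raw GUID bytes
    return {
        "subject": assertion.findtext(".//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=NS),
        "upn": attrs.get("UPN"),
        "object_guid": str(guid),
        "valid_now": parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))
                     and assertion.findtext(".//saml:Audience", namespaces=NS) == audience,
    }


# Constructed samples trimmed from the messages above; the UPN is a placeholder.
SAMPLE_RST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><wsse:Security>
<wsu:Timestamp Id="Timestamp"><wsu:Created>2015-06-26T03:12:01Z</wsu:Created><wsu:Expires>2015-06-26T03:17:01Z</wsu:Expires></wsu:Timestamp></wsse:Security></s:Header><s:Body/></s:Envelope>"""
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="T5LTg5pIwmTqL5jIbkjXE.w0A9G" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2015-06-26T23:07:01.719Z" NotOnOrAfter="2015-06-26T23:17:01.719Z">
<saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">user@company.com</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement>
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05"><saml:AttributeValue>zJQC8lDyA0GcfheBlRXVRw==</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></s:Body></s:Envelope>"""
```

Write the output of refresh_timestamp back to the UAT file before running the cURL command above; note that the `-k` flag there skips TLS certificate verification of the STS, so drop it once the server presents a trusted certificate.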

Following these steps, using cURL to emulate the WS-Trust SOAP service requests, gives you an easy way to test Office 365 federation without configuring an account. Contact us if you have questions on how to test federation to Office 365 or if you need help making the most of your identity and access management investment as you migrate to the cloud.
