Implementing Office 365 single sign-on using custom authentication/claims provider in ADFS 3.0 (RE: AADSTS90019)

無奈伤痛 2020-12-22 10:12

I have a new Claims Provider Trust successfully configured in ADFS 3.0 that allows us to use a separate SAML IdP and let ADFS 3.0 be the SP. We now see "You are signed in"

1 answer
  • 2020-12-22 10:41

    So to properly execute this (SSO into Office 365 via custom authentication/claims provider in ADFS), we have to:

    1. Allow the incoming Name ID claim. Add a Claim Rule to the new Claims Provider in ADFS to pass the Name ID through.
    2. Map the Name ID to the corresponding AD user. Add a Claim Rule to the existing Microsoft Office 365 Identity Platform relying party trust to query AD using the Name ID (format as needed) and return the fields required: UPN and ImmutableID.

    Vanilla example of claim rule for the new Claims Provider:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
    => issue(claim = c);

    Example of using the Name ID to query AD and return the UPN and ImmutableID:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;DOMAIN\{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    Finally, you should add some filtering on the incoming claims in the Claims Provider for added security (i.e. only allow incoming claims matching your domain's email suffix, etc.)

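The filtering the answer recommends as a concrete rule, applied with the ADFS PowerShell module. This is an added example, not code from the original post; it assumes a Claims Provider Trust named "Partner SAML IdP" and an IdP that sends email-style Name IDs for accounts in example.com, both of which you would replace with your own values.

```powershell
# Added example (not from the original post). Assumptions: the Claims Provider Trust
# is named "Partner SAML IdP" and the external IdP asserts email-style Name IDs for
# example.com accounts. Without a filter, ADFS passes through whatever Name ID the
# partner IdP asserts, and the relying party rule above then maps it to an AD user,
# so a misconfigured or compromised partner IdP could assert any account in your domain.
$cpTrustName  = "Partner SAML IdP"
$allowedRegex = '^(?i)[^@]+@example\.com$'   # only accounts in our own mail domain

# Acceptance rule: pass the Name ID through only when its format is the expected one
# AND its value matches the allowed domain suffix. Anything else is dropped, which is
# the ADFS default for claims that no acceptance rule issues.
$rules = @"
@RuleName = "Pass Name ID only for accounts in the allowed domain"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
   Value =~ "$allowedRegex"]
 => issue(claim = c);
"@

# Replace the trust's acceptance transform rules with the filtered pass-through.
# This overwrites any rules already set on the trust; merge them into $rules first if needed.
Set-AdfsClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $rules

# Verify what was applied.
(Get-AdfsClaimsProviderTrust -Name $cpTrustName).AcceptanceTransformRules
```

Because the relying party rule looks the user up in AD by the incoming Name ID, that lookup is only as trustworthy as this acceptance filter; tighten the regex (and the expected Name ID format) to exactly what the partner IdP is contracted to send.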