If you enabled WS-Trust STS to support active federation, configure the WS-Trust protocol and token settings.
1. On the WS-Trust STS tab, click Configure WS-Trust STS.
2. On the Protocol Settings tab:
   a. In the Partner Service Identifier field, enter urn:federation:MicrosoftOnline. Click Add.
   b. In the same field, enter the active logon URI. To get this value, take the URL that was passed as the ActiveLogOnUri parameter to the Set-MsolDomainFederationSettings PowerShell cmdlet, then remove the URI scheme.
      Example: pf01.contoso.com:9031/idp/sts.wst
   c. From the Default Token Type list, select SAML 1.1 for Office 365.
   d. Click Next.
3. On the Token Lifetime tab, click Next.
4. On the Token Creation tab, configure the token.
   a. Click Configure Token Creation.
   b. On the Attribute Contract tab, map the following attributes, and then click Next.

      Attribute         Attribute Name Format
      ImmutableID       http://schemas.microsoft.com/LiveID/Federation/2008/05
      UPN               http://schemas.xmlsoap.org/claims
      SAML_NAME_FORMAT  http://schemas.xmlsoap.org/claims

   c. On the Request Contract tab, click Next.
   d. On the IdP Token Processor Mapping tab, click Map New Token Processor Instance.
   e. On the Token Processor Instance tab, from the Token Processor Instance list, select UsernameTokenProcessor. Click Next.
   f. If you have virtual server IDs for multiple subdomains: on the Virtual Server IDs tab, select the Restrict Virtual Server IDs check box.
      - Select the check box for the virtual server ID that represents the subdomain associated with this token processor. Click Next.
      For more information, see Restricting a token processor to certain virtual server IDs in the PingFederate documentation.
      Tip: If you have a single token processor for users across multiple subdomains, create an OGNL expression to verify the virtual server ID and other conditions, such as group membership. For help with OGNL expressions, see Defining issuance criteria for IdP Browser SSO, Enabling and disabling expressions, and Constructing OGNL expressions in the PingFederate documentation.
   g. On the Attribute Retrieval tab, select Retrieve additional attributes from data stores to fulfill the attribute contract. Click Next.
   h. On the Attribute Sources & User Lookup tab, complete the steps in Configuring attribute source and user lookup for token processors, and then click Next.
   i. On the Attribute Contract Fulfillment tab, create the following mappings, and then click Next.

      Attribute Contract  Source                   Value
      ImmutableID         LDAP (<Your datastore>)  objectGUID
      SAML_NAME_FORMAT    Text                     urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      TOKEN_SUBJECT       LDAP (<Your datastore>)  objectGUID
      UPN                 LDAP (<Your datastore>)  userPrincipalName

   j. If you use a single token processor instance for users in multiple subdomains, on the Issuance Criteria tab, create an OGNL expression to verify the virtual server ID and other conditions, such as group membership.
      Note: For help with OGNL expressions, see Defining issuance criteria for IdP Browser SSO, Enabling and disabling expressions, and Constructing OGNL expressions in the PingFederate documentation.
   k. Click Next.
   l. On the Summary tab, click Done.
   m. If you have more token processor instances (Username or Kerberos token processors), repeat steps d–l for each one.
      Note: When completing step f, each username token processor must have a different virtual server ID.
   n. On the Token Creation > IdP Token Processor Mapping tab, click Next.
   o. On the Summary tab, click Done.
5. On the WS-Trust STS > Token Creation tab, click Next.
6. On the Summary tab, click Done.
7. On the SP Connection > WS-Trust STS tab, click Next.
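Before switching a domain over to active federation, it is worth confirming that a token the STS issues actually carries the contract configured on the Attribute Contract and Attribute Contract Fulfillment tabs above: SAML 1.1, ImmutableID in the LiveID namespace, UPN in the xmlsoap claims namespace, an unspecified-format NameIdentifier, and TOKEN_SUBJECT equal to ImmutableID because both are fulfilled from objectGUID. The script below is an added example written for this page; it is not PingFederate or Microsoft code. The assertion it parses is constructed sample data: the Issuer, the UPN jdoe@contoso.com and the all-zero objectGUID are placeholders, and the check that ImmutableID decodes to 16 bytes assumes the STS emits objectGUID base64-encoded, which is the form Office 365 expects.

```python
# Added example, not PingFederate or Microsoft code: check a SAML 1.1 token
# against the WS-Trust attribute contract configured above. The assertion is
# constructed sample data; Issuer, UPN and ImmutableID values are placeholders.
import base64
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace
LIVEID_NS = "http://schemas.microsoft.com/LiveID/Federation/2008/05"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Attribute contract: attribute name -> SAML 1.1 AttributeNamespace
# (the "Attribute Name Format" column on the Attribute Contract tab).
EXPECTED_CONTRACT = {"ImmutableID": LIVEID_NS, "UPN": CLAIMS_NS}

# Placeholder objectGUID: 16 zero bytes, base64-encoded. Assumption: the STS
# emits objectGUID base64-encoded, which is the form Office 365 expects.
PLACEHOLDER_GUID = base64.b64encode(bytes(16)).decode()

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-sample" Issuer="urn:placeholder:issuer"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="{UNSPECIFIED}">{PLACEHOLDER_GUID}</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="{LIVEID_NS}">
      <saml:AttributeValue>{PLACEHOLDER_GUID}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>jdoe@contoso.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_token(xml_text: str) -> list:
    """Return a list of contract violations; an empty list means the token matches."""
    ns = {"saml": SAML1_NS}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return [f"not a SAML 1.x assertion: {root.tag}"]
    problems = []
    # Default Token Type on the Protocol Settings tab is SAML 1.1
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        problems.append("token type is not SAML 1.1")

    # SAML_NAME_FORMAT is fulfilled with the "unspecified" name-id format
    name_id = root.find(".//saml:AttributeStatement/saml:Subject/saml:NameIdentifier", ns)
    if name_id is None:
        problems.append("missing Subject/NameIdentifier")
    elif name_id.get("Format") != UNSPECIFIED:
        problems.append(f"SAML_NAME_FORMAT: got {name_id.get('Format')!r}, expected {UNSPECIFIED!r}")

    # Collect attributes by name: name -> (namespace, [values])
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        attrs[attr.get("AttributeName")] = (attr.get("AttributeNamespace"), values)

    for name, expected_ns in EXPECTED_CONTRACT.items():
        if name not in attrs:
            problems.append(f"{name}: attribute missing")
            continue
        actual_ns, values = attrs[name]
        if actual_ns != expected_ns:
            problems.append(f"{name}: namespace {actual_ns!r}, expected {expected_ns!r}")
        if not values or not values[0]:
            problems.append(f"{name}: empty value")

    # TOKEN_SUBJECT and ImmutableID are both fulfilled from objectGUID, so they must agree
    immutable = attrs.get("ImmutableID", (None, []))[1]
    if name_id is not None and immutable and (name_id.text or "") != immutable[0]:
        problems.append("TOKEN_SUBJECT and ImmutableID differ although both map to objectGUID")

    # An objectGUID is 16 bytes; a base64-encoded one must decode to exactly that
    if immutable and immutable[0]:
        try:
            if len(base64.b64decode(immutable[0], validate=True)) != 16:
                problems.append("ImmutableID does not decode to a 16-byte objectGUID")
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("ImmutableID is not valid base64")
    return problems


if __name__ == "__main__":
    for line in check_token(SAMPLE_ASSERTION) or ["token matches the contract"]:
        print(line)
```

To use it against a real token, capture the RequestSecurityTokenResponse from a test client, extract the saml:Assertion element (after signature verification, which this script does not perform) and pass its text to check_token; each returned string names the tab whose mapping needs attention.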