SecureAuth IdP Version Affected: 8.2+
Description: Configuring the dynamic issuer for a multidomain Office365 environment
Resolution:
If the Office 365 tenant contains multiple domains that will be federated for authentication, then Microsoft requires that the domain be created with the SupportMultiDomains flag set to True.
If the domains were created without the flag, then the domain must be updated.
Refer to Microsoft's Documentation for information on how to create, update, and remove domains in an Office 365 tenant.
When federating authentication, each domain in an Office 365 tenant must have a unique Issuer. SecureAuth IdP can send the Issuer dynamically from a single realm: it uses the authenticating user's userPrincipalName to look up the Issuer in a configuration setting.
For each federated domain in Office 365 for authentication, note the Issuer being used in the configuration steps above.
To enable and configure the dynamic issuer feature on the SecureAuth IdP, perform the following steps:
1. Configure the Data tab of each domain's WS-Fed realm and WS-Trust realm on SecureAuth, with UPN mapped to the AUXID9 field for each domain's web service realm as shown. For example, SecureAuth1 is domain1, SecureAuth2 is domain2, and SecureAuth3 is the web service realm that points to SecureAuth1 and SecureAuth2. Make this change on both SecureAuth1 and SecureAuth2.
2. Go to the System Info tab of that same realm.
3. Select Edit Web config, then search for DynamicIssuer.
a. Change the DynamicIssuerEnabled value to true.
b. Set the DynamicIssuerUpnAttr value = 19
AuxID9 maps to value 19 in the SecureAuth web.config. If you are using any other profile field for mapping the UPN value, let us know.
4. Set the DynamicIssuerUPNList value = "UniqueIssuer1|lastpartofUPN for domain 1,UniqueIssuer2|lastpartofUPN for domain 2".
For example: https://domain.com|domain.com,https://domain.net|domain.net as shown below.
You can add multiple issuer names separated by commas providing the corresponding domain is a part of the multi-domain configuration on the Data tab, and the corresponding UPN is mapped to the correct field on the domain data tab.
If not added correctly, the issuer sent back in the claims will default to the issuer name configured on the Post Authentication tab as shown below:
Special Considerations:
Please note that the DynamicIssuerUpnAttr value for AuxID1 is 9 and for AuxID2 is 12; from AuxID2 onward it increments by 1 for each subsequent AuxID. For example, AuxID3 = 13 and AuxID7 = 17.
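The following is an added example written for this article, not SecureAuth's own code, that models the behaviour described above: it reads the DynamicIssuerEnabled, DynamicIssuerUpnAttr and DynamicIssuerUPNList keys from a constructed web.config fragment, picks the Issuer whose domain matches the part of the userPrincipalName after the "@", and falls back to the default Issuer (the Post Authentication tab value, a placeholder here) when no entry matches or the feature is disabled. It also encodes the AuxID-to-attribute-value rule from Special Considerations. The appSettings layout of the XML, the case-insensitive suffix match and the placeholder default Issuer are assumptions, not details taken from the product.

```python
"""Illustrative model of SecureAuth IdP's dynamic issuer lookup (added example,
not SecureAuth's implementation). The web.config fragment is constructed, and
its appSettings layout is an assumption."""
import xml.etree.ElementTree as ET

# Constructed web.config fragment using the keys named in the article.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="DynamicIssuerEnabled" value="true" />
    <add key="DynamicIssuerUpnAttr" value="19" />
    <add key="DynamicIssuerUPNList"
         value="https://domain.com|domain.com,https://domain.net|domain.net" />
  </appSettings>
</configuration>
"""

# Placeholder for the Issuer configured on the Post Authentication tab.
DEFAULT_ISSUER = "https://issuer.placeholder.example"


def load_app_settings(xml_text):
    """Return {key: value} for every <add key=... value=...> element."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value") for e in root.iter("add")}


def aux_id_to_attr_value(n):
    """DynamicIssuerUpnAttr value for AuxID n: AuxID1 = 9, AuxID2 = 12,
    then +1 per AuxID (AuxID3 = 13 ... AuxID9 = 19)."""
    if n < 1:
        raise ValueError("AuxID numbering starts at 1")
    return 9 if n == 1 else 10 + n


def parse_issuer_list(value):
    """Parse 'issuer|domain,issuer|domain' into {domain_lower: issuer}.
    Malformed entries (no '|') are rejected so a typo is noticed at
    configuration time rather than silently falling back to the default."""
    mapping = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "|" not in entry:
            raise ValueError(f"malformed entry, expected issuer|domain: {entry!r}")
        issuer, domain = entry.split("|", 1)
        mapping[domain.strip().lower()] = issuer.strip()
    return mapping


def select_issuer(upn, settings, default_issuer=DEFAULT_ISSUER):
    """Choose the Issuer for a UPN. Falls back to default_issuer when the
    feature is off, the UPN has no domain part, or no entry matches."""
    if settings.get("DynamicIssuerEnabled", "false").strip().lower() != "true":
        return default_issuer
    if "@" not in upn:
        return default_issuer
    domain = upn.rsplit("@", 1)[1].lower()  # "last part of UPN" (assumed case-insensitive)
    mapping = parse_issuer_list(settings.get("DynamicIssuerUPNList", ""))
    return mapping.get(domain, default_issuer)


if __name__ == "__main__":
    cfg = load_app_settings(SAMPLE_WEB_CONFIG)
    for upn in ("alice@domain.com", "bob@DOMAIN.NET", "carol@other.example"):
        print(upn, "->", select_issuer(upn, cfg))
    print("AuxID9 ->", aux_id_to_attr_value(9))
```

Running the script shows the two federated domains resolving to their own Issuers and the unlisted domain falling back to the default, which is the symptom described under step 4 when an entry is missing or mistyped. Checking that aux_id_to_attr_value(9) returns 19 ties the Special Considerations rule back to the AuxID9 = 19 setting in step 3b.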
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.