Environment
NetIQ Access Manager 4.0.1
NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server
Integrating Access Manager with Office365
NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server
Integrating Access Manager with Office365
Situation
Access Manager setup successfully and Identity Server integrated with office 365 using ws-federation and ws-trust protocols, using the wizard. Users can successfully login to o365 through the web service and the desktop apps. However, users get the following error when trying to login in the OneDrive app on iOS and Android.
"AADSTS20001: WS-Federation response does not contain an issued token"
Admin has two domains setup for o365, although that should not matter.
"AADSTS20001: WS-Federation response does not contain an issued token"
Admin has two domains setup for o365, although that should not matter.
Resolution
To establish single sign-on from iOS apps to Office 365 services, perform the following steps:
1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Contract.
2. Specify a name to identity the contract.
3. Specify the URI as http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
4. Select Name/Password - Form - WebService method.
1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Contract.
2. Specify a name to identity the contract.
3. Specify the URI as http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
4. Select Name/Password - Form - WebService method.
Cause
From the logs, I can see the following incoming AUthn Request:
<amLogEntry> 2015-05-01T14:38:52Z DEBUG NIDS Application:
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: ajp-bio-127.0.0.1-9019-exec-1
****** HttpServletRequest Information:
Method: GET
Scheme: https
Context Path: /nidp
Servlet Path: /wsfed
Query String: login_hint=aris%40cjonquiere.qc.com&wfresh=0&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&username=aris%40cjonquiere.qc.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3d3wEBD09BdXRoMkF1dGhvcml6ZQEPT0F1dGgyQXV0aG9yaXplAQZjb21tb24BAQEPb2F1dGgyLmF1dGhjb2RlAAEhaHR0cHM6Ly9hcGkub2ZmaWNlLmNvbS9kaXNjb3ZlcnkvAQEkYjI2YWFkZjgtNTY2Zi00NDc4LTkyNmYtNTg5ZjYwMWQ5Yzc0AAAAAAAAAAAAAAABARoAAAABQG1zYXV0aDovL2NvbS5taWNyb3NvZnQuc2t5ZHJpdmUvZ1NvcXpoYkNqa3l2SSUyRmw3a0M3SWRHN0tiUFUlM0QBDAEIYWRhbF92ZXIBBTEuMS4xAQNjaWQBJDIyOGUzOTE3LTI2NDgtNGMyZi04MDQxLWM1NWNhYzM0MWQ4ZgEJZXJyb3JfdXJpAUBtc2F1dGg6Ly9jb20ubWljcm9zb2Z0LnNreWRyaXZlL2dTb3F6aGJDamt5dkklMkZsN2tDN0lkRzdLYlBVJTNEAQ9Gb3JjZUZyZXNoTG9naW4BATEBD2luY2x1ZGVfYXRfaGFzaAEBMQELaW50ZXJhY3RpdmUBATEBCmxvZ2luX2hpbnQBF2FkYXJpc0Bjam9ucXVpZXJlLnFjLmNhAQNwa2EBATEBBnByb21wdAEFbG9naW4BAnJjAV5ZVDFvZEhSd2N6b3ZMMnh2WjJsdUxuZHBibVJ2ZDNNdWJtVjBMMk52YlcxdmJpWnlQV2gwZEhCek9pOHZZWEJwTG05bVptbGpaUzVqYjIwdlpHbHpZMjkyWlhKNUx3AQlzZXNzaW9uSWQBJDA5YWE5Mjk4LTM2NTctNDcxYy1iY2FiLTRhZWRjNWI0ZWY4MgEPbGltaXRfdG9rZW5zaXplAQEx7Q2
Path Info: /ep
The wauth parameter defines the type of authentication that the client wants to execute it. http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword. We must create a contract with this URI in it, so that we map this authn type to a local NAM contract to execute.
<amLogEntry> 2015-05-01T14:38:52Z DEBUG NIDS Application:
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: ajp-bio-127.0.0.1-9019-exec-1
****** HttpServletRequest Information:
Method: GET
Scheme: https
Context Path: /nidp
Servlet Path: /wsfed
Query String: login_hint=aris%40cjonquiere.qc.com&wfresh=0&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&username=aris%40cjonquiere.qc.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3d3wEBD09BdXRoMkF1dGhvcml6ZQEPT0F1dGgyQXV0aG9yaXplAQZjb21tb24BAQEPb2F1dGgyLmF1dGhjb2RlAAEhaHR0cHM6Ly9hcGkub2ZmaWNlLmNvbS9kaXNjb3ZlcnkvAQEkYjI2YWFkZjgtNTY2Zi00NDc4LTkyNmYtNTg5ZjYwMWQ5Yzc0AAAAAAAAAAAAAAABARoAAAABQG1zYXV0aDovL2NvbS5taWNyb3NvZnQuc2t5ZHJpdmUvZ1NvcXpoYkNqa3l2SSUyRmw3a0M3SWRHN0tiUFUlM0QBDAEIYWRhbF92ZXIBBTEuMS4xAQNjaWQBJDIyOGUzOTE3LTI2NDgtNGMyZi04MDQxLWM1NWNhYzM0MWQ4ZgEJZXJyb3JfdXJpAUBtc2F1dGg6Ly9jb20ubWljcm9zb2Z0LnNreWRyaXZlL2dTb3F6aGJDamt5dkklMkZsN2tDN0lkRzdLYlBVJTNEAQ9Gb3JjZUZyZXNoTG9naW4BATEBD2luY2x1ZGVfYXRfaGFzaAEBMQELaW50ZXJhY3RpdmUBATEBCmxvZ2luX2hpbnQBF2FkYXJpc0Bjam9ucXVpZXJlLnFjLmNhAQNwa2EBATEBBnByb21wdAEFbG9naW4BAnJjAV5ZVDFvZEhSd2N6b3ZMMnh2WjJsdUxuZHBibVJ2ZDNNdWJtVjBMMk52YlcxdmJpWnlQV2gwZEhCek9pOHZZWEJwTG05bVptbGpaUzVqYjIwdlpHbHpZMjkyWlhKNUx3AQlzZXNzaW9uSWQBJDA5YWE5Mjk4LTM2NTctNDcxYy1iY2FiLTRhZWRjNWI0ZWY4MgEPbGltaXRfdG9rZW5zaXplAQEx7Q2
Path Info: /ep
The wauth parameter defines the type of authentication that the client wants to execute it. http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword. We must create a contract with this URI in it, so that we map this authn type to a local NAM contract to execute.