前提情報
O365(SP)メタファイル
https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" ID="_e1f359fb-13fb-4264-9047-177f62360717" entityID="urn:federation:MicrosoftOnline">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_e1f359fb-13fb-4264-9047-177f62360717">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>LhwJ4fdEzmYQo4AgLM33skv8EhM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>CmzuV+PjHZAYEHIEPDgmnXtIwKaiBuwdPctJfwp57VBKZRPB+bM7Yrlxm2osn4T8AjLBNxV64I8t5tAALYhJuBnUW7hQwONVetovkAT07fN53Ybjc8uIvJWx0ZkJ4gyAVCwdEzGd7dUJmuqRbImyfaNkTnjWtFXCtj0JJOb7kNMXGxCbjcGXMTPvsItNmZ/goiKAPIGgnAWeJQlXRLBNj3VncEo2rmfFGsaKtqoFKx19JrzI70vxRTcQyCB4Qf6ID+EHrWfMr0crZ94ttJ50wrsS9aIvPgH/Px7mHFKSjC0N4tc7cuVC09/PHCy/hBIfvaWGnjcJOXku2XCNdkbvZw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC/TCCAeWgAwIBAgIQN/GPegnT8blP2EcSdMMbBzANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDEx5MaXZlIElEIFNUUyBTaWduaW5nIFB1YmxpYyBLZXkwHhcNMjEwMjE4MDAwMDAwWhcNMjYwMjE4MDAwMDAwWjApMScwJQYDVQQDEx5MaXZlIElEIFNUUyBTaWduaW5nIFB1YmxpYyBLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXdLGU2Ll5RPdDUnKQ+f/HS5qiTay2cCh9U2AS6oDM6SOxVhYGtoeJ1VPebcLnpgLfhPxzrwWoVzXSEF+VRQbnYID2Jb4khjgyEeoThk3VqrThwhahpSbBg2vo06vIOp1TS2R1BiwHKTLoB1i1IJnaIFSC3BN6pY4flXWyLQt/5ABXElv2XZLqXM9Eefj6Ji40nLIsiW4dWw3BDa/ywWW0MsiW5ojGq4vovcAgENe/4NUbju70gHP/WS5D9bW5p+OIQi7/unrlWe/h3A6jtBbbRlXYXlN+Z22uTTyyCD/W8zeXaACLvHagwEMrQePDXBZqc/iX2kI+ooZr1sC/H39RAgMBAAGjITAfMB0GA1UdDgQWBBSrX2dm3LwT9jb/p+bAAdYQpE+/NjANBgkqhkiG9w0BAQsFAAOCAQEAeqJfYHnsA9qhGttXFfFpPW4DQLh5w6JCce7vGvWINr5fr1DnQdcOr+wwjQ/tqbckAL2v6z1AqjhS78kbfegnAQDwioJZ1olYYvLOxKoa6HF+b1/p0Mlub8Zukk2n1b2lKPBBOibOasSY7gQDwlIZi7tl9nMTxUfdYK+E5Axv7DVnmUCwcnnpV5/1SFdNyW2kWO4C68rrjMOvECfwrKkbfVJM8f9krEUBuoBF8dTDv7D2ZM4Q2buC70NbfaNWUX0yFvKI0IuTqk8RBfGTRQ4fZAbhMPaykEpBu6dNjTi5YOa0lNqFGS7Ax7leCh5x9lV8elcLkXs8ySo8AOQJk0hgIw==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf" index="0" isDefault="true"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login.microsoftonline.com/login.srf" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://login.microsoftonline.com/login.srf" index="2"/>
</SPSSODescriptor>
<Extensions>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</Extensions>
</EntityDescriptor>
OpenAM(IdP)メタファイル
※ドメインはhoge.comでレルムはo365の場合、公開URL文字列は以下となる。
https://hoge.com/openam/saml2/jsp/exportmetadata.jsp?entityid=https%3A%2F%2Fhoge.com%3A443%2Fopenam&realm=%2Fo365
<EntityDescriptor entityID="https://hoge.com:443/openam">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
〜省略〜
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/ArtifactResolver/metaAlias/o365/idp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hoge.com:443/openam/IDPSloPOST/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPSloPOST/metaAlias/o365/idp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/IDPSloSoap/metaAlias/o365/idp"/>
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hoge.com:443/openam/IDPMniRedirect/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPMniRedirect/metaAlias/o365/idp"/>
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hoge.com:443/openam/IDPMniPOST/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPMniPOST/metaAlias/o365/idp"/>
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/IDPMniSoap/metaAlias/o365/idp"/>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hoge.com:443/openam/SSORedirect/metaAlias/o365/idp"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hoge.com:443/openam/SSOPOST/metaAlias/o365/idp"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/SSOSoap/metaAlias/o365/idp"/>
<NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/NIMSoap/metaAlias/o365/idp"/>
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/AIDReqSoap/IDPRole/metaAlias/o365/idp"/>
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://hoge.com:443/openam/AIDReqUri/IDPRole/metaAlias/o365/idp"/>
</IDPSSODescriptor>
</EntityDescriptor>
SP Initiated SSOの場合
以下フローとなる。
①ブラウザがO365(SP)のサインイン画面にアクセスしサインイン(IDのみ入力)
②O365がブラウザをOpenAM(IdP)のレルムのサインイン画面にリダイレクト
③ブラウザがOpenAMサインイン画面にアクセス(SAMLリクエスト送付)
④ブラウザがOpenAMサインイン画面でID/PW入力しサインイン
⑤OpenAMがブラウザをO365にリダイレクト
⑥ブラウザがO365 SAMLにアクセス(SAMLレスポンス送付)
⑦O365にサインイン
SAMLトレーサーの情報で採取した情報は以下の通り。
<samlp:AuthnRequest ID="_77eeb8fe-8b2b-4752-9ed4-4fc0c3fbf8e9"
Version="2.0"
IssueInstant="2022-05-15T14:51:07.739Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s2faee0cb2cdbb0c40204f41c0613ff54d25cc543c"
InResponseTo="_77eeb8fe-8b2b-4752-9ed4-4fc0c3fbf8e9"
Version="2.0"
IssueInstant="2022-05-15T14:51:13Z"
Destination="https://login.microsoftonline.com/login.srf"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hoge.com:443/openam</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:SAML:2.0:status:Success"
/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s26a1ee234251e7b5de92ad22ceecb14a112d9191c"
IssueInstant="2022-05-15T14:51:13Z"
Version="2.0"
>
<saml:Issuer>https://hoge.com:443/openam</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#s26a1ee234251e7b5de92ad22ceecb14a112d9191c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>o+/KyOny4iHd+yikTkDxWliPlVk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>〜省略〜</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>〜省略〜</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://hoge.com:443/openam"
SPNameQualifier="urn:federation:MicrosoftOnline"
>10000</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_77eeb8fe-8b2b-4752-9ed4-4fc0c3fbf8e9"
NotOnOrAfter="2022-05-15T15:01:13Z"
Recipient="https://login.microsoftonline.com/login.srf"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2022-05-15T14:41:13Z"
NotOnOrAfter="2022-05-15T15:01:13Z"
>
<saml:AudienceRestriction>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2022-05-15T14:51:13Z"
SessionIndex="s22aa3ab0b20f4d83859d1aa1528391652e0dde201"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="IDPEmail">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>hoge@hoge.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
SAMLログアウトリクエスト(おまけ)
<samlp:LogoutRequest ID="_12385893-eebb-45eb-87de-4c023d0230a7"
Version="2.0"
IssueInstant="2022-05-15T14:51:28.302Z"
Destination="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>10000</NameID>
<samlp:SessionIndex>s22aa3ab0b20f4d83859d1aa1528391652e0dde201</samlp:SessionIndex>
</samlp:LogoutRequest>
SAMLログアウトレスポンス(おまけ)※以下は上記ログアウトリクエストと同一内容(ID含む)が貼られており、レスポンス本体は未採取。
<samlp:LogoutRequest ID="_12385893-eebb-45eb-87de-4c023d0230a7"
Version="2.0"
IssueInstant="2022-05-15T14:51:28.302Z"
Destination="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>10000</NameID>
<samlp:SessionIndex>s22aa3ab0b20f4d83859d1aa1528391652e0dde201</samlp:SessionIndex>
</samlp:LogoutRequest>
IDP Initiated SSOの場合
以下フローとなる。
①ブラウザがレルムのOpenAMサインイン画面でID/PW入力しサインイン
URLは以下の通り。
https://hoge.com:443/openam/XUI/?realm=%2Fo365#login
②ブラウザがO365 SAMLにアクセス(SAMLレスポンス送付)
https://hoge.com:443/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=%2Fo365%2Fidp&spEntityID=urn%3Afederation%3AMicrosoftOnline&NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
③O365にサインイン
SAMLトレーサーの情報で採取した情報は以下の通り。
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s207635788d55874ec055af470c14588ac4d8d151d"
Version="2.0"
IssueInstant="2022-05-15T15:52:58Z"
Destination="https://login.microsoftonline.com/login.srf"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hoge.com:443/openam</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:SAML:2.0:status:Success"
/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s2bd1c86eb6c0ab8f840b6f8eb2f20ab4210b7da2f"
IssueInstant="2022-05-15T15:52:58Z"
Version="2.0"
>
<saml:Issuer>https://hoge.com:443/openam</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#s2bd1c86eb6c0ab8f840b6f8eb2f20ab4210b7da2f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>IxMkFO2rdzhOk9/t2blfaIE2b6k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>〜省略〜</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>〜省略〜</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://hoge.com:443/openam"
SPNameQualifier="urn:federation:MicrosoftOnline"
>10000</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2022-05-15T16:02:58Z"
Recipient="https://login.microsoftonline.com/login.srf"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2022-05-15T15:42:58Z"
NotOnOrAfter="2022-05-15T16:02:58Z"
>
<saml:AudienceRestriction>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2022-05-15T15:52:26Z"
SessionIndex="s2b52578651e4b29cf4b304eceb2475cae0259eb01"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="IDPEmail">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>hoge@hoge.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
SAMLログアウトリクエスト(おまけ)
<samlp:LogoutRequest ID="_19e69436-931a-403e-95d8-c506945df67f"
Version="2.0"
IssueInstant="2022-05-15T15:53:14.166Z"
Destination="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>10000</NameID>
<samlp:SessionIndex>s2b52578651e4b29cf4b304eceb2475cae0259eb01</samlp:SessionIndex>
</samlp:LogoutRequest>
SAMLログアウトレスポンス(おまけ)
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="se60d6f6c2dc845c912c51b187496499ebdb0d10b"
Version="2.0"
IssueInstant="2022-05-15T15:53:14Z"
Destination="https://login.microsoftonline.com/login.srf"
InResponseTo="_19e69436-931a-403e-95d8-c506945df67f"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hoge.com:443/openam</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:SAML:2.0:status:Success"
/>
<samlp:StatusMessage xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
Session did not exist. Already logged-out
</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>
ログアウト時、上記のログアウトレスポンスにある「Session did not exist. Already logged-out」というStatusMessageが返る(StatusCode自体はSuccess)。
※原因調査中。