My Office 365 WSFed partnership is not active even though the WAM UI says it is activated. Why is this so?

Document ID : KB000012166
Last Modified Date : 14/02/2018
Introduction:

When several Office 365 federation partnerships are defined with the same IP (Identity Provider), some of them may fail to activate, even though the activation process appears to complete successfully in the WAM UI.

Question:

Why are my Office 365 partnerships not activating even though Secure Cloud indicates activation is fine and no error is thrown?

Environment:

CA Secure Cloud 1.5X

Answer:

Normally, when different WSFED partnerships share the same RP (Resource Partner; Microsoft Office Live in the case of Office 365) and the same IP, it is necessary to define a disambiguation ID, which allows the RP to distinguish between the different partnerships sharing the same IP.

This is explained in the following reference:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/single-sign-on-to-office-365#SingleSign-ontoOffice365-VerifythePrerequisitesforSSOtoOffice365 

Point 6 of that page states:


Disambiguation ID (required for Office 365) 

Set this ID only when there are multiple partnerships between the same IP and RP, and your company has separate business units with their own relationship with Office 365. Office 365 uses a single ID to identify itself as an RP. Federation does not allow multiple partnerships with the same IP or RP ID. A disambiguation ID enables the system to differentiate partnerships with a unique logical path suffix for the service URLs given to a specific partner. Only one federation service exists, but the suffix that is combined with the RP ID creates a unique partnership lookup key. 

Example: microsoftonline 

The Disambiguation ID is appended to federation service URLs so requests go to the correct remote partner. 

Example: 

Passive Requestor Service URL: 

https://fedserver1.forwardinc.com/affwebservices/public/wsfeddispatcher/microsoftonline

However, it is possible to define partnerships with no actual disambiguation ID. Even though this is not correct as per the documentation, Secure Cloud will allow the partnership to be defined and activated.

Nevertheless, once this is done, it will not be possible to activate any other partnership with the same RP and IP: the WAM UI will appear to activate it, but it will remain in defined status.

To solve this problem, make sure that no active partnership involving the same IP and RP is missing a disambiguation ID.
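
One way to check an inventory of partnerships for the condition described above. This is an added example, not part of the original article or of any CA tooling. The `Partnership` record layout, the finding names and the sample data are assumptions made for illustration; the partnership list is assumed to have been transcribed by hand from the WAM UI.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Partnership:           # hypothetical record layout, not a Secure Cloud format
    name: str
    ip_id: str               # Identity Provider ID
    rp_id: str               # Resource Partner ID
    disambiguation_id: str   # empty string when not set
    active: bool


def find_conflicts(partnerships):
    """Return (partnership name, finding) pairs for IP/RP pairs used more than once."""
    groups = defaultdict(list)
    for p in partnerships:
        groups[(p.ip_id, p.rp_id)].append(p)

    findings = []
    for key in sorted(groups):
        members = groups[key]
        if len(members) < 2:
            continue  # only partnerships sharing an IP/RP pair are checked
        seen = set()
        for p in members:
            suffix = p.disambiguation_id.strip()
            if not suffix:
                # The case from this article: an active partnership without
                # a disambiguation ID keeps the others in defined status.
                findings.append((p.name, "BLOCKER" if p.active else "MISSING_ID"))
            elif suffix in seen:
                # RP ID plus suffix must form a unique lookup key.
                findings.append((p.name, "DUPLICATE_KEY"))
            seen.add(suffix)
    return findings


# Constructed sample inventory (all names and IDs are made up).
SAMPLE = [
    Partnership("hr-o365", "idp-forwardinc", "rp-office365", "", True),
    Partnership("sales-o365", "idp-forwardinc", "rp-office365", "sales", False),
    Partnership("eng-o365", "idp-forwardinc", "rp-office365", "sales", False),
    Partnership("crm", "idp-forwardinc", "rp-crm", "", True),
]

if __name__ == "__main__":
    for name, finding in find_conflicts(SAMPLE):
        print(f"{name}: {finding}")
```

A `BLOCKER` finding marks the partnership to deactivate and give a disambiguation ID before activating the others.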