Partnership Office365 - Azure AD issue

Document ID : KB000113734
Last Modified Date : 05/10/2018
Issue:
We're running CA Access Gateway (SPS). When a user accesses the Partnership
Office365 - Azure AD from a Windows 10 workstation, the authentication
fails, and the CA Access Gateway (SPS) Windows Event log reports the
error:

  Get user realm failure. Status: 0xC000023C Correlation ID:
  9384A23C-CA75-4DAD-AF67-0D4779C659C8

How can we fix that?
Environment:
  Policy Server 12.52SP1CR00 on RedHat 6 64bit;
  CA Access Gateway (SPS) 12.52SP1CR04 on RedHat 6 64bit;
  User Store on Active Directory;

Resolution:
As per Microsoft's suggestion, add the following claim rules:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};userPrincipalName;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");
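To make it clear what each of the four rules does before you deploy them, the following Python script emulates them over a constructed set of input claims. It is an added example, not code from CA or Microsoft: the directory contents (account names, UPNs, objectGUIDs), the claim issuer names and the SIDs are all constructed, and the store lookup is a dictionary standing in for the "Active Directory" attribute store. The rules themselves are written in the AD FS claim rule language; the script reproduces their regexes and conditions, including the two details a practitioner should check in a real deployment: the first two rules issue nothing when the sAMAccountName is not found in the store, and the fourth rule issues accounttype=DJ only when the Domain Computers group SID (RID 515) comes from one of the three listed issuers.

```python
import base64
import re
from dataclasses import dataclass, field

# Claim type URIs used by the four rules above.
WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME_ID_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2012/01/accounttype"

# Constructed stand-in for the "Active Directory" attribute store, keyed by sAMAccountName.
# objectGUID is kept as 16 raw bytes; the rule emits it base64-encoded, as AD FS does.
DIRECTORY = {
    "wks01$": {"userPrincipalName": "wks01$@corp.example.com", "objectGUID": bytes(range(16))},
    "alice": {"userPrincipalName": "alice@corp.example.com", "objectGUID": bytes(range(16, 32))},
}

# The same regexes as in the rules (Python spells named groups as (?P<name>...)).
DOMAIN_USER_RE = re.compile(r"(?P<domain>[^\\]+)\\(?P<user>.+)")
TRUSTED_ISSUER_RE = re.compile(r"^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$")
DOMAIN_COMPUTERS_RE = re.compile(r"-515$")  # RID 515 is the Domain Computers group


@dataclass
class Claim:
    claim_type: str
    value: str
    issuer: str = "AD AUTHORITY"
    properties: dict = field(default_factory=dict)


def strip_domain(account: str) -> str:
    # regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"): DOMAIN\user -> user.
    # A value without a backslash is left unchanged, exactly as regexreplace would leave it.
    return DOMAIN_USER_RE.sub(r"\g<user>", account)


def rule_ad_lookup(claims, out_type, attribute):
    """Rules 1 and 2: for each windowsaccountname claim, query the store by sAMAccountName
    (query parameter {0}) and issue the requested attribute; no match means no claim."""
    issued = []
    for c in claims:
        if c.claim_type != WINDOWS_ACCOUNT:
            continue
        entry = DIRECTORY.get(strip_domain(c.value))
        if entry is None:
            continue
        value = entry[attribute]
        if isinstance(value, bytes):  # binary attribute (objectGUID) is emitted base64-encoded
            value = base64.b64encode(value).decode("ascii")
        issued.append(Claim(out_type, value))
    return issued


def rule_nameid_from_immutable_id(claims):
    """Rule 3: copy ImmutableID into a SAML NameID carrying the 'unspecified' format property."""
    fmt = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    return [Claim(NAME_ID, c.value, properties={NAME_ID_FORMAT: fmt})
            for c in claims if c.claim_type == IMMUTABLE_ID]


def rule_domain_joined(claims):
    """Rule 4: issue accounttype=DJ only for a Domain Computers SID from a trusted issuer."""
    return [Claim(ACCOUNT_TYPE, "DJ") for c in claims
            if c.claim_type == GROUP_SID
            and DOMAIN_COMPUTERS_RE.search(c.value)
            and TRUSTED_ISSUER_RE.match(c.issuer)]


RULES = [
    lambda cs: rule_ad_lookup(cs, UPN, "userPrincipalName"),
    lambda cs: rule_ad_lookup(cs, IMMUTABLE_ID, "objectGUID"),
    rule_nameid_from_immutable_id,
    rule_domain_joined,
]


def apply_rules(input_claims):
    """Run the rules in order. As in the AD FS issuance pipeline, claims issued by an
    earlier rule are visible to later ones (rule 3 consumes what rule 2 produced)."""
    claims = list(input_claims)
    for rule in RULES:
        claims.extend(rule(claims))
    return claims


def claim_values(claims, claim_type):
    return [c.value for c in claims if c.claim_type == claim_type]


# Constructed input claims for a domain-joined Windows 10 computer account.
SAMPLE_INPUT = [
    Claim(WINDOWS_ACCOUNT, "CORP\\wks01$"),
    Claim(GROUP_SID, "S-1-5-21-1111111111-2222222222-3333333333-513"),
    Claim(GROUP_SID, "S-1-5-21-1111111111-2222222222-3333333333-515"),
]

if __name__ == "__main__":
    for c in apply_rules(SAMPLE_INPUT):
        print(c.claim_type.rsplit("/", 1)[-1], "=", c.value, c.properties or "")
```

Running the script prints the UPN, ImmutableID, nameidentifier and accounttype claims the real rules would issue for the constructed computer account. If the UPN or ImmutableID claim is missing in your own environment, the first thing to verify is that the windowsaccountname value, once the domain prefix is stripped, matches a sAMAccountName the attribute store can resolve; if accounttype=DJ is missing, check the issuer of the groupsid claim against the three names in rule 4.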

Also vote on the enhancement request below to get this integration
fully QA'd and supported on our side.

Vote for support of the full integration of CA Single Sign-On with
Office 365 and Windows 10 in an Azure environment:

Office 365 and Windows 10 - Domain join via CA SSO 
https://communities.ca.com/ideas/235740879-office-365-and-windows-10-domain-join-via-ca-sso