I was recently working on an Office 365 environment with the following characteristics:
- Federated authentication
- Multiple top level domains
- Multiple sub domains
When adding multiple top level domains, you are required to use the SupportMultipleDomain switch when converting the domains to federated. This allows each domain to authenticate to Office 365 successfully.
When adding sub domains, you may find you get the following error when trying to authenticate:
A quick Google search for the error turns up some posts that help solve it:
This was a great starting point; we tried to implement the modified claim rule but unfortunately still got the same error. After a bit more digging, and wanting a way to test this safely without impacting production services a second time, I ended up finding this RegEx editor. Extracting the RegEx from the customised claim rule lets you find the match that will be passed back to Office 365 as the Issuer URI. The item below shows the RegEx extracted from the blog post above.
This lets you start matching and modifying the RegEx to ensure the rule will be successful when implemented in production. The screenshots below show some examples of this. Note: sub-domains should pass the top-level domain as the Issuer URI. This contains a lot more information on multiple domains and sub-domains.
Group #4 shows the value that will be passed back to Office 365 based on the RegEx above. If your claim rule is slightly different, you should be able to figure out which group is the one that will be used for the claim.
This lets you keep modifying the RegEx until you find a match, meaning that, once implemented in the claim rule, it will pass the valid Issuer URI to Office 365.
My particular issue in this case was making the RegEx match both “domain.wa.edu.au” and “sub.domain.edu.au”; it was definitely handy having this in place to test it before implementing in production!
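The same kind of offline check can be scripted rather than done in a GUI editor. The following is an added example, not code from this post or from Microsoft: it emulates the AD FS claim-language regexreplace() function with Python's re module and checks a candidate RegEx against a constructed table of UPNs, including the two domains named above. The federated domain list, the candidate RegEx and the UPNs are assumptions made for the example; the Issuer URI format is the one the standard SupportMultipleDomain claim rule produces.

```python
import re

# Constructed for this example: the domains federated in the tenant (assumption).
FEDERATED_DOMAINS = ["domain.wa.edu.au", "domain.edu.au"]

# Candidate claim-rule RegEx in .NET syntax. Leading sub-domain labels are consumed
# lazily, so the named group captures the longest federated domain that ends the
# UPN; a domain that is not in the list can never become an Issuer URI.
PATTERN = (r"^.*@(?:[^.]+\.)*?(?<domain>"
           + "|".join(re.escape(d) for d in FEDERATED_DOMAINS) + r")$")
REPLACEMENT = "http://${domain}/adfs/services/trust/"


def adfs_regexreplace(value: str, pattern: str, replacement: str) -> str:
    """Emulate the AD FS claim-language regexreplace() with Python's re module.

    .NET named groups (?<name>...) become (?P<name>...) and ${name} substitutions
    become \\g<name>. Like .NET Regex.Replace, a value that does not match is
    returned unchanged, which is the silent failure mode that breaks sign-in.
    """
    py_pattern = re.sub(r"\(\?<(?P<n>\w+)>", r"(?P<\g<n>>", pattern)
    py_replacement = re.sub(r"\$\{(?P<n>\w+)\}", r"\\g<\g<n>>", replacement)
    return re.sub(py_pattern, py_replacement, value)


def issuer_uri(upn: str) -> str:
    """Issuer URI the candidate claim rule would send to Office 365 for this UPN."""
    return adfs_regexreplace(upn, PATTERN, REPLACEMENT)


def check_rule(cases: dict[str, str]) -> list[str]:
    """Return the UPNs whose Issuer URI differs from what the tenant expects."""
    return [upn for upn, want in cases.items() if issuer_uri(upn) != want]


# Constructed UPNs with the Issuer URI each one should produce.
EXPECTED = {
    "user@domain.wa.edu.au": "http://domain.wa.edu.au/adfs/services/trust/",
    "user@sub.domain.edu.au": "http://domain.edu.au/adfs/services/trust/",
    "user@staff.domain.wa.edu.au": "http://domain.wa.edu.au/adfs/services/trust/",
    "user@other.example.com": "user@other.example.com",  # no match: passed through
}

if __name__ == "__main__":
    for upn in EXPECTED:
        print(f"{upn} -> {issuer_uri(upn)}")
    print("mismatches:", check_rule(EXPECTED))
```

Add every federated domain and a representative UPN for each sub-domain to the table, and the rule is only safe to deploy when check_rule() returns an empty list.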