federated auth with Microsoft Office 365

Cantor, Scott cantor.2 at osu.edu
Wed Aug 15 16:54:05 EDT 2012

On 8/15/12 4:35 PM, "Paul B. Henson" <henson at csupomona.edu> wrote:
>This seems very kludgy 8-/. Despite apparently belonging to InCommon, it
>appears Microsoft requires individual and separate configuration of
>metadata for the Office 365 SP. They also insist on a unique relying
>party and their own special attributes.

If you haven't already encountered such a case, you're fairly early in
your federating efforts, or very strict.

The reason they need the custom RP is at minimum I guess the encryption
thing, and I have several vendors like that. Service-Now for example.
That's not really that big of a deal, you can't really expect that every
SP will have exactly the same SAML requirements.

The metadata thing is not really that inconvenient for *you* to load
theirs, but rather the fact that they can't load yours usefully. With the
ADFS piece in the middle, you might be able to offload that mess to your
ADFS team, since the only operational relationship you have is with it.
That just moves the problem, though.

Only you (or your mgmt) can decide what you're willing to do, of course.

>My initial inclination is to just tell them to go ahead and deploy ADFS
>and avoid contaminating my current nice clean Shibboleth configuration
>:). I would though be curious for any feedback from people that have
>tried to implement this.

I suppose if you have the luxury of punting the ADFS piece to some other
group, that might be attractive. I would most likely not, so then it's a
choice between running what I already have, and adding ADFS. That's a
somewhat easier question to answer.

Anyway, I haven't implemented O365, but the issues you're talking about
come up all the time and I have done it, because what's my alternative?

All the Google Apps sites are in the same boat (plus all the other broken
things Google does).

If you want to hear a bad one, I have a vendor that refuses to accept my
self-signed certificate. I am considering actually sending them the
self-signed one and seeing if they notice.

-- Scott
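For readers unfamiliar with what a "custom RP" for one SP looks like in practice, the following is an added illustration, not part of Scott's message or of any Shibboleth or Microsoft documentation. It assumes a Shibboleth IdP 2.x `relying-party.xml`: the default relying party keeps the federation-wide settings, a separate metadata provider loads the SP's individually supplied metadata, and one `RelyingParty` override carries the SP-specific profile settings. The entityID `urn:federation:MicrosoftOnline`, the file paths, the IdP entityID and the choice of turning assertion encryption off for this one SP are assumptions for the example; take the real values from the metadata the vendor gives you and from their stated requirements.

```xml
<!-- Added example: per-SP override in a Shibboleth IdP 2.x relying-party.xml.
     Values marked ASSUMED are placeholders, not taken from the thread. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
                      xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                      xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                      xmlns:security="urn:mace:shibboleth:2.0:security"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Federation members get the campus defaults: signed, encrypted assertions. -->
  <rp:DefaultRelyingParty provider="https://idp.example.edu/idp/shibboleth"
                          defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="PT5M"
                             signResponses="never"
                             signAssertions="always"
                             encryptAssertions="always"
                             encryptNameIds="never" />
  </rp:DefaultRelyingParty>

  <!-- Override for one SP whose SAML requirements differ from the federation's.
       ASSUMED: this SP cannot consume encrypted assertions, so encryption is
       switched off for it only; every other SP still gets the defaults above. -->
  <rp:RelyingParty id="urn:federation:MicrosoftOnline"
                   provider="https://idp.example.edu/idp/shibboleth"
                   defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="PT5M"
                             signResponses="never"
                             signAssertions="always"
                             encryptAssertions="never"
                             encryptNameIds="never" />
  </rp:RelyingParty>

  <!-- Metadata: the federation aggregate plus the SP's separately supplied file. -->
  <metadata:MetadataProvider id="ShibbolethMetadata"
                             xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="FederationMD"
                               xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="/opt/shibboleth-idp/metadata/federation-metadata.xml" />  <!-- ASSUMED path -->
    <metadata:MetadataProvider id="VendorMD"
                               xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="/opt/shibboleth-idp/metadata/vendor-sp.xml" />           <!-- ASSUMED path -->
  </metadata:MetadataProvider>

  <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>           <!-- ASSUMED path -->
    <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>         <!-- ASSUMED path -->
  </security:Credential>

</rp:RelyingPartyGroup>
```

The security-relevant point is the scoping: the relaxed setting is keyed to one entityID, so a mistake in it cannot silently weaken what every other SP in the federation receives. The `id` of the override must match the SP's entityID exactly as it appears in the loaded metadata, otherwise the IdP falls back to the defaults without complaint, which is worth checking in the IdP log the first time that SP authenticates.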
