federated auth with Microsoft Office 365

Cantor, Scott cantor.2 at osu.edu
Thu Aug 16 23:09:21 EDT 2012

On 8/16/12 10:47 PM, "Paul B. Henson" <henson at csupomona.edu> wrote:
>Our windows group owns office365 too, so even without ADFS they'll be in
>charge of configuring it. It looks like you have to run some powershell
>to set up the federation config on the office365 side, part of which is
>loading the shibboleth certificate.

ADFS doesn't support multi-entity metadata files such as InCommon uses. I
believe the Powershell bit strips out the entity that's desired, and
probably limits some other things that break it.

>Yup ;). The windows group claims if we use ADFS there will be more
>clients supported than if we use Shibboleth, which might be a factor.

I believe this is true. In at least one case, this could be addressed with
a WS-Fed Passive Profile plugin for the IdP, which never got ported from
1.3 because nothing used it.

However, I think the non-web support they offer is proprietary WS-Trust
stuff that wouldn't be supportable as easily, nor is it probably
documented anywhere what it is on the wire. How this overlaps with what
they did with ECP is unclear to me. Some of it is similar in form
(basic-auth in Outlook), but it wouldn't be the same protocol, so I don't
know if it's in addition, instead of, dropped, etc.

-- Scott
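As an added example (not from this thread, and not Microsoft's or Shibboleth's own script), one way the "strip out the entity" step could look: pull a single IdP's signing certificate and endpoints out of a multi-entity aggregate and hand them to the Office 365 federation cmdlet. The Set-MsolDomainAuthentication parameter names, the domain and the entityID are assumptions to check against your MSOnline module version.

```powershell
# Added example (not from this thread): pick one IdP out of a multi-entity
# SAML metadata aggregate and pass its signing certificate and endpoints
# to the Office 365 federation cmdlet. Assumes the MSOnline module with
# Connect-MsolService already run; cmdlet parameter names, the domain and
# the entityID below are assumptions to check against your environment.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

function Get-IdpFederationSettings {
    param(
        [Parameter(Mandatory)][string]$MetadataPath,  # e.g. the InCommon aggregate
        [Parameter(Mandatory)][string]$EntityId       # the single IdP you want
    )
    $hit = Select-Xml -Path $MetadataPath -Namespace $ns `
        -XPath "//md:EntityDescriptor[@entityID='$EntityId']"
    if (-not $hit) { throw "entityID $EntityId not found in $MetadataPath" }
    $idp = $hit.Node

    # Signing key: a KeyDescriptor with use="signing" or with no use attribute.
    $cert = Select-Xml -Xml $idp -Namespace $ns -XPath ('.//md:IDPSSODescriptor/' +
        "md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate") |
        Select-Object -First 1
    if (-not $cert) { throw "no signing certificate published for $EntityId" }

    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    $soap     = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'   # the ECP endpoint
    function Get-Endpoint([string]$Element, [string]$Binding) {
        (Select-Xml -Xml $idp -Namespace $ns `
            -XPath ".//md:IDPSSODescriptor/md:$Element[@Binding='$Binding']" |
            Select-Object -First 1).Node.Location
    }
    @{
        IssuerUri          = $EntityId
        PassiveLogOnUri    = Get-Endpoint 'SingleSignOnService' $redirect
        ActiveLogOnUri     = Get-Endpoint 'SingleSignOnService' $soap
        LogOffUri          = Get-Endpoint 'SingleLogoutService' $redirect
        # base64 DER, with the line wrapping the aggregate adds stripped
        SigningCertificate = ($cert.Node.InnerText -replace '\s', '')
    }
}

# Placeholder domain and entityID; the hashtable keys match the cmdlet's
# parameter names so it can be splatted straight in.
$s = Get-IdpFederationSettings -MetadataPath 'InCommon-metadata.xml' `
    -EntityId 'https://idp.example.edu/idp/shibboleth'
Set-MsolDomainAuthentication -DomainName 'example.edu' -Authentication Federated `
    -PreferredAuthenticationProtocol Samlp @s
```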
