ECP authentication for Office365 federation

Cantor, Scott cantor.2 at
Sun Nov 4 11:46:09 EST 2012

On 11/3/12 3:43 PM, "Mauro Minella" <Mauro.Minella at> wrote:

>As a matter of fact, I'm now able to get any federated users (like
>mark.twain at authenticated on Outlook Online
>( As you know, this concerns
> PASSIVE authentication.

Passive in SAML != passive in Microsoft's world. You mean "browser-based",
I think. Passive in SAML means "no interaction with user".

>In fact, my users need to get authenticated even with ACTIVE clients
>(like Outlook 2010). I believe I could set up ECP quite correctly, in fact
>when the users run the Outlook 2010 Wizard to create their profile, they
> username (mark.twain at + password (abc123ABC)
>and my Shibboleth IDP seems correctly authenticating them (pls see my
>logs below).

Yes, that would indicate at least as far as the IdP is concerned, its work
is done.

>However, on the client side it seems that the user is NOT authenticated
>because the username/password dialog box keeps being presented.

That's an application issue, not a topic for this list. I don't know how
to debug the application side here, but that would be a Microsoft question.

My guess is that attributes released aren't lining up with what the SP in
question wants to get, so it's not able to log the client in, returns
failure, and so the client prompts again.

-- Scott
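
The distinction drawn in the message above, between SAML's IsPassive flag and the browser-based versus ECP profiles, shown as an added example that is not part of the original post. The sample requests are constructed, and the function and label names are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Bindings a browser SSO exchange uses for the response; PAOS marks ECP.
BROWSER_BINDINGS = {BINDINGS + "HTTP-POST", BINDINGS + "HTTP-Artifact"}
ECP_BINDING = BINDINGS + "PAOS"

def _request(extra_attrs, binding):
    # Builds a constructed sample AuthnRequest (not taken from the thread).
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_x" Version="2.0" '
            'IssueInstant="2012-11-03T19:43:00Z" %s ProtocolBinding="%s"/>'
            % (SAMLP_NS, extra_attrs, binding))

SAMPLES = {
    "browser, login form allowed": _request("", BINDINGS + "HTTP-POST"),
    "browser, IsPassive": _request('IsPassive="true"', BINDINGS + "HTTP-POST"),
    "ecp client": _request("", ECP_BINDING),
}

def classify(xml_text):
    """Report the SAML profile and the IsPassive flag as separate facts."""
    # Use a hardened parser such as defusedxml for requests from the network.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    binding = root.get("ProtocolBinding")
    if binding == ECP_BINDING:
        profile = "ecp"        # what the thread calls an "active" client
    elif binding in BROWSER_BINDINGS:
        profile = "browser"    # what Microsoft calls "passive"
    else:
        profile = "unspecified"
    # xs:boolean accepts "true" or "1"; an absent attribute means false.
    is_passive = root.get("IsPassive", "false").strip() in ("true", "1")
    return {"profile": profile, "saml_is_passive": is_passive}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, "->", classify(xml_text))
```

A browser request is only passive in the SAML sense when IsPassive is set, and an ECP request can carry either value.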
