ADFS Shibboleth question

Rupprecht, James R. jimrupprecht at ku.edu
Fri Apr 11 11:59:15 EDT 2014


>> Hello,
>> 
>> The University of Kansas is using the Shibboleth IdP to authenticate our users, and now 
>> we are adding ADFS as an IdP to authenticate users for O365. The consultant from 
>> MS told us that after a successful ADFS authentication, the Shib IdP can obtain the 
>> token issued by ADFS, so users do not need to log in again to Shib-protected 
>> resources.

> I thought I recently read that Microsoft was supporting SAML / Shibboleth for 
> O365. Maybe you can just do this and be done with it, without needing ADFS 
> at all?

Parts of O365 work with SAML, but other things do not. If all you are interested in is http/s and certain email protocols, SAML/Shib is perfect. 

If, however, you want to use things like the Lync client, Office applications, PowerShell for management and provisioning, the desktop connector, Outlook or mobile clients, you need to support ADFS as well, as these things only do WS-Trust and WS-Fed.

http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/ (updated March 06, 2014)

One thing that was not in the original list of requirements here... The end goal is to allow users who have already authenticated using CAS/Shib to not have to reenter their credentials again for ADFS. Both directories (Active Directory being used by ADFS and LDAP being used by Shib) have identical user data including the users' CNs and passwords so mapping between them *should* be fairly straightforward. 

Jim Rupprecht
Enterprise IT Architect
KU Information Technology

