Non-web Clients

lalith jayaweera j_lalith at
Tue Aug 4 03:28:08 EDT 2015

Thanks Mathew, 

Where exactly does it state that "Office365's implementation of ECP will take the "local 
part" of the O365 UPN"? You mean firstname.lastname, considering the below? 

In our case the UPN is firstname.lastname at 
How about yours? 

The reason I felt email is the only option as the username is because, even if you try to create an Outlook mail profile on your desktop, the first thing it prompts for is the email address. 

Our Web SSO (Shibboleth + Office 365) works fine; it is just that for ECP we want to figure out the best way of testing. 

How did you really test the ECP/Shibboleth with Office 365? Which non-web client did you use? iPhone, etc.? 

Also, regarding the Office 365 Web initiative, I still don't see any official announcements even though there are many iPhone apps geared with Web SSO. 

Still, I believe ECP should be on, considering other needs which have not been ruled out yet.



> Date: Mon, 3 Aug 2015 08:43:49 +0100
> From: m.slowe at
> To: users at
> Subject: Re: Non-web Clients
> On Thu, Jul 30, 2015 at 05:18:30AM +0000, lalith jayaweera wrote:
> > When setting up Shibboleth with Basic Http authentication for ECP, to
> > check Office365, is it correct to state login 'username' will be email.
> > Hence in the apache block for the ECP, the AuthLDAPURL will be something
> > like below.
> > 
> > AuthLDAPURL [1]ldap://,dc=example,dc=org?mail
> > 
> > because looking at a lot of non-web thick clients, e.g. Office365 clients,
> > Outlook profiles, etc.
> > 
> > they all start with email address as the username during the set up
> > progress, because I did not get any hit to the IdP server at all.
> In my experience, Office365's implementation of ECP will take the "local
> part" of the O365 UPN to use as the username in the Basic Auth part of
> the ECP call (test at -> "test").
> > The issue is that in our current Web SSO the username is 'UID' (staffId), not email
> > address. Is it possible to facilitate both?
> We use two different ports for the two authentication types -- the
> interactive "Web" traffic uses 443 and does an internal SSO type logon
> for seamless access to O365 while the ECP traffic uses 8443 and uses an
> LDAP config as you have mentioned. See "ActiveLogon" and "PassiveLogon"
> URIs in the Set-MSOLDomainFederationSettings cmdlet[*].
> I don't think you can have an AuthLDAPURL which allows you to match one
> username against two different attributes.
> [*]
> -- 
> Matthew Slowe | Server Infrastructure Officer
> IT Infrastructure, Information Services, University of Kent
> Room S21, Cornwallis South
> Canterbury, Kent, CT2 7NZ, UK
> Tel: +44 (0)1227 824265 
> | @UnikentUnseenIT | @UKCLibraryIt
> PGP: