Second Office365 Domain requires different "Issuer URI"

Cantor, Scott cantor.2 at
Mon May 2 17:44:47 EDT 2016

> In other words, if my new providerId is mentioned in the last listed relying
> party then my first office365 domain is broken even though potentially my
> second one would be working.  So I guess what they are asking is, is there a
> way to customize the saml token / assertion depending on the domain of the
> user logging in (or through any sort of programmatic check) so that I can send
> a different issuer/entityId to them depending on who is logging in (or other
> check)?

It can be dynamic to a point (in V3), but unless you can determine which one to use solely based on what's in the AuthnRequest, I don't think it would be able to differentiate. It can't wait until the user's identified to make that decision, that's too late.

> Anyone have any thoughts on how to make this work with a single
> IdP?  I am still running IdP 2.x, by the way, but obviously will need to migrate
> to 3.x within the coming months.

You cannot do this with V2.

> I am afraid this is a task which is not that easy and entirely depends on how
> flexible Shibboleth can be while providing the SAML token to O365.

Meaning it's supposed to be psychic? How exactly is it supposed to know? I'm really not seeing how you can determine what to do here. Unless maybe it identifies something in RelayState, in which case, yes, you could do it. It's ugly, but it's possible.

-- Scott

More information about the users mailing list