Office 365 App Registration Strange issue on Mac

Lalith Jayaweera ljayaweera at
Fri Aug 4 02:26:52 EDT 2017

Hi Scott,

Thanks for the reply

For the "SAML2.SSO" below, I want to dynamically set
p:authenticationFlows: Shibcas for all the OSes except Mac, and the Password
flow for Mac.

I had a look

but cannot see any sample which deals with the servlet request etc.

Any other sample or guidance is appreciated, so that I can have a head start.
Can we do it inline?

Also, can you give some reference on 'CAS support in the IdP', even though I
consider it not practical, because our current CAS page initiates other
pwd management flows in addition to the authentication.

 <bean parent="RelyingPartyByName"
     <property name="profileConfigurations">
         <bean parent="SAML2.SSO" p:encryptAssertions="false"
               p:signAssertions="true" p:signResponses="false" p:encryptNameIDs="false"
               p:authenticationFlows="#{{'Shibcas'}}" />
         <bean parent="SAML2.ECP" p:encryptAssertions="false"
               p:signAssertions="true" p:signResponses="false"
               p:authenticationFlows="#{{'Password'}}" />


On Fri, Aug 4, 2017 at 9:15 AM, Cantor, Scott <cantor.2 at> wrote:

> On 8/3/17, 6:35 PM, "users on behalf of Lalith Jayaweera" <
> users-bounces at on behalf of ljayaweera at> wrote:
> > If we change this SP to use Password flow, they will be presented with
> > the IDP login screen, not CAS login screen hence it is not
> > SSO and user experience will be different.
> I forgot that all the O365 traffic would be handled the same way. I should
> also say that our people at OSU refused to use Shibboleth for O365 and are
> using ADFS, so we have two experiences now, no SSO, and the world didn't
> exactly end. Nobody much cares based on the reaction so far.
> Or you could use the CAS support in the IdP. There is little sense in
> running two systems at this point in their mutual evolution.
> However...
> > So my question is, given this is only happening in Mac, at least to
> > narrow down the issue, within the relying party, is there any way
> > to detect whether request from Mac etc (possibly via userAgent or by
> > other means) and direct to the Password Flow, I don't
> > think any need of SSO for this particular function where all happening
> > inside an embedded window.
> I don't know what you could detect reliably or not, but if you want to
> dynamically derive the value of the authenticationFlows property at runtime
> to limit when it flips over the "Password", yes, you can do that. That's
> documented with examples in the wiki in the page on
> RelyingPartyConfiguration under "Overriding Default Settings Dynamically".
> Functions/scripts deriving settings can be given access to the servlet
> request object as a custom object and from there do user agent evaluation,
> etc.
> > As a side note, I am going to query (raise an incident) Microsoft about
> > this particular behavior happening inside Embedded UI
> > view, however I might not have an answer if they ask, what exactly the
> > cookies you think missing etc.
> The only person who could answer that is you because you are the one with
> access to the affected systems and the access to trace the traffic
> sequence. Usually even Firefox and LiveHeaders alone are good enough to
> spot cookies dropping.
> -- Scott
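
The approach described in the quoted reply, sketched as an added example that is not part of the original thread or the Shibboleth project's own configuration. It assumes IdP 3.3 or later, that SAML2.SSO accepts an `authenticationFlowsLookupStrategy` property (confirm the name on the wiki page cited above), and that "Macintosh" appears in the affected client's User-Agent; the bean id `ExampleFlowsByUserAgent` is hypothetical.

```xml
<!-- Added example for relying-party.xml; assumptions are listed in the lead-in. -->
<bean id="ExampleFlowsByUserAgent"
      class="net.shibboleth.utilities.java.support.logic.ScriptedFunction"
      factory-method="inlineScript"
      p:customObject-ref="shibboleth.HttpServletRequest">
    <constructor-arg>
        <value>
        <![CDATA[
            // "custom" is the HttpServletRequest injected via customObject-ref.
            // User-Agent is client-supplied, so this only selects a login UI;
            // both flows must be acceptable for any client of this SP.
            var ua = custom.getHeader("User-Agent");
            var flows = new java.util.HashSet();
            // Assumed marker: confirm against User-Agent values seen in the
            // access log for the embedded Office window on Mac.
            if (ua != null && ua.indexOf("Macintosh") >= 0) {
                flows.add("Password");
            } else {
                // A missing or unrecognized header keeps the existing default.
                flows.add("Shibcas");
            }
            flows;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- Replaces the static p:authenticationFlows on the SAML2.SSO bean above. -->
<bean parent="SAML2.SSO" p:encryptAssertions="false" p:signAssertions="true"
      p:signResponses="false" p:encryptNameIDs="false"
      p:authenticationFlowsLookupStrategy-ref="ExampleFlowsByUserAgent" />
```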