Azure AD without ADFS

Peter Schober peter.schober at univie.ac.at
Tue May 2 11:57:32 EDT 2017


* Admin IFMSA-Sweden <admin at ifmsa.se> [2017-05-02 17:29]:
> We have a portal for Dynamics 365 using multiple external identities
> for sign-in, e.g. Shibboleth IdP and ADFS. More info regarding the
> SP can be found here:
> https://www.microsoft.com/en-us/dynamics/crm-setup-and-administration/set-authentication-identity-for-a-portal.aspx

OK, so that's an application hosted (SaaS) by Microsoft "unifying the
capabilities of CRM business software and ERP systems".
And you're trying to connect SAML IDPs to that, presumably those of
academic institutions? Then the protected resource would have to be
able to act as a SAML 2.0 Service Provider. The page doesn't say
anything about SAML, and the screenshot in section "Manage external
accounts" only lists:
Facebook, Google, Windows Live™ ID, WS-Federation, Yahoo!
One or two things here are protocols, the rest IDPs. None are about SAML?

> We have not found this portal to be capable of consuming Shibboleth
> IdP Federation with IdP Discovery Service which requires signing of
> keys and certificates. Even though we are still trying to find ways
> to connect through Shibboleth IdP Discovery Service (i.e. Proxy
> IdP), we are at the same time looking at other ways to achieve almost
> the same result

Are you saying you're able to hook up individual SAML 2.0 IDPs
(possibly of the Shibboleth implementation, but that's really
irrelevant here) to that resource and use them for externalized
authentication and authorization?  And that the product does not allow
consuming definitions of SAML 2.0 IDPs in machine-readable format
(i.e., via SAML 2.0 Metadata)?  Or that you can define many SAML IDPs
in the product but that you have no way to select a specific IDP?

Totally guessing based solely on some of the words you used.
-peter

