Office 365 + Shibboleth ?

Klingenstein, Nate nklingenstein at
Wed Oct 11 17:37:21 EDT 2017

There is also:

I'd encourage additions of things you'd find useful there if you find the time.

Our "learning" episodes have all been around the ECP support, which, for instance, issues slightly different authentication requests than the web front end.  It also will not authenticate through NTLM and in our instance specifically required Basic authentication.  Autodiscovery for email clients adds its own layer to the adventure.

I also understand there recently evolved an ECP client for Mac that is issuing authentication requests with a forcing flag; something of a bug in the application that you'll need to handle that I believe will be patched in the application in due time.  I can't remember which one it is, but you'll want to honor forced ECP authentication requests in your configuration at least for now and probably for the foreseeable future.

From: users <users-bounces at> on behalf of PHILIP SCOTT SWANZY <pss127 at>
Sent: Wednesday, October 11, 2017 2:16:52 PM
To: Shib Users
Subject: Re: Office 365 + Shibboleth ?

We had worked through some of the shibboleth integration and are only now expanding our o365 offering. We only use Azure AD basic with an on site Active Directory and Shibboleth implementation. The best documentation i found was

Shibboleth configuration:

o365 Configuration: Set up a trust between Shibboleth and Azure AD

We have found that on the the trust side in Azure required us to only set each setting 1 at a time as for some reason we cannot get the powershell command to take all of the settings. For some reason it just fails silently but adding one at a time worked. Also, if you have a test tenant, the $uri must be unique name, which means you cannot have a test and production tenant that uses your production shib uri name as it will error out on you. One other gotcha we have not verified is, currently when we run these commands, it still required us to initially set the adfs context when enabling federation. We had to do that first then switch to shibboleth.

We are in the middle of testing our ECP configurations with o365 as well as office installations. So far though, authentication to our single sign on has worked cross platform on all current versions of windows and MAC including iOS to leverage the office online capabilities. Since we do not use Azure AD premium, we have no idea about the issues with joins or anything associated with credentials held in the Azure AD as all our passwords are on prem.

Philip Swanzy
Identity and Access Management
The Pennsylvania State University
Technology Support Building
State College PA 16803
pss127 at

Calendar Free/busy:

From: "Robert Rust" <robert.j.rust at>
To: users at
Sent: Wednesday, October 11, 2017 4:58:02 PM
Subject: Office 365 + Shibboleth ?

A couple of questions around Office 365 with Shibboleth authentication. I’m looking at options for our setup as we need to implement multi-factor authentication and I at the very least need to replace our ADFS 2.0 installation.  I’ve found information on upgrading ADFS, but given we’re focusing on Shib for our other apps, I’d prefer to switch to Shibboleth since setting up the same level of availability with ADFS that we already have for Shib would be more of a challenge I think.

  1.  For those of you using Shib + Office 365, have you found any setups that routinely don’t work or other gotchas?  I saw traffic a while back suggesting that activation of desktop installations of Office software on Macs didn’t work. I also recall reading somewhere that the Shib signing certificate would need to be a commercially issued one in order to work with Office 365.
  2.  Were there any guides that you used to set it up in the first place? The closest I’ve found is a guide for Dynamics 365 (

I do have a test environment I can break things in to try this out, but I’d prefer not to fly blind.


Robert J. Rust
Systems Administrator
Division of Technology Services
Univ. of Wisc. - River Falls

To unsubscribe from this list send an email to users-unsubscribe at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list