Office 365 + Shibboleth ?

Rob Gorrell rwgorrel at
Wed Oct 11 20:15:42 EDT 2017

We are a school that has federated AAD using Shibb/SAML and stuck with that
approach since we started with O365. The integration itself was relatively
straightforward as long as you don't mind some very basic PowerShell and of
course forgoing things like encrypted assertions. Usability was initially a
rocky road prior to Office 2016 and modern authentication, but since then,
we've had no problem signing into Office apps using SAML... both on the Mac
and PC sides. In the interest of full disclosure, we have turned off
Exchange Online (we are a Google Apps school for email), so we avoid many
problems there. But in terms of using the mainstream apps (Word, Excel,
PowerPoint Online, OneDrive, Skype for Business) we're all good.

Things I've noticed that are still problematic for us without ADFS... we
cannot Azure AD join a Win 10 box for Intune management, that is one of the
bigger ones for us at the moment. We are also looking to do more in the
Azure Cloud where federating with SAML might pose a problem... for
instance, SQL PaaS... database authentication works with AAD, but only with
password sync or ADFS. Things like that.


On Wed, Oct 11, 2017 at 4:58 PM, Robert Rust <robert.j.rust at> wrote:

> A couple of questions around Office 365 with Shibboleth authentication.
> I’m looking at options for our setup as we need to implement multi-factor
> authentication and I at the very least need to replace our ADFS 2.0
> installation.  I’ve found information on upgrading ADFS, but given we’re
> focusing on Shib for our other apps, I’d prefer to switch to Shibboleth
> since setting up the same level of availability with ADFS that we already
> have for Shib would be more of a challenge I think.
>    1. For those of you using Shib + Office 365, have you found any setups
>    that routinely don’t work or other gotchas?  I saw traffic a while back
>    suggesting that activation of desktop installations of Office software on
>    Macs didn’t work. I also recall reading somewhere that the Shib signing
>    certificate would need to be a commercially issued one in order to work
>    with Office 365.
>    2. Were there any guides that you used to set it up in the first
>    place? The closest I’ve found is a guide for Dynamics 365 (
>    engagement/portals/configure-saml2-settings)
> I do have a test environment I can break things in to try this out, but
> I’d prefer not to fly blind.
> Robert
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Robert J. Rust
> Systems Administrator
> Division of Technology Services
> Univ. of Wisc. - River Falls
> ~~~~~~~~~~~~~~~~~~~~~~~~~

Robert W. Gorrell
IT Manager, Identity and Access Management
University of NC at Greensboro