Office 365 + Shibboleth ?

Thu Oct 12 07:26:46 EDT 2017

Hi All,

I came across all these issues as well - I think this is a pretty good summary and it would be great to get the wiki updated.

Mostly recently I came up against the requirement for unique URI settings when setting up SSO for multiple e-mail domains.
We ended up deploying a second IdP instance using a different port, which made the entity ID unique.
I looked at doing something dynamic with a single instance but felt it was potentially too involved and I didn’t have the time to spend on it.

We also had to configure basic authentication for ECP and have had issues with Mac’s registering desktop software. I’ll definitely check out the configuration that Nate referenced.

Thanks,

Tom O’Neill

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Rob Gorrell
Sent: Wednesday, October 11, 2017 8:16 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Office 365 + Shibboleth ?

We are a school that has federated AAD using Shibb/SAML and stuck with that approach since we started with O365. The integration itself was relatively straightforward as long as you don't mind some very basic PowerShell and of course forgoing things like encrypted assertions. Usability was initially a rocky road prior to Office 2016 and modern authentication, but since then, we've had no problem signing into Office apps using SAML... both on the Mac and PC sides. In the interest of full disclosure, we have turned off Exchange Online (we are a Google Apps school for email), so avoid many problems there. But in terms of using the mainstream apps (Word, Excel, Powerpoint Online, OneDrive, Skype for Business) we're all good.
Things I've noticed that are still problemmatic for us without ADFS... we cannot Azure AD join a Win 10 box for Entune management, that is one of the bigger ones for us at the moment. We are also looking to do more in the Azure Cloud where federating with SAML might pose a problem... for instance, SQL PaaS... database authentication works with AAD, but only with password sync or ADFS. Things like that.
-Rob

On Wed, Oct 11, 2017 at 4:58 PM, Robert Rust <robert.j.rust at uwrf.edu<mailto:robert.j.rust at uwrf.edu>> wrote:
A couple of questions around Office 365 with Shibboleth authentication. I’m looking at options for our setup as we need to implement multi-factor authentication and I at the very least need to replace our ADFS 2.0 installation.  I’ve found information on upgrading ADFS, but given we’re focusing on Shib for our other apps, I’d prefer to switch to Shibboleth since setting up the same level of availability with ADFS that we already have for Shib would be more of a challenge I think.

  1.  For those of you using Shib + Office 365, have you found any setups that routinely don’t work or other gotchas?  I saw traffic a while back suggesting that activation of desktop installations of Office software on Macs didn’t work. I also recall reading somewhere that the Shib signing certificate would need to be a commercially issued one in order to work with Office 365.
  2.  Were there any guides that you used to set it up in the first place? The closest I’ve found is a guide for Dynamics 365 (https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/configure-saml2-settings)

I do have a test environment I can break things in to try this out, but I’d prefer not to fly blind.

Robert

--
~~~~~~~~~~~~~~~~~~~~~~~~~
Robert J. Rust
Systems Administrator
Division of Technology Services
Univ. of Wisc. - River Falls
~~~~~~~~~~~~~~~~~~~~~~~~~
[https://www2.uwrf.edu/static/images/email-wordmark.png]

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>

--
Robert W. Gorrell
IT Manager, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20171012/a8ed9c4c/attachment-0001.html>