Second Office365 Domain requires different "Issuer URI"

adam.crump at adam.crump at
Thu Oct 12 18:51:07 EDT 2017

I have just stumbled upon this issue myself.  I would like to offer this
alternative responderStrategy that can be managed completely in the
relying-party.xml using an inline script.  The URI for O365 can be pretty
much anything you want as long as it is a properly formatted URI; it does
not have to be internet reachable.  The idea is to use a URL parameter to
get Shib to change the issuerid to the same value that is configured for
the URI for the domain in O365.

Office 365 setup
Domain 1
$dom = ""
$url = ""
$ecpUrl = ""
$uri = ""

Domain 2
$dom = ""
$url =
$ecpUrl =
$uri = ""

Shibboleth IDP responderIdLookupStrategy and dependent beans
    <util:map id="microsoftOnlineRespondersIdMap">
        <entry key="default" value="" />
        <entry key="contoso" value="" />
        <entry key="" value="" />
    </util:map>

    <util:map id="customObjectsMicrosoftOnlineResponderIdScript">
        <entry key="httpServletRequest" value-ref="shibboleth.HttpServletRequest" />
        <entry key="microsoftOnlineRespondersIdMap" value-ref="microsoftOnlineRespondersIdMap" />
    </util:map>

    <bean id="microsoftOnlineResponderIdScript"
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
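
The lookup the post describes, modelled as an added example in plain JavaScript (not the script from the original message and not Shibboleth API code): a request parameter only selects among issuer values already configured in the map, and anything missing, repeated or unknown falls back to the default. The parameter name `o365domain` and the URI values are assumptions constructed for illustration; only the keys `default` and `contoso` come from the post.

```javascript
// Added illustration. Keys "default" and "contoso" are from the post;
// the URI values are constructed placeholders (they only need to be
// well-formed URIs, not reachable ones).
const RESPONDER_IDS = new Map([
  ["default", "https://idp.example.org/idp/shibboleth"],
  ["contoso", "https://idp.example.org/o365/contoso"],
]);

// Hypothetical parameter name; the post does not say which one it uses.
const PARAM_NAME = "o365domain";

// Returns the issuer value to use for a request with this query string.
function resolveResponderId(queryString, ids = RESPONDER_IDS) {
  const fallback = ids.get("default");
  const values = new URLSearchParams(queryString).getAll(PARAM_NAME);

  // Missing or repeated selector is ambiguous: use the default issuer.
  if (values.length !== 1) return fallback;

  const key = values[0].trim().toLowerCase();

  // The request value is only ever a lookup key, never the issuer itself.
  // Map.has/get see configured entries only, so keys such as
  // "constructor" or "__proto__" cannot resolve to inherited properties
  // the way they would with a plain object lookup.
  return ids.has(key) ? ids.get(key) : fallback;
}

// Constructed sample requests.
for (const qs of ["o365domain=contoso", "", "o365domain=unknown"]) {
  console.log(JSON.stringify(qs), "->", resolveResponderId(qs));
}
```

Because the parameter is supplied by the client, the issuer values a request can obtain are exactly the entries in the map and nothing else.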

