Office 365 Shibboleth SAML 2.0 SSO with LDAP backend

Hohberg, Paul phohberg at
Thu Mar 22 11:54:14 EDT 2018

Has anyone successfully implemented Office 365 Shibboleth SSO using SAML 2.0 (not just ECP) with an LDAP (not AD) authentication backend? Would you be willing to share how it was done, even if at a high level or point me to any related documentation?

It seems that Office 365 requires an immutableID attribute that is mapped to GUID when AD is used for authentication. We're considering if this can be mapped to an attribute in LDAP that Office 365 would accept.

Microsoft documentation provides this attribute-resolver example for immutableID and GUID with AD.

<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
   <resolver:Dependency ref="myLDAP" />

Thanks in advance,

Paul Hohberg
Systems Engineer
UCLA Information Management Services
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list