Office 365 Shibboleth SAML 2.0 SSO with LDAP backend

Craig Pluchinsky craigp at iup.edu
Thu Mar 22 13:45:10 EDT 2018


This link might also help.  It describes what the required attributes 
are and what the values should be.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp


-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327


On Thu, 22 Mar 2018, Carl Waldbieser wrote:

> Paul,
>
> We've enabled SAML2 SSO with O365, and we don't have AD (our enterprise directory is OpenLDAP).
> We don't use Exchange for email.  We only really allow the community to use the office tools, OneDrive, and a few other products.
>
>
> We're a Banner school, so we already have the Banner SPRIDEN_ID (aka "L-Number") in our directory.  We just have the IdP release that value as the immutableID attribute.
>
> As far as setting up SSO, there is some black magic that involves running some Windows Powershell commands.  I have notes for what I did, but it looked very similar to this link from Microsoft:
>
>  https://msdn.microsoft.com/en-us/library/azure/jj205457.aspx
>
> Thanks,
> Carl Waldbieser
> ITS Identity Management
> Lafayette College
>
> ----- Original Message -----
> From: "Hohberg, Paul" <phohberg at it.ucla.edu>
> To: "Shib Users" <users at shibboleth.net>
> Sent: Thursday, March 22, 2018 11:54:14 AM
> Subject: Office 365 Shibboleth SAML 2.0 SSO with LDAP backend
>
> Has anyone successfully implemented Office 365 Shibboleth SSO using SAML 2.0 (not just ECP) with an LDAP (not AD) authentication backend? Would you be willing to share how it was done, even if at a high level or point me to any related documentation?
>
>
>
>
> It seems that Office 365 requires an immutableID attribute that is mapped to GUID when AD is used for authentication. We're considering if this can be mapped to an attribute in LDAP that Office 365 would accept.
>
>
>
>
> Microsoft documentation provides this attribute-resolver example for immutableID and GUID with AD.
> <!-- Use AD objectGUID for ImmutableID -->
> <resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>          sourceAttributeID="objectGUID">
>   <!-- pull objectGUID from the LDAP/AD data connector with id "myLDAP" -->
>   <resolver:Dependency ref="myLDAP" />
> </resolver:AttributeDefinition>
> [ https://technet.microsoft.com/en-us/library/jj205463 | https://technet.microsoft.com/en-us/library/jj205463 ]
>
> Thanks in advance,
> Paul Hohberg
> Systems Engineer
> UCLA Information Management Services
>
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
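The thread describes the general approach (release a stable directory identifier as ImmutableID, release the user's login name as IDPEmail, and restrict both to the Office 365 relying party) but only quotes the AD fragment. The following is an added example, not configuration from anyone on this thread or from Microsoft's documentation, written in Shibboleth IdP v3 syntax against an OpenLDAP backend. It assumes a data connector with id "myLDAP" (as in the quoted snippet), that the permanent institutional identifier is stored in the LDAP attribute "employeeNumber" (a stand-in for the Banner L-Number mentioned above) and that "mail" holds the value provisioned as the user's UserPrincipalName in Azure AD; substitute your own attribute names.

```xml
<!-- ===== attribute-resolver.xml (fragment) ===== -->

<!-- ImmutableID: must be permanent and unique per person for the life of the
     account.  Do not use an attribute that can change (mail, uid) or be
     reassigned to another person later; Office 365 ties the cloud account
     to this value, so a recycled identifier hands one user's account to
     another.  No encoder is needed here because the value is sent as the
     SAML NameID (see saml-nameid.xml below), not as an attribute. -->
<AttributeDefinition id="ImmutableID" xsi:type="Simple" sourceAttributeID="employeeNumber">
    <Dependency ref="myLDAP" />
</AttributeDefinition>

<!-- IDPEmail: must equal the UserPrincipalName of the user object already
     provisioned in Azure AD, otherwise the login is rejected. -->
<AttributeDefinition id="IDPEmail" xsi:type="Simple" sourceAttributeID="mail">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String" name="IDPEmail" encodeType="false" />
</AttributeDefinition>

<!-- ===== attribute-filter.xml (fragment) ===== -->

<!-- Release both values only to the Office 365 entityID.  ImmutableID must
     pass the filter even though it is used as the NameID, because the
     attribute-sourced NameID generator reads filtered attributes. -->
<AttributeFilterPolicy id="releaseToOffice365">
    <PolicyRequirementRule xsi:type="Requester" value="urn:federation:MicrosoftOnline" />
    <AttributeRule attributeID="ImmutableID" permitAny="true" />
    <AttributeRule attributeID="IDPEmail" permitAny="true" />
</AttributeFilterPolicy>

<!-- ===== saml-nameid.xml (fragment) ===== -->

<!-- Emit the resolved ImmutableID attribute as a persistent-format NameID.
     Because the filter above releases ImmutableID only to Office 365, no
     other SP will ever receive this identifier as its NameID. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:attributeSourceIds="#{ {'ImmutableID'} }" />
</util:list>

<!-- ===== relying-party.xml (fragment) ===== -->

<!-- Azure AD does not consume encrypted assertions, so assertion encryption
     is disabled for this one relying party only; signing stays at the
     IdP default. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" />
        </list>
    </property>
</bean>
```

Before cutting users over, check the two values for a sample account the same way Azure AD will: the NameID in the issued assertion must match, byte for byte, the ImmutableId recorded on the Azure AD user object, and the IDPEmail attribute must match that object's UserPrincipalName. A mismatch in either produces a failed sign-in on the Microsoft side with no useful error at the IdP.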