Office 365 Shibboleth SAML 2.0 SSO with LDAP backend

Greg Haverkamp gahaverkamp at
Thu Mar 22 14:19:22 EDT 2018

On Thu, Mar 22, 2018 at 8:54 AM, Hohberg, Paul <phohberg at> wrote:

> Has anyone successfully implemented Office 365 Shibboleth SSO using SAML
> 2.0 (not just ECP) with an LDAP (not AD) authentication backend? Would you
> be willing to share how it was done, even if at a high level or point me to
> any related documentation?
> It seems that Office 365 requires an immutableID attribute that is mapped
> to GUID when AD is used for authentication. We're considering if this can
> be mapped to an attribute in LDAP that Office 365 would accept.

Yes.  They don't care.

We basically followed this:

And used a different local, unique attribute.  We also followed the MS
documentation that Carl linked to.  (Our Office365 admin was apparently
incapable of doing so, despite our repeated requests that he stop
contacting MS support and just do what we were telling him to do.)


> Microsoft documentation provides this attribute-resolver example for
> immutableID and GUID with AD.
> <!-- Use AD objectGUID for ImmutableID -->
> <resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>           sourceAttributeID="objectGUID">
>    <resolver:Dependency ref="myLDAP" />
> Thanks in advance,
> *Paul Hohberg*
> *Systems Engineer*
> *UCLA Information Management Services*
> --
> For Consortium Member technical support, see
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list