Office 365 Shibboleth SAML 2.0 SSO with LDAP backend

Hohberg, Paul phohberg at
Thu Mar 22 17:41:08 EDT 2018

Many thanks to all for your responses. All of these docs have helped to complete the picture. The Shibboleth wiki integration guide looks like an excellent resource.



From: users <users-bounces at> on behalf of Greg Haverkamp <gahaverkamp at>
Sent: Thursday, March 22, 2018 11:19:22 AM
To: Shib Users
Subject: Re: Office 365 Shibboleth SAML 2.0 SSO with LDAP backend

On Thu, Mar 22, 2018 at 8:54 AM, Hohberg, Paul <phohberg at<mailto:phohberg at>> wrote:

Has anyone successfully implemented Office 365 Shibboleth SSO using SAML 2.0 (not just ECP) with an LDAP (not AD) authentication backend? Would you be willing to share how it was done, even if at a high level or point me to any related documentation?

It seems that Office 365 requires an immutableID attribute that is mapped to GUID when AD is used for authentication. We're considering if this can be mapped to an attribute in LDAP that Office 365 would accept.

Yes.  They don't care.

We basically followed this:

And used a different local, unique attribute.  We also followed the MS documentation that Carl linked to.  (Our Office365 admin was apparently incapable of doing so, despite our repeated requests that he stop contacting MS support and just do what we were telling him to do.)


Microsoft documentation provides this attribute-resolver example for immutableID and GUID with AD.

<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
   <resolver:Dependency ref="myLDAP" />

Thanks in advance,

Paul Hohberg
Systems Engineer
UCLA Information Management Services

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list