Office 365 Shibboleth SAML 2.0 SSO with LDAP backend
Hohberg, Paul
phohberg at it.ucla.edu
Thu Mar 22 17:41:08 EDT 2018
Many thanks to all for your responses. All of these docs have helped to complete the picture. The Shibboleth wiki integration guide looks like an excellent resource.
Thanks,
Paul
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Greg Haverkamp <gahaverkamp at lbl.gov>
Sent: Thursday, March 22, 2018 11:19:22 AM
To: Shib Users
Subject: Re: Office 365 Shibboleth SAML 2.0 SSO with LDAP backend
On Thu, Mar 22, 2018 at 8:54 AM, Hohberg, Paul <phohberg at it.ucla.edu> wrote:
Has anyone successfully implemented Office 365 Shibboleth SSO using SAML 2.0 (not just ECP) with an LDAP (not AD) authentication backend? Would you be willing to share how it was done, even if at a high level or point me to any related documentation?
It seems that Office 365 requires an immutableID attribute that is mapped to GUID when AD is used for authentication. We're considering if this can be mapped to an attribute in LDAP that Office 365 would accept.
Yes. They don't care.
We basically followed this: https://wiki.shibboleth.net/confluence/x/BoFKAQ
And used a different local, unique attribute. We also followed the MS documentation that Carl linked to. (Our Office365 admin was apparently incapable of doing so, despite our repeated requests that he stop contacting MS support and just do what we were telling him to do.)
Greg
Microsoft documentation provides this attribute-resolver example for immutableID and GUID with AD.
<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="objectGUID">
    <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>
https://technet.microsoft.com/en-us/library/jj205463
Thanks in advance,
Paul Hohberg
Systems Engineer
UCLA Information Management Services
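
Added example, not part of the thread or of the Shibboleth or Microsoft documentation: since the reply above relies on a "local, unique attribute" as the ImmutableID source, this sketch audits an LDAP export for entries where a candidate attribute is missing, multi-valued, or shared between accounts. The attribute name employeeNumber, the DNs and the LDIF data are constructed assumptions, and the parser assumes an export without folded (continuation) lines.

```python
import base64
from collections import defaultdict

# Constructed sample export; employeeNumber is a hypothetical candidate attribute.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
employeeNumber: 100234

dn: uid=bob,ou=people,dc=example,dc=edu
employeeNumber:: MTAwMjM0

dn: uid=carol,ou=people,dc=example,dc=edu
mail: carol@example.edu

dn: uid=dave,ou=people,dc=example,dc=edu
employeeNumber: 100777
employeeNumber: 100778
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; decodes 'attr:: base64' values."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        entries.append((dn, dict(attrs)))
    return entries

def audit_candidate(entries, attr):
    """Report entries that make `attr` unsafe as an ImmutableID source."""
    missing, multi, owners = [], [], defaultdict(list)
    for dn, attrs in entries:
        values = attrs.get(attr.lower(), [])
        if len(values) != 1:
            (missing if not values else multi).append(dn)
        for v in values:
            owners[v].append(dn)
    dupes = {v: dns for v, dns in owners.items() if len(dns) > 1}
    return {"missing": missing, "multi_valued": multi, "duplicates": dupes}

if __name__ == "__main__":
    print(audit_candidate(parse_ldif(SAMPLE_LDIF), "employeeNumber"))
```

Any non-empty bucket in the result means the attribute cannot bind each directory entry to exactly one Office 365 account; the base64-encoded value for bob shows why values must be decoded before they are compared.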