IdP-Initiated with Office 365

Nate Klingenstein ndk at
Fri Sep 7 22:51:25 EDT 2018


I suspect that something like the below would work, but I don't have an
account nor an IdP I can use to test it with.

Federated identity in general means fewer logins (but as many or more
sessions total) but the number of logins does not depend on whether the IdP
or SP initiates the process.  The number of logins depends on the IdP's
session management and whether a current session exists for the user that
satisfies a request issued by the SP.

Unsolicited SSO may obviate the need to do IdP discovery, which would be
the only reduction in required user interaction.  That's a win, but
unsolicited SSO comes with other trade-offs.  You may need to end up
supporting IdP discovery and SP-initiated SSO for Microsoft's native
applications anyway.  It's worth reading through this Wiki article.

The only data transmitted in the assertion is the user's objectGUID and a
mysterious identifier known as IDPEmail, and the SAML assertion itself
would be considered the credential from the SP's point of view.  Most of
the heavy provisioning lifting is done by the descendant of DirSync.

Hope this helps,

On Fri, Sep 7, 2018 at 10:40 PM, Kevin <kevin at> wrote:

> How would one use IdP-Initiated SSO with Shibboleth and Office 365?  In a
> university setting would this not be fewer logins?  Would there be a URL
> nomenclature that one would use to pass the credentials to the SP?
> --
> For Consortium Member technical support, see
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at
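Added worked example (editor's addition, not code from either poster or from the Shibboleth project): the two pieces Kevin asked about, the IdP-initiated link and what actually travels in the assertion's NameID. The endpoint path /idp/profile/SAML2/Unsolicited/SSO with providerId and target is the Shibboleth IdP's own unsolicited SSO endpoint, and urn:federation:MicrosoftOnline is the entityID Microsoft uses for Office 365; the NameID derivation (Base64 of the raw 16-byte objectGUID, which Azure AD Connect calls ImmutableID) is Microsoft's documented default and goes one step beyond the thread, which only names objectGUID. The hostname idp.example.edu and the sample GUID are constructed values.

```python
import base64
import uuid
from typing import Optional
from urllib.parse import urlencode

# Entity ID Microsoft publishes for Office 365 / Azure AD federation.
O365_ENTITY_ID = "urn:federation:MicrosoftOnline"


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Derive the ImmutableID Office 365 expects as the persistent NameID.

    Azure AD Connect's default source anchor is the 16 raw bytes of the AD
    objectGUID (the mixed-endian order .NET's Guid.ToByteArray() emits),
    Base64-encoded. uuid.UUID(...).bytes_le yields exactly that byte order.
    Encoding the textual GUID, or the big-endian bytes, is the usual mismatch
    that leaves the user unknown to the SP.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse of the above: recover the objectGUID from a NameID value."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def nameid_matches_user(nameid: str, object_guid: str) -> bool:
    """Check that an asserted NameID is the ImmutableID of this directory object.

    Useful when debugging a 'user not found' from Office 365: compare the
    NameID the IdP released with the one computed from the directory.
    """
    try:
        return object_guid_from_immutable_id(nameid) == str(uuid.UUID(object_guid))
    except ValueError:  # bad Base64 (binascii.Error) or wrong length
        return False


def unsolicited_sso_url(idp_base_url: str,
                        sp_entity_id: str = O365_ENTITY_ID,
                        target: Optional[str] = None) -> str:
    """Build the IdP-initiated (unsolicited) SSO link for a Shibboleth IdP.

    providerId is the SP's entityID; target, if given, is forwarded to the SP
    as RelayState (whether the SP honours it is up to the SP). The IdP host is
    an assumption: substitute your own deployment's base URL.
    """
    params = {"providerId": sp_entity_id}
    if target:
        params["target"] = target
    path = "/idp/profile/SAML2/Unsolicited/SSO"
    return f"{idp_base_url.rstrip('/')}{path}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values; this GUID is not a real directory object.
    sample_guid = "01020304-0506-0708-090a-0b0c0d0e0f10"
    nameid = immutable_id_from_object_guid(sample_guid)
    print("NameID (ImmutableID) released to Office 365:", nameid)
    print("Round trip back to objectGUID:", object_guid_from_immutable_id(nameid))
    print("Portal link:", unsolicited_sso_url("https://idp.example.edu",
                                              target="https://outlook.office.com/owa/"))
```

Note that the link carries no credential at all: the user is authenticated (or an existing session reused) at the IdP, and the signed assertion the IdP then POSTs to Microsoft's ACS is the credential from the SP's point of view, exactly as the reply above says. What you can check with this script is the part that most often goes wrong in practice, namely that the NameID byte order matches what the directory sync wrote into Azure AD.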