IdP-Initiated with Office 365
kevin at thenext.net
Mon Sep 10 07:39:47 EDT 2018
It appears it tries to sign me into Office 365 but then I get this message:
Sorry, but we’re having trouble signing you in.
AADSTS51004: To sign into this application the account
AAdzZWNyZXQx7HMxE6qicIZSOj9QzKVS.....+rUOUj91x5MsYdMZ0tib50s6FCFGB must be
added to the 8f42c016-.....-772a011c3b99 directory.
On Fri, Sep 7, 2018 at 11:39 PM Nate Klingenstein <ndk at sudonym.me> wrote:
> Excuse me, 3A, not 3B.
> On Sat, Sep 8, 2018 at 2:51 AM, Nate Klingenstein <ndk at sudonym.me> wrote:
>> I suspect that something like the below would work, but I don't have an
>> account nor an IdP I can use to test it with.
>> Federated identity in general means fewer logins (but as many or more
>> sessions total) but the number of logins does not depend on whether the IdP
>> or SP initiates the process. The number of logins depends on the IdP's
>> session management and whether a current session exists for the user that
>> satisfies a request issued by the SP.
>> Unsolicited SSO may obviate the need to do IdP discovery, which would be
>> the only reduction in required user interaction. That's a win, but
>> unsolicited SSO comes with other trade-offs. You may need to end up
>> supporting IdP discovery and SP-initiated SSO for Microsoft's native
>> applications anyway. It's worth reading through this Wiki article.
>> The only data transmitted in the assertion is the user's objectGUID and a
>> mysterious identifier known as IDPEmail, and the SAML assertion itself
>> would be considered the credential from the SP's point of view. Most of
>> the heavy provisioning lifting is done by the descendant of DirSync.
>> Hope this helps,
>> On Fri, Sep 7, 2018 at 10:40 PM, Kevin <kevin at thenext.net> wrote:
>>> How would one use IdP-Initiated SSO with Shibboleth and Office 365? In a
>>> university setting would this not be fewer logins? Would there be a URL
>>> nomenclature that one would use to pass the credentials to the SP?
>>> Sent from:
>>> For Consortium Member technical support, see
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at shibboleth.net