Office 365 Integration with IdP

Glanville, Peter C. pcglanville at
Tue Sep 3 13:16:34 EDT 2019

I have a development environment where we are bringing up Office 365 (Azure AD) as a relying party. The TL;DR version is that it "appears" that I have set things up correctly. But I am running into some weird problems getting any accounts logged in, and I wanted to see if anyone here knows of any Azure AD logging or other means of seeing what the possible issues might be on the O365 side. I am currently not getting any errors on the IdP side, so it is "working", but I feel like I am not passing the NameID correctly (objectGUID aka ImmutableID) or something else is amiss.

Things I am unsure about:

·         When I release my objectGUID as ImmutableID (our AzureAD Sync was originally configured for this) OR when I release the objectGUID through my local test SP, the characters appear to be garbled. Something like:

o    [attached screenshot: image002.png]

o   This occurs when I just release it normally through my test SP.

o   Is there something I am not doing that would cause this, or is this expected behavior?

·         The other thing I am running into is that when I attempt to login:

o   I get passed to the IdP, but after a successful login, I am taken right back to the MS login screen where I put in my email address (UPN) to get passed over to the IdP again. I assume this is because, while the IdP said that the login succeeded, the NameID (ImmutableID) doesn't match the ImmutableID in AzureAD and it is bouncing the login?

·         I have looked around, but are there any other logs or places in AzureAD I can see the AzureAD side of the transaction to figure out what is going on?

·         Are there any other resources for Office 365 configuration and Troubleshooting?

Longer version:

·         Have IdP running on Windows Server 2019 with OpenJDK 11.0.2

·         I have a local test SP that works correctly and I have successfully tested releasing attributes through it.

·         For Office 365 I have a federated test domain ( that is set up for the dev IdP.

o   I have a test account whose UPN matches

o   The test account is synced to O365 and is visible.

·         I used the Shib KB Guide for O365 + The Microsoft github version noted at the bottom of the Integration Guide to setup O365.

·         Where I am right now is:

o   I put in the test account into O365

o   I am forwarded to my IdP Login page

o   When I put in my credentials for the test account, I am replying with what "appears" to be the correct attributes:

§  [attached screenshot: image001.png]

o   But I am looped back to the MS portal login page. I *think* because something is off with my objectGUID.

§  [attached screenshot: image002.png]

Thank you all for any assistance you can render.

Peter Glanville
Enterprise Infrastructure Manager
Office of Information Technology
Marie V. McDemmond Center for Applied Research
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
(757) 823-8098 (Office)
(757) 823-2128 (Fax)
pcglanville at
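One way to check what the NameID should look like, as an added example that is not part of the original post or of the Shibboleth/Microsoft guides it cites: with Azure AD Connect's default sourceAnchor, the ImmutableId stored in Azure AD is the standard base64 encoding of the 16 raw bytes of the AD objectGUID, in the byte order AD stores them (the same order .NET's Guid.ToByteArray() returns). A SAML NameID that carries those raw bytes undecoded, rather than their base64 form, renders as unprintable characters in an SP's attribute display. The script below converts between the three forms (raw bytes, dashed GUID string, base64 ImmutableId) and classifies a NameID value as seen at an SP. The objectGUID used is constructed test data, not a value from any real account, and the function names are my own.

```python
import base64
import uuid

# Constructed sample: the 16 raw bytes of an AD objectGUID as returned over
# LDAP. Made-up test data, not a GUID from any real directory.
SAMPLE_OBJECTGUID_BYTES = bytes.fromhex("d6e2a83f5b1c4a2e9f0b1c2d3e4f5a6b")


def immutable_id_from_objectguid(raw: bytes) -> str:
    """ImmutableId Azure AD Connect derives from an objectGUID sourceAnchor.

    It is the plain base64 encoding of the 16 raw bytes, in the mixed-endian
    byte order AD stores them (identical to .NET Guid.ToByteArray()).
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def guid_string_from_objectguid(raw: bytes) -> str:
    """Render the raw bytes as the dashed GUID string AD tools display.

    bytes_le tells Python the first three fields are little-endian, which is
    how Windows lays out a GUID in memory and on the wire.
    """
    return str(uuid.UUID(bytes_le=raw))


def objectguid_from_guid_string(guid_str: str) -> bytes:
    """Inverse of guid_string_from_objectguid."""
    return uuid.UUID(guid_str).bytes_le


def immutable_id_from_guid_string(guid_str: str) -> str:
    """What Azure AD's ImmutableId should be for the GUID string shown by
    Get-ADUser. Useful to compare against the value Azure AD actually holds."""
    return immutable_id_from_objectguid(objectguid_from_guid_string(guid_str))


def objectguid_from_immutable_id(immutable_id: str) -> bytes:
    """Decode an ImmutableId back to the raw objectGUID bytes."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableId decodes to {len(raw)} bytes, expected 16")
    return raw


def diagnose_nameid(value: str) -> str:
    """Classify a NameID value observed at an SP or in an IdP log.

    Returns 'immutableid' for base64 of 16 bytes (what Azure AD expects),
    'guid-string' for the 36-char dashed form, 'raw-binary' when the value
    contains bytes outside printable ASCII (the undecoded objectGUID, which
    is what a 'garbled' attribute value looks like), else 'unknown'.
    """
    try:
        if len(base64.b64decode(value, validate=True)) == 16:
            return "immutableid"
    except (ValueError, TypeError):
        pass
    try:
        uuid.UUID(value)
        return "guid-string"
    except ValueError:
        pass
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value):
        return "raw-binary"
    return "unknown"


if __name__ == "__main__":
    raw = SAMPLE_OBJECTGUID_BYTES
    guid = guid_string_from_objectguid(raw)
    iid = immutable_id_from_objectguid(raw)
    print("objectGUID (AD display form):", guid)
    print("ImmutableId (what Azure AD stores):", iid)
    # The raw bytes passed through as text: this is the garbled case.
    print("raw bytes as NameID classify as:", diagnose_nameid(raw.decode("latin-1")))
    print("ImmutableId classifies as:", diagnose_nameid(iid))
```

To get the two inputs to compare, `Get-ADUser <sam> -Properties objectGUID` prints the dashed GUID string on the AD side, and `Get-MsolUser -UserPrincipalName <upn> | Select-Object ImmutableId` prints what Azure AD holds; `immutable_id_from_guid_string` on the former must equal the latter, and the NameID the IdP asserts must equal that same base64 string, not the dashed form and not the raw bytes.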

