Shibboleth IdP + O365 Modern Authentication client issue

Joseph Fischetti Joseph.Fischetti at
Mon Mar 9 13:52:26 EDT 2020

We're having the same behavior, for a subset of our users.


Outlook will display a "Needs Password" notification at the bottom and won't
receive any new emails.  Users will click that notification and, after being
prompted to log in (to the Shib login page), it'll fail to get them on.
Checking the Shibboleth logs shows a valid/successful login at the time of
the Outlook failure (read: it's not a Shibboleth problem).


In every case that I've seen: when it happens, if the user reboots their
machine instead of entering their password, Outlook reconnects without a
prompt (like it should).  In addition, in every case that I've seen, when
the user is being asked for their password, the status of their refresh
token in Azure is still valid.


It's not every user (and there's nothing we can do from an Office 365 point of
view). It's not even like we can figure out which version of the client is
experiencing the problem.  I've seen it with multiple builds of Office 2019
(and I have no recorded instances of a user with 2016 having the issue,
though that's not to say it doesn't exist).





From: users <users-bounces at> On Behalf Of Tim Murphy
Sent: Monday, March 9, 2020 12:57 PM
To: users at
Subject: Shibboleth IdP + O365 Modern Authentication client issue



Hi all


Just wondering if anyone has seen this before. We have set our Office 365
domain to federated mode and configured it to use our Shibboleth as the
Identity Provider. All works so far and users have configured their clients
with our IdP.


However, we are noticing about every 24 hours that users are being signed out
of the mobile/desktop clients and being asked to log in again. Has anyone
seen this behaviour when using Shibboleth IdP and Office 365? Normally
mobile/desktop clients should be persistent and shouldn't force a user out,
but asking here just in case.


We have set our Azure AD org policy, conditional access policy, etc. all to
extended sessions on mobile apps, and tried disabling MFA, etc., but to no avail.
It should be noted that our IdP stores sessions for a max of 24 hours or if
you change IP.
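The diagnostic step both posts rely on is checking whether the IdP recorded a successful login at the moment a client reported a failure, and whether the IdP's own session rules (a 24-hour cap, or a client address change) could explain a forced re-login. The script below is an added example, not code from the Shibboleth project or from either poster. It assumes a simplified pipe-delimited audit-log layout (timestamp|request id|client IP|principal|relying party|event) modelled loosely on the IdP's default idp-audit.log; the field order in a real deployment is set by its logging configuration, so adjust the indices. All sample lines are constructed.

```python
"""Correlate client sign-in failures with Shibboleth IdP audit-log logins.

Added example, not code from the Shibboleth project or from the thread.
The pipe-delimited layout (timestamp|request id|client IP|principal|
relying party|event) is an assumed simplification of the IdP's default
idp-audit.log; adjust the field indices to your own logging configuration.
All sample lines are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines in the assumed layout described above.
SAMPLE_AUDIT_LOG = """\
20200309T164512Z|_r1|198.51.100.10|jdoe|urn:federation:MicrosoftOnline|Login
20200309T164530Z|_r2|198.51.100.11|asmith|urn:federation:MicrosoftOnline|Login
20200309T171505Z|_r3|203.0.113.7|jdoe|urn:federation:MicrosoftOnline|Login
"""


def parse_ts(value):
    """Parse the compact UTC timestamp used in the sample lines."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text):
    """Turn audit-log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 6:
            continue  # blank or truncated line; ignore rather than crash
        events.append({
            "time": parse_ts(fields[0]),
            "ip": fields[2],
            "principal": fields[3],
            "relying_party": fields[4],
            "event": fields[5],
        })
    return events


def logins_near(events, principal, failure_time, window=timedelta(minutes=5)):
    """Successful logins for `principal` within `window` of a reported failure."""
    return [
        e for e in events
        if e["principal"] == principal
        and e["event"] == "Login"
        and abs(e["time"] - failure_time) <= window
    ]


def ip_changed_between_logins(events, principal):
    """True if consecutive logins for `principal` came from different client IPs.

    An IdP that binds sessions to the client address drops the session on
    such a change, which explains a forced re-login on the IdP side.
    """
    ips = [e["ip"] for e in sorted(events, key=lambda e: e["time"])
           if e["principal"] == principal and e["event"] == "Login"]
    return any(a != b for a, b in zip(ips, ips[1:]))


def triage(events, principal, failure_time):
    """Classify a reported client failure from the IdP's point of view.

    'idp_login_ok'  - the IdP recorded a successful login at that time, so the
                      fault lies downstream (the client or the service).
    'no_idp_login'  - nothing reached the IdP; look at the client or network.
    """
    return "idp_login_ok" if logins_near(events, principal, failure_time) else "no_idp_login"


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(triage(evs, "jdoe", parse_ts("20200309T164400Z")))
    print(ip_changed_between_logins(evs, "jdoe"))
```

Run it against an export of the real audit log and a list of (principal, failure time) pairs taken from help-desk tickets; a run of `idp_login_ok` results with no IP change, as in the first post, points the investigation at the client rather than the IdP.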




