<div dir="ltr"><div>Kevin,</div><div><br></div><div>Most likely, you haven't provisioned an account that matches that objectGUID + IDPEmail.  Alternatively, IdP-initiated SSO may not work with Office 365.  Again, I have no way of testing myself, and I apologize.<br></div><div><br></div><div>Either way, your IdP apparently sent a full assertion to Office 365 (you can check your IdP's logs on DEBUG to see if the assertion looks right).  The error is at Office 365 and pretty self-explanatory, so your best bet is to double-check the assertion for the right data and make sure your provisioning is working, and then visit the exciting land of Premier Support.</div><div><br></div><div>Take care,</div><div>Nate.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 10, 2018 at 11:39 AM, Kevin B <span dir="ltr"><<a href="mailto:kevin@thenext.net" target="_blank">kevin@thenext.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Nate,<div><br>It appears it tries to sign me into Office 365, but then I get this message:</div><div><br></div><div><div>Sign in</div><div><p>Sorry, but we’re having trouble signing you in.</p></div><div>AADSTS51004: To sign into this application the account AAdzZWNyZXQx7HMxE6qicIZSOj9QzKVS.....+rUOUj91x5MsYdMZ0tib50s6FCFGB must be added to the 8f42c016-.....-772a011c3b99 directory.</div></div></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Fri, Sep 7, 2018 at 11:39 PM Nate Klingenstein <<a href="mailto:ndk@sudonym.me" target="_blank">ndk@sudonym.me</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Excuse me, 3A, not 3B.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 8, 2018 at 2:51 AM, Nate Klingenstein <span dir="ltr"><<a href="mailto:ndk@sudonym.me" target="_blank">ndk@sudonym.me</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Kevin,</div><div><br></div><div>I suspect that something like the below would work, but I don't have an account nor an IdP I can use to test it with.<br></div><br><div><a href="https://idp.host.here/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Bfederation%3BMicrosoftOnline&target=https%3A%2F%2Fportal.office.com%2F" target="_blank">https://idp.host.here/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Bfederation%3BMicrosoftOnline&target=https%3A%2F%2Fportal.office.com%2F</a></div><div><br></div><div>Federated identity in general means fewer logins (but as many or more sessions total), but the number of logins does not depend on 
whether the IdP or SP initiates the process.  The number of logins depends on the IdP's session management and whether a current session exists for the user that satisfies a request issued by the SP.</div><div><br></div><div>Unsolicited SSO may obviate the need to do IdP discovery, which would be the only reduction in required user interaction.  That's a win, but unsolicited SSO comes with other trade-offs.  You may need to end up supporting IdP discovery and SP-initiated SSO for Microsoft's native applications anyway.  It's worth reading through this Wiki article.<br></div><div><br></div><div><a href="https://wiki.shibboleth.net/confluence/display/IDP30/UnsolicitedSSOConfiguration" target="_blank">https://wiki.shibboleth.net/<wbr>confluence/display/IDP30/<wbr>UnsolicitedSSOConfiguration</a><br></div><div><br></div><div>The only data transmitted in the assertion is the user's objectGUID and a mysterious identifier known as IDPEmail, and the SAML assertion itself would be considered the credential from the SP's point of view.  Most of the heavy provisioning lifting is done by the descendant of DirSync.</div><div><br></div><div>Hope this helps,</div><div>Nate.<br></div></div></div></div><div class="m_-8298220764396010026m_-4669008317689775221m_4481356478166845348HOEnZb"><div class="m_-8298220764396010026m_-4669008317689775221m_4481356478166845348h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 7, 2018 at 10:40 PM, Kevin <span dir="ltr"><<a href="mailto:kevin@thenext.net" target="_blank">kevin@thenext.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">How would one use IdP-Initiated SSO with Shibboleth and Office 365?  In a<br>
university setting, would this not be fewer logins?  Would there be a URL<br>
nomenclature that one would use to pass the credentials to the SP?<br>
<br>
<br>
<br>
--<br>
Sent from: <a href="http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html" rel="noreferrer" target="_blank">http://shibboleth.1660669.n2.<wbr>nabble.com/Shibboleth-Users-<wbr>f1660767.html</a><br>
<span class="m_-8298220764396010026m_-4669008317689775221m_4481356478166845348m_-6591174223683966124HOEnZb"><font color="#888888">-- <br>
For Consortium Member technical support, see <a href="https://wiki.shibboleth.net/confluence/x/coFAAg" rel="noreferrer" target="_blank">https://wiki.shibboleth.net/<wbr>confluence/x/coFAAg</a><br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank">users-unsubscribe@shibboleth.<wbr>net</a><br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div>