Microsoft Office 365 Single Sign-On (SSO) with Shibboleth 2

As part of the refreshed Practice Accelerator for Office 365 training (new content and new dates coming shortly!), we mention in passing that Shibboleth can be configured to provide Single Sign-On for Office 365. In that training we don't discuss how to configure Shibboleth, so if you are trying to do so, I thought I would point you to a very well-written white paper from Jean-Marie Thia with the French National Center for Scientific Research (CNRS) and Philippe Beraud (Microsoft France):

Through its support for the SAML 2.0 protocol, Internet2 Shibboleth 2 provides claims-based (Web) single sign-on (also known as identity federation) with the Microsoft Office 365 offering and its Web application and e-mail rich client applications (such as Outlook).

Building on existing documentation, this document is intended to provide a better understanding of the different single sign-on deployment options for Windows Azure Active Directory and the services in Office 365, how to enable single sign-on using corporate credentials and the Shibboleth 2 Identity Provider to Windows Azure Active Directory and the services in Office 365, and the different configuration elements to be aware of for such deployment.

This document is intended for system architects and IT professionals who are interested in understanding the basics of the single sign-on feature of Windows Azure Active Directory/Office 365 with Shibboleth 2 along with planning and deploying such a system in their environment.

Download the paper here: Office 365 Single Sign-On with Shibboleth 2 whitepaper

Paper Contents:

1 Introduction
1.1 Objectives of this paper
1.2 Non-objectives of this paper
1.3 Organization of this paper
1.4 About the audience
1.5 Terminology used in this guide

2 A brief overview of Shibboleth 2
2.1 A short introduction on the SAML 2.0 standard
2.2 Logical architecture of the Shibboleth system components
2.3 Interaction principles and associated profiles
2.4 Federation metadata defined

3 Federated authentication in Windows Azure AD/Office 365
3.1 Sign-in experience for federated identities
3.2 Types of authentication for federated identities

4 Understanding the SSO configuration and related considerations
4.1 Preparing for the single sign-on
4.2 Planning and deploying a Shibboleth 2 identity provider
4.3 Configuring Shibboleth for use with single sign-on
4.4 Installing Windows PowerShell for single sign-on with Shibboleth 2
4.5 Setting up a trust between Shibboleth and Windows Azure AD
4.6 Setting up directory synchronization
4.7 Verifying single sign-on with Shibboleth 2
4.8 Troubleshooting the single sign-on (SSO) with Shibboleth 2

5 Understanding how federated authentication works in Office 365
5.1 Understanding the Shibboleth 2 configuration
5.2 Understanding the passive/Web profile authentication flow
5.3 Understanding the ECP – Proxy Auth profile authentication flow

Appendix A. Shibboleth 2 Glossary/Concepts
Appendix B. Shibboleth 2 configuration file samples