Use Shibboleth Identity Provider to implement single sign-on

Updated: June 25, 2015

Applies To: Azure, Office 365, Power BI, Windows Intune

The topics in this section contain instructions for administrators of a Microsoft cloud service who want to provide their Active Directory users with single sign-on experience by using Shibboleth Identity Provider as their preferred Security Token Service (STS). Shibboleth Identity Provider implements the widely used Security Assertion Markup Language (SAML) federated identity standard to provide a single sign-on and attribute exchange framework.

Microsoft supports this single sign-on experience as the integration of a Microsoft cloud service, such as Microsoft Intune or Office 365, with the already installed and operational Shibboleth Identity Provider. Shibboleth Identity Provider is a third-party product and therefore Microsoft does not provide support for the deployment, configuration, troubleshooting, best practices, etc. issues and questions regarding the Shibboleth Identity Provider. For more information about the Shibboleth Identity Provider, see


Only a limited set of clients are supported in this single sign-on scenario, as follows:

  • Web-based clients such as Exchange Web Access and SharePoint Online

  • Email-rich clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Active Sync, MAPI, etc. (the Enhanced client protocol end point is required to be deployed), including:

    • Microsoft Outlook 2007

    • Microsoft Outlook 2010

    • Thunderbird 8 and 9

    • The iPhone (various iOS versions)

    • Windows Phone 7

All other clients are not supported in this single sign-on scenario with the Shibboleth Identity Provider.  For example, if you implement this single sign-on scenario, you will not be able to use Lync 2010 or Lync 2013 desktop clients to sign-in to Lync Online, or use Office 365 ProPlus licensing from an Office 365 subscription, or use Word, Excel and other Office desktop applications to open documents from SharePoint Online, or use OneDrive for Business to synchronize files.

In order to set up your on-premises STS using Shibboleth Identity Provider, complete the following steps.


As a pre-requisite to starting the steps below, please review the benefits, user experiences, and requirements of single sign-on in Prepare for single sign-on.

  1. Run through the detailed instructions in Configure Shibboleth for use with single sign-on.

  2. Install Windows PowerShell for single sign-on with Shibboleth

  3. Set up a trust between Shibboleth and Azure AD

  4. Follow the detailed instructions in Directory synchronization roadmap to prepare for, activate, install a tool, and verify directory synchronization.

  5. Verify single sign-on with Shibboleth

See Also


DirSync with Single Sign-On