Using Shibboleth as an Identity Provider for Office 365



We have released documentation for Shibboleth support, marking the public availability for Shibboleth integration into Office 365!  You can find the reference here.  This provides a customer with the ability to provide their Active Directory users with single sign-on experience by using Shibboleth Identity Provider as their preferred Security Token Service (STS).

The scenarios covered for support include:

1. Web-based clients such as Outlook Web Access for Exchange and SharePoint Online. 

2. Rich client support including IMAP, POP, EAS, MAP, Outlook 2007, Thunderbird 8 and 9, iPhone, and Windows Phone (These options need to support basic authentication to Exchange for access method and we also need Enhanced Client Protocol (ECP) to be deployed).

All other clients are not support in this SSO scenario with Shibboleth as an iDP.

To setup this configuration you’ll need to setup the following:


  1. Configure Shibboleth for use with single sign-on.
  2. Install Windows PowerShell for single sign-on with Shibboleth
  3. Set up a trust between Shibboleth and Windows Azure AD
  4. Follow the detailed instructions in Directory synchronization roadmap to prepare for, activate, install a tool, and verify directory synchronization.
  5. Verify single sign-on with Shibboleth


Please contact your Microsoft account team on how to get a customer supported for Shibboleth.

Comments (6)

  1. Anon says:

    Has anyone managed to get this to work?

    Is there something that MS needs to do on their end? i.e Please contact your Microsoft account team on how to get a customer supported for Shibboleth.

  2. riou says:

    If my shibboleth was created on Linux, is that work?

  3. ryan says:

    Yes, a shib IdP on Linux will work with O365 SP.

  4. ryan says:

    Anon, MS doesn't need to do anything on their end.

  5. SP initiate sso issue says:

    Referring to this configuration , I just set up the environment. But the SP initiate sso does not work in my env.  I trace the http heards, I can not find any info about SAML request. I can only see some parameters "wa","wrtreaml", it looks like WS-Federation.  Is there any one having some experience or suggestion about this issue ?

  6. pkrug says:

    Thanks for the article!

    I am currently supporting SSO with o365 using ADFS 2.0 but I have been requested to convert it to use Shibboleth.   I currently have all my accounts federated to o365.   I am hoping that I will be able to run in parallel so that I can write my new application to authenticate users using the Shibboleth STS.

    I hope that this will not be an issue.  

Skip to main content