
Use Shibboleth Identity Provider to implement single sign-on

Published: June 29, 2012

Updated: February 28, 2013

Applies To: Office 365, Windows Azure Active Directory, Windows Intune

Note
This topic provides online help content that is applicable to multiple Microsoft cloud services, including Windows Intune and Office 365.

The topics in this section contain instructions for administrators of a Microsoft cloud service who want to give their Active Directory users a single sign-on experience by using Shibboleth Identity Provider as their preferred Security Token Service (STS). Shibboleth Identity Provider implements the widely used Security Assertion Markup Language (SAML) federated identity standard to provide a single sign-on and attribute exchange framework.

Microsoft supports this single sign-on experience as the integration of a Microsoft cloud service, such as Windows Intune or Office 365, with an already installed and operational Shibboleth Identity Provider. Shibboleth Identity Provider is a third-party product, so Microsoft does not provide support for issues and questions regarding its deployment, configuration, troubleshooting, or best practices. For more information about the Shibboleth Identity Provider, see http://go.microsoft.com/fwlink/?LinkID=256497.

Important
Only a limited set of clients is supported in this single sign-on scenario, as follows:

  • Web-based clients such as Outlook Web App and SharePoint Online

  • Rich email clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Exchange ActiveSync, MAPI, etc. (the Identity Provider must expose the SAML Enhanced Client or Proxy (ECP) profile endpoint for these clients to authenticate), including:

    • Microsoft Outlook 2007

    • Microsoft Outlook 2010

    • Thunderbird 8 and 9

    • The iPhone (various iOS versions)

    • Windows Phone 7

No other clients are supported in this single sign-on scenario with Shibboleth Identity Provider. For example, the Lync 2010 desktop client cannot sign in to the service when Shibboleth Identity Provider is configured for single sign-on.

To set up your on-premises STS using Shibboleth Identity Provider, complete the following steps.

Important
Before starting the steps below, review the benefits, user experiences, and requirements of single sign-on in Prepare for single sign-on.

  1. Run through the detailed instructions in Configure Shibboleth for use with single sign-on.

  2. Install Windows PowerShell for single sign-on with Shibboleth

  3. Set up a trust between Shibboleth and Windows Azure AD

  4. Follow the detailed instructions in Directory synchronization roadmap to prepare for, activate, install a tool, and verify directory synchronization.

  5. Verify single sign-on with Shibboleth
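The following is an added example (not taken from this page or from the Shibboleth project) of what step 3, setting up the trust between Shibboleth and Windows Azure AD, looks like when typed into the Windows PowerShell module installed in step 2. The domain name contoso.com, the IdP host idp.contoso.com, the brand name, the certificate path, and the logout URL are placeholder assumptions; the SAML2/POST/SSO and SAML2/SOAP/ECP paths are Shibboleth IdP defaults and should be checked against your own IdP metadata.

```powershell
# Added example: federate one verified domain with a Shibboleth IdP.
# Placeholder values (assumptions, replace with your own):
$domain  = 'contoso.com'
$idpHost = 'idp.contoso.com'

# Passive endpoint: SAML 2.0 HTTP-POST binding used by browser clients.
# Active endpoint: SAML ECP profile over SOAP, used by the rich email
# clients listed above; without it those clients cannot authenticate.
$passiveUri = "https://$idpHost/idp/profile/SAML2/POST/SSO"
$activeUri  = "https://$idpHost/idp/profile/SAML2/SOAP/ECP"
$logoffUri  = "https://$idpHost/idp/profile/Logout"  # assumed; match your IdP's logout configuration
$issuerUri  = "https://$idpHost/idp/shibboleth"      # must equal the entityID in the IdP metadata

# The IdP's SAML signing certificate, PEM encoded (idp-signing.crt from the
# Shibboleth credentials directory; path is an assumption). The service wants
# the base64 DER body only, so strip the PEM armor and whitespace.
$pem  = Get-Content -Path 'C:\shibboleth\credentials\idp-signing.crt' -Raw
$cert = $pem -replace '-----BEGIN CERTIFICATE-----', '' `
             -replace '-----END CERTIFICATE-----', '' `
             -replace '\s', ''

Connect-MsolService   # prompts for a global administrator credential

# Mark the domain as federated and register the Shibboleth endpoints.
# PreferredAuthenticationProtocol SAMLP tells the service to issue SAML 2.0
# requests rather than WS-Federation requests to this IdP.
Set-MsolDomainAuthentication -DomainName $domain `
    -FederationBrandName 'Contoso Shibboleth' `
    -Authentication Federated `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $passiveUri `
    -ActiveLogOnUri $activeUri `
    -LogOffUri $logoffUri `
    -SigningCertificate $cert `
    -PreferredAuthenticationProtocol SAMLP

# Read back what the service recorded before attempting a sign-in (step 5).
Get-MsolDomainFederationSettings -DomainName $domain |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
```

Two values deserve a second look before testing: IssuerUri must match the entityID the IdP puts in its assertions exactly, and SigningCertificate must be the certificate the IdP currently signs with. If either is wrong, web sign-ins redirect to the IdP and then fail on the way back, and if the IdP's signing certificate is later rotated the same command has to be run again with the new certificate.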

See Also

© 2013 Microsoft. All rights reserved.