Office 365



Office 365 provides online access to Microsoft products like Office, Outlook or Yammer. Authentication is done on and can be forwarded to a SAML Identity Provider.


Office 365

You first need to install the AzureAD PowerShell module to be able to run administrative commands.

Then run this script:

# Sign in to the tenant first (Connect-MsolService, from the MSOnline module that provides the Msol cmdlets)
Connect-MsolService

$dom = ""                          # your Office 365 domain
$brand = "My Company"              # simple label shown to users
$url = ""                          # SAML SSO endpoint of the IdP
$uri = ""                          # SAML metadata endpoint (issuer URI)
$logouturl = ""                    # logout URL
$cert = "xxxxxxxxxxxxxxxxxxx"      # SAML signing certificate (public key)

Set-MsolDomainAuthentication -DomainName $dom `
    -FederationBrandName $brand `
    -Authentication Federated `
    -PassiveLogOnUri $url `
    -SigningCertificate $cert `
    -IssuerUri $uri `
    -LogOffUri $logouturl `
    -PreferredAuthenticationProtocol SAMLP

Where parameters are:

  • dom: Your Office 365 domain

  • brand: Simple label

  • url: The SAML SSO endpoint

  • uri: The SAML metadata endpoint

  • logouturl: Logout URL

  • cert: The SAML certificate containing the signature public key

If you have several Office 365 domains, you can't use the same URLs for each domain. To be able to have a single SAML IdP for several domains, you must add the 'domain' GET parameter at the end of the SSO endpoint and metadata URLs, for example:


Create a new SAML Service Provider and import Microsoft metadata from

Set the NameID value to persistent format.

You must use the base64 value of the mS-DS-ConsistencyGuid attribute (also known as immutableID).

Note that a "-" in variable names may lead to problems. You should declare an LDAP mapping immutableid <-> mS-DS-ConsistencyGuid, and then declare a macro: $immutableb64 = encode_base64( "$immutableid", "" )
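Added example (not part of the original page or of LemonLDAP::NG) showing what the macro above produces: the attribute is stored in LDAP as 16 raw bytes, the base64 value must carry no trailing newline (that is why the macro passes "" as second argument), and a received NameID can be checked against both rules. The GUID value is constructed for the example.

```python
import base64
import uuid

# Constructed sample: a test account's GUID as AD displays it. In LDAP the
# mS-DS-ConsistencyGuid / objectGUID attribute is 16 raw bytes in the
# mixed-endian layout, not this text form.
SAMPLE_GUID_TEXT = "3a7d9f02-1b4c-4e6a-9f0d-5c2b8a1e7d33"


def guid_text_to_ldap_bytes(guid_text: str) -> bytes:
    """Return the 16 raw bytes exactly as AD stores the attribute."""
    return uuid.UUID(guid_text).bytes_le


def immutable_id(raw_guid: bytes) -> str:
    """Base64 of the raw attribute with no trailing newline.

    Mirrors the LemonLDAP::NG macro encode_base64("$immutableid", ""):
    the empty second argument suppresses the newline that Perl's
    MIME::Base64 appends by default. A NameID ending in a newline does
    not match the ImmutableID Office 365 has on record.
    """
    if len(raw_guid) != 16:
        raise ValueError("mS-DS-ConsistencyGuid must be 16 bytes, got %d" % len(raw_guid))
    return base64.b64encode(raw_guid).decode("ascii")


def check_name_id(name_id: str) -> bytes:
    """Validate a persistent NameID as Office 365 expects it; return the GUID bytes."""
    if name_id != name_id.strip():
        raise ValueError("NameID carries surrounding whitespace or a newline")
    raw = base64.b64decode(name_id, validate=True)
    if len(raw) != 16:
        raise ValueError("decoded NameID is not a 16-byte GUID")
    return raw


def name_id_is_valid(name_id: str) -> bool:
    """Boolean wrapper around check_name_id for quick validation."""
    try:
        check_name_id(name_id)
        return True
    except ValueError:
        return False
```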

Create a SAML attribute named IDPEmail which contains the user principal name (UPN).