This documentation is for WSO2 Identity Server 5.3.0. View documentation for the latest release.



Azure AD expects to receive the following attributes with a SAML 2.0 message. 


Claim | Claim URI | Purpose


This must be the email address of the Office365 user. Usually this is the userPrincipalName attribute in AD. This is the login username that a user enters to log in to Office365. It should match the domain name. (ex:


Since this attribute requires an email address as the username, make sure you have configured the IS to authenticate users using the email address. See Using Email Address as the Username for more information.


This is the Immutable ID that is set by the Azure AD sync service out of the box. If you use a different value, this claim must be populated with that value for each user. In this case we will use the ObjectGUID attribute in AD, which is unique per user.


The URI for a claim that specifies the role of a Windows user

Configuring Office 365 WS-Federation

  1. Start the WSO2 Identity Server and log in to the management console.

  2. Click Resident under Identity Providers on the Main menu. Expand the Inbound Authentication Configuration section and then the WS-Federation(Passive) Configuration.

  3. Replace the value of the Identity Provider Entity Id with the value given for the parameter $issueruri when configuring Azure AD (configured in step 3 of this topic), and click Update to save changes.

  4. Navigate to Claims>Add in the Main menu and click Add New Claim. Set 'User Principle' and 'ImmutableID' as claims as seen below. See Adding Claim Mapping for more information. 

  5. Navigate to Claims>List and click on the claim dialect. Click on Edit for each of the claims below and untick the Supported by Default checkbox. 

    Why do these claims need to be edited?

    These attributes are not supported by Active Directory by default. Therefore, if these attributes are ticked as Supported by Default in Identity Server, they will be shown in the default user profile and you will receive an error when you try to update the user profile.

  6. Navigate to Service Providers > Add in the Main menu and add a new Service Provider named 'Office365'.

  7. Expand the Inbound Authentication Configuration section, then the WS-Federation(Passive) Configuration and enter the following details. See Configuring WS-Federation Single Sign-On for more information about these fields.

  8. Expand the Claim Configuration section and configure the following attributes required by Azure AD as seen below.

  9. Set the Subject Claim URI to the Immutable ID claim and the Role Claim URI to the role claim. Click Update to save changes.

  10. Create a user and update the user's profile with a User Principle Name as seen below.


    ObjectGUID is a binary attribute. Add the following user store property to the <IS_HOME>/repository/conf/user-mgt.xml file under the relevant user store tag in order to see the value properly in the management console.

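    <UserStoreManager ... >
        <!-- Treat objectGUID as a binary LDAP attribute; the other user store properties stay as they are -->
        <Property name="java.naming.ldap.attributes.binary">objectGUID</Property>
    </UserStoreManager>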
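
The Immutable ID description and the ObjectGUID note above, as an added example that is not part of the WSO2 documentation: a Python helper for checking that the Immutable ID claim sent for a user corresponds to that user's objectGUID. It assumes that the out-of-the-box Immutable ID is the Base64 encoding of the raw 16 objectGUID bytes; the function names and the sample GUID are constructed for illustration.

```python
import base64
import uuid

# Constructed sample: the 16 raw objectGUID bytes as an LDAP client returns them
# once the attribute is declared binary (not a real directory value).
SAMPLE_OBJECT_GUID = bytes.fromhex("00112233445566778899aabbccddeeff")


def guid_bytes_to_immutable_id(raw: bytes) -> str:
    """Base64 of the raw bytes (assumed default Immutable ID encoding)."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def guid_bytes_to_string(raw: bytes) -> str:
    """GUID text form. AD stores the first three fields little-endian,
    so bytes_le is required; uuid.UUID(bytes=raw) would give a wrong GUID."""
    return str(uuid.UUID(bytes_le=raw))


def guid_string_to_immutable_id(guid: str) -> str:
    """Start from the GUID string shown by AD tools and derive the claim value."""
    return guid_bytes_to_immutable_id(uuid.UUID(guid).bytes_le)


def immutable_id_to_guid_string(immutable_id: str) -> str:
    """Decode a claim value back to a GUID string for lookup in AD."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("Immutable ID does not decode to 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def claim_matches(raw_object_guid: bytes, claim_value: str) -> bool:
    """True only if the claim decodes to exactly the user's objectGUID bytes.
    Malformed or truncated claim values are rejected rather than raising."""
    try:
        decoded = base64.b64decode(claim_value, validate=True)
    except ValueError:
        return False
    return len(decoded) == 16 and decoded == raw_object_guid


if __name__ == "__main__":
    print(guid_bytes_to_string(SAMPLE_OBJECT_GUID))
    print(guid_bytes_to_immutable_id(SAMPLE_OBJECT_GUID))
```

A claim value that was produced from a garbled text rendering of the binary attribute will fail `claim_matches`, which is the symptom the `java.naming.ldap.attributes.binary` property is meant to prevent.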