Environment
NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
Microsoft Office 365
SAML2 protocol enabled (not the WS-Federation protocol)
Situation
NAM 4.2 is set up as a SAML Identity Provider to Office 365 using the Office
365 wizard. When users access the Office 365 portal and are correctly
redirected to the NAM Identity Server to log in, the Identity Server
generates an assertion to be sent back to Office 365 as per the wizard
configuration. Office 365 consumes the assertion but, rather than SSO'ing
the user, reports the following error in the browser:
"Sign In
Additional technical information:
Correlation ID: d659d631-3eba-4570-97bf-3b6a45f27058
Timestamp: 2016-11-07 09:11:08Z
AADSTS50008: SAML 2.0 assertion validation failed: SAML token is invalid."
Looking at the details of the assertion, everything appears to be fine, i.e. the attributes required by Office 365 are present in the <AttributeStatement>, the NameIdentifier carries the user's ImmutableID, the signing certificate is valid and the clocks of the two systems are in sync. Each of these is a common trigger for the generic AADSTS50008 message reported above, so none of them explains the failure.
Looking at the AuthnStatement, however, the AuthnContextDeclRef references a value that the Office 365 server could have issues with:
<saml:AuthnStatement AuthnInstant="2016-11-07T09:06:01Z" SessionIndex="idRPd78rmGWI5AJKw1nJpptdKc9b4">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
<saml:AuthnContextDeclRef>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AuthnContextDeclRef>
</saml:AuthnContext>
</saml:AuthnStatement>
Resolution
Upgrade to NAM 4.3 and add the following SAML option to the NAM Office365 configuration:
- Add new option
- Select 'Other'
- Add following property/value pair
"SAML2_AVOID_AUTHN_CONTEXT_DECL_REF" with value of "True" (remove quotes)
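To confirm from a captured assertion whether this is the cause, the following added Python check (not NetIQ code) parses the assertion, reports the AuthnContext references, and shows the AuthnStatement as the IdP emits it once the option above is set. The surrounding Assertion element, its ID, IssueInstant and Issuer are constructed for the example; only the AuthnStatement is taken from the article.

```python
"""Added example (not NetIQ code): flag the AuthnContextDeclRef element that
Office 365 rejects with AADSTS50008 and show the assertion as it looks once
the IdP omits it (the effect of SAML2_AVOID_AUTHN_CONTEXT_DECL_REF=True)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)

# Constructed sample: the article's AuthnStatement wrapped in a minimal Assertion
# (ID, IssueInstant and Issuer values are illustrative, not from the article).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0" IssueInstant="2016-11-07T09:06:01Z">
  <saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2016-11-07T09:06:01Z" SessionIndex="idRPd78rmGWI5AJKw1nJpptdKc9b4">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def inspect_authn_context(assertion_xml: str) -> dict:
    """Collect AuthnContextClassRef / AuthnContextDeclRef values per AuthnStatement.
    Use defusedxml rather than the stdlib parser for XML from untrusted parties;
    here the input is the IdP's own output captured during troubleshooting."""
    root = ET.fromstring(assertion_xml)
    refs = {"class_refs": [], "decl_refs": []}
    for ctx in root.iter(f"{{{SAML}}}AuthnContext"):
        refs["class_refs"] += [e.text for e in ctx.findall("saml:AuthnContextClassRef", NS)]
        refs["decl_refs"] += [e.text for e in ctx.findall("saml:AuthnContextDeclRef", NS)]
    return refs


def office365_rejects(assertion_xml: str) -> bool:
    """True when a DeclRef is present, the condition described in the article."""
    return bool(inspect_authn_context(assertion_xml)["decl_refs"])


def strip_decl_ref(assertion_xml: str) -> str:
    """Return the assertion without AuthnContextDeclRef, as the IdP emits it after
    the option is set. Never patch an already signed assertion this way: any
    change to signed content invalidates the signature."""
    root = ET.fromstring(assertion_xml)
    for ctx in root.iter(f"{{{SAML}}}AuthnContext"):
        for el in ctx.findall("saml:AuthnContextDeclRef", NS):
            ctx.remove(el)
    return ET.tostring(root, encoding="unicode")
```

Run `office365_rejects()` on the base64-decoded assertion taken from a SAML trace (for example the browser's SAMLResponse POST) to see whether the DeclRef is still being sent after the configuration change.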