Office 365 SAML token rejection

What is the value configured for 'Assertion Subject Value*:' on APM. ? May want to verify with MS on this value.

Not sure if can help you but, I found an error that a slash was needed at the end of entity ID That's: https://idp.xxx.com gave me errors while https://idp.xxx.com/ works perfect

Okay, so that should be something required by O365? Any concern in configuring with a ending slash?

I did find this issue with O365, not with other SP's I have configured Also, as SP number grew, I had problems ending entityID in a URI like /idp/ or similar (can't remember why at this moment, maybe I was doing something wrong), so finally ended setting up every idp service with entityID as https://idp.xxx.com/

Also you must call an iRule to encode attribute to b64. Let me know if you don't have the code

The DG does indicate this ending slash url https://www.f5.com/pdf/deployment-guides/microsoft-office-365-idp-dg.pdf for the entity id. So that could be a known format.

Thanks for the comments. I have this working now, it was an issue with the encode irule, more specifically the AD query wasn't returning the attributes needed for the irule. Worth noting, I don't have a trailing slash, but both APM & o365 configurations match. Thanks for the help.

Maybe if entityID includes an uri like /idp this problem does not come out. Do you have it ? But we had https://idp.xxx.com at both places and until we added the slash it didn't work

I had the same issue... missing objectGUID