SSO fails at Microsoft with this error:
Your organization could not sign you in to this service
Perform the following steps to fix this issue:
Verify that the attributes are configured properly.
You can also use the SAML tracer plug-in for Firefox to review the SAML assertion sent to Office 365.
Verify the federation settings by using the Get-MsolDomainFederationSettings -DomainName <YOUR DOMAIN> command.
If you try setting up a primary domain for federation by running the Set-MsolDomainAuthentication command, it throws the following error:
Set-MsolDomainAuthentication: You cannot remove this domain as the default domain without replacing it with another default domain. Use the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this domain.
To fix this issue, change the default domain by performing the following steps:
In the Office 365 portal, click Organization Name on the Admin page.
Click Edit.
Select a new default domain.
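The federation-settings check and the default-domain condition described above, as an added PowerShell example that is not part of the original article. It assumes the MSOnline module with a session already opened by Connect-MsolService; the parameter names $Domain, $ExpectedIssuer and $NewDefault are hypothetical and take your own values.

```powershell
# Added example, not from the original article.
# Assumes: MSOnline module loaded and Connect-MsolService already run.
# $Domain, $ExpectedIssuer and $NewDefault are hypothetical parameter names.
param(
    [Parameter(Mandatory)] [string] $Domain,          # domain being federated
    [Parameter(Mandatory)] [string] $ExpectedIssuer,  # issuer / entity ID configured on the IdP
    [string] $NewDefault                              # optional: another verified domain to make default
)

$info = Get-MsolDomain -DomainName $Domain
"{0}: Authentication={1} IsDefault={2}" -f $info.Name, $info.Authentication, $info.IsDefault

if ($info.Authentication -eq 'Federated') {
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    $fed | Format-List IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol

    # Compare the stored issuer with the Issuer value seen in the SAML trace.
    if ($fed.IssuerUri -ne $ExpectedIssuer) {
        Write-Warning "IssuerUri '$($fed.IssuerUri)' does not match IdP issuer '$ExpectedIssuer'"
    }

    # SigningCertificate is stored as base64; decode it so the thumbprint and
    # validity can be compared with the certificate the IdP signs with.
    if ($fed.SigningCertificate) {
        $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
        "Signing cert {0} valid until {1:u}" -f $cert.Thumbprint, $cert.NotAfter
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Stored signing certificate has expired' }
    }
}

# Set-MsolDomainAuthentication fails on the default domain (the error quoted above).
if ($info.IsDefault) {
    Write-Warning "$Domain is the default domain; choose another default before federating it."
    if ($NewDefault) {
        # PowerShell equivalent of the portal steps: make another verified domain the default.
        Set-MsolDomain -Name $NewDefault -IsDefault
        Get-MsolDomain | Select-Object Name, Authentication, IsDefault
    }
}
```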