13.2 Configuring an Office 365 Domain to Federate with Access Manager

13.2.1 Prerequisites for Configuring an Office 365 Domain

  • Identity Server must be reachable from the Internet (outside the firewall) so that Office 365 and the Office 365 clients can communicate with its WS-Federation and WS-Trust endpoints.

  • Sign up for an Office 365 account.

  • To enable single sign-on to the Office 365 desktop applications, download the applications from the Office 365 portal.

  • Create a federated domain in Office 365 and prove ownership of it. This adds your company domain to your Office 365 tenant.

    For more information, see Adding and Verifying a Domain for Office 365.

  • Ensure that the Windows 7 or Windows 8 workstations do not have the Active Directory Federation Service 2.0 snap-in installed.

  • Ensure that the SSL certificate is issued by a well-known external certification authority (CA).

  • If you are using Microsoft Lync or Microsoft Outlook thick clients with WS-Trust, replace the default self-signed SSL server certificate included with Access Manager with one that is signed by a public CA. This enables Office 365 to establish a trusted SSL session with Access Manager.

    For more information, see Managing Trusted Roots and Trust Stores in the NetIQ Access Manager Appliance 4.4 Administration Guide.

    NOTE: If you are using Microsoft Lync, ensure that you enable federation. For more information, see Configure external communications.

  • Install Microsoft Live Sign-in Module to help manage and establish a remote session with the Office 365 account that is created to manage the Office 365 domain. To download, go to Microsoft Downloads Center.

  • Install Microsoft Azure Active Directory Module. To download, go to Manage Azure AD using Windows PowerShell.

13.2.2 Enabling Federation Settings in the Office 365 Domain

Replace the domain name in the following commands with the domain name of your setup and run them in PowerShell. The domain name in the example is namtest.com.

  1. Launch Windows Azure Active Directory Module for Windows PowerShell.

  2. Run $cred=Get-Credential and specify your cloud service administrator account credentials.

  3. Ensure that you have the Identity Server signing certificate in .cer format; Access Manager does not support the .ctr format. Office 365 uses this certificate to verify the signature on the tokens that Identity Server issues, so export only the public certificate, never the private key.

  4. Run Connect-MsolService –Credential $cred.

    For example, if the name of the domain is namtest.com and Base URL of Identity Server is https://namtest.com/nidp/, run the following commands in PowerShell:

    IMPORTANT: In this example, the port is not specified with Base URL because it uses the default port 443. If you are using a different port, specify the port with Base URL.

    $dom = "namtest.com"
    $url = "https://namtest.com/nidp/wsfed/ep"
    $ecpUrl = "https://namtest.com/nidp/wstrust/sts/active12"
    $uri = "https://namtest.com/nidp/wsfed/"
    $logouturl = "https://namtest.com/nidp/jsp/o365wsfedlogout.jsp"
    $mex = "https://namtest.com/nidp/wstrust/sts/mex"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "<name and path of the certificate>"
    $certData = [system.convert]::tobase64string($cert.rawdata)
    $brand = "NamTest Co Bangalore"

  5. Use the following cmdlet to update the settings of the single sign-on domain:

    Set-MsolDomainAuthentication -FederationBrandName $brand -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -MetadataExchangeUri $mex
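The steps above as one complete script. This is an added example, not a script from the Access Manager documentation. It derives every endpoint from a single Base URL so that a non-default port cannot be forgotten on one of them, checks the signing certificate and the domain status before changing anything, and reads the federation settings back afterwards. It assumes the MSOnline module is installed, that namtest.com is already verified in the tenant, and that the Identity Server signing certificate was exported to C:\certs\idp-signing.cer (a hypothetical path).

```powershell
# Added example (not from the Access Manager documentation): federate an Office 365
# domain with Access Manager Identity Server and verify the stored settings.
# Assumptions: MSOnline module installed, domain already verified in the tenant,
# signing certificate exported to the hypothetical path below.

Import-Module MSOnline

$domain   = "namtest.com"
$baseUrl  = "https://namtest.com/nidp"     # append :port here if Identity Server is not on 443
$certPath = "C:\certs\idp-signing.cer"     # hypothetical path to the exported .cer file

# Derive every endpoint from the one Base URL so a port change applies to all of them.
$passiveUri = "$baseUrl/wsfed/ep"
$activeUri  = "$baseUrl/wstrust/sts/active12"
$issuerUri  = "$baseUrl/wsfed/"
$logoffUri  = "$baseUrl/jsp/o365wsfedlogout.jsp"
$mexUri     = "$baseUrl/wstrust/sts/mex"

# Load the token-signing certificate and refuse one that is about to expire:
# once it expires, every Office 365 sign-in for this domain fails.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Signing certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it before federating"
}
$certData = [Convert]::ToBase64String($cert.RawData)

$cred = Get-Credential -Message "Office 365 administrator account"
Connect-MsolService -Credential $cred

# Only a verified domain can be converted to federated authentication.
$domInfo = Get-MsolDomain -DomainName $domain
if ($domInfo.Status -ne "Verified") {
    throw "Domain $domain is not verified in the tenant (status: $($domInfo.Status))"
}

Set-MsolDomainAuthentication -DomainName $domain -Authentication Federated `
    -FederationBrandName "NamTest Co Bangalore" `
    -PassiveLogOnUri $passiveUri -ActiveLogOnUri $activeUri -IssuerUri $issuerUri `
    -LogOffUri $logoffUri -MetadataExchangeUri $mexUri -SigningCertificate $certData

# Read the settings back and confirm the tenant stored exactly what was sent.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
if ($fed.SigningCertificate -ne $certData) { throw "Tenant signing certificate does not match $certPath" }
if ($fed.IssuerUri -ne $issuerUri)          { throw "IssuerUri mismatch: tenant has $($fed.IssuerUri)" }
if ($fed.PassiveLogOnUri -ne $passiveUri)   { throw "PassiveLogOnUri mismatch: tenant has $($fed.PassiveLogOnUri)" }

Write-Host "Domain $domain is federated with Identity Server at $baseUrl (signing thumbprint $($cert.Thumbprint))"
```

The certificate passed as -SigningCertificate is the trust anchor for the whole domain: any token signed with its private key is accepted by Office 365 for any user in the domain, so the key must stay on Identity Server and the .cer file you export must be the public certificate only. The -IssuerUri value must match the issuer Identity Server places in its tokens exactly, or Office 365 rejects every sign-in. When the signing certificate is rotated later, Set-MsolDomainAuthentication also accepts -NextSigningCertificate so the replacement can be staged before Identity Server switches to it.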

13.2.3 Verifying Single Sign-On Access

You need at least one Office 365 user to verify that single sign-on is set up. If you have an existing user, ensure that the Immutable ID matches the GUID of the Access Manager user.

For example, if your user store is eDirectory and you want to retrieve the GUID of an existing Access Manager user, run the following command on the eDirectory server terminal:

ldapsearch -D "<bind DN>" -w <password> -b "<search base>" "(cn=<name of the user>)" GUID | grep GUID

Where -D is the DN to bind as, -w is the password for that DN, and -b is the search base. The filter selects the user whose GUID you need. The GUID attribute is binary, so ldapsearch prints it base64 encoded and marks it with a double colon (GUID:: ...). Passing the password with -w exposes it in the process list and shell history; use -W to be prompted instead if your ldapsearch supports it.

Create an Office 365 user with this GUID as the Immutable ID by running the following command in PowerShell:

New-MsolUser -UserPrincipalName "user1@<domain name>" -ImmutableId "<GUID of user1>" -LastName "<last name of user1>" -FirstName "user1" -DisplayName "user1 users" -BlockCredential $false -LicenseAssignment "testdomain:ENTERPRISEPACK" -UsageLocation "<two-letter country code, for example US, IN, DE, BE, or GB>" -Password "<password of the user>"
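The GUID lookup and the user creation as one script, with the checks a practitioner wants before creating the account. This is an added example, not a script from the Access Manager documentation. It parses the GUID out of the ldapsearch output, refuses an Immutable ID that another account already holds, checks that the license SKU exists in the tenant, creates the user, and reads the account back to confirm the stored Immutable ID. It assumes Connect-MsolService has already been run, that the SKU name is namtest:ENTERPRISEPACK (hypothetical, tenant names differ), and that the ldapsearch output lines are constructed sample data. Because the domain is federated, the user authenticates at Identity Server, so the example does not set a cloud password.

```powershell
# Added example (not from the Access Manager documentation): create an Office 365 user
# whose ImmutableId is the eDirectory GUID of the matching Access Manager user.
# Assumptions: Connect-MsolService already run; SKU name and ldapsearch lines are
# hypothetical/constructed.

# Constructed sample of the lines "ldapsearch ... GUID | grep GUID" prints for user1.
# ldapsearch base64-encodes binary attributes and marks them with "::".
$ldapOutput = @(
    "dn: cn=user1,ou=users,o=namtest",
    "GUID:: 1sT8Sm2oQ0iHFXp7wP0qZw=="
)

function Get-GuidFromLdapOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Accept both "GUID:: <base64>" (binary) and "GUID: <value>" (already textual).
        if ($line -match '^GUID::?\s+(\S+)\s*$') { return $Matches[1] }
    }
    throw "No GUID attribute found in ldapsearch output"
}

$immutableId = Get-GuidFromLdapOutput $ldapOutput
$upn = "user1@namtest.com"

# Office 365 maps the token from Identity Server to an account by ImmutableId, so the
# value must belong to exactly one account. Refuse to reuse one that already exists.
$existing = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }
if ($existing) {
    throw "ImmutableId $immutableId already belongs to $($existing.UserPrincipalName)"
}

# The SKU name is tenant-specific; check it exists before assigning it.
$sku = "namtest:ENTERPRISEPACK"   # hypothetical SKU name
if (-not (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $sku })) {
    throw "License SKU $sku not found in this tenant"
}

New-MsolUser -UserPrincipalName $upn -ImmutableId $immutableId `
    -FirstName "user1" -LastName "Test" -DisplayName "user1 users" `
    -UsageLocation "IN" -LicenseAssignment $sku -BlockCredential $false | Out-Null

# Read the account back; the stored value must be byte-for-byte what Identity Server
# sends in the token, so compare case-sensitively.
$created = Get-MsolUser -UserPrincipalName $upn
if ($created.ImmutableId -cne $immutableId) {
    throw "ImmutableId mismatch: tenant stored '$($created.ImmutableId)', expected '$immutableId'"
}
Write-Host "Created $upn with ImmutableId $immutableId"
```

The value you pass as -ImmutableId must be exactly the string Identity Server places in the ImmutableID claim of the token. Whether that is the base64 form ldapsearch prints or another encoding depends on how the attribute is mapped on the Identity Server side, so if the first sign-in fails, compare the claim in a captured token with the value stored in the tenant before changing anything else.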

To verify that single sign-on is set up correctly, perform the following steps on a workstation that is not joined to the domain:

  1. Go to Microsoft Online Services.

  2. Log in with your corporate credentials.

    For example, user1@digitalairlines.com

    If single sign-on is enabled, the password field is disabled and the following message is displayed:

    You are now required to Sign in at <your company>.

  3. Click the Sign in at <your company> link. If you are able to sign in without errors, single sign-on is set up successfully.