12.13 Configuring Integration with Office 365 without Using ADFS

This section provides the configuration information for integrating Advanced Authentication with Microsoft Office 365. This integration allows users to log in to Office 365 by using their corporate password. During authentication, the specified password is validated against the federated on-premises Active Directory.

To configure the Advanced Authentication integration with Office 365 using SAML 2.0, perform the tasks described in the following sections.

Before you begin the integration, ensure that you have downloaded the Office 365 SAML metadata from Microsoft Online Service.

12.13.1 Configuring the Advanced Authentication SAML 2.0 Event

  1. Log in to the Advanced Authentication Administration portal.

  2. Click Events > Add.

  3. Create an event with the following parameters:

    • Name: Office365

    • Event Type: SAML 2

    • Chains: Select the preferred chains

    • Perform one of the following to import the metadata:

      • Paste the content of the file https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml into SP SAML 2.0 meta data.

        Or

      • Click Browse and upload the saved XML file.

    • Set Send ImmutableId (User objectId) as NameID (required for Microsoft Office 365) to ON. This is required for integration with Microsoft Office 365 without ADFS: Office 365 matches the NameID in the SAML assertion against the ImmutableId that directory synchronization populates from the objectGUID source anchor, so the IdP must send that identifier rather than the user name.

  4. Click Save.

12.13.2 Obtaining the Metadata of Advanced Authentication

  1. Click Policies > Web Authentication in the Advanced Authentication Administration portal.

  2. Set the Identity Provider URL to https://AdvancedAuthenticationServerAddress/, replacing AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

  3. Click Download IdP SAML 2.0 Metadata.

    You must open the file as an XML file.

    NOTE: If a response beginning with {"Fault":{ ... is displayed instead of the metadata, you must verify the configuration.

  4. Click Save.

12.13.3 Enabling Single Sign-On to Office 365

You must add a custom domain to Office 365 to federate your Office 365 tenant with Advanced Authentication as the external identity provider. You cannot federate your onmicrosoft.com domain, and you cannot set the custom domain that you have added to Office 365 as the default domain.

To enable single sign-on to Office 365 perform the following tasks:

Enabling Directory Synchronization in Office 365

  1. Log in to the Office 365 Identity Federation Setup page as the tenant administrator. We recommend that you follow and complete the ten steps described on that page to achieve SSO.

  2. Review and prepare for SSO as described in step 1 of the Identity Federation Setup page.

  3. Skip step 2 to integrate without AD FS.

    NOTE: In this integration, you do not need to deploy AD FS. Advanced Authentication replaces AD FS and acts as the Security Token Service (STS) for SSO. Make a note of the UPN requirements for SSO.

  4. Do not install the Windows Azure Active Directory Federation Services 2.0 as described in step 3. Instead, install the Microsoft Online Services Sign-in Assistant on a computer joined to your AD domain, and then open PowerShell and run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell:

    Install-Module MSOnline

    For more information about Office 365 PowerShell, see Connect to Office 365 PowerShell.

  5. Review the prerequisites for Active Directory synchronization and activate Active Directory synchronization for your domain, as described in steps 5 and 6.

  6. Install and configure the Directory Sync tool on the same server where you have installed the Microsoft Azure Active Directory Module for Windows PowerShell.

  7. Launch Azure Active Directory Connect.

  8. In the Express settings page, click Custom Settings.

  9. In the User sign-in page, select Do not configure as Sign On method.

  10. In the Identifying Users page, select objectGUID in the Source Anchor list.

  11. Verify the Active Directory Synchronization and activate the Office 365 licensing for unlicensed but synchronized users.

Enabling Active Directory Federation to Office 365 using Advanced Authentication

  1. Log in to the domain-joined computer where you have installed the following components:

    • Microsoft Online Services Sign-in Assistant

    • Microsoft Azure Active Directory Module for Windows PowerShell

    • Azure AD Connect tool

  2. Launch Windows PowerShell and then run the following command to connect to your Office 365 tenant:

    Connect-MsolService

  3. Run the following command to verify whether your Office 365 domain is federated:

    Get-MsolDomain -DomainName samplecompany.365domain.com

    If the authentication type of your Office 365 domain is Federated, you must convert it to Managed by using the following command:

    Set-MsolDomainAuthentication -DomainName samplecompany.365domain.com -Authentication Managed

  4. Set the identity provider details in the PowerShell variables as follows:

    • $domainname="fully_qualified_domain_name"

      For example, $domainname="samplecompany.365domain.com"

    • $IssuerUri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata"

    • $PassiveLogOnUri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso"

    • $LogOffUri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/slo"

    • $protocol="SAMLP"

    • $cert="<place the signing certificate here>"

      The value is the Base64-encoded signing certificate of your Advanced Authentication server (the X509Certificate value in the IdP SAML 2.0 metadata downloaded in 12.13.2), on a single line without the BEGIN/END markers.
  5. Run the following command to convert your Office 365 domain to Federated authentication:

    Set-MsolDomainAuthentication -DomainName $domainname -Authentication Federated -PassiveLogOnUri $PassiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PreferredAuthenticationProtocol $protocol -SigningCertificate $cert

  6. Run the following command to verify the federation settings of your Office 365 domain:

    Get-MsolDomainFederationSettings -DomainName samplecompany.365domain.com
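The following script is an added example, not code from the Advanced Authentication documentation or from Micro Focus; it performs steps 2 to 6 above in one pass, reading the signing certificate and endpoints from the IdP metadata downloaded in 12.13.2 instead of pasting them by hand. It assumes the metadata was saved at C:\aa\idp-metadata.xml, uses the sample domain samplecompany.365domain.com from this page, and assumes the metadata's entityID equals the $IssuerUri shown above (it warns if not).

```powershell
# Added example (not part of the Advanced Authentication documentation): automates steps 2 to 6 above.
# Assumptions: the IdP metadata from 12.13.2 is saved at C:\aa\idp-metadata.xml (assumed path), the custom
# domain is samplecompany.365domain.com, and the MSOnline module is installed (Install-Module MSOnline).
$MetadataPath = 'C:\aa\idp-metadata.xml'
$DomainName   = 'samplecompany.365domain.com'
$AAServer     = 'AdvancedAuthenticationServerAddress'

# Reject the JSON fault body mentioned in 12.13.2 before trying to parse the file as XML.
$raw = Get-Content -Path $MetadataPath -Raw
if ($raw.TrimStart().StartsWith('{"Fault"')) {
    throw 'The metadata download returned a fault instead of XML; check Policies > Web Authentication.'
}
[xml]$md = $raw

# Take the signing certificate and endpoints from the metadata itself, so Office 365 is told exactly
# what the IdP signs with and where its SSO and SLO endpoints are (local-name access ignores prefixes).
$idp        = $md.EntityDescriptor.IDPSSODescriptor
$signingKey = @($idp.KeyDescriptor) | Where-Object { $_.use -eq 'signing' -or -not $_.use } | Select-Object -First 1
$cert       = $signingKey.KeyInfo.X509Data.X509Certificate -replace '\s', ''   # Base64 on one line
if (-not $cert) { throw 'No signing certificate found in the IdP metadata.' }
$IssuerUri       = $md.EntityDescriptor.entityID
$PassiveLogOnUri = (@($idp.SingleSignOnService) | Where-Object { $_.Binding -like '*HTTP-POST' } | Select-Object -First 1).Location
$LogOffUri       = (@($idp.SingleLogoutService) | Select-Object -First 1).Location

# Cross-check against the IssuerUri the procedure expects; the Issuer in every assertion must equal it.
$expectedIssuer = "https://$AAServer/osp/a/TOP/auth/saml2/metadata"
if ($IssuerUri -ne $expectedIssuer) {
    Write-Warning "entityID '$IssuerUri' differs from expected '$expectedIssuer'."
}

# Connect, and convert a domain that is still Federated (to another IdP) back to Managed first (step 3).
Connect-MsolService
if ((Get-MsolDomain -DomainName $DomainName).Authentication -eq 'Federated') {
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

# Federate the domain with Advanced Authentication as the SAML 2.0 identity provider (step 5).
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -IssuerUri $IssuerUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri `
    -PreferredAuthenticationProtocol SAMLP -SigningCertificate $cert

# Read the settings back (step 6) and confirm the stored certificate is the one from the metadata.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if ($fed.SigningCertificate -ne $cert) {
    Write-Warning 'The signing certificate stored in Office 365 does not match the IdP metadata.'
}
$fed | Format-List IssuerUri, PassiveLogOnUri, LogOffUri
```

Because the certificate Office 365 uses to verify assertions is taken from the metadata rather than typed in, the script also catches a stale value after the Advanced Authentication signing certificate is renewed.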

12.13.4 Verifying Single Sign-On to Office 365

  1. On the Microsoft Office page, log in with your credentials.

    The page redirects to the Advanced Authentication SAML Login page.

  2. Select the preferred chain for authentication.

    You must pass all methods in the chain to authenticate successfully.