This section provides the configuration information for integrating Advanced Authentication with Microsoft Office 365. With this integration, users log in to Office 365 with their corporate credentials, and the password entered during authentication is validated against the federated on-premises Active Directory rather than being stored in the cloud tenant.
To configure the Advanced Authentication integration with Office 365 using SAML 2.0, perform the following tasks:
Before you start, download the Office 365 SAML 2.0 metadata from Microsoft Online Services (the federation metadata URL is given in the import step below).
Log in to the Advanced Authentication Administration portal.
Click Events > Add.
Create an event with the following parameters:
Name: Office365
Event Type: SAML 2
Chains: Select the preferred chains
Perform one of the following to import the metadata:
Paste the content of https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml into SP SAML 2.0 metadata.
Or
Click Browse and upload the saved XML file.
Set Send ImmutableId (User objectId) as NameID (required for Microsoft Office 365) to ON. This is required for integration with Microsoft Office 365 without AD FS: Office 365 identifies the signed-in user by matching the NameID in the SAML assertion against the ImmutableId of the synchronized user, so any other NameID format does not resolve to an account.
Click Save.
Click Policies > Web Authentication in the Advanced Authentication Administration portal.
Set the Identity Provider URL to https://AdvancedAuthenticationServerAddress/, replacing AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server. This value is the base of the issuer, sign-in and sign-out URLs that you later register in Office 365, so use the fully qualified DNS name that users' browsers can reach, not an internal address.
Click Download IdP SAML 2.0 Metadata.
Open the downloaded file as XML and confirm that it is a SAML 2.0 EntityDescriptor.
NOTE: If the file contains a JSON error starting with {"Fault":{ instead of XML, the Web Authentication configuration is wrong; verify the settings and download the metadata again.
Click Save.
You must add a custom domain to Office 365 in order to federate your Office 365 tenant with Advanced Authentication as the external identity provider. You cannot federate your onmicrosoft.com domain, and you cannot set the custom domain that you have added to Office 365 as the default domain of the tenant.
To enable single sign-on to Office 365, perform the following tasks:
Log in to the Office 365 Identity Federation Setup page as the tenant administrator. We recommend that you follow and complete the ten steps described there to achieve SSO.
Review and prepare for SSO as described in step 1 of the Identity Federation Setup page.
Skip step 2 to integrate without AD FS.
NOTE: In this integration you do not deploy AD FS. Advanced Authentication replaces AD FS and acts as the Security Token Service (STS) for SSO. Note the UPN requirements for SSO: Office 365 routes authentication by the domain part of the user name, so the user principal name of every user who signs in through SSO must end in the custom domain that you federate.
Do not install Active Directory Federation Services 2.0 as described in step 3. Instead, install the Microsoft Online Services Sign-in Assistant on a computer joined to your AD domain, then open PowerShell and run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell (the MSOnline module):
Install-Module MSOnline
For more information about Office 365 PowerShell, see Connect to Office 365 PowerShell.
Review the prerequisites for Active Directory synchronization and activate Active Directory synchronization for your domain as described in steps 5 and 6.
Install and configure the Directory Sync tool on the same server where you have installed the Microsoft Azure Active Directory Module for Windows PowerShell.
Launch Azure Active Directory Connect.
In the Express settings page, click Custom Settings.
In the User sign-in page, select Do not configure as the sign-on method, because sign-in is handled by Advanced Authentication through the federation that you configure later.
In the Identifying Users page, select objectGUID as the Source Anchor. The source anchor is the attribute that becomes the ImmutableId in Office 365, so it must be the same value that Advanced Authentication sends as the NameID.
Verify Active Directory synchronization and assign Office 365 licenses to the synchronized users that are not yet licensed.
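Before the domain is federated, it is worth confirming that the identity binding actually lines up for a few synchronized users: the ImmutableId that directory synchronization wrote to the tenant must equal the Base64 form of the on-premises objectGUID, because that is the value Advanced Authentication sends as the SAML NameID, and the UPN suffix must be the domain that will be federated. The following script is an added example, not part of the vendor documentation; it assumes the ActiveDirectory (RSAT) and MSOnline modules are installed, that Connect-MsolService has already been run, and the user names in the usage line are constructed sample input.

```powershell
# Added example, not vendor code. Assumes ActiveDirectory and MSOnline modules
# are installed and Connect-MsolService has been run in this session.
# With objectGUID as the Azure AD Connect Source Anchor, the tenant ImmutableId
# is Base64(objectGUID bytes); that is also what the IdP sends as the NameID.
function Test-ImmutableIdBinding {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [Parameter(Mandatory)][string]$FederatedDomain
    )
    foreach ($upn in $UserPrincipalName) {
        # On-premises side: objectGUID is a [Guid]; Base64 of its 16 bytes is the ImmutableId format.
        $adUser   = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        $expected = if ($adUser) { [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray()) } else { $null }

        # Cloud side: Get-MsolUser throws when the user has not been synchronized yet.
        try   { $cloud = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop }
        catch { $cloud = $null }

        $suffixOk = $upn.ToLowerInvariant().EndsWith("@" + $FederatedDomain.ToLowerInvariant())

        [pscustomobject]@{
            UserPrincipalName = $upn
            InFederatedDomain = $suffixOk
            OnPremImmutableId = $expected
            CloudImmutableId  = if ($cloud) { $cloud.ImmutableId } else { $null }
            ImmutableIdMatch  = ($null -ne $cloud) -and ($null -ne $expected) -and ($cloud.ImmutableId -eq $expected)
            IsLicensed        = if ($cloud) { [bool]$cloud.IsLicensed } else { $false }
        }
    }
}

# Usage with constructed sample users: every row must show InFederatedDomain,
# ImmutableIdMatch and IsLicensed as True before the domain is converted to Federated.
Test-ImmutableIdBinding -UserPrincipalName "alice@samplecompany.365domain.com", "bob@samplecompany.365domain.com" `
    -FederatedDomain "samplecompany.365domain.com" | Format-Table -AutoSize
```

A row with a missing CloudImmutableId means synchronization has not created the user yet; a mismatch between the two ImmutableId columns usually means the Source Anchor was changed after the first synchronization, and such users will be rejected at sign-in even though the SAML response itself is valid.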
Log in to the domain-joined computer where you have installed the following components:
Microsoft Online Services Sign-in Assistant
Microsoft Azure Active Directory Module for Windows PowerShell
Azure AD Connect tool
Launch Windows PowerShell and run the following command to connect to your Office 365 tenant:
Connect-MsolService
Run the following command to check whether your Office 365 domain is federated (the Authentication property shows Managed or Federated):
Get-MsolDomain -DomainName samplecompany.365domain.com
If the authentication type of your Office 365 domain is already Federated, convert it to Managed with the following command before you set the new federation settings. While the domain is Managed, its users are not redirected to the identity provider and must use cloud credentials, so schedule this step accordingly:
Set-MsolDomainAuthentication -DomainName samplecompany.365domain.com -Authentication Managed
Set the identity provider details in the PowerShell variables as follows:
$domainname="fully_qualified_domain_name"
For example, $domainname="samplecompany.365domain.com"
$IssuerUri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata"
$PassiveLogOnUri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso"
$LogOffUri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/slo"
$protocol="SAMLP"
$cert="<Base64 signing certificate of your Advanced Authentication server, as one line with no spaces or line breaks>"
This value is the content of the <ds:X509Certificate> element in the IdP SAML 2.0 metadata that you downloaded from the Web Authentication policy. Office 365 uses it to verify the signature of every SAML response from Advanced Authentication, so a certificate that does not match the one the server signs with causes every federated login to fail, and the federation settings must be updated whenever the signing certificate is replaced. The certificate below is the one given in the vendor documentation; use it only if it is identical to the certificate in your downloaded metadata, otherwise use the value from your metadata:
$cert="MIIDczCCAlugAwIBAgIEHfhpIDANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJ1czENMAsGA1UECBMEdXRhaDEOMAwGA1UEBxMFcHJvdm8xFzAVBgNVBAoTDk1pY3JvZm9jdXMgSW5jMREwDwYDVQQLEwhzZWN1cml0eTEQMA4GA1UEAxMHd2ViYXV0aDAeFw0xOTAyMDUxMzQzNDhaFw0yOTAyMDIxMzQzNDhaMGoxCzAJBgNVBAYTAnVzMQ0wCwYDVQQIEwR1dGFoMQ4wDAYDVQQHEwVwcm92bzEXMBUGA1UEChMOTWljcm9mb2N1cyBJbmMxETAPBgNVBAsTCHNlY3VyaXR5MRAwDgYDVQQDEwd3ZWJhdXRoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmQ89L/qZAvdSxvVERU9O6g54nRkFVJaZ5sxdrNsckAkqy7k1hzCnEOejWxFepmj0ul6cAHxcMWX1TfnljRNy/OpP4+TJnMhSbKBHY6Png4S7UEfNr1Djqvq9XDCa6OZrxZXpdDpZAA42tX3sb565I33MsmTKeryiFN0GD4KxyqxiRIahjFtAMT9osHrg3RcxmyOSCev2gCjuiT3Bk2GvCtsNcgFlV7bqQmtV5ERW16dqRdR9/i/L1MSrWB+QkatE/gczWHGzM+drT01cQkwauEo1yK3S/DFHNSYgtV4uc3yKZwzn/1dHKYuX8BDRg04bCCKse2hqd/m4CP0G695aaQIDAQABoyEwHzAdBgNVHQ4EFgQUQJNrW+25YWx6oIG+p9xsREpEYWcwDQYJKoZIhvcNAQELBQADggEBAGQ8/KA7XSxfjK4WdU1HZMn8w7kYLtjMTYEY9D1vpSEmsw8si+uH3ZEfIcxkkpnvq7GKLtmErXPJ6j6a9esJjHc0I3LMMRK0xg5tjdh2sXbJm2MForiQvzoonHK2Uf72ODgbCdhqPN3kkgwPBxXJxhdncALOT/h1IVTp/aop/UZmvJQkcbgRvSZaptz2r/waOLaOCeladPvdQKsMTZMmPdfjW1xWVMa6CX7ERCcxeKFWWcCcceepoZd+BPHB9Vuzr+59o2cydCU0x/OlnHrcsvUx4Wl1GmB3r6NdpvEJszdbsNkV+rczAz0rlhcKTJq3mQzKSMRZXeB9SQ1GorEoEy0="
Run the following command to convert your Office 365 domain to Federated authentication (the variable names match the ones set above):
Set-MsolDomainAuthentication -DomainName $domainname -Authentication Federated -PassiveLogOnUri $PassiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PreferredAuthenticationProtocol $protocol -SigningCertificate $cert
Run the following command to verify the federation settings of your Office 365 domain, and check that IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol and SigningCertificate are exactly the values you set:
Get-MsolDomainFederationSettings -DomainName samplecompany.365domain.com
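The federation steps above type the issuer, endpoints and signing certificate by hand, which is where mismatches usually creep in. The script below is an added example, not part of the vendor documentation: it reads those values from the IdP SAML 2.0 metadata downloaded from the Web Authentication policy, detects the JSON fault case, inspects the certificate's expiry, performs the Managed-then-Federated conversion with the same cmdlets the page uses, and verifies that the tenant now holds the certificate the IdP signs with. It assumes the MSOnline module is installed, Connect-MsolService has already been run, and the metadata was saved at the hypothetical path C:\temp\idp-metadata.xml.

```powershell
# Added example, not vendor code. Assumes MSOnline is installed, Connect-MsolService
# has been run, and the IdP metadata from the Web Authentication policy was saved
# at $MetadataPath (hypothetical path).
$DomainName   = "samplecompany.365domain.com"
$MetadataPath = "C:\temp\idp-metadata.xml"

$raw = Get-Content -Path $MetadataPath -Raw
if ($raw.TrimStart().StartsWith('{"Fault"')) {
    throw "The download is a JSON fault, not metadata; verify the Web Authentication policy and download again"
}
[xml]$md = $raw

# Namespace-aware XPath: SAML metadata and XML-Signature namespaces.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entity = $md.SelectSingleNode("/md:EntityDescriptor", $ns)
if (-not $entity) { throw "Not a SAML 2.0 EntityDescriptor: $MetadataPath" }
$idp = $entity.SelectSingleNode("md:IDPSSODescriptor", $ns)
if (-not $idp) { throw "Metadata contains no IDPSSODescriptor" }

# Azure AD sends its AuthnRequest with HTTP-Redirect, so prefer that binding and
# fall back to whatever endpoint the IdP publishes.
$redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
$sso = $idp.SelectSingleNode(("md:SingleSignOnService[@Binding='{0}']" -f $redirect), $ns)
if (-not $sso) { $sso = $idp.SelectSingleNode("md:SingleSignOnService", $ns) }
$slo = $idp.SelectSingleNode(("md:SingleLogoutService[@Binding='{0}']" -f $redirect), $ns)
if (-not $slo) { $slo = $idp.SelectSingleNode("md:SingleLogoutService", $ns) }
if (-not $sso -or -not $slo) { throw "Metadata lacks SingleSignOnService or SingleLogoutService" }

# Signing certificate: KeyDescriptor with use="signing" (or no use attribute at all).
$certNode = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if (-not $certNode) { throw "Metadata contains no signing certificate" }
$SigningCert = $certNode.InnerText -replace '\s', ''   # one line, no whitespace

$IssuerUri       = $entity.GetAttribute("entityID")
$PassiveLogOnUri = $sso.GetAttribute("Location")
$LogOffUri       = $slo.GetAttribute("Location")

# Inspect the certificate before a whole domain starts trusting it.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($SigningCert))
if ($x509.NotAfter -lt (Get-Date)) { throw "IdP signing certificate expired on $($x509.NotAfter)" }
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IdP signing certificate $($x509.Thumbprint) expires on $($x509.NotAfter); plan the rotation"
}

# Full federation settings can only be applied to a Managed domain.
if ((Get-MsolDomain -DomainName $DomainName).Authentication -eq "Federated") {
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -IssuerUri $IssuerUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri `
    -PreferredAuthenticationProtocol SAMLP -SigningCertificate $SigningCert

# Verify: the tenant must now hold exactly the certificate the IdP signs with.
$settings   = Get-MsolDomainFederationSettings -DomainName $DomainName
$tenantCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($settings.SigningCertificate))
if ($tenantCert.Thumbprint -ne $x509.Thumbprint) {
    throw "Tenant signing certificate $($tenantCert.Thumbprint) does not match IdP metadata $($x509.Thumbprint)"
}
if ($settings.IssuerUri -ne $IssuerUri) { throw "Tenant IssuerUri $($settings.IssuerUri) differs from metadata entityID $IssuerUri" }
"Domain $DomainName federated to $IssuerUri; signing certificate $($x509.Subject), thumbprint $($x509.Thumbprint), valid until $($x509.NotAfter)"
```

Keep the thumbprint that the script prints: when the Advanced Authentication signing certificate is later replaced, re-run the script (or Set-MsolDomainFederationSettings with the new certificate) before the old one expires, otherwise Office 365 rejects every SAML response as unsigned by a trusted issuer.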
Open the Microsoft Office 365 sign-in page and enter the user name of a synchronized user in the federated domain.
The page redirects to the Advanced Authentication SAML Login page.
Select the preferred chain for authentication and complete each of its methods.
Authentication succeeds only when every method in the chain is passed; a failure at any method means no SAML assertion is issued to Office 365.