27.11 Configuring Integration with Office 365

This section provides the configuration information for integrating Advanced Authentication with Office 365. This integration secures sign-in to Office 365 with Advanced Authentication.

The following diagram represents integration of Advanced Authentication with Office 365.

To configure the integration of Advanced Authentication with Office 365, perform the following tasks:

Ensure that the following requirements are met:

  • ADFS v4.0, Domain Controller, and other components must be configured to work with Microsoft Office 365.

27.11.1 Configuring Advanced Authentication SAML 2.0 Event

  1. Open the Advanced Authentication Administration portal.

  2. Click Events > Add to add a new event.

  3. Create an event with the following parameters:

    • Name: Office 365

    • Event Type: SAML 2.0

    • Chains: Select the required chains.

    • Paste the content of the file https://<adfs_hostname>/FederationMetadata/2007-06/FederationMetadata.xml into SP SAML 2.0 metadata.

      Or

      Click Browse and upload the saved XML file.

    • Set Send ImmutableId (User objectId) as NameID (required for Microsoft Office 365) to ON. This is required for integration with Microsoft Office 365.

    NOTE: Verify that you can access the file in your browser. If the file is not displayed, there is an issue with ADFS that you must resolve before continuing.

  4. Click Save.

  5. Click Policies > Web Authentication.

  6. Set the External URL to https://AdvancedAuthenticationServerAddress/, replacing AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

    NOTE: To use multiple Advanced Authentication servers with SAML 2.0, you must do the following:

    1. Configure an external load balancer.

    2. Specify the address in External URL instead of specifying an address of a single Advanced Authentication server.

  7. Click Download IdP SAML 2.0 Metadata.

    Open the downloaded file and verify that it is displayed as an XML document.

    NOTE: If a response beginning with {"Fault":{... is displayed instead of the XML metadata, verify the configuration.

  8. Click Save.
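Both metadata files exchanged in this procedure (the ADFS FederationMetadata.xml pasted in step 3 and the IdP SAML 2.0 metadata downloaded in step 7) should be checked before use. The following is an added example, not code from the Advanced Authentication product or its documentation; it distinguishes the JSON fault body from real metadata, confirms the document is well-formed SAML 2.0 metadata, and flags missing signing certificates and non-HTTPS endpoints. The sample metadata and fault body are constructed stand-ins, not output from a real tenant.

```python
import json
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample in the shape of an ADFS FederationMetadata.xml (not a real host or certificate).
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
# Constructed stand-in for the JSON fault body the IdP metadata URL returns when the event is misconfigured.
SAMPLE_FAULT = b'{"Fault":{"Reason":"constructed example"}}'


def inspect_metadata(raw: bytes) -> dict:
    """Summarise a SAML 2.0 metadata document, or say why it is unusable."""
    text = raw.lstrip()
    if text.startswith(b"{"):  # JSON instead of XML: the endpoint reported an error
        return {"ok": False, "reason": "fault response", "body": text[:200].decode(errors="replace")}
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return {"ok": False, "reason": f"not well-formed XML: {exc}"}
    if root.tag != MD + "EntityDescriptor":
        return {"ok": False, "reason": f"unexpected root element {root.tag}"}
    summary = {"ok": True, "entityID": root.get("entityID"), "roles": [],
               "endpoints": [], "signing_certs": 0, "warnings": []}
    for role, endpoint in ((MD + "IDPSSODescriptor", MD + "SingleSignOnService"),
                           (MD + "SPSSODescriptor", MD + "AssertionConsumerService")):
        for desc in root.iter(role):
            summary["roles"].append(role[len(MD):])
            # A KeyDescriptor without a "use" attribute serves both signing and encryption.
            summary["signing_certs"] += sum(
                1 for kd in desc.iter(MD + "KeyDescriptor")
                if kd.get("use", "signing") == "signing" and kd.find(f".//{DS}X509Certificate") is not None)
            for ep in desc.iter(endpoint):
                loc = ep.get("Location", "")
                summary["endpoints"].append((ep.get("Binding"), loc))
                if not loc.startswith("https://"):  # the entityID may be http://, endpoints must not be
                    summary["warnings"].append(f"non-HTTPS endpoint: {loc}")
    if not summary["roles"]:
        return {"ok": False, "reason": "no IDPSSODescriptor or SPSSODescriptor found"}
    if summary["signing_certs"] == 0:
        summary["warnings"].append("no signing certificate: signed SAML messages cannot be verified")
    return summary
```

Run inspect_metadata on the bytes read from either file (or fetched from the metadata URL) and refuse to continue the configuration when ok is False or warnings is non-empty.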

27.11.2 Making the Corresponding Changes in ADFS

  1. Open the ADFS management console.

  2. Click Claims Provider Trusts > Add Claims Provider Trust.

  3. Click Start in the Add Claims Provider Trust Wizard.

  4. Click Import data about the claims provider from a file in the Select Data Source tab.

  5. Browse to the Federation metadata file.

    You can download the Federation metadata from the Advanced Authentication metadata URL: https://<aaf-server>/osp/a/TOP/auth/saml2/metadata.

  6. Click Next.

  7. Specify the Display name.

  8. Click Next.

  9. Select Open the Edit Claim Rules dialog for this claims provider when the wizard closes.

  10. Click Close.

  11. Right-click the Display name and click Edit Claim Rules.

  12. Click Add Rule.

  13. Select Send Claims Using a Custom Rule from Claim rule template in the Add Transform Claim Rule Wizard.

  14. Click Next.

  15. Specify the Claim rule name.

  16. Paste the following into Custom rule:

    c:[Type == "netbiosName"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

  17. Click OK.

  18. Launch Windows PowerShell and run the following command to connect to your Office 365 tenant:

    Connect-MsolService

  19. Run the following command to set PromptLoginBehavior to Disabled, so that Office 365 sends wfresh=0 to AD FS to request fresh authentication of federated users:

    Set-MsolDomainFederationSettings -DomainName <domain_name> -PromptLoginBehavior Disabled

27.11.3 Authenticating on Office 365

  1. Launch http://office.com/.

  2. Log in with your credentials.

  3. Select Advanced Authentication to go through the multi-factor authentication.

  4. You will be redirected to the OAuth or SAML Login page.

  5. Complete the chains specified for the event to authenticate.

You might face an issue when authenticating to the Microsoft Teams and Outlook apps on a smartphone. For the workaround, see Issue with Authenticating on Office 365.