27.13 Configuring Integration with Office 365 without Using ADFS

This section provides the configuration information about integrating Advanced Authentication with Microsoft Office 365. This integration allows users to log in to Office 365 by using their corporate password. During authentication, the specified password is validated by using the federated on-premises Active Directory.

NOTE: SAML 2.0 supports web-based clients and rich email clients. With this integration, only a limited set of clients is therefore available for single sign-on.

For example, the Microsoft Teams desktop client does not support SAML; therefore, the client cannot automatically sign in after this integration.

To configure the Advanced Authentication integration with Office 365 using SAML 2.0, perform the following tasks.

Before you begin the integration, download the Office 365 SAML metadata from Microsoft Online Services.

27.13.1 Configuring the Advanced Authentication SAML 2.0 Event

  1. Log in to the Advanced Authentication Administration portal.

  2. Click Events > Add.

  3. Create an event with the following parameters:

    • Name: Office365

    • Event Type: SAML 2

    • Chains: Select the preferred chains

    • Perform one of the following to import the metadata:

• Paste the content of the file https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml into SP SAML 2.0 meta data.

        Or

      • Click Browse and upload the saved XML file.

    • Set Send ImmutableId (User objectId) as NameID (required for Microsoft Office 365) to ON. This is required for integration with Microsoft Office 365 without ADFS.

  4. Click Save.

27.13.2 Configuring the Identity Provider URL

  1. Click Policies > Web Authentication in the Advanced Authentication Administration portal.

  2. Set the Identity Provider URL to https://AdvancedAuthenticationServerAddress/ and replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

  3. Click Save.

27.13.3 Obtaining the Signing Certificate of Advanced Authentication

  1. Click Server Options in the Advanced Authentication Administration portal.

  2. Click Signing Certificate and save the certificate content in a notepad file for later use.

27.13.4 Enabling Single Sign-On to Office 365

To federate your Office 365 tenant with Advanced Authentication as the external identity provider, you must add a custom domain to Office 365. You cannot federate your onmicrosoft.com domain. It is not recommended to set the custom domain that you have added to Office 365 as the default domain, because a domain that is set as default cannot be federated.

To enable single sign-on to Office 365, perform the following tasks:

Enabling Directory Synchronization in Office 365

  1. Log in to the Office 365 Identity Federation Setup page as the tenant administrator. We recommend that you follow and complete the ten steps described there to achieve SSO.

  2. Review and prepare for SSO as described in step 1 of the Identity Federation Setup page.

  3. Skip step 2 to integrate without AD FS.

    NOTE: In this integration, you do not need to deploy AD FS. Advanced Authentication replaces AD FS and acts as the Security Token Service (STS) for SSO. Make a note of the UPN requirements for SSO.

  4. Do not install the Windows Azure Active Directory Federation Services 2.0 as described in step 3. Instead, install the Microsoft Online Services Sign-in Assistant on a computer joined to your AD domain, then open PowerShell and run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell:

    Install-Module MSOnline

    For more information about Office 365 PowerShell, see Connect to Office 365 PowerShell.

  5. Review the prerequisites for Active Directory synchronization and activate Active Directory synchronization for your domain as described in steps 5 and 6.

  6. Install and configure the Directory Sync tool on the same server where you have installed the Microsoft Azure Active Directory Module for Windows PowerShell.

  7. Launch Azure Active Directory Connect.

  8. In the Express settings page, click Custom Settings.

  9. In the User sign-in page, select Do not configure as Sign On method.

  10. In the Identifying Users page, select objectGUID as the Source Anchor.

  11. Verify the Active Directory Synchronization and activate the Office 365 licensing for unlicensed but synchronized users.

Federating the Custom Domain using Advanced Authentication

  1. Log in to the domain-joined computer where you have installed the following components:

    • Microsoft Online Services Sign-in Assistant

    • Microsoft Azure Active Directory Module for Windows PowerShell

    • Azure AD Connect tool

  2. Launch Windows PowerShell and then run the following command to connect to your Office 365 tenant:

    Connect-MsolService

  3. Run the following command to verify whether your Office 365 domain is federated:

    Get-MsolDomain -DomainName samplecompany.com

    If the authentication type of your Office 365 domain is set to Federated, you must convert the authentication type to Managed using the following command:

    Set-MsolDomainAuthentication -DomainName samplecompany.com -Authentication Managed

  4. Set the identity provider details in the PowerShell variables as follows:

    • $dom="fully_qualified_domain_name"

      For example, $dom="samplecompany.com"

    • $uri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata"

    • $url="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso"

    • $logoutUrl="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/slo"

    • $protocol="SAMLP"

    • $cert="paste the signing certificate that you have saved in a notepad file"

  5. Run the following command to convert your Office 365 domain to Federated authentication:

    Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol $protocol -SigningCertificate $cert

  6. Run the following command to verify the federation settings of your Office 365 domain:

    Get-MsolDomainFederationSettings -DomainName samplecompany.com
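The federation steps above gathered into one PowerShell script, with a verification pass at the end, as an added example that is not part of the original documentation. It assumes the MSOnline module is installed, that Connect-MsolService has already been run, and that the saved signing certificate sits at the assumed path in $certFile (possibly still with PEM BEGIN/END lines, which the script strips).

```powershell
# Added example (not from the Advanced Authentication documentation): federates an
# Office 365 custom domain with Advanced Authentication as the SAML 2.0 identity
# provider and verifies the result. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run; replace the placeholder values.
$dom       = 'samplecompany.com'                    # custom domain (not onmicrosoft.com)
$aaServer  = 'AdvancedAuthenticationServerAddress'  # FQDN or IP of the AA server
$certFile  = 'C:\aa\signing-certificate.txt'        # saved Signing Certificate (assumed path)
$base      = "https://$aaServer/osp/a/TOP/auth/saml2"
$uri       = "$base/metadata"
$url       = "$base/sso"
$logoutUrl = "$base/slo"
$protocol  = 'SAMLP'

# -SigningCertificate takes the base64 certificate body only; assumption: the saved
# file may still contain PEM BEGIN/END lines, so drop them and any whitespace.
$lines = @(Get-Content $certFile) -notmatch '^-----'
$cert  = ($lines -join '') -replace '\s', ''

# Guard: a default domain cannot be federated, and the initial onmicrosoft.com domain never can.
$domain = Get-MsolDomain -DomainName $dom
if ($domain.IsDefault -or $domain.IsInitial) {
    throw "$dom is the default or initial domain and cannot be federated."
}

# A domain that is already Federated must be converted to Managed before re-federating.
if ($domain.Authentication -eq 'Federated') {
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
}

Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl `
    -PreferredAuthenticationProtocol $protocol -SigningCertificate $cert

# Verify: the tenant must point at the Advanced Authentication endpoints and hold the
# same signing certificate that was uploaded (compared by thumbprint, not by string).
$fed      = Get-MsolDomainFederationSettings -DomainName $dom
$x509     = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$expected = $x509::new([Convert]::FromBase64String($cert))
$actual   = $x509::new([Convert]::FromBase64String($fed.SigningCertificate))
$checks = @(
    @{ Name = 'IssuerUri';          Ok = ($fed.IssuerUri -eq $uri) }
    @{ Name = 'PassiveLogOnUri';    Ok = ($fed.PassiveLogOnUri -eq $url) }
    @{ Name = 'LogOffUri';          Ok = ($fed.LogOffUri -eq $logoutUrl) }
    @{ Name = 'Protocol';           Ok = ($fed.PreferredAuthenticationProtocol -eq $protocol) }
    @{ Name = 'SigningCertificate'; Ok = ($actual.Thumbprint -eq $expected.Thumbprint) }
)
foreach ($c in $checks) {
    '{0,-18} {1}' -f $c.Name, $(if ($c.Ok) { 'OK' } else { 'MISMATCH' })
}
```

A MISMATCH on SigningCertificate after the Advanced Authentication signing certificate has been renewed means Office 365 will reject the assertions until Set-MsolDomainAuthentication is rerun with the new certificate.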

27.13.5 Verifying Single Sign-On to Office 365

  1. On the Microsoft Office page, log in with your credentials.

    The page redirects to the Advanced Authentication SAML Login page.

  2. Select the preferred chain for authentication.

    You must pass all methods in the chain to authenticate successfully.