This section provides the configuration information about integrating Advanced Authentication with Microsoft Office 365. This integration allows users to log in to Office 365 by using their corporate password. During authentication, the specified password is validated by using the federated on-premises Active Directory.
NOTE: SAML 2.0 supports web-based clients and rich email clients. With this integration, only a limited set of clients is available for single sign-on.
For example, the Microsoft Teams desktop client does not support SAML; therefore, the client cannot automatically sign in after this integration.
To configure the Advanced Authentication integration with Office 365 using SAML 2.0, perform the following tasks:
Before you begin, download the Office 365 SAML metadata from Microsoft Online Services.
Log in to the Advanced Authentication Administration portal.
Click Events > Add.
Create an event with the following parameters:
Name: Office365
Event Type: SAML 2
Chains: Select the preferred chains
Perform one of the following to import the metadata:
Paste the content of the file https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml to SP SAML 2.0 meta data.
Or
Click Browse and upload the saved XML file.
Set Send ImmutableId (User objectId) as NameID (required for Microsoft Office 365) to ON. This is required for integration with Microsoft Office 365 without ADFS.
Click Save.
Click Policies > Web Authentication in the Advanced Authentication Administration portal.
Set the Identity Provider URL to https://AdvancedAuthenticationServerAddress/, replacing AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.
Click Save.
Click Server Options in the Advanced Authentication Administration portal.
Click Signing Certificate and save the certificate content in a notepad file for later use.
To federate your Office 365 tenant with Advanced Authentication as the external identity provider, you must add a custom domain to Office 365. You cannot federate your onmicrosoft.com domain. It is not recommended to set the custom domain that you have added to Office 365 as the default domain, because a domain that is set as the default cannot be federated.
To enable single sign-on to Office 365, perform the following tasks:
Log in to the Office 365 Identity Federation Setup page as the tenant administrator. We recommend that you follow and complete the ten described steps to achieve SSO.
Review and prepare for SSO as described in step 1 of the Identity Federation Setup page.
Skip step 2 to integrate without AD FS.
NOTE: In this integration, you do not need to deploy AD FS. Advanced Authentication replaces AD FS and acts as the Security Token Service (STS) for SSO. Make a note of the UPN requirements for SSO.
Do not install the Windows Azure Active Directory Federation Services 2.0 described in step 3. Instead, install the Microsoft Online Services Sign-in Assistant on a computer joined to your AD domain, then open PowerShell and run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell:
Install-Module MSOnline
For more information about Office 365 PowerShell, see Connect to Office 365 PowerShell.
Review the prerequisites for Active Directory synchronization and activate Active Directory synchronization for your domain as described in steps 5 and 6.
Install and configure the Directory Sync tool on the same server where you have installed the Microsoft Azure Active Directory Module for Windows PowerShell.
Launch Azure Active Directory Connect.
In the Express settings page, click Custom Settings.
In the User sign-in page, select Do not configure as the sign-on method.
In the Identifying Users page, select objectGUID as the Source Anchor.
Verify the Active Directory Synchronization and activate the Office 365 licensing for unlicensed but synchronized users.
Log in to the domain-joined computer where you have installed the following components:
Microsoft Online Services Sign-in Assistant
Microsoft Azure Active Directory Module for Windows PowerShell
Azure AD Connect tool
Launch Windows PowerShell and then run the following command to connect to your Office 365 tenant:
Connect-MsolService
Run the following command to verify whether your Office 365 domain is federated:
Get-MsolDomain -DomainName samplecompany.com
If the authentication type of your Office 365 domain is already set to Federated, you must first convert it to Managed using the following command:
Set-MsolDomainAuthentication -DomainName samplecompany.com -Authentication Managed
Set the identity provider details in the PowerShell variables as follows:
$dom="fully_qualified_domain_name"
For example, $dom="samplecompany.com"
$uri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata"
$url="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso"
$logoutUrl="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/slo"
$protocol="SAMLP"
$cert="paste the signing certificate content that you saved in the notepad file"
Run the following command to convert your Office 365 domain to Federated authentication:
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol $protocol -SigningCertificate $cert
Run the following command to verify the federation settings of your Office 365 domain:
Get-MsolDomainFederationSettings -DomainName samplecompany.com
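The PowerShell steps above, collected into one re-runnable script as an added example (this is not part of the Advanced Authentication documentation and not a script shipped with the product). It assumes three inputs that the steps leave to you: the federated domain name, the Advanced Authentication server address, and the path of the notepad file holding the signing certificate copied from Server Options. It also assumes that the saved file may contain PEM BEGIN/END lines and line breaks, which it strips so that only the base64 body is passed to -SigningCertificate. The script checks the current authentication type before federating, and after federating it reads the settings back and compares every endpoint and the certificate against what was intended, so a wrong server address or a stale certificate is caught before users are redirected to the identity provider.

```powershell
#Requires -Modules MSOnline
# Added example: federate an Office 365 domain with Advanced Authentication as the
# SAML 2.0 identity provider, then verify the result. Not product code.
param(
    [Parameter(Mandatory)] [string] $DomainName,       # e.g. samplecompany.com (assumed value)
    [Parameter(Mandatory)] [string] $AAServerAddress,  # Advanced Authentication server FQDN or IP (assumed value)
    [Parameter(Mandatory)] [string] $CertFile          # notepad file with the saved signing certificate (assumed path)
)

$ErrorActionPreference = 'Stop'

# Identity-provider endpoints, built exactly as the procedure defines them.
$base      = "https://$AAServerAddress/osp/a/TOP/auth/saml2"
$issuerUri = "$base/metadata"
$ssoUrl    = "$base/sso"
$logoutUrl = "$base/slo"

# Assumption: the saved certificate may carry PEM header/footer lines and line breaks.
# -SigningCertificate expects the base64 body only, so strip everything else.
$cert = (Get-Content -Path $CertFile -Raw) `
    -replace '-----(BEGIN|END) CERTIFICATE-----', '' `
    -replace '\s', ''
if ($cert -notmatch '^[A-Za-z0-9+/]+=*$') {
    throw "Signing certificate in $CertFile is not a base64 string"
}

Connect-MsolService

# A domain that is already Federated must be converted to Managed before it can be
# federated again with new settings.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Federated') {
    Write-Host "Domain $DomainName is currently Federated; converting to Managed first"
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

# Federate the domain with Advanced Authentication using SAML 2.0 (SAMLP).
Set-MsolDomainAuthentication -DomainName $DomainName `
    -Authentication Federated `
    -PassiveLogOnUri $ssoUrl `
    -IssuerUri $issuerUri `
    -LogOffUri $logoutUrl `
    -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $cert

# Read the settings back and compare them with what was just written.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
$checks = [ordered]@{
    IssuerUri          = ($settings.IssuerUri          -eq $issuerUri)
    PassiveLogOnUri    = ($settings.PassiveLogOnUri    -eq $ssoUrl)
    LogOffUri          = ($settings.LogOffUri          -eq $logoutUrl)
    SigningCertificate = ($settings.SigningCertificate -eq $cert)
}
foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0,-20} {1}" -f $entry.Key, $state)
}
if ($checks.Values -contains $false) {
    throw "Federation settings for $DomainName do not match the intended configuration"
}
Write-Host "Domain $DomainName is federated with $AAServerAddress"
```

Run it from the domain-joined computer where the MSOnline module is installed, for example `.\Federate-Domain.ps1 -DomainName samplecompany.com -AAServerAddress aa.samplecompany.com -CertFile .\signing-cert.txt` (the script name and argument values are assumed). Connect-MsolService prompts for the tenant administrator credentials. Keeping the read-back comparison in the script is the point of the example: the Set-MsolDomainAuthentication call succeeds even when the certificate pasted from the notepad file is the wrong one, and that error would otherwise only surface as a token-signature failure when the first user tries to sign in.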
On the Microsoft Office page, log in with your credentials.
The page redirects to the Advanced Authentication SAML Login page.
Select the preferred chain for authentication.
You must pass all methods in the chain to authenticate successfully.