3.5 Integrate Advanced Authentication and Office 365 Using AD FS

Let us assume Reltic Data, Inc. wants to implement multi-factor authentication for their Office 365 using Active Directory Federation Services (AD FS). Their employees must use the corporate email address and pass multi-factor authentication to access the Microsoft Office 365 suite.

This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this.

This example refers to the following user profiles:

  • Susan: An administrator of Reltic Data, Inc.

  • Sam: An employee of Reltic Data, Inc.

Susan, an administrator, wants to enforce multi-factor authentication with the Card and Email OTP methods for Office 365. After multi-factor authentication is implemented, Sam must authenticate with both methods to access Office 365 successfully.

3.5.1 Prerequisites

Ensure that you meet the following prerequisites:

  • The Advanced Authentication server is installed. For more information, see Installing Advanced Authentication.

  • Add the Active Directory of Reltic Data, Inc. as a repository in Advanced Authentication; user details are fetched from this repository for validation. For more information, see Add a Repository.

  • Download the federation metadata of the AD FS server (this serves as the Office 365 SAML metadata) from https://<adfs_hostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the XML file.

    In this example, https://adfs.saml.aaf-o365-int-tk/FederationMetadata/2007-06/FederationMetadata.xml.

  • Identify and obtain suitable contactless card readers and cards for employees. The employee uses the card to enroll and to authenticate to Office 365. For more information, see Supported Card Readers and Cards.

  • The Advanced Authentication Device Service is installed on the workstation. For more information, see Installing and Upgrading Device Service.

  • The parameters specific to the card reader are configured in the Device Service. For more information, see Configuring the Card Settings.
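The following PowerShell script is an added example and is not part of the NetIQ documentation. It downloads the AD FS federation metadata named in the prerequisites and inspects it before the file is uploaded to the SAML2 event: it prints the entityID that Advanced Authentication will see as the SAML service provider and lists every certificate published in the metadata with its expiry. The host name is the one used on this page; the output path is assumed.

```powershell
# Added example (not part of the NetIQ documentation): fetch and inspect the
# AD FS federation metadata before uploading it to the SAML2 event.
$AdfsHost    = 'adfs.saml.aaf-o365-int-tk'   # host name used on this page
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:TEMP 'FederationMetadata.xml'   # assumed save location

# Download over HTTPS only: the XML is later trusted as the identity of the
# service provider, so do not accept it over plain HTTP or from an e-mail attachment.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$Metadata = Get-Content -Path $OutFile -Raw
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

# The entityID must match the AD FS federation service identifier; this is the
# value Advanced Authentication stores for the service provider.
$EntityId = $Metadata.DocumentElement.GetAttribute('entityID')
Write-Host "entityID: $EntityId"

# List every certificate in the metadata with its use (signing/encryption) and
# expiry. An expired signing certificate breaks the federation with no clear error.
Select-Xml -Xml $Metadata -Namespace $ns -XPath '//md:KeyDescriptor' | ForEach-Object {
    $kd   = $_.Node
    $b64  = (Select-Xml -Xml $kd -Namespace $ns -XPath './/ds:X509Certificate' |
             Select-Object -First 1).Node.InnerText
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Use        = $kd.GetAttribute('use')
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
} | Format-Table -AutoSize
```

Run the script on any workstation that can reach the AD FS server; it needs no AD FS module. Keep the saved XML file, because it is the file uploaded in the Create SAML2 Event procedure.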

3.5.2 Administrator Tasks

Susan, the administrator, needs to perform the following tasks:

Configure Methods

  1. Log in to Advanced Authentication Administration Portal as an Administrator.

  2. Review the Card and Email OTP methods. Both work with their pre-defined settings, so no changes are required for this example.

    For more information, see Card and Email OTP.

Create a Chain

Perform the following steps to create a chain with Card and Email OTP methods:

  1. Click Chains > New Chain in the Advanced Authentication Administration portal.

  2. Specify the following details:

    Name: Specify a name for the chain.

    NOTE: Make a note of the chain name for later use. In this example, the chain is named Card+ Email OTP.

    Methods: Select the Card and Email OTP methods to add to the chain.

  3. Click Save.

Create SAML2 Event

  1. Click Events > New Event to add a new event.

  2. Specify the following details:

    Name: Specify a name for the event.

    Event type: Select SAML2.

    Chains: Select the required chains. In this example, we select the Card+ Email OTP chain.

  3. Click Choose File and upload the federation metadata XML file saved in the prerequisites.

  4. Set Send Immutable Id (User object Id) as Name ID (required for Microsoft Office 365) to ON.

  5. Click Save.

Configuring Policies

Policies contain configuration settings for the Advanced Authentication methods, events, and so on. Perform the following steps to configure the required policies:

Configuring Web Authentication Policy

  1. Click Policies > Web Authentication.

  2. Specify a valid DNS name of an Advanced Authentication server in the Identity Provider URL field.

    For example, https://caf.realticsol.cf/

  3. Click Save.

Configuring Mail Sender Policy

  1. Click Policies > Mail sender to configure the mail server used by the Email OTP method.

  2. Specify the following details:

    Host: Specify the outgoing mail server name.

    Port: Specify the port number.

    Username: Specify the username of an account that is used to send the authentication email messages.

    Password: Specify the password for the specified account.

    Sender email: Specify the email address of the sender.

  3. Click Save.

Enable Multi-Factor Authentication to Microsoft Office 365

To enable single sign-on to Office 365, perform the following tasks:

Enabling Directory Synchronization in Office 365

  1. Log in to the domain-joined computer where you have installed the following components:

    • Microsoft Online Services Sign-in Assistant.

    • Microsoft Azure Active Directory Module for Windows PowerShell.

    • Azure AD Connect tool.

  2. Launch Azure AD Connect.

  3. In Express Settings Wizard, click Use express settings.

  4. In User sign-in, select Federation with AD FS.

  5. Click Next.

  6. Specify the Azure AD global administrator credentials in Connect to Azure AD.

    Wait for the connection to Microsoft Online to complete.

  7. Click Add Directory.

  8. Select Create new AD account.

  9. Specify the enterprise credentials and click OK.

  10. In Domain/OU Filtering, do the following and click Next:

    1. Select Sync selected domains and OUs.

    2. Select only O365.

  11. In Credentials, specify the domain administrator credentials and click Next.

  12. In AD FS Farm, perform the following steps and click Next:

    1. Click Browse and select the SSL certificate file from the local drive.

    2. Specify the password for the certificate.

  13. In Federation server, add the server on which AD FS is to be installed and click Next.

  14. In Service account, specify the AD FS account credentials and click Next.

  15. In Azure AD Domain, select your domain and click Next.

  16. In Ready to Configure, click Install.

  17. Verify the Active Directory synchronization.
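The following PowerShell script is an added example and is not part of the NetIQ documentation. It performs the verification in step 17 with the Microsoft Azure Active Directory Module for Windows PowerShell (MSOnline) installed in step 1: it checks that a synchronization cycle has completed, that the Office 365 domain is federated, and that the synchronized user carries an ImmutableId that matches the on-premises objectGUID. The SAML2 event sends the immutable id as the NameID, so a missing or mismatched value means Office 365 cannot match the federated sign-in to the account. The domain name and the user principal name are assumed, and the on-premises check assumes the ActiveDirectory module (RSAT) is present on the computer.

```powershell
# Added example (not part of the NetIQ documentation): verify directory
# synchronization and federation after Azure AD Connect has finished.
Import-Module MSOnline
Connect-MsolService   # prompts for the Azure AD global administrator credentials

$Domain = 'example.com'     # assumed verified Office 365 domain
$Upn    = "sam@$Domain"     # assumed UPN of the employee in this example

# 1. Has a sync cycle completed, and when?
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime

# 2. Is the domain federated (Authentication = Federated) rather than Managed,
#    and do the federation endpoints point at the AD FS server?
Get-MsolDomain -DomainName $Domain | Select-Object Name, Status, Authentication
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# 3. Does the synchronized user exist and carry an ImmutableId? The SAML2
#    event sends the immutable id as NameID, so a user without one cannot be
#    matched after federated sign-in.
$User = Get-MsolUser -UserPrincipalName $Upn
$User | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime

# 4. Compare with on-premises AD: with the default Azure AD Connect settings the
#    ImmutableId is the base64 encoding of the user's objectGUID bytes.
Import-Module ActiveDirectory   # assumed: RSAT installed on this computer
$AdUser   = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties objectGUID
$Expected = [Convert]::ToBase64String($AdUser.objectGUID.ToByteArray())
if ($User.ImmutableId -ne $Expected) {
    Write-Warning "ImmutableId mismatch for $Upn : cloud=$($User.ImmutableId) on-prem=$Expected"
} else {
    Write-Host "ImmutableId for $Upn matches the on-premises objectGUID"
}
```

If step 2 reports Managed, the domain was not converted to federated authentication and sign-in will not be redirected to AD FS; if step 4 reports a mismatch, the user was matched to a different on-premises object than expected and the federated sign-in will fail for that account.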

Making the Corresponding Changes in ADFS

  1. Open the ADFS management console.

  2. Click Claims Provider Trusts > Add Claims Provider Trust.

  3. Click Start.

  4. Click Import data about the claims provider published online or on a local network.

  5. Specify the federation metadata address of the Advanced Authentication server.

    In this example, https://caf.realticsol.cf/osp/a/TOP/auth/saml2/metadata.

  6. Click Next.

  7. Specify the Display name.

  8. Click Next.

  9. Select Open the Edit Claim Rules dialog for this claims provider when the wizard closes.

  10. Click Close.

  11. Right-click the Display name and select Edit Claim Rules.

  12. Click Add Rule.

  13. In Claim rule template, select Send Claims Using a Custom Rule.

  14. Click Next.

  15. Specify the Claim rule name.

  16. Paste the following in Custom rule:

    c:[Type == "netbiosName"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

  17. Click OK.
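The following PowerShell script is an added example and is not part of the NetIQ documentation. It creates the same claims provider trust and acceptance transform rule as steps 1 to 17 with the AD FS PowerShell module on the AD FS server, and then prints what was stored so the identifier, signing certificate and rule set can be reviewed. The metadata URL and the rule text are the ones given on this page; the display name is assumed.

```powershell
# Added example (not part of the NetIQ documentation): create the claims
# provider trust for Advanced Authentication from its published metadata and
# attach the acceptance transform rule shown in step 16.
Import-Module ADFS

$DisplayName = 'Advanced Authentication'   # assumed display name
$MetadataUrl = 'https://caf.realticsol.cf/osp/a/TOP/auth/saml2/metadata'

# The rule takes the netbiosName claim issued by Advanced Authentication and
# re-issues it as windowsaccountname, which the Office 365 relying party
# expects. Incoming claims not matched by a rule are dropped, so nothing else
# from the identity provider reaches Office 365.
$AcceptanceRules = @'
@RuleName = "Map netbiosName to windowsaccountname"
c:[Type == "netbiosName"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

if (-not (Get-AdfsClaimsProviderTrust -Name $DisplayName -ErrorAction SilentlyContinue)) {
    # Import the trust from the published metadata so the token-signing
    # certificate and SAML endpoints come from the XML, not from typed values.
    Add-AdfsClaimsProviderTrust -Name $DisplayName -MetadataUrl $MetadataUrl `
        -AcceptanceTransformRules $AcceptanceRules
} else {
    # Trust already exists: only replace the rule set.
    Set-AdfsClaimsProviderTrust -TargetName $DisplayName `
        -AcceptanceTransformRules $AcceptanceRules
}

# Review what AD FS stored: identifier, monitoring settings, signing
# certificate expiry, and the final rule text.
$Trust = Get-AdfsClaimsProviderTrust -Name $DisplayName
$Trust | Select-Object Name, Identifier, Enabled, MonitoringEnabled, AutoUpdateEnabled
$Trust.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotAfter
$Trust.AcceptanceTransformRules
```

Run the script in an elevated PowerShell session on the AD FS server. The printed TokenSigningCertificates entry is the certificate AD FS will use to validate assertions from Advanced Authentication; confirm that it is the certificate you expect before enabling sign-in for users.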

3.5.3 End User Tasks

Sam, an employee, must perform the following actions to access Office 365.

NOTE: The Email OTP method enrolls automatically. If you need to enroll with another email ID, see Email OTP.

Enrolling Card Method

Before enrolling the Card authenticator, ensure that the card reader is connected to the computer.

  1. Log in to the Advanced Authentication Self-Service portal.

  2. Click the Card icon in Add Authenticator.

    A message Click "Save" to begin is displayed.

  3. (Optional) Specify a comment related to the Card authenticator in Comment.

  4. (Optional) Select the preferred category from the Category list.

  5. Click Save.

    A message Waiting for the card is displayed.

  6. Tap a card on the reader.

    A message Authenticator "Card" has been added is displayed.

Authenticating on Office 365

  1. Launch http://office.com/.

  2. Click Sign In.

  3. Specify the email address of the Office 365 account.

    The page redirects to the Advanced Authentication server authentication screen.

    NOTE: Ensure the card reader is plugged into the workstation.

  4. Tap the card on the reader.

  5. Check your email. You will receive an email containing an OTP.

  6. Specify the OTP received by email in Password.

  7. Click Login.