Microsoft Office 365 - WS-Federation SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2019-06-19

This article describes how to integrate Cloud Access Service (CAS) with Microsoft Office 365 using the WS-Federation SSO agent.


Configure CAS

Perform the steps in this section to configure CAS as an SSO Agent WS-Federation STS/IdP for Microsoft Office 365.
Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to Applications > Application Catalog, and search for Microsoft Office 365 STS.
  3. Click Add to add the connector.
  4. On the Basic Information page, enter a name for the Service Provider in the Name field.
  5. In the Menu Url field, replace <RP_ENTITY_ID> with your Relying Party ID, which is urn:federation:MicrosoftOnline.
  6. Take note of the WS-Federation Identity Provider (Issuer) configuration, and go to the WS-Federation Response Signature section.
  7. You must import a private/public key pair to sign and validate SAML assertions. If you don't have one readily available, follow these steps to generate a certificate bundle. Otherwise, continue to the next step.
    • Click the Generate Certificate Bundle button in the SAML Response Signature section.
    • Enter a common name for your Identity Router domain in the Common Name (CN) field.
    • Click Generate and Download, save the certificate bundle ZIP file to a secure location, and extract its contents. The ZIP file contains a private key, a public certificate and a certificate signing request.
  8. Verify the Relying Party settings and go to the Claims section.
  9. In the Claims section, configure the following claims:
    1. Claim A
      • Source > Identity Source
      • Claim Name > Immutable ID
      • Identity Source > Select the Identity Source that will be used.
      • Property > objectGUID
    2. Claim B
      • Source > Identity Source
      • Claim Name > UPN
      • Identity Source > Select the Identity Source that will be used.
      • Property > userPrincipalName
  10. Click Next Step.
  11. On the User Access page, select the Access Policy the identity router will use to determine which users can access the Microsoft O365 service provider.
  12. Click Next Step.
  13. On the Portal Display page, configure the portal display and other settings.
  14. Click Save and Finish.
  15. Click Publish Changes and wait for the operation to complete.
  16. After publishing, your application is enabled for SSO.


Configure Microsoft O365

Perform these steps to configure Microsoft Office 365.
Procedure

  1. Log in to Microsoft O365 with admin credentials at https://office.com.
  2. Click the Admin icon in the left panel.
  3. You will be redirected to the Microsoft 365 admin center.
  4. Go to Settings > Domains to verify your custom domain name.
  5. After your domain is verified, click Identity in the left panel. The Microsoft Entra admin center page opens automatically.
  6. Under Identity Settings > Domain names, ensure that the domain previously entered is listed on the custom domain names page. If not, click Add Custom Domain to verify your domain.
  7. Run Windows PowerShell as an administrator and connect to your Office 365 instance with the command below. You need to log in with your Office 365 Tenant administrator account. Note: this admin account should be in a separate domain from the one that will be federated (e.g. a member of the default domain provided by Microsoft).

Connect-MgGraph

  8. Retrieve all domains for the company (verified or unverified) to identify the domain that should be federated.

Get-MgDomain

  9. Run the following commands in a PowerShell environment. Most of the values come from the RSA CAS Authentication Service configuration section:
    1. domain: Enter the domain identified in the previous step for which you want to enable SSO.
    2. brandName: Provide a name to identify your Identity Provider (e.g., RSA – Relying Party).
    3. IssuerUri: Use the Identity Provider Entity ID configured in CAS.
    4. LogOnUri: Use the Identity Provider Entity ID configured in CAS.
    5. Protocol: Enter "saml".
    6. certData: Configure the signing certificate by following these steps:
      • Download the certificate and save it to a folder (e.g., C:\Users\my.name\Downloads).
      • Use the following PowerShell commands to read the certificate, strip the PEM header, footer and line breaks, and assign the result to the certData variable.
      • If entering the command manually, ensure the characters before r and n in "`r|`n" are backticks, not single quotes.

$cert = "C:\Users\my.name\Downloads\IDPSigningCertificate.pem"
$certData = (Get-Content -Path $cert -Raw) -replace "`r|`n|-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----", ""

  • Note: When using these variables, ensure you include the $ symbol before the variable name (e.g., $domain, $brandName, etc.).

  10. After defining the parameters, issue the following command. A successful run of the command should not return any errors.

New-MgDomainFederationConfiguration -DomainId $domain -DisplayName $brandName -SigningCertificate $certData -IssuerUri $IssuerUri -PassiveSignInUri $LogOnUri -PreferredAuthenticationProtocol $Protocol -FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp"

  11. After applying the new domain federation configuration, you will be prompted to provide the internal domain federation ID. To retrieve this value, run the following command:

Get-MgDomainFederationConfiguration -DomainId "yourdomainname.com"

This returns the internal federation ID required for the configuration process.

  12. To verify that the domain is configured successfully, run the following command with your domain name. The result must show the same values as those used in the script variables above.

Get-MgDomainFederationConfiguration -DomainId $domain | fl *
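The following script is an added example, not part of the RSA guide: it carries the procedure above through in one run, decoding the signing certificate locally before it is sent, choosing New or Update depending on whether the domain is already federated, and reading the stored configuration back to compare it with the values that were sent. It assumes an existing Connect-MgGraph session with rights to manage domains; every URI, name and path is a placeholder for your own CAS settings.

```powershell
# Added example (not from the RSA guide): federate the domain with the CAS identity
# provider, validating the signing certificate first and comparing what Entra stored
# with what was sent. All values below are placeholders for your CAS settings.
$domain    = "yourdomainname.com"
$brandName = "RSA - Relying Party"
$issuerUri = "https://idr.example.com/IdPMetadata"   # placeholder: CAS Identity Provider Entity ID
$logOnUri  = "https://idr.example.com/IdPLogin"      # placeholder: CAS passive sign-in URL
$protocol  = "saml"                                  # the value the guide uses
$certPath  = "C:\Users\my.name\Downloads\IDPSigningCertificate.pem"

# Strip the PEM armour and line breaks so only the base64 DER body remains.
$certData = (Get-Content -Path $certPath -Raw) -replace "`r|`n|-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----", ""

# Decode the certificate locally before sending it: a truncated or mis-copied value
# would otherwise configure a trust that can never validate a CAS signature.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certData))
if ($x509.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($x509.NotAfter)" }
Write-Host "Signing certificate: $($x509.Subject), thumbprint $($x509.Thumbprint), valid until $($x509.NotAfter)"

$params = @{
    DomainId                        = $domain
    DisplayName                     = $brandName
    SigningCertificate              = $certData
    IssuerUri                       = $issuerUri
    PassiveSignInUri                = $logOnUri
    PreferredAuthenticationProtocol = $protocol
    FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}

# An already-federated domain must be updated rather than re-created.
$existing = Get-MgDomainFederationConfiguration -DomainId $domain -ErrorAction SilentlyContinue
if ($existing) {
    Update-MgDomainFederationConfiguration -InternalDomainFederationId $existing.Id @params
} else {
    New-MgDomainFederationConfiguration @params
}

# Read the configuration back and compare each value sent; a mismatch means the
# federation trust points somewhere other than the intended identity router.
$actual = Get-MgDomainFederationConfiguration -DomainId $domain
foreach ($name in "IssuerUri", "PassiveSignInUri", "PreferredAuthenticationProtocol", "SigningCertificate") {
    if ($actual.$name -ne $params[$name]) { Write-Warning "$name mismatch: Entra has '$($actual.$name)'" }
    else { Write-Host "$name OK" }
}
```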


Test your application integration

  1. Go to the Office 365 Sign in page.
  2. Enter the email of a test user in the newly federated domain; you will be redirected to the Sign in portal.
  3. Enter your User ID and Password.
  4. After successful authentication, you will be redirected to your Office 365 landing page.

  • Ensure that the Microsoft Graph PowerShell SDK is installed and that all necessary permissions have been granted before running these commands.
  • Office 365 Single Sign-On (SSO) can only be enabled for domains that have been verified in Microsoft Entra ID.
  • SSO is not supported for default “onmicrosoft.com” domains provided by Microsoft.
  • If your organization doesn't yet have a custom domain for Office 365, one must be purchased to enable SSO.
  • When configuring the signing certificate in PowerShell, use the backtick character (`), typically located just to the left of the “1” key on your keyboard.
  • If you need to modify any configuration settings made in Windows PowerShell after the domain has been federated, use the command "Update-MgDomainFederationConfiguration" rather than "New-MgDomainFederationConfiguration", as the domain has already been federated.
  • All users that will be authenticated via SAML must have an ImmutableID set. Users that do not show an ImmutableID will not be able to log in using SAML. The following command lists each user with its ImmutableID:

Get-MgUser -All -Property UserPrincipalName,OnPremisesImmutableId | Select-Object UserPrincipalName,OnPremisesImmutableId 

  • You can revert to non-federated authentication by entering the following command:

Update-MgDomain -DomainId "yourdomainname.com" -BodyParameter @{AuthenticationType="Managed"}
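As an added example (not from the RSA guide), the script below turns the notes above into pre-federation checks that run before the domain is cut over: the domain must be verified and must not be the default onmicrosoft.com domain, the administrator running the commands should not sit in the domain being federated, and every user in that domain needs an ImmutableID. It assumes an existing Connect-MgGraph session with read access to domains and users; the domain name is a placeholder.

```powershell
# Added example (not from the RSA guide): readiness checks for the points listed in
# the notes above. Requires a Connect-MgGraph session; $domain is the domain to federate.
$domain = "yourdomainname.com"   # placeholder

$d = Get-MgDomain -DomainId $domain -ErrorAction Stop
if (-not $d.IsVerified)                    { throw "$domain is not verified in Entra ID; verify it before federating." }
if ($domain -like "*.onmicrosoft.com")     { throw "The default onmicrosoft.com domain cannot be federated." }
if ($d.AuthenticationType -eq "Federated") { Write-Warning "$domain is already federated; use Update-MgDomainFederationConfiguration." }

# The admin performing the federation must not sign in from the domain being federated,
# otherwise that account depends on the new IdP the moment the cutover happens.
$me = (Get-MgContext).Account
if ($me -like "*@$domain") { Write-Warning "Signed in as $me, which is in the domain being federated." }

# Every user who will sign in through CAS needs an ImmutableID to match against the
# Immutable ID claim; list the users in this domain that have none.
$missing = Get-MgUser -All -Property UserPrincipalName,OnPremisesImmutableId |
    Where-Object { $_.UserPrincipalName -like "*@$domain" -and [string]::IsNullOrEmpty($_.OnPremisesImmutableId) }
if ($missing) {
    Write-Warning "$($missing.Count) user(s) in $domain have no ImmutableID and will not be able to sign in via SSO:"
    $missing | Select-Object UserPrincipalName
} else {
    Write-Host "All users in $domain have an ImmutableID."
}
```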


The configuration is complete.