
Office 365 Integration Guide

Introduction
Use this guide to enable 2-Factor Authentication for external user access and desktop Single Sign-on (SSO) for internal user
access via WS-Federation and WS-Trust to Microsoft Office 365 web and thick applications.

Prerequisites

SecureAuth IdP Prerequisites


1. Create two (2) new realms for the Office 365 integration (Realm 1 and Realm 2)

2. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

Overview: the description of the realm and the SMTP connections must be defined
Data: an enterprise directory must be integrated with SecureAuth IdP
Workflow: the way in which users will access this application must be defined
Registration Methods: the 2-Factor Authentication methods that will be used to access this page (if any)
must be defined

Office 365 Prerequisites


1. Have an Office 365 account

2. Activate the Office 365 account and tenant (see Welcome to the new Office, Office 365 Developer Site, and Office
365 Readiness Wizard)

3. Register a valid domain with Office 365


Add a domain to Office 365
1. Log into Office 365 account with the .onmicrosoft.com admin account

2. Click Management, then Domains

3. Click Add a domain

4. Enter the Domain and click Next

5. Verify the Domain per instructions for the domain registrar

6. Select the appropriate services

7. Configure the DNS records on the domain registrar for other services


Leave the .onmicrosoft.com domain as the primary domain for the account as making the new
domain the default causes errors when using the Set-MsolDomainAuthentication command
(PowerShell Configuration)

4. Have a Microsoft Active Directory Domain Controller with the same domain suffix as that registered with Office 365
How To: Add UPN Suffixes to a Forest

5. Have Windows Identity Foundation (WIF) installed on the SecureAuth IdP appliance(s)

6. Have a domain-joined Windows Server for Directory Synchronization

7. Have a Windows Workstation or Server for Microsoft Online Services Module for Windows PowerShell

This is not required to be domain-joined

8. Have a publicly trusted SSL / signing certificate

A third-party certificate is required if using thick clients (Outlook, Lync, etc.)

SecureAuth IdP Configuration Steps


Follow these configuration steps for Realm 1

Data

1. In the Profile Fields section, map the userPrincipalName to a SecureAuth IdP Property (e.g. Aux ID 8)

2. Map the objectGUID to a SecureAuth IdP Property (e.g. Aux ID 9)

The objectGUID must be mapped to Aux ID 9 or Aux ID 10

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Workflow

3. In the SAML 2.0 Service Provider section, set the SP Start URL to https://login.microsoftonline.com/login.srf
to enable SSO and to redirect users appropriately to access Office 365

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Post Authentication

4. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication
section

5. An unalterable URL will be auto-populated in the Redirect To field, which will append to the domain name and
realm number in the address bar (Authorized/WSFedProvider.aspx)

6. A customized post authentication page can be uploaded, but it is not required

User ID Mapping

7. Select the SecureAuth IdP Property that corresponds to the directory field that contains the objectGUID
(Aux ID 9)

8. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

Select a different option only if Office 365 requires it, which the Service Provider (SP) will provide

9. Select True from the Encode to Base64 dropdown


SAML Assertion / WS Federation

10. Set the WSFed Reply To/SAML Target URL to https://login.microsoftonline.com/login.srf

11. Set the WSFed/SAML Issuer to https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/ and replace the values with
the actual Fully Qualified Domain Name (FQDN) and the number of Realm 1 (e.g. SecureAuth1), keeping the trailing
forward slash "/"

The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the Office 365 side (it is the value
passed as the IssuerUri in the PowerShell configuration below)

12. Set the SAML Audience to urn:federation:MicrosoftOnline (case sensitive)

13. Set the SAML Offset Minutes to make up for clock differences between devices (keep this small; it widens the
window in which an assertion is accepted)

14. Set the SAML Valid Hours to limit for how long the WS-Federation assertion is valid (a signed assertion is a
bearer credential, so keep this as short as the clients tolerate)

15. Select True from the Sign SAML Assertion dropdown

16. Select False from the Sign SAML Message dropdown

No configuration is required for the SAML Consumer URL or the SAML Recipient fields

17. Click Select Certificate to select the appropriate publicly trusted SSL / signing certificate

18. Provide the Domain in order to Download the Metadata File to send to Office 365 (if required)

SAML Attributes / WS Federation

19. Add IDPEmail as a WS-Federation Attribute in the Name field (Attribute 1)

20. Set the Namespace to http://schemas.xmlsoap.org/claims/UPN

21. Select Aux ID 8 (or the field that contains the userPrincipalName) from the Value dropdown

22. Add ImmutableID in the Name field (Attribute 2)

23. Set the Namespace to http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

24. Select Base64 Encoded from the Format dropdown

25. Select Aux ID 9 (or the field that contains the objectGUID) from the Value dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page
to avoid losing changes
WS-Trust Endpoint Configuration

26. Click View and Configure WS-Trust endpoints

WS-Trust Host Name

27. Provide the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance
in the Host Name field

WS-Trust Endpoint Configuration

28. Check to enable the /2005/usernamemixed and the /2005/windowstransport Endpoint Paths

Click Save once the configurations have been completed and before leaving the WS-Trust
Endpoints page to avoid losing changes

Forms Auth / SSO Token

29. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings
and to configure this realm for SSO

These are optional configurations


To configure this realm's token/cookie settings, follow these steps:
Forms Authentication

1. If SSL is required to view the token, select True from the Require SSL dropdown (recommended: the browser then
sends the token cookie over HTTPS only)

2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:

UseCookies: SecureAuth IdP always delivers the token in a cookie

UseUri: SecureAuth IdP never delivers a cookie, and instead delivers the token in a query string (the token
then appears in URLs, browser history and web server logs)

AutoDetect: SecureAuth IdP delivers a cookie if the user's settings allow it

UseDeviceProfile: SecureAuth IdP delivers a cookie if the browser's settings allow it, regardless of the
user's settings

3. Set the Sliding Expiration to True if the cookie remains valid as long as the user
is interacting with the page

4. Set the Timeout length to determine for how many minutes a cookie is valid

No configuration is required for the Name, Login URL, or Domain fields

Machine Key
5. No changes are required in the Validation field, unless the default value does not match the company's
requirement

If a different value is required, select it from the dropdown

6. No changes are required in the Decryption field, unless the default value does not match the company's
requirement

If a different value is required, select it from the dropdown

No configuration is required for the Validation Key or Decryption Key fields

Authentication Cookies

7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown

Selecting False - Session Cookie enables the cookie to be valid as long as the session is open, and it will
expire once the browser is closed or the session expires

No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields

Click Save once the configurations have been completed and before leaving the Forms
Auth / SSO Token page to avoid losing changes

To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration
To configure this realm for Windows Desktop SSO, refer to Windows Desktop SSO
Configuration Guide

Follow these configuration steps for Realm 2

30. Create a New Realm from Existing and select the SecureAuth IdP realm number that corresponds to Realm 1 in this guide

This will duplicate Realm 1 to create Realm 2

Realm 2 should be identical to Realm 1, with these configuration steps added

Workflow

31. In the Workflow section, select Public Mode Only from the Public/Private Mode dropdown

32. Select UserName Only from the Authentication Mode dropdown

33. Select True from the User Impersonation dropdown

34. Select True from the Windows Authentication dropdown

Custom Front End

35. Select Token from the Receive Token dropdown

36. Select True from the Require Begin Site dropdown

37. Select Windows SSO from the Begin Site dropdown

38. WindowsSSO.aspx will auto-populate the Begin Site URL field

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Office 365 Configuration Steps

This is to be used as a general configuration guide, but may not fit every Office 365 environment

SecureAuth is not responsible for configuring the Office 365 application; however, these steps are included to assist
customers in preparing their Office 365 environment for the SecureAuth IdP integration
Windows Azure AD for SSO
Office 365 utilizes Microsoft Windows Azure AD in the cloud to store user identities and can be used as a directory
store for MS CRM Online, Windows Intune, and Windows Azure.

Follow Microsoft's Single Sign-on Roadmap to configure Office 365 for SSO

Read Prepare for Single Sign-on to learn the benefits of SSO and what end-users will experience when
they connect from different locations

Be sure that the environment meets the requirements to enable SSO and verify that the Active Directory is
compatible with the SSO requirements

1. Prepare Active Directory by running the Microsoft Office 365 for Enterprises Deployment Readiness Tool

2. Set up and manage Active Directory Synchronization

Follow Configure Filtering for Directory Synchronization to limit the synchronization to a specific
organizational unit

3. Install the Microsoft Online Services Sign-in Assistant for IT Professionals

2003-2008 or 2012 only

Windows PowerShell

Install Microsoft Online Services Module for Windows PowerShell


1. Refer to Install Windows PowerShell for Single Sign-on with ADFS

Modules: 64-bit or 32-bit

2. Start Microsoft Online Services Module for Windows PowerShell

Configure Office 365 Domain Federation via PowerShell

Run these commands exactly in the order provided, and replace the "DomainName" placeholder with the SecureAuth
IdP Domain Name, the "SecureAuthIdPFQDN" placeholders with the actual SecureAuth IdP Hostname, and the
"SecureAuthIdPRealm1" and "SecureAuthIdPRealm2" placeholders with the actual SecureAuth IdP realms being used
(e.g. SecureAuth1, SecureAuth2)

Place quotation marks around the values used, e.g. if the command requires $dom="DomainName", then enter the
domain name in quotes ($dom="secureauthdev.com")

Follow the table below to enter the PowerShell commands

The DomainName, SecureAuthIdPFQDN, SecureAuthIdPRealm1, and SecureAuthIdPRealm2 placeholders need to be
changed and are unique to every configuration

The SecureAuthIdPRealm1 and SecureAuthIdPRealm2 placeholders are replaced with the Realm 1 and Realm 2 numbers

1. Connect-MsolService
Function: The Connect-MsolService cmdlet initiates a connection to the online service (it prompts for the
Office 365 administrator credentials)

2. $dom="DomainName"
Function: The domain name registered with Office 365 (see Prerequisites)

3. $ura="https://SecureAuthIdPFQDN/SecureAuthIdPRealm2/webservice/wstrust.svc/2005/usernamemixed"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 2, followed by
/webservice/wstrust.svc/2005/usernamemixed. This URL specifies the WS-Trust endpoint used by active clients
when authenticating with domains set up for SSO (identity federation) in Office 365
Example: "https://secureauth.secureauthdemo.com/secureauth2/webservice/wstrust.svc/2005/usernamemixed"

SecureAuthIdPFQDN and SecureAuthIdPRealm2 are unique for every appliance

4. $url="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1. This URL is where web-based
clients are directed when signing into Office 365
Example: "https://secureauth.secureauthdemo.com/secureauth1/"

5. $uri="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1. This is the unique identifier
of the domain in the Office 365 platform that is derived from the federation server
Example: "https://secureauth.secureauthdemo.com/secureauth1/"

The $uri value and the WSFed/SAML Issuer in the SecureAuth IdP Web Admin must match exactly, including the
trailing forward slash "/"

6. $logouturl="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/wsfedsignout.aspx"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1, followed by
/wsfedsignout.aspx. This is the URL to where users are redirected to sign out of Office 365

If using both IdP-initiated and SSO and experiencing issues logging in, contact Support

Example: "https://secureauth.secureauthdemo.com/secureauth1/wsfedsignout.aspx"

7. $metadata="https://SecureAuthIdPFQDN/SecureAuthIdPRealm2/webservice/wstrust.svc/mex"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 2, followed by the metadata
location /webservice/wstrust.svc/mex. This URL specifies the metadata exchange endpoint used for authentication
from rich client applications, such as Lync Online
Example: "https://secureauth.secureauthdemo.com/secureauth2/webservice/wstrust.svc/mex"

8. $cert="<CERT VALUE>"
Function: The variable containing the value of the certificate used to sign tokens passed to the Office 365
identity platform. Replace <CERT VALUE> with the actual value

Export the certificate selected in the SecureAuth IdP Web Admin for signing the WS-Federation Assertion:
1. Export the certificate in Base64-encoded X.509 format (the certificate only; the private key is never
exported or sent to Office 365)
2. Open the exported certificate in a text editor (Windows Notepad or Notepad++)
3. Remove the Begin Certificate and End Certificate lines from the file
4. Remove all line breaks (CR-LF) so that the certificate value is one line of text with no formatting

9. Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogOnUri $ura -MetadataExchangeUri $metadata -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed
Function: This command configures Office 365 with the variables set in the previous lines (above)
Function: This command configures
Office 365 with the variables set in
previous lines (above)

Verify that the Office 365 domain is configured properly by entering the following in the Microsoft Online Services
Module for Windows PowerShell: Get-MsolDomainFederationSettings -DomainName <DomainName>, replacing "<DomainName>"
with the actual domain name, e.g. Get-MsolDomainFederationSettings -DomainName secureauthdev.com

From there, review all of the information and confirm that the configuration is correct

If an error has been made, run Set-MsolDomainFederationSettings to modify any value that has been set incorrectly

For example, changing the $ura variable and then running Set-MsolDomainFederationSettings -DomainName $dom
-ActiveLogOnUri $ura changes the ActiveLogOnUri value to the new $ura variable
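The nine steps above, as one re-runnable script. This is an added example and not a script from the SecureAuth guide or from Microsoft: it takes the signing certificate straight from the local certificate store instead of a hand-edited PEM file (so the private key is never touched), checks that every URL handed to Office 365 answers over HTTPS with a trusted chain before the domain is federated, and reads the federation settings back afterwards. The domain, FQDN, realm names and the certificate thumbprint are assumed placeholders; replace all of them.

```powershell
# Added example (not SecureAuth's or Microsoft's own script). Requires the MSOnline module
# in Windows PowerShell 5.1 on the box that holds the signing certificate.
# Assumed values, replace all: domain, FQDN, realm names, certificate thumbprint.

$dom    = "secureauthdemo.com"
$fqdn   = "secureauth.secureauthdemo.com"
$realm1 = "secureauth1"   # passive (browser) realm: WS-Federation with 2-Factor Authentication
$realm2 = "secureauth2"   # active realm: WS-Trust endpoints for Windows SSO and thick clients

$url       = "https://$fqdn/$realm1/"                                           # PassiveLogOnUri
$uri       = "https://$fqdn/$realm1/"                                           # IssuerUri: must equal the WSFed/SAML Issuer in the Web Admin, trailing slash included
$logouturl = "https://$fqdn/$realm1/wsfedsignout.aspx"                          # LogOffUri
$ura       = "https://$fqdn/$realm2/webservice/wstrust.svc/2005/usernamemixed"  # ActiveLogOnUri
$metadata  = "https://$fqdn/$realm2/webservice/wstrust.svc/mex"                 # MetadataExchangeUri

# Step 8 without Notepad: export only the public certificate (DER) and Base64-encode it as a
# single line. The private key is never read, so nothing secret ends up in the tenant or in
# a shell transcript.
function Get-SigningCertificateBase64 {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $x509 = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $x509) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $x509.HasPrivateKey) {
        Write-Warning "No private key for $Thumbprint on this host; the IdP cannot sign with it here"
    }
    $der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [Convert]::ToBase64String($der)
}

# Pre-flight: Office 365 needs these URLs to answer over HTTPS with a publicly trusted chain.
# An HTTP error (400/404/405 for a plain GET to a WS-Trust endpoint) still proves DNS and TLS
# work; a chain or name-mismatch failure does not, and federation would then be "configured"
# while every sign-in fails.
function Test-FederationEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return $true
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::ProtocolError) { return $true }
        Write-Warning ("{0}: {1} ({2})" -f $Url, $_.Exception.Status, $_.Exception.Message)
        return $false
    } catch {
        Write-Warning ("{0}: {1}" -f $Url, $_.Exception.Message)
        return $false
    }
}

$results = foreach ($u in @($url, $ura, $metadata, $logouturl)) {
    [pscustomobject]@{ Url = $u; Reachable = (Test-FederationEndpoint -Url $u) }
}
$results | Format-Table -AutoSize
if ($results.Reachable -contains $false) {
    throw "Fix DNS/TLS for the endpoints above before running Set-MsolDomainAuthentication"
}

$cert = Get-SigningCertificateBase64 -Thumbprint "0123456789ABCDEF0123456789ABCDEF01234567"  # assumed thumbprint

Connect-MsolService   # prompts for the tenant administrator credentials

# Keep the .onmicrosoft.com domain as the default domain (see Prerequisites) or this call errors
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated `
    -PassiveLogOnUri $url -ActiveLogOnUri $ura -MetadataExchangeUri $metadata `
    -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl `
    -PreferredAuthenticationProtocol WsFed

# Read the result back; this is the output to compare line by line with the Web Admin settings
Get-MsolDomainFederationSettings -DomainName $dom | Format-List
```

Run it from the SecureAuth IdP appliance (or any host where the signing certificate is installed in the machine store) so that the exported value is guaranteed to be the same certificate the Web Admin signs with; a certificate copied from elsewhere is the usual cause of a "configured but every login fails" federation.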

PowerShell Issues and Federation Settings


If the Set-MsolDomainAuthentication command is not working in PowerShell, run it without the -DomainName $dom
and -Authentication Federated parameters; PowerShell then prompts for the domain name and the authentication
type (enter Federated)
Verify the Federation settings on the domain by running the command Get-MsolDomainFederationSettings
-DomainName <DomainName>
A certificate issued from a trusted source may be required; and if adding a certificate from a trusted source,
use the certificate console to modify the permissions on the new certificate and grant the Network Service
account Read permission on the Private Key (Read is sufficient for the web process to sign with the key; Full
Control is not needed)

Troubleshooting

Resolving Authentication Issues Using Firefox


If there are issues with the authentication after being passed through SecureAuth IdP, use Firefox with SAML Tracer
to view the POST to Office 365. Within the POST, identify the UPN, ImmutableID, and NameID in the Parameters tab.
Use the Microsoft Online PowerShell to login and check those values against the user by running Get-MsolUser
-UserPrincipalName user@company.com | fl *
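To make the SAML Tracer comparison above mechanical, the following added example (not part of the SecureAuth guide) reproduces what the ImmutableID claim must contain, derives it from the on-premises objectGUID, and compares it with both the value the tenant stores and the value observed in the WS-Federation POST. It needs the ActiveDirectory and MSOnline modules; the sample GUID and UPN are constructed placeholders.

```powershell
# Added example, not from the guide. Assumptions: ActiveDirectory and MSOnline modules are
# available, Connect-MsolService has been run, and the sample GUID/UPN below are placeholders.

# Directory Synchronization populates ImmutableId with the Base64 of the objectGUID's 16 raw
# bytes, in the byte order [guid]::ToByteArray() returns. Steps 22-25 of the Realm 1
# configuration emit exactly that when Aux ID 9 holds the objectGUID and the Format is
# "Base64 Encoded".
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse direction, for a value copied out of SAML Tracer or Get-MsolUser
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "Not a Base64-encoded objectGUID: decoded to $($bytes.Length) bytes, expected 16"
    }
    [guid]::new($bytes)
}

# Compare what the IdP will assert (derived from AD) with what the tenant stores and,
# optionally, with the ImmutableID claim actually seen in the POST.
function Test-FederatedUserIdentity {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$ObservedImmutableId    # optional: the ImmutableID value from SAML Tracer
    )
    # Scriptblock filter with a variable avoids building an LDAP filter by string concatenation
    $ad = Get-ADUser -Filter { userPrincipalName -eq $UserPrincipalName } -Properties userPrincipalName
    if (-not $ad) { throw "No Active Directory user with userPrincipalName $UserPrincipalName" }
    $msol = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    $expected   = ConvertTo-ImmutableId -ObjectGuid $ad.ObjectGUID
    $observedOk = if ($ObservedImmutableId) { $ObservedImmutableId -eq $expected } else { $null }

    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        AdObjectGuid        = $ad.ObjectGUID
        ExpectedImmutableId = $expected              # what the IdP should send
        TenantImmutableId   = $msol.ImmutableId      # what Office 365 will look up
        TenantMatchesAd     = ($expected -eq $msol.ImmutableId)
        ObservedMatchesAd   = $observedOk
        # IDPEmail (Attribute 1, Aux ID 8) must equal the tenant UPN, suffix included
        UpnMatchesTenant    = ($ad.UserPrincipalName -eq $msol.UserPrincipalName)
    }
}

# Offline self-check with a constructed GUID: encode, decode, and confirm the round trip
$sample = [guid]"12345678-90ab-cdef-1234-567890abcdef"
$encoded = ConvertTo-ImmutableId -ObjectGuid $sample
if ((ConvertFrom-ImmutableId -ImmutableId $encoded) -ne $sample) { throw "round-trip failed" }
"Sample objectGUID $sample -> ImmutableID $encoded"

# Live check (requires AD and tenant connectivity); the UPN is a placeholder:
# Test-FederatedUserIdentity -UserPrincipalName "user@secureauthdemo.com" -ObservedImmutableId "<value from SAML Tracer>"
```

If TenantMatchesAd is false the directory synchronization has not written this user's objectGUID to the tenant (or the user was created directly in Office 365); if only ObservedMatchesAd is false, the Web Admin is sending the wrong Aux ID or the Format is not Base64 Encoded. Both produce the same failed sign-in, so check which one it is before changing anything.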

Update Federated Domain Properties after Federation


If the Federated Domain Properties (LogOutUri, MetadataExchangeUri, etc.) need updating, update each of these
using the Set-MsolDomainFederationSettings (MSDN Technet Details). Additionally, verify the current Federated
Domain settings by using the Get-MsolDomainFederationSettings.
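Because Set-MsolDomainFederationSettings can silently change the issuer, the endpoints or the signing certificate of a whole domain, the update is worth doing as a compare-then-fix rather than by hand. The following added example (not from the guide) reads the live settings, reports every value that differs from this deployment's intended configuration, and corrects only the drifted URIs; certificate drift is reported but deliberately left to a human. The FQDN, realm names and thumbprint are assumed placeholders.

```powershell
# Added example, not from the guide. Assumes Windows PowerShell 5.1 with the MSOnline module;
# the demo FQDN, realm names and thumbprint are placeholders.

$dom  = "secureauthdemo.com"
$fqdn = "secureauth.secureauthdemo.com"
$expectedUris = @{
    IssuerUri           = "https://$fqdn/secureauth1/"
    PassiveLogOnUri     = "https://$fqdn/secureauth1/"
    LogOffUri           = "https://$fqdn/secureauth1/wsfedsignout.aspx"
    ActiveLogOnUri      = "https://$fqdn/secureauth2/webservice/wstrust.svc/2005/usernamemixed"
    MetadataExchangeUri = "https://$fqdn/secureauth2/webservice/wstrust.svc/mex"
}
$expectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # assumed

function ConvertTo-X509 {
    param([string]$Base64)
    if (-not $Base64) { return $null }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

function Get-FederationDrift {
    param([string]$DomainName, [hashtable]$ExpectedUris, [string]$ExpectedThumbprint)
    $live  = Get-MsolDomainFederationSettings -DomainName $DomainName
    $drift = @()
    foreach ($name in $ExpectedUris.Keys) {
        if ($live.$name -ne $ExpectedUris[$name]) {
            $drift += [pscustomobject]@{ Setting = $name; Live = $live.$name; Expected = $ExpectedUris[$name] }
        }
    }
    # The signing certificate is the trust anchor for the whole tenant: whoever holds its
    # private key can mint tokens for any federated user. Compare thumbprints, and treat a
    # NextSigningCertificate you did not stage yourself as a finding.
    $liveCert = ConvertTo-X509 $live.SigningCertificate
    if (-not $liveCert -or $liveCert.Thumbprint -ne $ExpectedThumbprint) {
        $drift += [pscustomobject]@{ Setting = 'SigningCertificate'; Live = $liveCert.Thumbprint; Expected = $ExpectedThumbprint }
    }
    $nextCert = ConvertTo-X509 $live.NextSigningCertificate
    if ($nextCert) {
        $drift += [pscustomobject]@{ Setting = 'NextSigningCertificate'; Live = $nextCert.Thumbprint; Expected = '(none staged)' }
    }
    $drift
}

function Repair-FederationUris {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DomainName, [object[]]$Drift, [hashtable]$ExpectedUris)
    $fix = @{}
    foreach ($d in $Drift) {
        # Only URI settings are corrected; certificate entries are not in $ExpectedUris
        if ($ExpectedUris.ContainsKey($d.Setting)) { $fix[$d.Setting] = $ExpectedUris[$d.Setting] }
    }
    if ($fix.Count -eq 0) { return }
    if ($PSCmdlet.ShouldProcess($DomainName, "Set-MsolDomainFederationSettings " + ($fix.Keys -join ', '))) {
        # The cmdlet's parameter names match the property names, so the hashtable splats in
        Set-MsolDomainFederationSettings -DomainName $DomainName @fix
    }
}

Connect-MsolService
$drift = Get-FederationDrift -DomainName $dom -ExpectedUris $expectedUris -ExpectedThumbprint $expectedThumbprint
if (-not $drift) { "No federation drift for $dom" } else { $drift | Format-Table -AutoSize }
Repair-FederationUris -DomainName $dom -Drift $drift -ExpectedUris $expectedUris -WhatIf   # drop -WhatIf to apply
```

Run Get-FederationDrift on a schedule as well as after changes: an unexpected IssuerUri, ActiveLogOnUri or signing certificate on a federated domain means a party other than the SecureAuth IdP can issue tokens for every user in it, which is exactly the condition Get-MsolDomainFederationSettings exists to expose.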

Resolved Issues: Windows Identity Foundation not found error message

Related Docs
WS-Trust Request Blocking
