...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
%path%
...
...
...
...
...
...
...
...
...
...
...
...
In the Initiating URL field, enter this URL, changing empowersso.com to your domain:

    https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=empowersso.com

In the Logout URL field, enter this URL:

    https://login.microsoftonline.com/logout.srf
...
Note: If you have a space in the name of the account store, you need to remove it in the EmpowerID Management Console before federating.
...
To create an SSO application for Office 365
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Next, establish trust between Office 365 and EmpowerID as described below.
To establish trust between Office 365 and EmpowerID
...
    Connect-MsolService
...
Note: This command is only necessary if the account was created in Office 365. Do not run this command if you are using DirSync.

    Get-MsolUser -DomainName YourDomainName | where {$_.ImmutableId -eq $null -OR $_.ImmutableId -eq ''} | Set-MsolUser -ImmutableId {[guid]::NewGuid().ToString()}
...
To get all licensed users and their immutable IDs, run this command:

    Get-MsolUser -all | where {$_.isLicensed -eq $true} | select-object userprincipalname, immutableid
...
    $dom = "empowersso.com"
    $FederationBrandName = "empowersso.com"
    $IssuerUri = "https://sso.empowersso.com/EmpowerIDWebIdPWSFederation/365/Office365"
    $ActiveLogOnUri = "https://sso.empowersso.com/EmpowerIDWebServices/Office365ActiveSTS.svc"
    $mex = "https://sso.empowersso.com/EmpowerIDWebServices/Office365ActiveSTS.svc/mex"
    $LogOffUri = "https://sso.empowersso.com/EmpowerIDWebIdPWSFederation/365/Office365"
    $PassiveLogOnUri = "https://sso.empowersso.com/EmpowerIDWebIdPWSFederation/365/Office365"
    $cert = "MIIC5jCCAc6gAw..............QKgUSV0rciLpDOYiqAwbP6D"

Info: The values for ActiveLogOnUri, LogOffUri, and PassiveLogOnUri are the same and point to the Issuer you set up when you created the WS-Fed connection above. The value set for IssuerUri does not need to be a resolvable DNS name; however, it does need to be unique in Office 365, because an IssuerUri cannot be used for more than one connection/tenant. Also, when setting the value for the certificate, be sure to pass in the Base-64 encoded string without any line breaks.
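Because a federated domain will accept any token signed by this certificate, it is worth validating the variables above before they reach Set-MsolDomainAuthentication. The following check is an added example, not part of the EmpowerID documentation; it assumes the variable names defined above and requires only built-in .NET types, no MSOnline cmdlets.

```powershell
# Added example: validate federation parameters before federating the domain.
# Checks the Info box's requirements (single-line Base-64 certificate, one Issuer
# endpoint) plus a few a practitioner would want: the certificate decodes as X.509,
# is within its validity period, and every endpoint is an absolute https:// URL.
function Test-FederationParams {
    param(
        [Parameter(Mandatory)][string]$IssuerUri,
        [Parameter(Mandatory)][string]$ActiveLogOnUri,
        [Parameter(Mandatory)][string]$PassiveLogOnUri,
        [Parameter(Mandatory)][string]$LogOffUri,
        [Parameter(Mandatory)][string]$MetadataExchangeUri,
        [Parameter(Mandatory)][string]$SigningCertificate
    )
    $problems = @()

    # The certificate must be the bare Base-64 body: no PEM markers, no line breaks.
    if ($SigningCertificate -match '\s')     { $problems += 'SigningCertificate contains whitespace or line breaks' }
    if ($SigningCertificate -match '-----')  { $problems += 'SigningCertificate must not include PEM BEGIN/END lines' }
    try {
        $bytes = [Convert]::FromBase64String($SigningCertificate)
        $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $now   = Get-Date
        if ($x509.NotAfter  -lt $now) { $problems += "SigningCertificate expired on $($x509.NotAfter)" }
        if ($x509.NotBefore -gt $now) { $problems += "SigningCertificate not valid until $($x509.NotBefore)" }
    } catch {
        $problems += "SigningCertificate is not a Base-64 encoded X.509 certificate: $($_.Exception.Message)"
    }

    # Office 365 redirects users and posts tokens to these endpoints; each must be HTTPS.
    $endpoints = @{ ActiveLogOnUri = $ActiveLogOnUri; PassiveLogOnUri = $PassiveLogOnUri
                    LogOffUri = $LogOffUri; MetadataExchangeUri = $MetadataExchangeUri }
    foreach ($name in $endpoints.Keys) {
        $parsed = $null
        if (-not [Uri]::TryCreate($endpoints[$name], [UriKind]::Absolute, [ref]$parsed) -or
            $parsed.Scheme -ne 'https') {
            $problems += "$name must be an absolute https:// URL, got '$($endpoints[$name])'"
        }
    }
    # IssuerUri need not resolve, only be present (and unique in the tenant).
    if ([string]::IsNullOrWhiteSpace($IssuerUri)) { $problems += 'IssuerUri must not be empty' }
    return $problems
}

# Run against the variables defined above and stop before federating if anything is wrong.
$issues = Test-FederationParams -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri `
    -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -MetadataExchangeUri $mex -SigningCertificate $cert
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; throw 'Fix the parameters before federating.' }
```

Run it in the same session after setting the variables and before Set-MsolDomainAuthentication; it exits with a warning list rather than federating a domain to a malformed or expired signing certificate.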
...
If you received a DefaultDomainUnsetException error when running the above PowerShell cmdlet, you need to specify the domain as the default domain. To fix the error, run the cmdlet below. You will also need to run it each time you add a tenant, to set the default domain for that tenant. Be sure to replace "littleblueberry.onmicrosoft.com" with the fully qualified domain name your Office 365 account was given by Microsoft when it was first created.

    set-msoldomain -name littleblueberry.onmicrosoft.com -IsDefault
...
    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $PassiveLogOnUri -SigningCertificate $cert -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -MetadataExchangeUri $mex -LogOffUri $LogOffUri
...
If necessary, you can revert the domain from federated to managed by using the following PowerShell cmdlet.

    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
...
    Set-MsolDomainFederationSettings -DomainName $dom -FederationBrandName $dom -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -ActiveLogOnUri $ActiveLogOnUri -MetadataExchangeUri $mex -SigningCertificate $cert
...
    MSOnlineExtended\Get-MsolDomainFederationSettings
...
    Get-CsOAuthConfiguration
...
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
...
    Get-PSSession | Remove-PSSession

Info: If you are using Skype for Business, please see the Configuring Skype for Business Online topic for instructions.
To test the Office 365 SSO Connection
...