
Setting up SSO with Office 365



The EmpowerID SSO framework allows you to federate EmpowerID with Office 365 without requiring you to set up ADFS or DirSync. In this scenario, the EmpowerID STS replaces ADFS, making EmpowerID the identity provider for your organization's Office 365 services.


If Windows Azure AD Module for Windows PowerShell and MSOL Sign-In Assistant are already installed on your EmpowerID server, you must remove them before installing the newer versions.


Prerequisites

You must have a licensed corporate Office 365 account and connect it to EmpowerID.

You must install the following, in this order, on the machine on which you configure the SSO Connection, verifying each step as described.

  1. Windows Management Framework 5.1
     This provides the functionality EmpowerID uses to communicate with Office 365, including the current version of Windows PowerShell.

  2. To verify the version, in PowerShell, run
     $PSVersionTable.PSVersion
     The version must be Major 5 Minor 0 or higher.

  3. Windows Azure AD Module for Windows PowerShell Version 1.1
     This provides the Office 365 cmdlets needed to administer Office 365.

  4. After installing the Windows Azure AD Module for Windows PowerShell Version 1.1, in PowerShell, run
     Save-Module -Name MSOnline -Path %path%
     replacing %path% with the folder into which the module should be downloaded.

  5. If you see either of these prompts, enter Y for both.
     • PowerShellGet requires NuGet provider version '2.8.5.201' or newer
     • You are installing the modules from an untrusted repository

  6. Once finished, in PowerShell, run
     Import-Module MSOnline

  7. After importing the module, confirm the version by running
     Get-Module MSOnline
     The version must be 1.1.166.0 or higher.


This topic describes how to federate EmpowerID with Office 365.


After connecting to Office 365, but before federating it with EmpowerID, it is recommended that the Office 365 users for the federated domain update their EmpowerID passwords. Once the domain is federated, every password sent to Office 365 is validated against the EmpowerID Person, so a rich client application such as Outlook or Lync that still has an old Office 365 password saved would repeatedly fail authentication and could lock out the EmpowerID Person.

To create an SSO application for Office 365

  1. In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications.
  2. From the Actions pane of Application Manager, click the Create Application action. 



  3. This opens the Application Details form, which contains various tabs and fields for creating the application.
  4. From the General tab of the Application Details form, do the following:
  5. Type an appropriate name, display name and description for the application in the Name, Display Name and Description fields, respectively.
  6. Icon - Type ~/Images/AppLogos/office-365.png in this field. This is the path to the Office 365 image provided by EmpowerID. Users with access to the application will see this image representing Office 365 in their Personal Applications page of the EmpowerID Web application.
  7. Full URL (Exact Match Path) - Leave this field blank as it is not used for Office 365.
  8. Allow Access Requests - Specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
  9. Allow Claim Account - Specify whether to allow users to claim an account in the application from the IT Shop.
  10. Allow Request Account - Specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
  11. Login Is Email Address (Receive OTP to Claim) - Select this option. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID and is used by EmpowerID to send a one-time password to users claiming an account.
  12. Make me the Application Owner - Specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
  13. Configure Advanced Claim and Request Account Options - Select this option and provide the appropriate information if you have custom pages and workflows configured in EmpowerID for processing access requests and for managing accounts linked to the application's account directory (the directory internal to EmpowerID).
  14. Click the Single Sign-On tab of the form, select WS-Federation from the Single Sign-On Connection Type drop-down and then tick Create a New WS-Fed Connection.
  15. In the WS-Federation Connection Information section that appears, do the following:
  16. Select Default SSO Connection Settings from the WSFederation Application Template drop-down.
  17. Type Office365 in the Display Name field.
  18. Type a description for the connection in the Description field.
  19. In the Issuer field, type the value that best represents the issuer of your Office 365 WS-Fed connection, such as empowerid:mydomain.office365, substituting mydomain with your domain. You will pass this same value to Office 365 as the IssuerUri when you federate the domain, and it must be unique within your Office 365 tenant.
  20. Type https://sso.empoweriam.com/EmpowerIDWebIdPWSFederation/Go365/Office365 in the Initiating URL field, where sso.empoweriam.com is the FQDN or DNS alias of your EmpowerID Web server and Office365 is the display name of the WS-Fed connection. This host name is the one Office 365 will redirect users to, so it must be covered by the SSL certificate of your EmpowerID deployment.
  21. Type your domain in the Home Realm field.
  22. In the Relying Party Trust section of the form, do the following:
  23. Type urn:federation:MicrosoftOnline in the Absolute Uri field.
  24. Select the certificate used to sign assertions from the Signing Certificate drop-down. Only the public portion of this certificate is later exported to Office 365; the private key stays on the EmpowerID server.
  25. Click the Users tab and select the Office 365 account store you configured for your environment from the Select existing Account Directory drop-down. EmpowerID uses this directory to map your Office 365 users with their corresponding EmpowerID Persons. Please note that you must add this account store to EmpowerID before it will appear in the drop-down.
  26. Click Add to cart. Click the shopping cart located at the top of the page and in the Cart dialog that appears, type a reason for creating the application and then click Submit. After EmpowerID creates the application, click the Find Application link in the breadcrumbs at the top of the page.
  27. Search for the Office 365 application you just created and then click the Display Name link for it.
  28. This directs you to the View One page for the application. View One pages allow you to view and manage information about a particular resource object.
  29. Expand the Owners accordion and do the following as needed to make someone an owner of the application. Owners have the ability to manage the application.
  30. Type the name of the person who is to be the owner in the Enter name to add field and then click the tile for that person.
  31. Click Submit.
  32. Expand the Who Has Access To Application accordion and do the following to ensure all users with an Office 365 account can access the application:
  33. Select Business Role and Location from the Assignee Type drop-down.
  34. Click the Add (+) button on the Assignee grid.
  35. In the Business Role pane of the Grant Access dialog, search for and select Any Role.
  36. In the Location pane of the Grant Access dialog, search for and select Anywhere.
  37. Select Viewer from the Access Level drop-down.
  38. Click Save.

Next, set the Public DNS for your server to match the domain name you are federating in Office 365 as described below. If the two already match, you can skip ahead to Configuring a Trusted Endpoint for the SSL certificate used in your EmpowerID deployment.

To configure an EmpowerID server with a DNS Alias

This is an optional step that is only required when the DNS name of your server and the domain name you registered in Office 365 are not the same. These values must match for the SSL endpoints to function correctly, because Office 365 redirects users to the name you register and the certificate presented by EmpowerID must be valid for that name. By setting a Public DNS alias, you direct the EmpowerID services to ignore the machine's FQDN and use the Public DNS name in its place.

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the EmpowerID Server Details page by expanding Admin > EmpowerID Servers and Settings and clicking EmpowerID Servers.
  2. From the EmpowerID Server Details page, click the EmpowerID Servers tab and search for the server whose role you want to set.
  3. Click the Edit button for that server.
  4. In the dialog that appears, enter the DNS Alias in the PublicDns field and then click Save.
  5. Restart the EmpowerID services on that server.

To export the EmpowerID Certificate in base64-encoding format

  1. From the server with your certificate, open the console root with the certificates snap-in (usually named Console 1). If you do not have the console configured with the certificates snap-in, open MMC and add the snap-in.
  2. From Console 1, expand the Certificates (Local Computer) > Personal nodes and then click Certificates.
  3. From the Personal certificates store, right-click the certificate you are using in your EmpowerID deployment and select All Tasks > Export from the context menu.
  4. In the Certificate Export Wizard that appears, click Next.
  5. Select No, do not export the private key and click Next.
  6. Select Base-64 encoded X.509 (.CER) and click Next.
  7. Select an export location, naming the exported certificate accordingly and click Next.
  8. Click Finish to complete the export.
  9. Open the exported certificate in a text editor and remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
  10. Remove all spaces and line breaks so that the certificate appears on one line.
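The same export can be done without the MMC wizard. The following is an added example, not part of the EmpowerID documentation: it reads the signing certificate from the Certificates (Local Computer) > Personal store, exports only the public part, writes a .cer identical to the wizard's Base-64 output, and produces the single-line base64 value that steps 9 and 10 describe. The thumbprint is a constructed placeholder and the output paths are assumptions; substitute the thumbprint of the certificate you selected in the Signing Certificate drop-down.

```powershell
# Added example (not EmpowerID's own code): export the WS-Fed signing certificate's
# public part as one line of base64. The thumbprint below is a placeholder (assumption);
# replace it with the thumbprint of the certificate chosen for the WS-Fed connection.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder, 40 hex characters

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# Checks worth making before this public key is pinned in a production tenant.
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key on this server: EmpowerID cannot sign tokens with this certificate here.'
}

# RawData is the DER encoding of the public certificate only; no private key is included.
# Its base64 is exactly the PEM body with the BEGIN/END lines and line breaks removed,
# i.e. the result of steps 9 and 10 of the manual procedure.
$base64 = [Convert]::ToBase64String($cert.RawData)

# Also write a .cer identical to the wizard's "Base-64 encoded X.509 (.CER)" output
# (64-character lines between the BEGIN and END markers).
$wrapped = [regex]::Replace($base64, '.{64}', "`$0`r`n").TrimEnd()
$pem = "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\EmpowerID-signing.cer" -Value $pem -Encoding Ascii

# Round trip: the one-line value must parse back to the same certificate.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[Convert]::FromBase64String($base64))
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Round-trip thumbprint mismatch' }

# Keep the one-line value for the federation cmdlets (assumed path).
Set-Content -Path "$env:USERPROFILE\EmpowerID-signing.b64" -Value $base64 -Encoding Ascii -NoNewline
$base64
```

Compare the printed thumbprint with the one shown for the certificate in EmpowerID before pasting the value into Office 365; a wrong certificate here means Office 365 will reject every token EmpowerID issues for the domain.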

Next, establish trust between Office 365 and EmpowerID as described below.

To establish trust between Office 365 and EmpowerID

  1. From the Start menu, open the Windows Azure AD Module for Windows PowerShell command window and type Connect-MsolService in the command window to connect to Microsoft Online.
  2. In the Enter Credentials window that appears, type the username and password for a global administrator and click OK.
  3. Once you have connected, run the following command to set the ImmutableID on all Office 365 accounts that have the domain specified in the command. Be sure to replace YourDomainName with your domain name.
  4. Next, set the following variables at the PowerShell prompt for your domain, the federation endpoints and the signing certificate. The following example shows what the values for the variables looked like for our configuration. You need to replace the values with those specific to your environment. For example, the name of our domain is "myempowerid.com," so the value of $dom and $FederationBrandName is "myempowerid.com."
  5. Use the following cmdlet to set the Federation Authentication Mode to WS-Fed for the Office 365 domain. The cmdlet should be entered as one line.
  6. Use the following cmdlet to update the Office 365 domain with the federation settings. The cmdlet should be entered as one line.
  7. Run the following cmdlet to verify your settings:
  8. Run the following cmdlet to retrieve the Open Authorization (OAuth) configuration settings currently in use in your organization:
  9. Run the following cmdlet to enable Modern Authentication:
  10. When finished, run the following cmdlet to close your session:
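The following is an added example, not part of the EmpowerID documentation, showing the Office 365 side of the trust end to end with the MSOnline module. The domain name follows the page's own example (myempowerid.com); the EmpowerID endpoint URLs, the Issuer value, the certificate file path and the ImmutableID value are assumptions for this example and must be replaced with the values of your own WS-Fed connection. Steps 5 and 6 of the procedure are performed by one Set-MsolDomainAuthentication call, because Office 365 requires the federation settings to be supplied at the moment the domain is switched to federated; Set-MsolDomainFederationSettings can change them afterwards.

```powershell
# Added example (not EmpowerID's own code): federate an Office 365 domain with an
# EmpowerID WS-Fed STS. Run in the Windows Azure AD Module for Windows PowerShell
# window as a global administrator. All URLs, the Issuer and the certificate path
# are assumptions for this example.
Import-Module MSOnline
Connect-MsolService                              # prompts for global administrator credentials

$dom                 = 'myempowerid.com'        # the page's example domain
$FederationBrandName = 'myempowerid.com'
$stsHost             = 'sso.empoweriam.com'     # Public DNS of the EmpowerID Web server
# Must equal the Issuer field of the WS-Fed connection and be unique within the tenant.
$issuerUri  = 'empowerid:myempowerid.com.office365'
# Assumed endpoints: the page gives only the initiating URL. Use the passive (browser),
# active (WS-Trust, for Outlook/Skype rich clients) and sign-out endpoints EmpowerID publishes.
$passiveUri = "https://$stsHost/EmpowerIDWebIdPWSFederation/Go365/Office365"
$activeUri  = $passiveUri
$logoffUri  = $passiveUri

# Signing certificate: the single-line base64 produced by the export procedure (assumed path).
$cert = (Get-Content -Path "$env:USERPROFILE\EmpowerID-signing.b64" -Raw) -replace '\s', ''
if ($cert -match 'CERTIFICATE') { throw 'Strip the BEGIN/END CERTIFICATE lines before federating' }
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[Convert]::FromBase64String($cert))
"Signing certificate: $($x509.Subject), thumbprint $($x509.Thumbprint), expires $($x509.NotAfter)"

# Guard: a federated domain authenticates only through EmpowerID. Keep at least one global
# administrator outside $dom (for example in the tenant's *.onmicrosoft.com domain), or an
# STS outage locks you out of the tenant.
$adminRole   = Get-MsolRole -RoleName 'Company Administrator'
$cloudAdmins = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
               Where-Object { $_.EmailAddress -notlike "*@$dom" }
if (-not $cloudAdmins) { throw "No global administrator outside $dom; create a break-glass admin first" }

# Step 3: ImmutableID. Office 365 matches the ImmutableID claim in EmpowerID's token against
# this attribute. The page does not state which value EmpowerID asserts, so this example uses
# each user's Office 365 ObjectId as a placeholder (assumption) and leaves existing values alone.
Get-MsolUser -DomainName $dom -All |
    Where-Object { -not $_.ImmutableId } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.ObjectId.ToString()
    }

# Steps 5 and 6: switch the domain to federated and record the WS-Fed settings in one call.
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $FederationBrandName `
    -Authentication Federated -PreferredAuthenticationProtocol WSFed `
    -IssuerUri $issuerUri -PassiveLogOnUri $passiveUri -ActiveLogOnUri $activeUri `
    -LogOffUri $logoffUri -SigningCertificate $cert

# Step 7: verify what the tenant stored, and that it is the key you exported.
if ((Get-MsolDomain -DomainName $dom).Authentication -ne 'Federated') { throw "$dom is not federated" }
$settings = Get-MsolDomainFederationSettings -DomainName $dom
$settings | Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
if ($settings.SigningCertificate -ne $cert) { throw 'Tenant holds a different signing certificate than the one exported' }

# Steps 8 to 10: Modern Authentication is an Exchange Online setting, so it needs an Exchange
# Online remote session rather than MSOnline. This is the Basic-auth remote PowerShell endpoint
# in use when this page was written; Microsoft has since retired it in favour of
# Connect-ExchangeOnline from the ExchangeOnlineManagement module.
$exoCred = Get-Credential -Message 'Exchange Online administrator'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $exoCred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null
Get-OrganizationConfig | Format-Table Name, OAuth* -AutoSize     # current OAuth settings
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true          # enable Modern Authentication
Remove-PSSession $session
```

Federation is switched per domain, not per user, so try this first on a verified domain that holds only pilot accounts. If the ImmutableID value EmpowerID asserts does not match what was written in step 3, the user is redirected back to Office 365 and rejected there; fix the attribute rather than the STS. To roll back, run Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed, after which users in the domain authenticate with their cloud passwords again.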


If you are using Skype for Business, please see the Configuring Skype for Business Online topic for instructions.

To test the Office 365 SSO Connection

  1. From your Web browser navigate to the login for Office 365 and enter your username.
  2. Click the Password field. You should see a message stating that Office 365 is redirecting you to your organization's sign-in page.
  3. Log in to the EmpowerID Web application as you normally would. The username entered should be the same as that used for accessing Office 365.
  4. EmpowerID verifies your identity and redirects you back to Office 365.



