Office 365 application integration

This topic covers how to integrate the Office 365 application in the SecureAuth® Identity Platform to securely allow the right user access to Office 365 applications in your organization.

  1. On the left side of the Identity Platform page, click Application Manager.

    office_365_app_001_19_07.png
  2. Click Add an Application.

    The application template library appears.

    office_365_app_002_19_07.png
  3. From the list of application templates, search and select Office 365.

    office_365_app_003_19_07.png
  4. On the Applications Details page, set the following configurations.

    Application Name

    Name is prefilled by default; you can optionally change the application name. This displays on the Application Manger list and on the Application Settings page.

    Application Description

    Enter descriptive name about this application integration.

    Upload logo

    Optional. Click Upload to change the logo.

    Authentication Policy

    Select the login authentication policy for this application.

    Data Stores

    Enter the data stores to to authenticate and allow user access for this application. Start typing to bring up a list of data store names. You can enter more than one data store.

    Groups

    Use one of the following options:

    • Slider in the On position (enabled): Allow users from every group in your selected data stores access to this application.

    • Slider in the Off position (disabled): Enter the specific groups who are allowed access to this application.

    office_365_app_004_19_07.png
  5. Click Continue.

    The Connection Settings page appears.

    office_365_app_005_19_07.png
  6. In the Configure Connection section, set the following configuration.

    User ID Profile Field

    Select the property in your data store that is mapped to objectGUID.

    office_365_app_006_19_07.png
  7. In the WS-Federation section, set the following configurations.

    SecureAuth Public Hostname

    Enter the fully qualified domain name for your SecureAuth URL (for example, company.secureauth.identitysomething.com).

    For an on-prem deployment, this is the FQDN URL for the appliance. Otherwise, for a cloud-only deployment, this is the URL is provided to you by SecureAuth.

    O365 Login URL

    Optional. Enter the login URL to the Office 365 application.

    WS -Fed Version

    Select the WS-Fed specification version to which this application integration applies.

    Assertion will be valid for

    Indicate in hours and minutes, how long the assertion is valid for.

    The default setting is one hour, but for more sensitive application resources, the recommended value is between one to five minutes.

    Offset Minutes

    Indicate in minutes to account for the time differences among devices.

    IdP Signing Certificate

    Click Select Certificate, choose the IdP signing certificate to use and then click Select to close the box.

    IdP Signing Certificate Serial Number

    When you select an IdP signing certificate, the serial number populates this field.

    Signing Algorithm

    The signing algorithm digitally signs the SAML assertion and response.

    Choose the signing algorithm – SHA1 or SHA2 (slightly stronger encryption hash and is not subject to the same vulnerabilities as SHA1.)

    Sign WS-Fed Assertion

    Enable signing of the WS-Fed assertion to ensure assertion integrity when the assertion is delivered to the service provider (SP).

    Sign WS-Fed Message

    Enable signing of the WS-Fed message to ensure message integrity when the message is delivered to the service provider (SP).

    office_365_app_007_19_07.png
  8. In the WS-Trust Endpoints section, set the following configuration.

    Enable O365 Legacy Endpoints

    Move the slider On to enable the endpoints for the legacy version of Office 365.

    office_365_app_008_19_07.png
  9. In the WS-Federation Attributes section, set the following configurations.

    Attribute Name

    The WS-Federation attribute name from the directory to which identifies the user to the application.

    Data Store Property

    Select the data store property which maps to this directory attribute.

    For example, Authenticated User ID

    Namespace (1.1)

    The authorization URL to tell the application which attribute is being asserted.

    Format

    Encoding format for the login request. Valid values are:

    • Basic

    • URI

    • Unspecified

    • Base64 Encoded

    • Group List

    Filtered Group

    Optional. To parse the data different from the default settings, use default value of .*

    office_365_app_009_19_07.png
  10. Click Add Application.

    After saving the application, the Information for Service Providers page appears.

    office_365_app_010_19_07.png
  11. To complete the integration and establish a working connection with SecureAuth, provide the following information as required to the service provider.

    Login URL, Logout URL, IdP Issuer

    Click Copy to Clipboard to copy the Identity Platform realm information and paste it in the corresponding field on the service provider user interface, as required.

    IdP Signing Certificate

    Download the IdP Signing Certificate.

    PowerShell Script

    To federate the connection between the Identity Platform and the service provider, copy and run the PowerShell script.

    Example PowerShell script

    Connect-MsolService 
    $dom = "<O365 DOMAIN NAME>" 
    $ura = "https://company.initech.com/Secureauth20/webservice/wstrust.svc/2005/usernamemixed"
    $url = "https://company.initech.com/Secureauth20/" 
    $uri = "https://company.initech.com/Secureauth20" 
    $logouturl = "https://company.initech.com/Secureauth20/wsfedsignout.aspx" 
    $metadata = "https://company.initech.com/Secureauth20/webservice/wstrust.svc/mex" 
    $cert = "<CERT VALUE>" 
    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated
     -PassiveLogOnUri $url -ActiveLogonUri $ura -MetadataExchangeUri $metadata -SigningCertificate 
    $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed

    The following are descriptions of the command lines in the script.

    Connect-MsolService

    Begins the process of the federating the connection.

    $dom="<O365 DOMAIN NAME>"

    Name of Office 365 domain.

    $ura="https://<SecureAuth Public Hostname>/SecureAuthRealm#/webservice/wstrust.svc/2005/usernamemixed"

    Defines the Identity Platform on-prem FQDN URL for the appliance (or for a cloud-only deployment this is the URL provided by SecureAuth) and Office 365 realm number, followed by /webservice/ wstrust.svc/2005/usernamemixed. This URL specifies the endpoint used by active clients when authenticating with domains set up for SSO (identity federation) in Office 365.

    $url="https://<SecureAuth Public Hostname>/SecureAuthRealm#/"

    Defines the Identity Platform on-prem FQDN URL for the appliance (or for a cloud-only deployment this is the URL provided by SecureAuth) and Office 365 realm number. This is the URL where web-based clients are directed to when logging into Office 365. 

    $uri="https://<SecureAuth Public Hostname>/SecureAuthRealm#/"

    Defines the Identity Platform on-prem FQDN URL for the appliance (or for a cloud-only deployment this is the URL provided by SecureAuth) and Office 365 realm number.  This is the unique identifier of the domain in the Office 365 platform that is derived from the federation server. 

    Note

    The uri command and the WSFed/SAML Issuer in the Classic IdP Experience Web Admin must match exactly, including the trailing forward slash "/".

    $logouturl="https://<SecureAuth Public Hostname>/SecureAuthRealm#/wsfedsignout.aspx"

    Defines the Identity Platform on-prem FQDN URL for the appliance (or for a cloud-only deployment this is the URL provided by SecureAuth) and Office 365 realm number, followed by /wsfedsignout.aspx.  This is the URL to which users are redirected to when logging out of Office 365. If you are using both IdP-initiated and SSO, and experience issues with logging in, then contact Support. 

    $metadata="https://company.initech.com/Secureauth20/webservice/wstrust.svc/mex"

    Defines the Identity Platform on-prem FQDN URL for the appliance (or for a cloud-only deployment this is the URL provided by SecureAuth) and Office 365 realm number, followed by /webservice/wstrust.svc/mex. This URL specifies the metadata exchange endpoint used for authentication from rich client applications. 

    $cert="<CERT VALUE>"

    Defines the certificate value of the certificate used to sign tokens passed to Office 365 platform.  Replace the <CERT VALUE> with the actual value in a single line with no breaks or space. 

    To export the certificate:

    1. Export the SSL certificate in Base64 format.

    2. Using a text editor, open the exported certificate.

    3. Remove the Begin Certificate and End Certificate lines from the file.

    4. Remove all returns (CR-LF) so that the certificate value is one line of text with no formatting.

    command line

    Copy and run these commands in a single line; this configures Office 365 with the variables set in the previous lines. 

    Download Metadata

    To download the metadata file:

    1. Click Download Metadata.

    2. Enter the Domain name to the Identity Platform appliance URL or IP address.

      For example, https://secureauth.company.com or https://111.222.33.44

      office_365_app_011_19_07.png
    3. Click Download to get the configuration file.

    4. Upload the file to the service provider.

  12. Click Continue to Summary to review the application settings.

    office_365_app_012_19_07.png
  13. Click Back to Application Manager to find the application added to the list.