# Office 365 application integration

This topic covers how to integrate the Office 365 application in the SecureAuth® Identity Platform to securely allow the right user access to Office 365 applications in your organization.

1. On the left side of the Identity Platform page, click Application Manager.

The application template library appears.

3. From the list of application templates, search for and select Office 365.

4. On the Applications Details page, set the following configurations.

5. Click Continue.

The Connection Settings page appears.

6. In the Configure Connection section, set the following configuration.

| Setting | Description |
|---|---|
| User ID Profile Field | Select the property in your data store that is mapped to objectGUID. |

7. In the WS-Federation section, set the following configurations.

| Setting | Description |
|---|---|
| SecureAuth Public Hostname | Enter the fully qualified domain name for your SecureAuth URL (for example, company.secureauth.identitysomething.com). For an on-prem deployment, this is the FQDN URL for the appliance. For a cloud-only deployment, this is the URL provided to you by SecureAuth. |
| O365 Login URL | Optional. Enter the login URL to the Office 365 application. |
| WS-Fed Version | Select the WS-Fed specification version to which this application integration applies. |
| Assertion will be valid for | Indicate, in hours and minutes, how long the assertion is valid. The default setting is one hour, but for more sensitive application resources the recommended value is between one and five minutes. |
| Offset Minutes | Indicate, in minutes, the clock skew to tolerate in order to account for time differences among devices. |
| IdP Signing Certificate | Click Select Certificate, choose the IdP signing certificate to use, and then click Select to close the box. |
| IdP Signing Certificate Serial Number | When you select an IdP signing certificate, the serial number populates this field. |
| Signing Algorithm | The signing algorithm digitally signs the SAML assertion and response. Choose SHA1 or SHA2 (a stronger hash algorithm that is not subject to the same vulnerabilities as SHA1). |
| Sign WS-Fed Assertion | Enable signing of the WS-Fed assertion to ensure assertion integrity when the assertion is delivered to the service provider (SP). |
| Sign WS-Fed Message | Enable signing of the WS-Fed message to ensure message integrity when the message is delivered to the service provider (SP). |

8. In the WS-Trust Endpoints section, set the following configuration.

| Setting | Description |
|---|---|
| Enable O365 Legacy Endpoints | Move the slider On to enable the endpoints for the legacy version of Office 365. |

9. In the WS-Federation Attributes section, set the following configurations.

| Setting | Description |
|---|---|
| Attribute Name | The WS-Federation attribute name from the directory that identifies the user to the application. |
| Data Store Property | Select the data store property that maps to this directory attribute (for example, Authenticated User ID). |
| Namespace (1.1) | The authorization URL that tells the application which attribute is being asserted. |
| Format | Encoding format for the login request. Valid values are: Basic, URI, Unspecified, Base64 Encoded, Group List. |
| Filtered Group | Optional. Regular expression applied to the group list; the default value `.*` matches everything. Change it only to parse the group data differently from the default. |

After saving the application, the Information for Service Providers page appears.

11. To complete the integration and establish a working connection with SecureAuth, provide the following information as required to the service provider.

Login URL, Logout URL, IdP Issuer

Click Copy to Clipboard to copy the Identity Platform realm information and paste it in the corresponding field on the service provider user interface, as required.

IdP Signing Certificate

PowerShell Script

To federate the connection between the Identity Platform and the service provider, copy and run the PowerShell script.

Example PowerShell script

```powershell
# Connect to the Office 365 tenant (prompts for administrator credentials).
Connect-MsolService

# Federation variables. Replace the placeholders with your own values; the
# company.initech.com/Secureauth20 URLs are an example realm.
$dom = "<O365 DOMAIN NAME>"
$ura = "https://company.initech.com/Secureauth20/webservice/wstrust.svc/2005/usernamemixed"
$url = "https://company.initech.com/Secureauth20/"
# $uri must match the WSFed/SAML Issuer configured in the Identity Platform
# exactly, including any trailing forward slash.
$uri = "https://company.initech.com/Secureauth20"
$logouturl = "https://company.initech.com/Secureauth20/wsfedsignout.aspx"
$metadata = "https://company.initech.com/Secureauth20/webservice/wstrust.svc/mex"
# Base64 signing certificate value on a single line: no BEGIN/END lines,
# line breaks or spaces.
$cert = "<CERT VALUE>"

# Run as a single line: switches the domain to federated authentication.
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogonUri $ura -MetadataExchangeUri $metadata -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed
```

The following are descriptions of the command lines in the script.

Connect-MsolService

Begins the process of federating the connection.

$dom="<O365 DOMAIN NAME>"

Name of the Office 365 domain.

$ura="https://<SecureAuth Public Hostname>/SecureAuthRealm#/webservice/wstrust.svc/2005/usernamemixed"

Defines the Identity Platform on-prem FQDN URL for the appliance (or, for a cloud-only deployment, the URL provided by SecureAuth) and the Office 365 realm number, followed by /webservice/wstrust.svc/2005/usernamemixed. This URL specifies the endpoint used by active clients when authenticating with domains set up for SSO (identity federation) in Office 365.

$url="https://<SecureAuth Public Hostname>/SecureAuthRealm#/"

Defines the Identity Platform on-prem FQDN URL for the appliance (or, for a cloud-only deployment, the URL provided by SecureAuth) and the Office 365 realm number. This is the URL to which web-based clients are directed when logging in to Office 365.

$uri="https://<SecureAuth Public Hostname>/SecureAuthRealm#/"

Defines the Identity Platform on-prem FQDN URL for the appliance (or, for a cloud-only deployment, the URL provided by SecureAuth) and the Office 365 realm number. This is the unique identifier of the domain in the Office 365 platform, derived from the federation server.

### Note

The uri command and the WSFed/SAML Issuer in the Classic IdP Experience Web Admin must match exactly, including the trailing forward slash "/".

$logouturl="https://<SecureAuth Public Hostname>/SecureAuthRealm#/wsfedsignout.aspx"

Defines the Identity Platform on-prem FQDN URL for the appliance (or, for a cloud-only deployment, the URL provided by SecureAuth) and the Office 365 realm number, followed by /wsfedsignout.aspx. This is the URL to which users are redirected when logging out of Office 365. If you are using both IdP-initiated login and SSO, and experience issues with logging in, contact Support.

$metadata="https://company.initech.com/Secureauth20/webservice/wstrust.svc/mex"

Defines the Identity Platform on-prem FQDN URL for the appliance (or, for a cloud-only deployment, the URL provided by SecureAuth) and the Office 365 realm number, followed by /webservice/wstrust.svc/mex. This URL specifies the metadata exchange endpoint used for authentication from rich client applications.

$cert="<CERT VALUE>"

Defines the value of the certificate used to sign tokens passed to the Office 365 platform. Replace <CERT VALUE> with the actual value in a single line with no breaks or spaces.

To export the certificate:

1. Export the SSL certificate in Base64 format.

2. Using a text editor, open the exported certificate.

3. Remove the Begin Certificate and End Certificate lines from the file.

4. Remove all returns (CR-LF) so that the certificate value is one line of text with no formatting.
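The four export steps above can be done in the same PowerShell session that runs the federation script, which also lets you check the result before it reaches Office 365. The following is an added example and not SecureAuth's own code: it strips the BEGIN/END lines and line breaks from a Base64 (PEM) export, then decodes the single-line value to confirm it is a real certificate and prints its serial number so you can compare it with the IdP Signing Certificate Serial Number field. The file path is an assumption; point it at your own export.

```powershell
# Added example (not SecureAuth documentation code): build the single-line
# <CERT VALUE> for $cert from a Base64 (PEM) export and sanity-check it.
# Assumed path of the exported certificate; change it to your own file.
$pemPath = 'C:\Temp\secureauth-idp-signing.cer'

# Steps 2-4 of the procedure: drop the BEGIN/END lines and join the
# remaining lines into one string with no CR-LF or whitespace.
$cert = (Get-Content -Path $pemPath |
    Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }) -join ''
$cert = $cert -replace '\s', ''

# Sanity check: a Base64 decode failure or a non-certificate payload throws
# here, which is preferable to discovering it after Set-MsolDomainAuthentication.
$bytes = [Convert]::FromBase64String($cert)
$x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)

# Compare the serial number with the "IdP Signing Certificate Serial Number"
# field in the Identity Platform to confirm you exported the right certificate.
"Subject:    $($x509.Subject)"
"Serial:     $($x509.SerialNumber)"
"Thumbprint: $($x509.Thumbprint)"
"Valid to:   $($x509.NotAfter)"
if ($x509.NotAfter -lt (Get-Date)) {
    Write-Warning 'The certificate has expired; Office 365 will reject tokens signed with it.'
}
"Single-line value length: $($cert.Length) characters"

# $cert now holds the value to pass as -SigningCertificate in the federation script.
```

If the decode throws a FormatException, the export still contains a stray line break or space; if the serial number differs from the one shown in the Identity Platform, the wrong certificate was exported. Either way, fix the file before running the federation script rather than after.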

Set-MsolDomainAuthentication command line

Copy and run this command as a single line; it configures Office 365 with the variables set in the previous lines.
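Because the IssuerUri must match the Identity Platform issuer exactly (see the note above), it is worth reading back what Office 365 actually stored after the command completes. The following is an added example, not part of the SecureAuth documentation: it assumes the same session in which the federation script was run, so $dom, $ura, $url, $uri, $logouturl, $metadata and $cert are still defined, and it relies on the IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, MetadataExchangeUri and SigningCertificate properties returned by Get-MsolDomainFederationSettings.

```powershell
# Added example (not SecureAuth documentation code): compare the federation
# settings Office 365 stored for the domain with the values the script set.
# Assumes Connect-MsolService has been run and the script variables still exist.
$expected = @{
    IssuerUri           = $uri
    PassiveLogOnUri     = $url
    ActiveLogOnUri      = $ura
    LogOffUri           = $logouturl
    MetadataExchangeUri = $metadata
    SigningCertificate  = $cert
}

# Read back the settings for the federated domain.
$actual = Get-MsolDomainFederationSettings -DomainName $dom

$mismatches = 0
foreach ($name in $expected.Keys) {
    $got = [string]$actual.$name
    # -ceq is case-sensitive: URIs and the trailing "/" must match exactly.
    if ($got -ceq $expected[$name]) {
        "OK       $name"
    } else {
        $mismatches++
        "MISMATCH $name`n  expected: $($expected[$name])`n  actual:   $got"
    }
}

if ($mismatches -eq 0) {
    "Federation settings for $dom match the script values."
} else {
    Write-Warning "$mismatches setting(s) differ for $dom; re-run Set-MsolDomainAuthentication with corrected values."
}
```

A mismatch on IssuerUri is the one to look at first: a value that differs only by a trailing slash or letter case from the issuer the Identity Platform puts in its tokens will cause Office 365 to reject every sign-in for the domain.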

2. Enter the Domain name to the Identity Platform appliance URL or IP address.

For example, https://secureauth.company.com or https://111.222.33.44

4. Upload the file to the service provider.

12. Click Continue to Summary to review the application settings.

13. Click Back to Application Manager to find the application added to the list.