Microsoft Office 365 SAML integration

Office 365 is a cloud-based, subscription model version of Microsoft Office. Office 365 contains the same core applications as traditional versions of Office, including Word, Excel, PowerPoint, Outlook, OneNote, and, depending on the plan purchased, may also include other apps and services such as Publisher, Planner, OneDrive, Exchange, SharePoint, Access, Skype, Yammer, and Microsoft Teams.

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required validation procedure that only they know or have access to.

Acceptto SSO-MFA for Office 365 enables strong authentication and secure access via SAML protocol to your Azure and Office 365 tenant.

Prerequisites

An Acceptto account with a configured Identity Provider and LDAP Agent.
For more information, see the LDAP Agent deployment guide.
A user with administrative privileges for the Acceptto services.
An organization identifier provided by Acceptto (organization slug).
A Microsoft™ Azure Active Directory tenant with custom domain configuration.
An Azure Active Directory tenant administrator account.
Acceptto acts as an identity provider (IdP) for Office 365 and authenticates users against your existing on-premises Active Directory credentials. On the other hand, Office 365 uses Azure AD as its identity store. Then, on-premises AD users should be synchronized to Azure AD through Azure AD Connect application. In addition, all the Azure AD users that will be authenticated via Acceptto SAML must have an immutableID set. To identify which users may not have an immutableID set run the following PowerShell™ command (Make sure you have the MSOnline PowerShell module installed via “Install-Module -Name MSOnline” and connect to your Azure instance via “Connect-MsolService” command):
```
Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID

UserPrincipalName                  ImmutableId
-----------------                  -----------
User1@example.com      123ABC45-67EF-90GH-12IJ-34KL56MN7890P
User2@example.com
```
Make sure you have the latest WMF (Windows management framework) installed. You can check the version of your PowerShell with this command:
```
Get-Host | Select-Object Version
```
Users that do not show an ImmutableID such as User2@example.com, will not be able to login using SAML. To change the ImmutableID for specific users, run the following PowerShell command (replace UserPrincipalName with the affected user UserPrincipalName, e.g., User2@example.com):
```
$guid = New-Guid
Set-MSOLUser -UserPrincipalName UserPrincipalname -ImmutableID $guid
```

Acceptto SAML Configuration as Identity Provider (IdP)

Login to the Acceptto Dashboard with an administrative account and go to Applications.
Create a new application by selecting the Create New Application.
In the New Application form, enter the following values under the General tab:
- Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs (e.g. Office 365)
- Type - Select "SAML Service Provider" from the options
- Out of Band Methods - Select the allowed methods for approving MFA requests
- Message for MFA Requests - Enter the user-facing message for Push, SMS, and e-mail MFA requests (optional)
Under the SAML Service Provider Configuration tab, enter the following values (Click on the Microsoft federation metadata url and find the required attributes).
- Issuer or Entity ID – Enter the Microsoft Issuer: "urn:federation:MicrosoftOnline"
- Sign in URL - The URL used to login to Azure or Office 365 portals. You can use https://portal.azure.com, https://portal.office.com, or https://login.microsoftonline.com/login.srf.
- Metadata URL - The Microsoft metadata URL: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
- ACS URL - Enter the Microsoft ACS URL:https://login.microsoftonline.com/login.srf
- NameID Format - Select "Persistent" from the dropdown menu
- Name Identifier - Select "ObjectGUID" from the dropdown menu
- Asserted Attributes
  - Friendly Name - Enter "Email"
  - Name - Enter "IDPEmail"
  - Value - Enter the name used for the email attribute in your user directory (e.g., "mail")
  - Name Format - Select "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" from the dropdown menu.
- Response Hosts - add “portal.azure.com”, “portal.office.com” and “login.microsoftonline.com”.
Click Save to create the Application.
Download your SAML IdP X509 certificate. Go to the following website to download the cert.pem file containing your certificate:
http://sso.acceptto.com/[organization identifier]/saml/download/cert
Note: Azure AD requires the certificate in string format. Before you use this certificate, open the file in a text editor and edit the certificate by removing the line breaks and the begin/end certificate directives in such a way to have it as a single line string format (this web utility can do this automatically).

Configure Office 365 as a Service Provider (SP)

Run PowerShell as an administrator and connect to your Azure instance with the command below. You need to login with your Azure tenant administrator account. Note: this admin account should be in a separate domain than the one that will be federated (e.g. a member of the default domain that is provided by Microsoft).
```
Connect-MsolService
```
Retrieve all domains for the company (verified or unverified) to identify the domain should be federated.
```
Get-MsolDomain
```

Run the following script in a PowerShell environment (most of the values come from the earlier section “Configure the Acceptto Identity Provider”, update these values where necessary):

# The domain you want to authenticate against SAML(mandatory)
$domain="example.com"
# Identify who your IdP is
$BrandName = "Acceptto SAML IDP"
# Logon URL (mandatory)
$LogOnUrl = "https://sso.acceptto.com/[organization identifier]/saml/auth"
# Logoff URL (mandatory)
$LogOffUrl = "https://sso.acceptto.com/[organization identifier]/saml/logout"
# The IdP Certificate. Note the use of @ to make it a raw text variable.
$SigningCert = "Copy your Acceptto Appliance SAML signing certificate got earlier in one single line, here"
# The issuer URI. 
$uri = "https://sso.acceptto.com/[organization identifier]/saml"
$Protocol = "SAMLP"

After defining the parameters, issue the below command . A successful run of the command should not return any errors.

Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol

To verify if the domain is configured to use SAML, use the following command:

Get-MsolDomainFederationSettings -domainname example.com | fl *

The output should be similar to the following and must show the same values as used in the script variables above.

ExtensionData                          : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri                         :
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : acceptto.com
IssuerUri                              : https://sso.acceptto.com/org-id/saml
LogOffUri                              : https://sso.acceptto.com/org-id/saml/logout
MetadataExchangeUri                    :
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://sso.acceptto.com/org-id/saml/auth
PasswordChangeUri                      :
PasswordResetUri                       :
PreferredAuthenticationProtocol        : Samlp
PromptLoginBehavior                    :
SigningCertificate                     : MII 79701424009245946274090644119698913542736738414383197137136495653488597823440743026907540474162173229890086677980241691766203566484177525691391892547529556572165857639252331212281503088199745189921112D=
SigningCertificateUpdateStatus         :
SupportsMfa                            :

Test your application integration

Go to the Azure or Office 365 portals. You will be redirected to the Acceptto SAML page.
After successful authentication, you’ll see the Acceptto’s authenticator options. Select the desired method and approve the verification stage.
Finally, you will be redirected to your Azure/Office 365 landing page.

Troubleshooting

If you may receive an error page. It might take different forms:

If you receive an Acceptto branded web page such as below, then check if your username and password are correct. If after checking your credentials, it still fails to log you in, please contact our support.
If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Acceptto IdP. Correct any discrepancies and rerun the script.
If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Acceptto IdP. Correct any discrepancies and rerun the script.
```
Set-MsolDomainAuthentication -DomainName example.com -Authentication “managed”
```

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

Azure, PowerShell, Microsoft, and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.

In this section: