Microsoft Office 365 SAML integration
Office 365 is a cloud-based, subscription model version of Microsoft Office. Office 365 contains the same core applications as traditional versions of Office, including Word, Excel, PowerPoint, Outlook, OneNote, and, depending on the plan purchased, may also include other apps and services such as Publisher, Planner, OneDrive, Exchange, SharePoint, Access, Skype, Yammer, and Microsoft Teams.
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.
Arculix by SecureAuth offers an SSO-MFA solution for Office 365 that enables strong authentication and secure access to your Azure and Office 365 tenant via SAML protocol.
Watch a video about this integration with Arculix in under 5 minutes.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
Microsoft™ Azure Active Directory tenant with custom domain configuration.
An Azure Active Directory tenant administrator account.
Arculix acts as an identity provider (IdP) for Office 365 and authenticates users against your existing on-premises Active Directory credentials.
On the other hand, Office 365 uses Azure AD as its identity store. Then, on-premises AD users should be synchronized to Azure AD through Azure AD Connect application. In addition, all the Azure AD users that will be authenticated via Arculix SAML must have an immutableID set.
To identify which users may not have an immutableID set, run the following PowerShell™ command (Make sure you have the MSOnline PowerShell module installed via “Install-Module -Name MSOnline” and connect to your Azure instance via “Connect-MsolService” command):
Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID UserPrincipalName ImmutableId ----------------- ----------- User1@example.com 123ABC45-67EF-90GH-12IJ-34KL56MN7890P User2@example.com
Make sure you have the latest WMF (Windows management framework) installed. You can check the version of your PowerShell with this command:
Get-Host | Select-Object Version
Users that do not show an ImmutableID such as User2@example.com, will not be able to login using SAML. To change the ImmutableID for specific users, run the following PowerShell command (replace UserPrincipalName with the affected user UserPrincipalName, e.g., User2@example.com):
$guid = New-Guid Set-MSOLUser -UserPrincipalName UserPrincipalname -ImmutableID $guid
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application for Office 365 and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, Office 365.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Issuer or Entity ID
Set to urn:federation:MicrosoftOnline.
Log in URL
Enter the URL to log in to Azure or Office 365 portals.
The options are:
https://portal.azure.com,https://portal.office.com, orhttps://login.microsoftonline.com/login.srf.Metadata URL
Enter the the Microsoft metadata URL:
https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xmlNameID Format
Set to Persistent.
Name Identifier
Set to ObjectGUID.
ACS URL
Enter the Microsoft ACS URL:
https://login.microsoftonline.com/login.srf.
Click Add New Attribute Assertion button and set the following:
Friendly Name
Set to Email.
Name
Set to IDPEmail.
Value
Set to the name used for the email attribute in your user directory.
For example, email.
Name Format
Set to urn:oasis:names:tc:SAML:2.0:attrname-format:basic.
In the Response Hosts section, add the following response hosts:
portal.azure.com
portal.office.com
login.microsoftonline.com
Save your changes.
Download your SAML IdP X509 certificate from
http://sso.acceptto.com/[organization identifier]/saml/download/certNote
Azure AD requires the certificate in string format. Before you use this certificate, open the file in a text editor and edit the certificate by removing the line breaks and the begin/end certificate directives in such a way to have it as a single line string format.
This web utility can do this automatically.
Office 365 configuration
In this section, you'll configure Office 365 as a service provider (SP).
Run PowerShell as an administrator and connect to your Azure instance with the command below. You need to login with your Azure tenant administrator account.
Note
This admin account should be in a separate domain than the one that will be federated. For example, a member of the default domain that is provided by Microsoft.
Connect-MsolService
Retrieve all domains for the company (verified or unverified) to identify the domain should be federated.
Get-MsolDomain
Run the following script in a PowerShell environment.
Note
Most of the following values come from the earlier Arculix SAML configuration as an Identity Provider (IdP) section. Update these values where necessary.
# The domain you want to authenticate against SAML(mandatory) $domain="example.com" # Identify who your IdP is $BrandName = "Arculix SAML IDP" # Logon URL (mandatory) $LogOnUrl = "https://sso.acceptto.com/[organization identifier]/saml/auth" # Logoff URL (mandatory) $LogOffUrl = "https://sso.acceptto.com/[organization identifier]/saml/logout" # The IdP Certificate. Note the use of @ to make it a raw text variable. $SigningCert = "Copy your Arculix Appliance SAML signing certificate got earlier in one single line, here" # The issuer URI. $uri = "https://sso.acceptto.com/[organization identifier]/saml" $Protocol = "SAMLP"
After defining the parameters, issue the below command . A successful run of the command should not return any errors.
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol
To verify if the domain is configured to use SAML, use the following command:
Get-MsolDomainFederationSettings -domainname example.com | fl *
The output should be similar to the following and must show the same values as used in the script variables above.
ExtensionData : System.Runtime.Serialization.ExtensionDataObject ActiveLogOnUri : DefaultInteractiveAuthenticationMethod : FederationBrandName : acceptto.com IssuerUri : https://sso.acceptto.com/org-id/saml LogOffUri : https://sso.acceptto.com/org-id/saml/logout MetadataExchangeUri : NextSigningCertificate : OpenIdConnectDiscoveryEndpoint : PassiveLogOnUri : https://sso.acceptto.com/org-id/saml/auth PasswordChangeUri : PasswordResetUri : PreferredAuthenticationProtocol : Samlp PromptLoginBehavior : SigningCertificate : MII 79701424009245946274090644119698913542736738414383197137136495653488597823440743026907540474162173229890086677980241691766203566484177525691391892547529556572165857639252331212281503088199745189921112D= SigningCertificateUpdateStatus : SupportsMfa :
Test your application integration
Go to the Azure or Office 365 portals.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the Office 365 application.
Finally, you will be redirected to your Azure/Office 365 landing page.
Troubleshooting
If you may receive an error page. It might take different forms:
If you receive an "Incorect username or password, please try again" error message, then check if your username and password are correct. If after checking your credentials, it still fails to log you in, please contact our support.
If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Arculix IdP. Correct any discrepancies and rerun the script.
If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Arculix IdP. Correct any discrepancies and rerun the script.
Set-MsolDomainAuthentication -DomainName example.com -Authentication “managed”
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.
Azure, PowerShell, Microsoft, and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.