Microsoft Office 365 SAML integration

Office 365 is a cloud-based, subscription model version of Microsoft Office. Office 365 contains the same core applications as traditional versions of Office, including Word, Excel, PowerPoint, Outlook, OneNote, and, depending on the plan purchased, may also include other apps and services such as Publisher, Planner, OneDrive, Exchange, SharePoint, Access, Skype, Yammer, and Microsoft Teams.

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.

Arculix by SecureAuth offers an SSO-MFA solution for Office 365 that enables strong authentication and secure access to your Azure and Office 365 tenant via SAML protocol.

Prerequisites

• Arculix account with a configured Identity Provider and LDAP Agent.

• User account with administrative privileges for Arculix.

• An organization identifier provided by Arculix (organization slug).

• A Microsoft™ Azure Active Directory tenant with custom domain configuration.

• An Azure Active Directory tenant administrator account.

• Arculix acts as an identity provider (IdP) for Office 365 and authenticates users against your existing on-premises Active Directory credentials. On the other hand, Office 365 uses Azure AD as its identity store. Then, on-premises AD users should be synchronized to Azure AD through Azure AD Connect application. In addition, all the Azure AD users that will be authenticated via Arculix SAML must have an immutableID set. To identify which users may not have an immutableID set, run the following PowerShell™ command (Make sure you have the MSOnline PowerShell module installed via “Install-Module -Name MSOnline” and connect to your Azure instance via “Connect-MsolService” command):

Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID

UserPrincipalName                  ImmutableId
-----------------                  -----------
User1@example.com      123ABC45-67EF-90GH-12IJ-34KL56MN7890P
User2@example.com

• Make sure you have the latest WMF (Windows management framework) installed. You can check the version of your PowerShell with this command:

Get-Host | Select-Object Version

• Users that do not show an ImmutableID such as User2@example.com, will not be able to login using SAML. To change the ImmutableID for specific users, run the following PowerShell command (replace UserPrincipalName with the affected user UserPrincipalName, e.g., User2@example.com):

$guid = New-Guid Set-MSOLUser -UserPrincipalName UserPrincipalname -ImmutableID$guid


Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Office 365 and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

2. Click Create New Application.

3. In the New Application form, on the General tab, set the following configurations:

 Name Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.For example, Office 365. Type Set to SAML Service Provider. Out of Band Methods Select the allowed methods end users can choose to approve MFA requests.For example, Arculix Mobile app (push notifications), SMS, or Security Key. Message for MFA Requests (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
4. Select the SAML Service Provider Configuration tab, and set the following configurations:

 Issuer or Entity ID Set to urn:federation:MicrosoftOnline. Log in URL Enter the URL to log in to Azure or Office 365 portals.The options are: https://portal.azure.com, https://portal.office.com, or https://login.microsoftonline.com/login.srf. Metadata URL Enter the the Microsoft metadata URL: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml NameID Format Set to Persistent. Name Identifier Set to ObjectGUID. ACS URL Enter the Microsoft ACS URL: https://login.microsoftonline.com/login.srf.
5. Click Add New Attribute Assertion button and set the following:

 Friendly Name Set to Email. Name Set to IDPEmail. Value Set to the name used for the email attribute in your user directory.For example, email. Name Format Set to urn:oasis:names:tc:SAML:2.0:attrname-format:basic.
6. In the Response Hosts section, add the following response hosts:

• portal.azure.com

• portal.office.com

8. Download your SAML IdP X509 certificate from http://sso.arculix.com/[organization identifier]/saml/download/cert

Note

Azure AD requires the certificate in string format. Before you use this certificate, open the file in a text editor and edit the certificate by removing the line breaks and the begin/end certificate directives in such a way to have it as a single line string format.

This web utility can do this automatically.

Office 365 configuration

In this section, you'll configure Office 365 as a service provider (SP).

Note

This admin account should be in a separate domain than the one that will be federated. For example, a member of the default domain that is provided by Microsoft.

Connect-MsolService

2. Retrieve all domains for the company (verified or unverified) to identify the domain should be federated.

Get-MsolDomain

3. Run the following script in a PowerShell environment.

Note

Most of the following values come from the earlier Arculix SAML configuration as an Identity Provider (IdP) section. Update these values where necessary.

# The domain you want to authenticate against SAML(mandatory)
$domain="example.com" # Identify who your IdP is$BrandName = "Arculix SAML IDP"
# Logon URL (mandatory)
$LogOnUrl = "https://sso.arculix.com/[organization identifier]/saml/auth" # Logoff URL (mandatory)$LogOffUrl = "https://sso.arculix.com/[organization identifier]/saml/logout"
# The IdP Certificate. Note the use of @ to make it a raw text variable.
$SigningCert = "Copy your Arculix Appliance SAML signing certificate got earlier in one single line, here" # The issuer URI.$uri = "https://sso.arculix.com/[organization identifier]/saml"
$Protocol = "SAMLP"  4. After defining the parameters, issue the below command . A successful run of the command should not return any errors. Set-MsolDomainAuthentication -DomainName$domain -FederationBrandName $BrandName -Authentication federated -PassiveLogOnUri$LogOnUrl -SigningCertificate $SigningCert -IssuerUri$uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol$Protocol


To verify if the domain is configured to use SAML, use the following command:

Get-MsolDomainFederationSettings -domainname example.com | fl *


The output should be similar to the following and must show the same values as used in the script variables above.

ExtensionData                          : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri                         :
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : arculix.com
IssuerUri                              : https://sso.arculix.com/org-id/saml
LogOffUri                              : https://sso.arculix.com/org-id/saml/logout
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://sso.arculix.com/org-id/saml/auth
PreferredAuthenticationProtocol        : Samlp
SigningCertificate                     : MII 79701424009245946274090644119698913542736738414383197137136495653488597823440743026907540474162173229890086677980241691766203566484177525691391892547529556572165857639252331212281503088199745189921112D=
SupportsMfa                            :


1. Go to the Azure or Office 365 portals.

2. You will be redirected to the Arculix SSO page.

3. After successful authentication, select your preferred MFA method to approve access to the Office 365 application.

4. Finally, you will be redirected to your Azure/Office 365 landing page.

Troubleshooting

If you may receive an error page. It might take different forms:

• If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Arculix IdP. Correct any discrepancies and rerun the script.

• If you receive an Azure branded error web page such as below, check that the script you run exactly matches the values you obtained from the Arculix IdP. Correct any discrepancies and rerun the script.

Set-MsolDomainAuthentication -DomainName example.com -Authentication “managed”


Support

If you have questions or need assistance, contact SecureAuth Support.