Documentation
Introduction

Use this guide to enable 2-Factor Authentication for external user access and desktop Single Sign-on (SSO) for internal user access via WS-Federation and WS-Trust to Microsoft Office 365 web and thick applications.

Prerequisites
SecureAuth IdP Prerequisites

1. Create two (2) new realms for the Office 365 integration (Realm 1 and Realm 2)

2. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods – the 2-Factor Authentication methods that will be used to access this page (if any) must be defined

Office 365 Prerequisites

1. Have an Office 365 account

2. Activate Office 365 Account and Tenant – Welcome to the new Office, Office 365 Developer Site, and Office 365 Readiness Wizard

3. Register a valid domain with Office 365

 Add a domain to Office 365

1. Log into Office 365 account with the .onmicrosoft.com admin account

2. Click Management, then Domains

3. Click Add a domain

4. Enter the Domain and click Next

5. Verify the Domain per instructions for the domain registrar

6. Select the appropriate services

7. Configure the DNS records on the domain registrar for other services


Leave the .onmicrosoft.com domain as the primary domain for the account; making the new domain the default causes errors when running the Set-MsolDomainAuthentication command (see PowerShell Configuration below)

4. Have a Microsoft Active Directory Domain Controller with the same domain suffix as that registered with Office 365

 Add UPN suffixes to a forest

A. Open Active Directory Domains and Trusts

B. Right-click Active Directory Domains and Trusts in the Tree window pane, then click Properties

C. On the UPN Suffixes tab, type the new UPN suffix you would like to add to the forest

D. Click Add, and then click OK

5. Have Windows Identity Foundation (WIF) installed on the SecureAuth IdP appliance(s)

6. Have a domain-joined Windows Server for Directory Synchronization

7. Have a Windows Workstation or Server for Microsoft Online Services Module for Windows PowerShell

This is not required to be domain-joined

8. Have a publicly trusted SSL / signing certificate

A third-party certificate is required if using thick clients (Outlook, Lync, etc.)

SecureAuth IdP Configuration Steps

Follow these configuration steps for Realm 1

Data

 

1. In the Profile Fields section, map the userPrincipalName to a SecureAuth IdP Property (e.g. Aux ID 8)

2. Map the objectGUID to a SecureAuth IdP Property (e.g. Aux ID 9)

The objectGUID must be mapped to Aux ID 9 or Aux ID 10

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Workflow

 

3. In the SAML 2.0 Service Provider section, set the SP Start URL to https://login.microsoftonline.com/login.srf to enable SSO and to redirect users appropriately to access Office 365

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Post Authentication

 

4. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication section

5. The Redirect To field is auto-populated with a fixed URL (Authorized/WSFedProvider.aspx) that is appended to the domain name and realm number shown in the address bar; this value cannot be altered

6. A customized post authentication page can be uploaded, but it is not required

User ID Mapping

 

7. Select the SecureAuth IdP Property that corresponds to the directory field that contains the objectGUID (Aux ID 9)

8. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

Select a different option only if Office 365 requires it; the Service Provider (SP) specifies which format it expects

9. Select True from the Encode to Base64 dropdown

SAML Assertion / WS Federation

 

10. Set the WSFed Reply To/SAML Target URL to https://login.microsoftonline.com/login.srf

11. Set the WSFed/SAML Issuer to https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/ and replace the values with the actual Fully Qualified Domain Name (FQDN) and the number of Realm 1, e.g. SecureAuth1

The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the Office 365 side

12. Set the SAML Audience to urn:federation:MicrosoftOnline (case sensitive)

13. Set the SAML Offset Minutes to make up for time differences between devices

14. Set the SAML Valid Hours to limit for how long the WS-Federation assertion is valid

15. Select True from the Sign SAML Assertion dropdown

16. Select False from the Sign SAML Message dropdown

No configuration is required for the SAML Consumer URL or the SAML Recipient fields

 

17. Click Select Certificate to select the appropriate publicly trusted SSL / signing certificate

18. Provide the Domain in order to Download the Metadata File to send to Office 365 (if required)

SAML Attributes / WS Federation

 

19. Add IDPEmail as a WS-Federation Attribute in the Name field (Attribute 1)

20. Set the Namespace to http://schemas.xmlsoap.org/claims/UPN

21. Select Aux ID 8 (or the field that contains the userPrincipalName) from the Value dropdown

22. Add ImmutableID in the Name field (Attribute 2)

23. Set the Namespace to http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

24. Select Base64 Encoded from the Format dropdown

25. Select Aux ID 9 (or the field that contains the objectGUID) from the Value dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

WS-Trust Endpoint Configuration

 

26. Click View and Configure WS-Trust endpoints

WS-Trust Host Name

 

27. Provide the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance in the Host Name field

WS-Trust Endpoint Configuration

 

28. Check to enable the /2005/usernamemixed and the /2005/windowstransport Endpoint Paths

Click Save once the configurations have been completed and before leaving the WS-Trust Endpoints page to avoid losing changes

Forms Auth / SSO Token

 

29. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for SSO

These are optional configurations

 To configure this realm's token/cookie settings, follow these steps:
Forms Authentication


1. If SSL is required to view the token, select True from the Require SSL dropdown

2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:

  • UseCookies enables SecureAuth IdP to always deliver a cookie
  • UseUri prevents SecureAuth IdP from delivering a cookie; the token is delivered in a query string instead
  • AutoDetect enables SecureAuth IdP to deliver a cookie if the user's settings allow it
  • UseDeviceProfile enables SecureAuth IdP to deliver a cookie if the browser's settings allow it, regardless of the user's settings

3. Set the Sliding Expiration to True to keep the cookie valid for as long as the user is interacting with the page

4. Set the Timeout length to determine for how many minutes a cookie is valid

No configuration is required for the Name, Login URL, or Domain fields

Machine Key

5. No changes are required in the Validation field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

6. No changes are required in the Decryption field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

No configuration is required for the Validation Key or Decryption Key fields

Authentication Cookies

 

7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown

Selecting False - Session Cookie keeps the cookie valid only while the session is open; it expires once the browser is closed or the session expires

No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields

Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid losing changes

To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration

To configure this realm for Windows Desktop SSO, refer to Windows Desktop SSO Configuration Guide

Follow these configuration steps for Realm 2

 

30. Create a New Realm from Existing and select the SecureAuth IdP realm number that corresponds to Realm 1 in this guide

This will duplicate Realm 1 to create Realm 2

Realm 2 should be identical to Realm 1, with these configuration steps added

Workflow

 

31. In the Workflow section, select Public Mode Only from the Public/Private Mode dropdown

32. Select UserName Only from the Authentication Mode dropdown

33. Select True from the User Impersonation dropdown

34. Select True from the Windows Authentication dropdown

Custom Front End

 

35. Select Token from the Receive Token dropdown

36. Select True from the Require Begin Site dropdown

37. Select Windows SSO from the Begin Site dropdown

38. WindowsSSO.aspx will auto-populate the Begin Site URL field

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Office 365 Configuration Steps

This is to be used as a general configuration guide, but may not fit every Office 365 environment

SecureAuth is not responsible for configuring the Office 365 application; however, these steps are included to assist customers in preparing their Office 365 environment for the SecureAuth IdP integration

Windows Azure AD for SSO

Office 365 uses Microsoft Windows Azure AD in the cloud to store user identities; Azure AD can also be used as a directory store for MS CRM Online, Windows Intune, and Windows Azure.

Follow Microsoft's Single Sign-on Roadmap to configure Office 365 for SSO

Read Prepare for Single Sign-on to learn the benefits of SSO and what end-users will experience when they connect from different locations

Be sure that the environment meets the requirements to enable SSO and verify that the Active Directory is compatible with the SSO requirements

1. Prepare Active Directory by running the Microsoft Office 365 for Enterprises Deployment Readiness Tool

2. Set up and manage Active Directory Synchronization

Follow Configure Filtering for Directory Synchronization to limit the synchronization to a specific organizational unit

3. Install the Microsoft Online Services Sign-in Assistant for IT Professionals

2003-2008 or 2012 only

Windows PowerShell
Install Microsoft Online Services Module for Windows PowerShell

1. Refer to Install Windows PowerShell for Single Sign-on with ADFS

Modules: 64-bit or 32-bit

2. Start Microsoft Online Services Module for Windows PowerShell

Configure Office 365 Domain Federation via PowerShell

Run these commands exactly in the order provided, and replace the "DomainName" placeholder with the SecureAuth IdP Domain Name, the "SecureAuthIdPFQDN" placeholders with the actual SecureAuth IdP Hostname, and the "SecureAuthIdPRealm1" and "SecureAuthIdPRealm2" placeholders with the actual SecureAuth IdP realm being used (SecureAuth1, SecureAuth2)

Place quotation marks around the values used, e.g. if the command requires $dom="DomainName", then enter the domain name in quotes ($dom="secureauthdev.com")

 

Follow the table below to enter the PowerShell commands

The DomainName, SecureAuthIdPFQDN, SecureAuthIdPRealm1, and SecureAuthIdPRealm2 placeholders must be changed and are unique to every configuration

The SecureAuthIdPRealm1 and SecureAuthIdPRealm2 placeholders are replaced with the Realm 1 and Realm 2 numbers

1

Connect-MsolService

Function: The Connect-MsolService cmdlet initiates a connection to the online service

2

$dom="DomainName"

Function: The domain name registered with Office 365 (see Prerequisites)

3

$ura="https://SecureAuthIdPFQDN/SecureAuthIdPRealm2/webservice/wstrust.svc/2005/usernamemixed"

Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 2, followed by /webservice/wstrust.svc/2005/usernamemixed

This URL specifies the endpoint used by active clients when authenticating with domains set up for SSO (identity federation) in Office 365

Example: "https://secureauth.secureauthdemo.com/secureauth2/webservice/wstrust.svc/2005/usernamemixed"

SecureAuthIdPFQDN and SecureAuthIdPRealm2 are unique for every appliance

4

$url="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/"

Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1

This is the URL to which web-based (passive) clients are directed when signing into Office 365

Example: "https://secureauth.secureauthdemo.com/secureauth1/"

5

$uri="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/"

Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1

This is the unique identifier of the domain in the Office 365 platform that is derived from the federation server

Example: "https://secureauth.secureauthdemo.com/secureauth1/"

The $uri value and the WSFed/SAML Issuer in the SecureAuth IdP Web Admin must match exactly, including the trailing forward slash "/"

6

$logouturl="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/wsfedsignout.aspx"

Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1, followed by /wsfedsignout.aspx

This is the URL to which users are redirected to sign out of Office 365

If using both IdP-initiated login and SSO and experiencing issues logging in, contact Support

Example: "https://secureauth.secureauthdemo.com/secureauth1/wsfedsignout.aspx"

7

$metadata="https://SecureAuthIdPFQDN/SecureAuthIdPRealm2/webservice/wstrust.svc/mex"

Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 2, followed by the metadata location /webservice/wstrust.svc/mex

This URL specifies the metadata exchange endpoint used for authentication from rich client applications, such as Lync Online

Example: "https://secureauth.secureauthdemo.com/secureauth2/webservice/wstrust.svc/mex"

8

$cert="<CERT VALUE>"

Function: The variable containing the Certificate Value of the certificate used to sign tokens passed to the Office 365 identity platform

Replace <CERT VALUE> with the actual value

Export the certificate used in the SecureAuth IdP Web Admin for signing the WS-Federation Assertion

1. Export the SSL certificate in Base64 format

2. Open the exported certificate in a text editor (Windows Notepad or Notepad++)

3. Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the file

4. Remove all returns (CR-LF) so that the certificate value is one line of text with no formatting

9

Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogonUri $ura -MetadataExchangeUri $metadata -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed

Function: This command configures Office 365 with the variables set in previous lines (above)

Verify that the Office 365 account is configured properly by running Get-MsolDomainFederationSettings -DomainName <DomainName> in Azure PowerShell, replacing "<DomainName>" with the actual domain name, e.g. Get-MsolDomainFederationSettings -DomainName secureauthdev.com

From there, review all of the information and confirm that the configuration is correct

If an error has been made, use Set-MsolDomainFederationSettings to modify any variable that was set incorrectly

For example, changing the $ura variable and then running Set-MsolDomainFederationSettings -ActiveLogOnUri $ura changes the ActiveLogOnUri value to the new $ura value
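The following script is an added example (not SecureAuth's or Microsoft's own code) that carries out rows 1 through 9 of the table above from three site-specific values, then reads the federation settings back and flags any field that does not match what was submitted. The hostname, realm names, domain and certificate path are placeholders; the MSOnline module is assumed to be installed.

```powershell
# Added example: federate the domain and verify the stored settings.
$fqdn    = 'secureauth.example.com'    # placeholder: SecureAuth IdP FQDN
$realm1  = 'secureauth1'               # placeholder: web (passive) realm, Realm 1
$realm2  = 'secureauth2'               # placeholder: WS-Trust (active) realm, Realm 2
$dom     = 'example.com'               # placeholder: domain registered with Office 365
$cerPath = 'C:\certs\idp-signing.cer'  # placeholder: exported signing certificate (DER or Base64)

# Rows 3-7: build the endpoint URLs from the FQDN and realm names. $uri keeps its trailing
# slash because Office 365 compares it exactly with the WSFed/SAML Issuer set in Realm 1.
$url       = "https://$fqdn/$realm1/"
$uri       = $url
$logouturl = "https://$fqdn/$realm1/wsfedsignout.aspx"
$ura       = "https://$fqdn/$realm2/webservice/wstrust.svc/2005/usernamemixed"
$metadata  = "https://$fqdn/$realm2/webservice/wstrust.svc/mex"

# Row 8: load the signing certificate and export the public part as one Base64 line.
# X509Certificate2 reads both DER and PEM files, and Export('Cert') returns only the raw
# certificate bytes, so no BEGIN/END lines or CR-LF have to be stripped by hand.
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$cert = [Convert]::ToBase64String($x509.Export('Cert'))

# Rows 1 and 9: connect to the service and federate the domain.
Connect-MsolService
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated `
    -PassiveLogOnUri $url -ActiveLogOnUri $ura -MetadataExchangeUri $metadata `
    -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed

# Verification: read back what Office 365 stored and compare each field, case-sensitively,
# with the value that was sent. A mismatch here is the usual cause of a failed federated login.
$expected = @{
    IssuerUri           = $uri
    PassiveLogOnUri     = $url
    ActiveLogOnUri      = $ura
    MetadataExchangeUri = $metadata
    LogOffUri           = $logouturl
    SigningCertificate  = $cert
}
$actual = Get-MsolDomainFederationSettings -DomainName $dom
foreach ($name in $expected.Keys) {
    if ($actual.$name -ceq $expected[$name]) {
        Write-Host "OK       $name"
    } else {
        Write-Warning "MISMATCH $name`n  expected: $($expected[$name])`n  actual:   $($actual.$name)"
    }
}
```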

PowerShell Issues and Federation Settings

  • If the Set-MsolDomainAuthentication command is not working in PowerShell, run it without the -DomainName $dom and -Authentication Federated parameters; PowerShell then prompts for the domain name and the Federated authentication type
  • Verify the Federation settings on the domain by running the command Get-MsolDomainFederationSettings -DomainName <DomainName>
  • A certificate issued by a trusted source may be required; when adding such a certificate, use the certificates console to modify the permissions on the new certificate and grant Network Service read permission on the Private Key
Troubleshooting
Resolving Authentication Issues Using Firefox

If there are issues with the authentication after being passed through SecureAuth IdP, use Firefox with SAML Tracer to view the POST to Office 365. In the Parameters tab of the POST, identify the UPN, ImmutableID, and NameID. Then use Microsoft Online PowerShell to log in and check those values against the user by running Get-MsolUser -UserPrincipalName user@company.com | fl *
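As an added example (not part of the original guide), the function below automates the second half of that check: it computes the Base64-encoded objectGUID that Realm 1 sends as the ImmutableID attribute and compares it with the ImmutableId Office 365 holds for the same UPN. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already been run; the UPN at the bottom is a placeholder.

```powershell
# Added example: compare the on-premises objectGUID (Base64) with the Office 365 ImmutableId.
function Test-ImmutableIdMatch {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Properties objectGUID
    if (-not $adUser) { throw "No Active Directory user with UPN $UserPrincipalName" }

    # objectGUID is a System.Guid; the ImmutableID is the Base64 encoding of its 16 raw bytes,
    # which is what the Base64 Encoded format of Attribute 2 produces in the WS-Federation assertion.
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    $msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $msolUser) { throw "No Office 365 user with UPN $UserPrincipalName" }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        AdImmutableId     = $expected
        MsolImmutableId   = $msolUser.ImmutableId
        Match             = ($expected -ceq $msolUser.ImmutableId)
    }
}

# Placeholder UPN; compare the two ImmutableId columns with the value seen in SAML Tracer.
Test-ImmutableIdMatch -UserPrincipalName 'user@company.com' | Format-List
```

If Match is False, the NameID and ImmutableID in the assertion will not map to the synchronized user, which shows up in Office 365 as a failed login even though SecureAuth IdP authenticated the user successfully.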

Update Federated Domain Properties after Federation

If the Federated Domain Properties (LogOffUri, MetadataExchangeUri, etc.) need updating, update each of them using Set-MsolDomainFederationSettings (MSDN Technet Details). Additionally, verify the current Federated Domain settings using Get-MsolDomainFederationSettings.

Resolved Issues: Windows Identity Foundation not found error message