Introduction
Use this guide to enable 2-Factor Authentication for external user access and desktop Single Sign-on (SSO) for internal user
access via WS-Federation and WS-Trust to Microsoft Office 365 web and thick-client applications.
Prerequisites
2. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:
Overview: the description of the realm and the SMTP connection must be defined
Data: an enterprise directory must be integrated with SecureAuth IdP
Workflow: the way in which users will access this application must be defined
Registration Methods: the 2-Factor Authentication methods that will be used to access this page (if any) must be defined
2. Activate the Office 365 account and tenant (see Welcome to the new Office, Office 365 Developer Site, and Office 365 Readiness Wizard)
7. Configure the DNS records on the domain registrar for other services
Leave the .onmicrosoft.com domain as the primary domain for the account, because making the new domain the default
causes errors when using the Set-MsolDomainAuthentication command (see PowerShell Configuration)
4. Have a Microsoft Active Directory Domain Controller with the same domain suffix as that registered with Office 365
How To: Add UPN Suffixes to a Forest
5. Have Windows Identity Foundation (WIF) installed on the SecureAuth IdP appliance(s)
7. Have a Windows Workstation or Server for Microsoft Online Services Module for Windows PowerShell
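The following is an added example, not part of the SecureAuth guide, that checks prerequisite 4 on the Active Directory side: it adds the Office 365 domain as a UPN suffix if the forest lacks it and lists enabled accounts whose UPN does not carry that suffix. It assumes the ActiveDirectory PowerShell module on a domain-joined administrative host; the domain name and the sAMAccountName in the remediation line are placeholders.

```powershell
# Added example, not part of the SecureAuth guide: verifies prerequisite 4 on the
# AD side with the ActiveDirectory module, run from a domain-joined admin host.
# Assumption: "secureauthdev.com" is the domain registered with Office 365 (placeholder).
Import-Module ActiveDirectory
$federatedDomain = "secureauthdev.com"

# The forest must allow the federated domain as a UPN suffix. The DNS names of the
# forest's own domains are always allowed; anything else must be added explicitly.
$forest = Get-ADForest
if ($forest.Domains -notcontains $federatedDomain -and $forest.UPNSuffixes -notcontains $federatedDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $federatedDomain}
    Write-Host "Added UPN suffix $federatedDomain to forest $($forest.Name)"
}

# Office 365 routes a sign-in to the federated IdP by the UPN suffix the user types,
# so accounts whose UPN does not end in the federated domain will never reach
# SecureAuth IdP and the userPrincipalName mapping in the Data tab cannot match them.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$federatedDomain" }
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# Remediation for one account (placeholder sAMAccountName "jdoe"): keep the prefix, replace the suffix
# $u = Get-ADUser jdoe
# Set-ADUser $u -UserPrincipalName ("{0}@{1}" -f $u.SamAccountName, $federatedDomain)
```

Run the listing step before any domain is converted to federated authentication; once the domain is federated, every account in the list fails sign-in until its UPN is corrected.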
Data
1. In the Profile Fields section, map the userPrincipalName to a SecureAuth IdP Property (e.g. Aux ID 8)
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Workflow
3. In the SAML 2.0 Service Provider section, set the SP Start URL to https://login.microsoftonline.com/login.srf to
enable SSO and to redirect users appropriately to access Office 365
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
Post Authentication
4. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication section
5. An unalterable URL will be auto-populated in the Redirect To field; it appends Authorized/WSFedProvider.aspx to the
domain name and realm number shown in the address bar
User ID Mapping
7. Select the SecureAuth IdP Property that corresponds to the directory field that contains the objectGUID (Aux ID 9)
Select a different option if Office 365 requires it, which the Service Provider (SP) will provide
The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the Office 365 side (it is the value supplied
as the $uri / IssuerUri in the PowerShell configuration below)
13. Set the SAML Offset Minutes to compensate for clock differences between devices
14. Set the SAML Valid Hours to limit how long the WS-Federation assertion is valid
No configuration is required for the SAML Consumer URL or the SAML Recipient fields
17. Click Select Certificate to select the appropriate publicly trusted SSL / signing certificate (its value is the
<CERT VALUE> supplied to Office 365 as $cert in the PowerShell configuration below)
18. Provide the Domain in order to Download the Metadata File to send to Office 365 (if required)
21. Select Aux ID 8 (or the field that contains the userPrincipalName) from the Value dropdown
25. Select Aux ID 9 (or the field that contains the objectGUID) from the Value dropdown
Click Save once the configurations have been completed and before leaving the Post Authentication page
to avoid losing changes
WS-Trust Endpoint Configuration
27. Provide the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance in the Host Name field
Click Save once the configurations have been completed and before leaving the WS-Trust Endpoints page to avoid losing changes
29. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this
realm for SSO
1. If SSL is required to view the token, select True from the Require SSL dropdown
2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device
3. Set Sliding Expiration to True if the cookie should remain valid as long as the user is interacting with the page
4. Set the Timeout length to determine for how many minutes a cookie is valid
Machine Key
5. No changes are required in the Validation field, unless the default value does not match the company's requirement
Authentication Cookies
7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown
Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid
losing changes
To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration
To configure this realm for Windows Desktop SSO, refer to Windows Desktop SSO
Configuration Guide
30. Create a New Realm from Existing and select the SecureAuth IdP realm number that corresponds to Realm 1 in this guide
Workflow
31. In the Workflow section, select Public Mode Only from the Public/Private Mode dropdown
This realm serves the WS-Trust usernamemixed endpoint used by active (thick) clients, which authenticate with a
username and password rather than through the browser workflow (see WS-Trust Request Blocking under Related Docs)
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
This is to be used as a general configuration guide, but may not fit every Office 365 environment
SecureAuth is not responsible for configuring the Office 365 application; however, these steps are included to assist
customers in preparing their Office 365 environment for the SecureAuth IdP integration
Windows Azure AD for SSO
Office 365 utilizes Microsoft Windows Azure AD in the cloud to store user identities and can be used as a directory
store for MS CRM Online, Windows Intune, and Windows Azure.
Follow Microsoft's Single Sign-on Roadmap to configure Office 365 for SSO
Read Prepare for Single Sign-on to learn the benefits of SSO and what end-users will experience when
they connect from different locations
Be sure that the environment meets the requirements to enable SSO and verify that the Active Directory is
compatible with the SSO requirements
1. Prepare Active Directory by running the Microsoft Office 365 for Enterprises Deployment Readiness Tool
Follow Configure Filtering for Directory Synchronization to limit the synchronization to a specific
organizational unit
Windows PowerShell
Run these commands exactly in the order provided, and replace the "DomainName" placeholder with the SecureAuth IdP
Domain Name, the "SecureAuthIdPFQDN" placeholders with the actual SecureAuth IdP Hostname, and the
"SecureAuthIdPRealm1" and "SecureAuthIdPRealm2" placeholders with the actual SecureAuth IdP realms being used
(SecureAuth1, SecureAuth2)
Place quotation marks around the values used, e.g. if the command requires $dom="DomainName", then enter the domain
name in quotes ($dom="secureauthdev.com")
The SecureAuthIdPRealm1 and SecureAuthIdPRealm2 placeholders will be replaced with the Realm 1 and Realm 2 numbers
1. Connect-MsolService
Function: The Connect-MsolService cmdlet initiates a connection to the online service

2. $dom="DomainName"
Function: The domain name registered with Office 365 (see Prerequisites)

3. $ura="https://SecureAuthIdPFQDN/SecureAuthIdPRealm2/webservice/wstrust.svc/2005/usernamemixed"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 2, followed by
/webservice/wstrust.svc/2005/usernamemixed
This URL specifies the endpoint used by active clients when authenticating with domains set up for SSO (identity
federation) in Office 365
Example: "https://secureauth.secureauthdemo.com/secureauth2/webservice/wstrust.svc/2005/usernamemixed"
SecureAuthIdPFQDN and SecureAuthIdPRealm2 are unique for every appliance

4. $url="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1
This URL is where web-based clients are directed when signing into Office 365
Example: "https://secureauth.secureauthdemo.com/secureauth1/"

5. $uri="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1
This is the unique identifier of the domain in the Office 365 platform, derived from the federation server
Example: "https://secureauth.secureauthdemo.com/secureauth1/"

6. $logouturl="https://SecureAuthIdPFQDN/SecureAuthIdPRealm1/wsfedsignout.aspx"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 1, followed by /wsfedsignout.aspx
This is the URL to which users are redirected to sign out of Office 365
Example: "https://secureauth.secureauthdemo.com/secureauth1/wsfedsignout.aspx"

7. $metadata="https://SecureAuthIdPFQDN/SecureAuthIdPRealm2/webservice/wstrust.svc/mex"
Function: The variable containing the SecureAuth IdP FQDN and Office 365 Realm 2, followed by the metadata location
/webservice/wstrust.svc/mex
This URL specifies the metadata exchange endpoint used for authentication from rich client applications, such as
Lync Online
Example: "https://secureauth.secureauthdemo.com/secureauth2/webservice/wstrust.svc/mex"

8. $cert="<CERT VALUE>"
Function: The variable containing the certificate value of the certificate used to sign tokens passed to the Office
365 identity platform
Replace <CERT VALUE> with the actual value
Verify that the Office 365 account is configured properly by entering the following into the Microsoft Online Services
Module for Windows PowerShell: Get-MsolDomainFederationSettings -DomainName <DomainName>, replacing "<DomainName>"
with the actual domain name, e.g. Get-MsolDomainFederationSettings -DomainName secureauthdev.com
From there, review all of the information and confirm that the configuration is correct
If an error has been made, run Set-MsolDomainFederationSettings to modify any variable that has been set incorrectly
For example, changing the $ura variable and then running Set-MsolDomainFederationSettings -DomainName <DomainName>
-ActiveLogOnUri $ura changes the ActiveLogOnUri value to the new $ura variable
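The following is an added example, not SecureAuth's or Microsoft's own script, that carries the Windows PowerShell procedure above through to the federation cmdlet and the verification step: it builds the eight variables from the FQDN and realm names, checks the default-domain caveat from the Prerequisites, converts the domain to federated authentication, and reads the settings back to compare them against what was set. It assumes the MSOnline module is installed; the hostname, realm names, domain name and certificate file path are placeholders.

```powershell
# Added example, not SecureAuth's or Microsoft's own script: runs the variable setup
# described above through the federation cmdlet and reads the result back.
# Assumptions: the MSOnline module is installed; hostname, realm names, domain and
# certificate path below are placeholders to be replaced with your own values.
Import-Module MSOnline
Connect-MsolService

$dom    = "secureauthdev.com"              # domain registered with Office 365 (placeholder)
$idp    = "secureauth.secureauthdemo.com"  # SecureAuth IdP FQDN (placeholder)
$realm1 = "secureauth1"                    # Realm 1: browser (passive) WS-Federation realm
$realm2 = "secureauth2"                    # Realm 2: WS-Trust realm for active clients

$url       = "https://$idp/$realm1/"                                          # PassiveLogOnUri
$uri       = "https://$idp/$realm1/"                                          # IssuerUri (must equal the realm's WSFed Issuer)
$logouturl = "https://$idp/$realm1/wsfedsignout.aspx"                         # LogOffUri
$ura       = "https://$idp/$realm2/webservice/wstrust.svc/2005/usernamemixed" # ActiveLogOnUri
$metadata  = "https://$idp/$realm2/webservice/wstrust.svc/mex"                # MetadataExchangeUri

# <CERT VALUE> is the Base64 of the DER-encoded signing certificate (public part only);
# here it is taken from a .cer export of the certificate selected in step 17 (placeholder path).
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\idp-signing.cer")
$cert = [Convert]::ToBase64String($signingCert.RawData)

# Guard from the Prerequisites: the domain being federated must not be the tenant's default domain
$domainInfo = Get-MsolDomain -DomainName $dom
if ($domainInfo.IsDefault) {
    throw "$dom is the default domain; keep the .onmicrosoft.com domain as default before federating"
}

# Convert the domain from Managed to Federated with every endpoint pointed at SecureAuth IdP
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated `
    -PassiveLogOnUri $url -ActiveLogOnUri $ura -IssuerUri $uri -LogOffUri $logouturl `
    -MetadataExchangeUri $metadata -SigningCertificate $cert

# Read the settings back and compare each value with what was set; a mismatch here
# (most often IssuerUri or SigningCertificate) is a common reason federated sign-in fails
$fed = Get-MsolDomainFederationSettings -DomainName $dom
$expected = @{
    PassiveLogOnUri     = $url
    ActiveLogOnUri      = $ura
    IssuerUri           = $uri
    LogOffUri           = $logouturl
    MetadataExchangeUri = $metadata
    SigningCertificate  = $cert
}
$mismatches = @()
foreach ($name in $expected.Keys) {
    if ($fed.$name -ne $expected[$name]) { $mismatches += $name }
}
if ($mismatches.Count -gt 0) {
    Write-Warning ("Federation settings differ from expected: " + ($mismatches -join ", "))
    # Correct a single value in place (the guide's $ura example); only the changed parameter is passed
    # Set-MsolDomainFederationSettings -DomainName $dom -ActiveLogOnUri $ura
} else {
    Write-Host "Federation settings for $dom match the SecureAuth IdP configuration"
}

# Rollback if users are locked out: return the domain to cloud (Managed) authentication
# Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
```

The read-back comparison is the check worth keeping: the WSFed/SAML Issuer configured in the realm's Post Authentication tab and the IssuerUri stored in Office 365 must be byte-for-byte identical, including the trailing slash, and the certificate Office 365 holds must be the one the realm actually signs with. Keep the Managed rollback line at hand during the change window, since a wrong endpoint or certificate locks every user of the domain out until it is corrected.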
Troubleshooting
Related Docs
WS-Trust Request Blocking