Office 365


Presentation

Office 365 provides online access to Microsoft products such as Office, Outlook or Yammer. Authentication is done on https://login.microsoftonline.com/ and can be delegated to a SAML Identity Provider.

Configuration

Office 365

You first need to install AzureAD PowerShell to be able to run administrative commands.

Then run this script:

# Office 365 domain to federate and the label shown on the login page
$dom = "mycompany.com"
$brand = "My Company"
# LemonLDAP::NG SAML endpoints
$url = "https://auth.example.com/saml/singleSignOn"
$uri = "https://auth.example.com/saml/metadata"
$logouturl = "https://auth.example.com/?logout=1"
# Base64 signing certificate of the IdP (public key only)
$cert = "xxxxxxxxxxxxxxxxxxx"

Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $brand -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

Where parameters are:

  • dom: Your Office 365 domain

  • brand: Simple label

  • url: The SAML SSO endpoint

  • uri: The SAML metadata endpoint

  • logouturl: Logout URL

  • cert: The SAML certificate containing the signature public key

If you have several Office 365 domains, you can't use the same URLs for each domain. To be able to have a single SAML IdP for several domains, you must add the 'domain' GET parameter at the end of the SSO endpoint and metadata URLs, for example:
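The following script is an added example, not the documentation's own; it federates several domains against one IdP by giving each domain its own SSO and metadata URL through the 'domain' GET parameter. The host auth.example.com, the path layout and the exact query-string format are assumptions, and the certificate value is a placeholder.

```powershell
# Added example: federate several Office 365 domains against a single IdP.
# Each domain gets distinct PassiveLogOnUri / IssuerUri values, which is
# what Office 365 requires; the '?domain=' suffix is the assumed way the
# IdP tells the domains apart.

$idp  = "https://auth.example.com"        # assumed IdP base URL
$cert = "xxxxxxxxxxxxxxxxxxx"             # placeholder: base64 signing certificate

# Constructed list of domains and the label shown on the login page
$domains = @{
    "mycompany.com" = "My Company"
    "mycompany.org" = "My Company (org)"
}

foreach ($dom in $domains.Keys) {
    $brand     = $domains[$dom]
    $url       = "$idp/saml/singleSignOn?domain=$dom"
    $uri       = "$idp/saml/metadata?domain=$dom"
    $logouturl = "$idp/?logout=1"

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $brand `
        -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert `
        -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

    # Read the settings back so a typo in one domain is caught immediately
    Get-MsolDomainFederationSettings -DomainName $dom |
        Select-Object IssuerUri, PassiveLogOnUri, LogOffUri
}
```

Run it after Connect-MsolService. Reading the settings back with Get-MsolDomainFederationSettings is worth keeping: a federated domain whose IssuerUri collides with another domain's is the usual cause of sign-in failures in multi-domain tenants.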

LemonLDAP::NG

Create a new SAML Service Provider and import Microsoft metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

Set the NameID value to persistent format.

You must use the base64 value of the mS-DS-ConsistencyGuid attribute (also known as immutableID).

Note that a hyphen (-) in variable names may lead to problems. You should declare an LDAP mapping immutableid <-> mS-DS-ConsistencyGuid, and then declare a macro: $immutableb64 = encode_base64("$immutableid", "")

Create a SAML attribute named IDPEmail which contains the user principal name (UPN).
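The following script is an added example, not part of the LemonLDAP::NG documentation; it derives the ImmutableID that Office 365 expects from a user's raw mS-DS-ConsistencyGuid, which is exactly what the $immutableb64 macro above emits, so you can verify the NameID against what the tenant has stored before enabling federation. The sample GUID is constructed; the function name ConvertTo-ImmutableId and the user jdoe are assumptions.

```powershell
# Added example: compute the base64 ImmutableID from the 16 raw bytes of
# mS-DS-ConsistencyGuid and compare it with the tenant's stored value.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][byte[]] $ConsistencyGuid)
    # The attribute is a binary GUID; anything else means the LDAP mapping
    # returned a string (e.g. the hex or braces form) instead of raw bytes.
    if ($ConsistencyGuid.Length -ne 16) {
        throw "mS-DS-ConsistencyGuid must be 16 raw bytes, got $($ConsistencyGuid.Length)"
    }
    # Unwrapped base64 of the raw bytes: the same output as Perl's
    # encode_base64("$immutableid", "") in the LemonLDAP::NG macro.
    return [Convert]::ToBase64String($ConsistencyGuid)
}

# Constructed sample; a real value comes from Active Directory, e.g.
#   (Get-ADUser jdoe -Properties mS-DS-ConsistencyGuid).'mS-DS-ConsistencyGuid'
$sampleGuid = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$bytes      = $sampleGuid.ToByteArray()   # same byte order AD stores the GUID in

$expected = ConvertTo-ImmutableId -ConsistencyGuid $bytes
"NameID the IdP should send for this user: $expected"

# Compare with the tenant (requires Connect-MsolService). A mismatch means
# the SAML assertion will not map to the cloud account and sign-in fails.
# $user = Get-MsolUser -UserPrincipalName 'jdoe@mycompany.com'
# if ($user.ImmutableId -ne $expected) { Write-Warning "ImmutableID mismatch for $($user.UserPrincipalName)" }
# The IDPEmail attribute must likewise equal $user.UserPrincipalName.
```

The length check matters in practice: if the LDAP mapping hands the macro a textual GUID instead of the binary value, encode_base64 still returns something, but it will never match the ImmutableID synced by Azure AD Connect.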