
We are currently using a SAML-based Identity Provider (IdP) that generates SAML responses to allow SSO to Google Apps. We are looking to allow support for Office 365 using Java.

I am looking at all the documentation for Office 365 and, from what I see, it uses SAML, but only if provided by ADFS (Active Directory Federation Services) or another federation service. Is it possible to configure Office 365 to use my IdP for authentication without a dependency on ADFS and Active Directory (AD)? If yes, can you give me details of how to configure this? I have tried administering Office 365 using PowerShell, but it fails when I try to execute the cmdlet Convert-MsolDomainToFederated after connecting to Office 365 using Connect-MsolService.

I get an error:

Convert-MsolDomainToFederated : Failed to connect to Active Directory Federation Services 2.0 on the local machine. Please try running Set-MsolADFSContext before running this command again.

Has this worked for anyone? Please suggest.

I have referred to these msdn1 and msdn2 links.

Thanks

1 Answer


You need to follow the directions under "Configuring a domain in your Office 365 tenant for federation" here.

You'll need an STS for "Active", and SAML suffices for "Passive" (unless you have the new ADAL-compliant O365 thick clients - but these don't work very well with third-party vendors). If you have an STS for active, you need the MetadataExchangeUri.

You were on track with this link for Set-MsolDomainAuthentication:

Set-MsolDomainAuthentication -Authentication federated -DomainName <string> [-ActiveLogOnUri <string>] [-FederationBrandName <string>] [-IssuerUri <string>] [-LogOffUri <string>] [-MetadataExchangeUri <string>] [-PassiveLogOnUri <string>] [-SigningCertificate <string>]

As I say, you only need the "Active" if you have an STS available.

The example that they give on the first link is pretty good, and you should end up with something like this:

$dom = "contoso.com"
$BrandName = "Sample SAML 2.0 IDP"                           # display name for the federation (the sample mis-typed "-" for "=")
$LogOnUrl = "https://saml.contoso.com/samlLogonEndpoint"     # passive (browser) SSO endpoint of the IdP
$LogOffUrl = "https://saml.contoso.com/SamlLogOffEndpoint"
$stsUrl = "https://saml.contoso.com/PAOS"                    # active (ECP/PAOS) endpoint; only needed if the IdP has an STS
$MyURI = "urn:uri:MySamlp2IDP"
$MySigningCert = @"
--- YOUR CERT HERE --- (Base64 of the IdP signing certificate, no BEGIN/END lines)
"@
$entityID = "http://saml.contoso.com"                        # must match the <Issuer> your IdP puts in its SAML responses
$Protocol = "SAMLP"
Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $BrandName `
    -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl `
    -ActiveLogOnUri $stsUrl `
    -SigningCertificate $MySigningCert `
    -IssuerUri $entityID `
    -LogOffUri $LogOffUrl `
    -PreferredAuthenticationProtocol $Protocol
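As an added example (not part of the original answer or of Microsoft's documentation), the script below wraps the same Set-MsolDomainAuthentication call with the checks a practitioner would want around it: it confirms the domain is verified and not the tenant's initial domain, derives the Base64 certificate string from an exported .cer file instead of pasting it by hand, warns when the IdP signing certificate is close to expiry, only passes -ActiveLogOnUri when an ECP/PAOS STS exists, and reads the federation settings back to confirm the stored issuer and certificate thumbprint match the IdP. The domain name, URLs, entityID and certificate path are assumed placeholders; it assumes the MSOnline module and a Global Admin credential.

```powershell
# Added example: federate a verified Office 365 domain with a third-party SAML 2.0 IdP
# via the MSOnline module, without ADFS (so Convert-MsolDomainToFederated is not used).
# All values below are assumed placeholders.

Import-Module MSOnline
Connect-MsolService        # prompts for a Global Admin credential

$dom       = "contoso.com"                                   # assumed
$BrandName = "Sample SAML 2.0 IDP"
$entityID  = "http://saml.contoso.com"                       # must equal the <Issuer> in the IdP's SAML responses
$LogOnUrl  = "https://saml.contoso.com/samlLogonEndpoint"    # passive (browser) SSO endpoint
$LogOffUrl = "https://saml.contoso.com/SamlLogOffEndpoint"
$stsUrl    = "https://saml.contoso.com/PAOS"                 # active ECP/PAOS endpoint; set to $null if the IdP has none
$certPath  = "C:\certs\idp-signing.cer"                      # assumed: DER or Base64 .cer exported from the IdP

# 1. The domain must already be verified and must not be the tenant's initial *.onmicrosoft.com domain.
$domain = Get-MsolDomain -DomainName $dom
if ($domain.Status -ne "Verified") { throw "$dom is not verified in the tenant; verify it first." }
if ($domain.IsInitial) { throw "The initial domain cannot be federated." }

# 2. Load the IdP signing certificate and export it as the Base64 DER string the cmdlet expects
#    (no -----BEGIN CERTIFICATE----- headers, no line breaks). Warn early about an upcoming expiry.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IdP signing certificate expires on $($cert.NotAfter); plan a rollover."
}
$MySigningCert = [Convert]::ToBase64String(
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 3. Federate the domain. ActiveLogOnUri is added only when a PAOS/ECP STS exists.
$params = @{
    DomainName                      = $dom
    FederationBrandName             = $BrandName
    Authentication                  = "Federated"
    IssuerUri                       = $entityID
    PassiveLogOnUri                 = $LogOnUrl
    LogOffUri                       = $LogOffUrl
    SigningCertificate              = $MySigningCert
    PreferredAuthenticationProtocol = "Samlp"
}
if ($stsUrl) { $params.ActiveLogOnUri = $stsUrl }
Set-MsolDomainAuthentication @params

# 4. Read the settings back and confirm issuer and certificate thumbprint match what the IdP uses.
$fed = Get-MsolDomainFederationSettings -DomainName $dom
$storedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    [Convert]::FromBase64String($fed.SigningCertificate))
if ($fed.IssuerUri -ne $entityID) { throw "IssuerUri mismatch: tenant has $($fed.IssuerUri)" }
if ($storedCert.Thumbprint -ne $cert.Thumbprint) { throw "Signing certificate mismatch in tenant" }
Write-Host "Domain $dom federated with issuer $($fed.IssuerUri) (cert thumbprint $($cert.Thumbprint))"
```

The thumbprint comparison at the end is the check worth keeping in a change script: a mismatched IssuerUri or certificate means every SAML response from the IdP will be rejected, and reading the settings back with Get-MsolDomainFederationSettings is the quickest way to see exactly what the tenant stored.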