Office 365 SAML

Introduction

This document explains how to configure and manage the Office 365 SAML integration with the PureAUTH Identity Platform and make Office 365 authentication passwordless.

The document includes the following steps:

  • Add a domain to your Office 365 account.
  • Add Office 365 application on the PureAUTH platform.
  • Configure SAML (Security Assertion Markup Language).
  • Users
  • Immutable ID

Add a domain to your Office 365 account

To get started, we need to add a domain to your Office 365 account. Follow this document to add a domain.

Add Office 365 SAML application on PureAUTH

Once the domain is added, we add an Office 365 application to the PureAUTH Identity Platform.

  • Enter any application name.
  • Select Primary (Corporate Email) in the Dataset for email field.
  • Click “Add”

Configure SAML Integration with Office 365 (Through Script)

To configure SAML integration, please download the pureauth-O365 script using the below link.

pureauth-O365 : https://drive.google.com/file/d/1FQcVQtmY6VXBQC5orv1sgb0mprifXnNg/view?usp=sharing

  • Make a folder called “PureauthO365” in the C:\ drive and paste the pureauth-o365.ps1 script into it.
  • Open PowerShell with Administrator privileges and cd into the PureauthO365 folder.
  • Command : powershell -ep bypass (starts a PowerShell session with the execution policy set to Bypass so the unsigned script can be imported)
  • Command : Import-Module .\pureauth-o365.ps1
  • Command : Connect-PureAUTHOffice365
  • Log in with your onmicrosoft administrator account.
  • Log in to your Office 365 admin portal.
  • Go to Admin > Settings > Domains
  • Make your <domain>.onmicrosoft.com domain the Default.

  • Command : Update-PureAUTHOffice365UserConfiguration
  • Command : Set-PureAUTHOffice365Authentication
    • Domain : your_domain.com
    • issueruri : Copy it from PureAUTH and paste here.
    • Loginurl : Copy it from PureAUTH and paste here.
    • Logouturl : Copy it from PureAUTH and paste here.
    • For certificatepath,
      • Copy the X.509 certificate from PureAUTH.
      • Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (both lines included).
      • Paste it into a new Notepad file and save it as cert.pem.
    • Certificatepath : Provide the path to cert.pem.
  • Press Enter.

Add user to Office 365

Command : Add-PureAUTHOffice365Users

Configure SAML Integration with Office 365 (Manual Process)

  • To configure SAML integration, we will require a Windows machine.
  • Open PowerShell with Run as administrator. Install the MSOnline module with the following command:
Install-Module MSOnline
  • Now connect to your Office 365 account using the following command:
Connect-MsolService
  • It will ask you to log in; use your domain.onmicrosoft.com admin account.
  • Configure your desired Office 365 domain to use federation with SAML 2.0 by executing the following commands:
$domain = "yourdomain.com"

$issuer = "Issuer URL provided by PureAUTH"

$loginurl = "Login URL provided by PureAUTH"

$logouturl = "Logout URL provided by PureAUTH"

$certificate = "X509 Certificate provided by PureAUTH"

NOTE: Remove the whitespace (line breaks and spaces) from the certificate before assigning it to $certificate. You can refer here to do so.

Keep the single space between BEGIN and CERTIFICATE and between END and CERTIFICATE, so that they do not become BEGINCERTIFICATE and ENDCERTIFICATE.

Set-MsolDomainAuthentication -DomainName $domain -Authentication Federated -PassiveLogOnUri $loginurl -IssuerUri $issuer -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certificate

You can find the URLs provided by PureAUTH in your PureAUTH dashboard.

  • Verify the configuration:
Get-MsolDomainFederationSettings -DomainName yourdomain.com
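The following script is an added example, not part of the PureAUTH guide or its pureauth-o365.ps1 script. It performs the manual federation steps above end to end: it reads the certificate from a cert.pem file (assumed to contain the PEM text copied from the PureAUTH dashboard), strips the header and footer lines and all whitespace so that only the base64 body remains (the form Microsoft's own Set-MsolDomainAuthentication examples pass in -SigningCertificate), decodes it once locally to confirm it is still a valid certificate and show its subject and expiry, applies the federation settings, and reads them back. The placeholder URL values are assumptions to be replaced with the values from your dashboard, and Connect-MsolService must already have been run.

```powershell
# Added example (not the PureAUTH guide's own code).
# Assumptions: MSOnline is installed, Connect-MsolService has already been run,
# and .\cert.pem holds the X.509 certificate copied from the PureAUTH dashboard.
$domain    = "yourdomain.com"                          # placeholder
$issuer    = "Issuer URL provided by PureAUTH"         # placeholder
$loginurl  = "Login URL provided by PureAUTH"          # placeholder
$logouturl = "Logout URL provided by PureAUTH"         # placeholder

# Reduce the PEM text to its base64 body: drop the BEGIN/END lines,
# then every line break and space.
$pem  = Get-Content -Path ".\cert.pem" -Raw
$body = $pem  -replace '-----BEGIN CERTIFICATE-----', ''
$body = $body -replace '-----END CERTIFICATE-----', ''
$certificate = $body -replace '\s', ''

# Local sanity check before touching the tenant: the stripped string must
# still decode to a certificate, and it should be the one you expect.
$certBytes = [Convert]::FromBase64String($certificate)
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
Write-Host "Signing certificate subject : $($x509.Subject)"
Write-Host "Signing certificate expires : $($x509.NotAfter)"
Write-Host "Signing certificate SHA-1   : $($x509.Thumbprint)"
if ($x509.NotAfter -lt (Get-Date)) {
    throw "The PureAUTH signing certificate has already expired; do not federate with it."
}

# Switch the domain to SAML 2.0 federation against PureAUTH.
Set-MsolDomainAuthentication -DomainName $domain `
    -Authentication Federated `
    -PassiveLogOnUri $loginurl `
    -IssuerUri $issuer `
    -LogOffUri $logouturl `
    -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $certificate

# Read back what the tenant stored and compare it with the values above.
Get-MsolDomainFederationSettings -DomainName $domain
</code>
```

Keep the dashboard open while the last cmdlet prints, and confirm that IssuerUri, PassiveLogOnUri, LogOffUri and the stored SigningCertificate match what PureAUTH shows; a mismatch in any of them will either break the sign-in redirect or make Office 365 reject every assertion.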

Add user to Office 365

Because the domain is now federated, users cannot be added from the Office 365 admin dashboard. In this section, we will see how to add users to the federated Office 365 domain.

  • Follow the below steps to add users:
    1. Open PowerShell and connect to the Office 365 tenant as administrator (Connect-MsolService).
    2. Use the following command to add a user:
New-MsolUser -UserPrincipalName john@yourdomain.com -ImmutableId john@yourdomain.com -DisplayName "John Doe" -FirstName John -LastName Doe
    3. Replace the example values (john@yourdomain.com, John Doe, John, Doe) with the user's details; UserPrincipalName and ImmutableId need to be the same.

Update ImmutableID for Existing Users

If you added users to your domain before making the domain federated, you need to set the ImmutableId for each existing user.

Check ImmutableId:

Execute the following command to check the user’s ImmutableId:

Get-MsolUser -UserPrincipalName "john@yourdomain.com" | select ImmutableId

Update ImmutableId:

Execute the following command to update the user’s ImmutableId:

Set-MsolUser -UserPrincipalName "john@yourdomain.com" -ImmutableId "john@yourdomain.com"
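The check and update above are shown for one user. The script below is an added example (not from the PureAUTH guide) that runs the same two cmdlets over every user in the federated domain: it reports accounts whose ImmutableId already equals the UserPrincipalName, flags those where it is missing or different, and fixes them. It assumes Connect-MsolService has already been run and that $domain is your federated domain; the $DryRun switch is this example's own convention, kept on by default so the first run only reports what it would change.

```powershell
# Added example (not the PureAUTH guide's own code).
# Assumptions: Connect-MsolService has already been run; $domain is the
# federated domain; $DryRun is an example-specific flag, not an MSOnline parameter.
$domain = "yourdomain.com"   # placeholder
$DryRun = $true              # set to $false to apply the changes

# Every account whose UPN is in the federated domain.
$users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$domain" }

$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName

    if ($u.ImmutableId -eq $upn) {
        [pscustomobject]@{ User = $upn; Status = "OK"; Current = $u.ImmutableId }
        continue
    }

    # Missing: the PureAUTH assertion cannot be mapped to this account at all.
    # Mismatch: the account would only be reached by an assertion carrying the
    # old value, so the documented convention (ImmutableId == UPN) is enforced.
    $status = if ([string]::IsNullOrEmpty($u.ImmutableId)) { "MISSING" } else { "MISMATCH" }

    if (-not $DryRun) {
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $upn
        $status += " -> FIXED"
    }

    [pscustomobject]@{ User = $upn; Status = $status; Current = $u.ImmutableId }
}

$report | Format-Table -AutoSize

# Re-read the tenant after applying, so the report reflects stored values.
if (-not $DryRun) {
    Get-MsolUser -All |
        Where-Object { $_.UserPrincipalName -like "*@$domain" } |
        Select-Object UserPrincipalName, ImmutableId |
        Format-Table -AutoSize
}
```

Run it once with $DryRun left at $true and review the MISSING and MISMATCH rows before applying; an account that shows MISMATCH with a value you did not expect is worth investigating before it is overwritten, since ImmutableId is the only link between the PureAUTH assertion and the Office 365 account.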

Verify SAML Authentication

  1. Visit the Office 365 login page.
  2. Enter your email address and it will redirect you to the PureAUTH authentication page.
  3. Open the VR5 app and scan the QR code using Swift Login.

Disable Federated Authentication

  1. Open PowerShell
  2. Connect-MsolService
  3. Enter your onmicrosoft admin credentials
  4. Enter the command:
Set-MsolDomainAuthentication -Authentication Managed -DomainName yourdomain.com