Office365 SSO

The section below describes how to configure Single Sign-on (SSO) to Office365 with OpenIAM as the Identity Provider(IdP).

Add o365 as an Authentication Provider to OpenIAM

First, the domain you want to federate must already be added to (and verified in) your Office365 tenant. On the OpenIAM side, create an authentication provider for Office365:

Authentication provider

In the authentication provider (screenshot below), note the signing key: its certificate is what you will upload to Office365 later.

Signing key

Additional information is available in Microsoft's documentation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp

Link to the official Microsoft federation metadata (note the hyphen in the host name): https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

This metadata contains the certificate that Office365 uses to sign its SAML messages (highlighted below). Copy it, save it as a certificate file, and import it into OpenIAM.
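The copy-and-save step can be scripted. The following is an added PowerShell example, not code from the original page or from OpenIAM: it downloads the metadata, extracts every certificate it carries, checks that each one parses and is not expired, and writes PEM-formatted .cer files ready for import. The output directory and file naming are assumptions.

```powershell
# Added example (not part of the OpenIAM documentation): extract the signing
# certificate(s) from Microsoft's federation metadata and save them as PEM .cer files.
# Assumes Windows PowerShell 5.1 or later and network access to the metadata URL.

function Export-MetadataSigningCerts {
    param(
        [Parameter(Mandatory)][xml]$Metadata,   # parsed federation metadata document
        [Parameter(Mandatory)][string]$OutDir    # directory to write the .cer files into (assumed)
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $dsig = 'http://www.w3.org/2000/09/xmldsig#'
    $seen = @{}
    $result = @()

    # Match on local name + namespace so the prefix used in the document does not matter.
    foreach ($node in $Metadata.GetElementsByTagName('X509Certificate', $dsig)) {
        $b64 = ($node.InnerText -replace '\s', '')
        if (-not $b64) { continue }

        # Parse the Base64 DER blob to prove it really is an X.509 certificate.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [System.Convert]::FromBase64String($b64))
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # same cert listed twice (signing + encryption)
        $seen[$cert.Thumbprint] = $true

        # PEM layout: 64-character Base64 lines between BEGIN/END markers.
        $lines = for ($p = 0; $p -lt $b64.Length; $p += 64) {
            $b64.Substring($p, [Math]::Min(64, $b64.Length - $p))
        }
        $path = Join-Path $OutDir ("ms-federation-{0}.cer" -f $cert.Thumbprint)
        Set-Content -Path $path -Encoding ascii -Value (
            @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----'))

        $result += [pscustomobject]@{
            Path       = $path
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
    return $result
}

$url = 'https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml'
$xml = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content
Export-MetadataSigningCerts -Metadata $xml -OutDir 'C:\temp\o365-metadata' |
    Format-Table Path, Thumbprint, NotAfter, Expired
```

Import the file(s) whose Expired column is False into OpenIAM; Microsoft rotates these certificates, so re-run the script when SAML responses from Office365 start failing signature validation.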

Add OpenIAM as an IdP to your o365 Tenant

After the OpenIAM side is configured, configure the Office365 side.

Assuming the signing certificate downloaded from OpenIAM is saved as "YOUR_PATH\signature.cer", run the script below. Replace the domain names with your own and use your own IssuerUri, which can be found on the OpenIAM metadata page (see the screenshot below the script). Note that the MSOnline module (Connect-MsolService, Set-MsolDomainAuthentication) has been deprecated by Microsoft in favour of the Microsoft Graph PowerShell module; the same values (login, logout and issuer URIs, signing certificate, protocol) are required either way.

# Prompt for the tenant admin credentials rather than embedding the password in the script.
$credentials = Get-Credential -UserName 'your_admin_account' -Message 'Office365 admin credentials'
Connect-MsolService -Credential $credentials

# Load the OpenIAM signing certificate. X509Certificate2 accepts both DER and Base64 (PEM) .cer
# files; RawData yields the DER bytes, which -SigningCertificate expects as a Base64 string.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("YOUR_PATH\signature.cer")
$certData = [System.Convert]::ToBase64String($cert.RawData)

Set-MsolDomainAuthentication -DomainName openiamdemo.com `
    -Authentication Federated `
    -ActiveLogOnUri https://demo.openiamdemo.com/idp/saml2/idp/login `
    -PassiveLogOnUri https://demo.openiamdemo.com/idp/saml2/idp/login `
    -IssuerUri https://demo.openiamdemo.com/idp/saml2/idp/login/8a8086e467c60f7f0167e067e4d5029f `
    -LogOffUri https://demo.openiamdemo.com/idp/saml2/idp/logout `
    -SigningCertificate $certData `
    -PreferredAuthenticationProtocol Samlp

Identity provider

Important: every address passed to Set-MsolDomainAuthentication must be HTTPS; Office365 will not redirect users to plain HTTP endpoints.

To undo federation (for example, to correct a mistake and re-run the script above), switch the domain back to managed authentication:

$credentials = Get-Credential -UserName 'your_admin_account' -Message 'Office365 admin credentials'
Connect-MsolService -Credential $credentials
Set-MsolDomainAuthentication -DomainName openiamdemo.com -Authentication Managed
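Before pointing real users at the federated domain, it is worth checking what Office365 actually stored. The following is an added PowerShell example, not code from the original page or from OpenIAM; it assumes the MSOnline module is loaded and Connect-MsolService has already been run, and the function name and thumbprint parameter are assumptions.

```powershell
# Added example (not part of the OpenIAM documentation): read back the federation settings
# for a domain and flag anything that will break SSO: wrong authentication mode, non-HTTPS
# endpoints, an unparseable or expired signing certificate, or a certificate that does not
# match the file exported from OpenIAM. Assumes Connect-MsolService has already succeeded.

function Test-FederatedDomainSettings {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$ExpectedThumbprint   # thumbprint of the OpenIAM signing certificate, if known
    )
    $problems = @()

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        $problems += "Domain $DomainName is '$($domain.Authentication)', not Federated"
        return $problems
    }

    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName

    # Every endpoint Office365 will send users or SAML messages to must be HTTPS.
    foreach ($name in 'ActiveLogOnUri', 'PassiveLogOnUri', 'LogOffUri', 'IssuerUri') {
        $value = $fed.$name
        if (-not $value) { $problems += "$name is empty"; continue }
        if ($value -notmatch '^https://') { $problems += "$name is not HTTPS: $value" }
    }

    # Decode the stored signing certificate and check it is valid and the one we intended.
    try {
        $bytes = [System.Convert]::FromBase64String($fed.SigningCertificate)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        if ($cert.NotAfter -lt (Get-Date)) {
            $problems += "Signing certificate expired on $($cert.NotAfter)"
        }
        if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint)) {
            $problems += "Stored signing certificate $($cert.Thumbprint) does not match expected $ExpectedThumbprint"
        }
    } catch {
        $problems += "Stored SigningCertificate is not a parseable X.509 certificate: $($_.Exception.Message)"
    }

    return $problems
}

# Compare against the certificate file that was uploaded (path is the one used in the script above).
$local  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("YOUR_PATH\signature.cer")
$issues = Test-FederatedDomainSettings -DomainName 'openiamdemo.com' -ExpectedThumbprint $local.Thumbprint
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Federation settings for openiamdemo.com are consistent' }
```

Running the check immediately after the rollback script above should report that the domain is Managed, which confirms the cutover was reversed.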

Granting SSO for User

  1. Go to the OpenIAM resources page.

Access to user

  2. Find the page with the SSO resource.

Resource name

  3. Click edit.

edit

  4. Add a user as required.

Add user

Access granted.