Office365 SSO

The section below describes how to configure Single Sign-on (SSO) to Office365 with OpenIAM as the Identity Provider(IdP).

Add o365 as an Authentication Provider to OpenIAM

First, the user needs to have domain that is added to Office365 account. To do that, one needs to create OpenIAM authentication provider:

Authentication provider

From the screenshot below we would need a signing key that we will upload later to Office365.

Signing key

Additional information could be taken here:

Link to official Microsoft metadata:

This metadata contains certificate (highlighted below) that we need to copy, save as certificate file and import it into OpenIAM.

Add OpenIAM as an IdP to your o365 Tenant

After OpenIAM side is configured - one needs to configure the Office365 side.

Assuming to have signature downloaded from OpenIAM to "YOUR_PATH\signature.cer", run the script below. Note that own IssuerUri should be used (could be found on OpenIAM metadata page - as shown on the screenshot below the script) and replace domain names:

$credentials = New-Object -Typename System.Management.Automation.PSCredential `
-Argumentlist @('your_admin_account', (ConvertTo-SecureString -String '*****' -AsPlainText -Force))
Connect-MsolService -Credential $credentials
[string]$cer = Get-Content "YOUR_PATH\signature.cer"
Set-MsolDomainAuthentication -Debug -DomainName -Authentication Federated -ActiveLogOnUri -SigningCertificate $cer -PassiveLogOnUri -IssuerUri
-LogOffUri -PreferredAuthenticationProtocol Samlp

Identity provider


Important - addresses that are used should be HTTPS only.

$credentials = New-Object -Typename System.Management.Automation.PSCredential `
-Argumentlist @('your_admin_account, (ConvertTo-SecureString -String '*****' -AsPlainText -Force))
Connect-MsolService -Credential $credentials
Set-MsolDomainAuthentication -Debug -DomainName -Authentication Managed

Granting SSO for User

  1. Go to OpenIAM resources page.

Access to user

  1. Find a page with SSO resource

Resource name

  1. Click edit


  1. Add a user as required

Add user

Access granted.