The section below describes how to configure Single Sign-on (SSO) to Office 365 with OpenIAM acting as the Identity Provider (IdP).
Add o365 as an Authentication Provider to OpenIAM
First, the domain that will be federated must already be added to your Office 365 account. Then create an authentication provider for Office 365 in OpenIAM:
The screenshot below shows the provider settings. Note the signing key: it will be uploaded to Office 365 later.
Additional information could be taken here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
Link to official Microsoft metadata: https://nexus.microsoftonlinep.com/federationmetadata/saml20/federationmetadata.xml
This metadata contains the certificate (highlighted below) that needs to be copied, saved as a certificate file and imported into OpenIAM.
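Copying the highlighted certificate out of the metadata by hand is error-prone (a missed character or a stray line break yields a certificate that will not parse). The PowerShell function below is an added example, not part of the OpenIAM documentation or product: it reads a downloaded federation metadata file, pulls the first signing certificate out of it, writes it as a PEM .cer file that OpenIAM can import, and shows the subject, thumbprint and expiry so you can confirm you exported the right certificate. The file paths and the `$MetadataUrl` placeholder are assumptions.

```powershell
# Added example (not OpenIAM's or Microsoft's code).
# Extracts the signing certificate from a SAML 2.0 federation metadata file
# and saves it PEM-encoded, ready for import into OpenIAM.
function Export-SamlSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$MetadataPath,   # downloaded federationmetadata.xml
        [Parameter(Mandatory)][string]$OutFile         # e.g. .\o365-signing.cer (assumed path)
    )
    [xml]$doc = Get-Content -Path $MetadataPath -Raw

    # XPath works on namespace URIs, so the prefixes used in the file do not matter.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # First <KeyDescriptor use="signing"> in the document; Microsoft's metadata
    # publishes the same signing certificate for its SP and IdP roles.
    $node = $doc.SelectSingleNode("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    if (-not $node) { throw "No signing certificate found in $MetadataPath" }

    # Strip whitespace so that the Base64 decodes cleanly, then validate by parsing.
    $b64   = $node.InnerText -replace '\s', ''
    $bytes = [Convert]::FromBase64String($b64)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)

    # PEM: 64-character Base64 lines between BEGIN/END markers.
    $lines = ($b64 -split '(.{64})') | Where-Object { $_ }
    $pem   = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii -NoNewline

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        File       = $OutFile
    }
}

# Usage (download needs network access; $MetadataUrl is the Microsoft metadata link given above):
# $MetadataUrl = '<Microsoft federation metadata URL from the link above>'
# Invoke-WebRequest -Uri $MetadataUrl -OutFile .\o365-metadata.xml
# Export-SamlSigningCertificate -MetadataPath .\o365-metadata.xml -OutFile .\o365-signing.cer
```

Record the printed thumbprint: after importing the file into OpenIAM, compare it with the thumbprint OpenIAM shows for the provider, and keep an eye on NotAfter, since Microsoft rotates this certificate and the metadata must be re-imported before it expires.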
Add OpenIAM as an IdP to your o365 Tenant
After the OpenIAM side is configured, the Office 365 side needs to be configured.
Assuming the signing certificate exported from OpenIAM has been saved to "YOUR_PATH\signature.cer", run the script below. Use your own IssuerUri (it can be found on the OpenIAM metadata page, as shown on the screenshot below the script) and replace the domain names with your own:
$credentials = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList @('your_admin_account', (ConvertTo-SecureString -String '*****' -AsPlainText -Force))
Connect-MsolService -Credential $credentials
# -SigningCertificate expects the Base64 certificate body only; drop the PEM BEGIN/END lines if present
$cer = (Get-Content -Path "YOUR_PATH\signature.cer" | Where-Object { $_ -notmatch '^-----' }) -join ''
Set-MsolDomainAuthentication -Debug -DomainName openiamdemo.com -Authentication Federated `
    -ActiveLogOnUri https://demo.openiamdemo.com/idp/saml2/idp/login `
    -PassiveLogOnUri https://demo.openiamdemo.com/idp/saml2/idp/login `
    -SigningCertificate $cer `
    -IssuerUri https://demo.openiamdemo.com/idp/saml2/idp/login/8a8086e467c60f7f0167e067e4d5029f `
    -LogOffUri https://demo.openiamdemo.com/idp/saml2/idp/logout `
    -PreferredAuthenticationProtocol Samlp
Important: all addresses passed to this command must use HTTPS.
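Once Set-MsolDomainAuthentication has run, it is worth reading the federation settings back from the tenant rather than trusting that the command did what you expected: a single wrong URI, an http:// address, or a stale signing certificate silently breaks sign-in for every user of the domain. The function below is an added example (not OpenIAM's or Microsoft's code) that does that read-back with the MSOnline cmdlets Get-MsolDomain and Get-MsolDomainFederationSettings. It assumes an existing Connect-MsolService session; the domain name, IssuerUri and certificate path are the placeholder values from the script above.

```powershell
# Added example (not OpenIAM's or Microsoft's code). Requires the MSOnline
# module and an existing Connect-MsolService session.
function Test-FederatedDomainConfig {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ExpectedIssuerUri,
        [Parameter(Mandatory)][string]$SigningCertificatePath   # PEM .cer exported from OpenIAM
    )
    $problems = @()

    # 1. The domain itself must be in Federated mode.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        $problems += "Domain authentication is '$($domain.Authentication)', expected 'Federated'"
    }

    # 2. Every endpoint the tenant will redirect users to must be HTTPS.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($name in 'ActiveLogOnUri', 'PassiveLogOnUri', 'LogOffUri') {
        $uri = $fed.$name
        if (-not $uri -or -not $uri.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
            $problems += "$name is not an HTTPS URL: '$uri'"
        }
    }

    # 3. IssuerUri must match the OpenIAM metadata exactly, and the protocol must be SAML-P.
    if ($fed.IssuerUri -ne $ExpectedIssuerUri) {
        $problems += "IssuerUri mismatch: tenant has '$($fed.IssuerUri)', expected '$ExpectedIssuerUri'"
    }
    if ("$($fed.PreferredAuthenticationProtocol)" -ne 'Samlp') {
        $problems += "PreferredAuthenticationProtocol is '$($fed.PreferredAuthenticationProtocol)', expected 'Samlp'"
    }

    # 4. The certificate stored in the tenant must be the one OpenIAM signs with
    #    (compared by thumbprint), and it should not be close to expiry.
    $local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SigningCertificatePath)
    $tenantB64 = $fed.SigningCertificate -replace '-----[^-]+-----', '' -replace '\s', ''
    $tenant = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($tenantB64))
    if ($tenant.Thumbprint -ne $local.Thumbprint) {
        $problems += "Signing certificate mismatch: tenant $($tenant.Thumbprint), local $($local.Thumbprint)"
    }
    if ($local.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Signing certificate expires on $($local.NotAfter); rotate it in OpenIAM and re-run Set-MsolDomainAuthentication"
    }

    [pscustomobject]@{
        Domain   = $DomainName
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage, with the placeholder values from the federation script above:
# Test-FederatedDomainConfig -DomainName openiamdemo.com `
#     -ExpectedIssuerUri 'https://demo.openiamdemo.com/idp/saml2/idp/login/8a8086e467c60f7f0167e067e4d5029f' `
#     -SigningCertificatePath 'YOUR_PATH\signature.cer'
```

Run it immediately after federating the domain and again whenever the OpenIAM signing key is rotated; a non-empty Problems list is the reason users will see an error at login.microsoftonline.com before anyone reports it.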
To switch the domain back to Managed authentication (that is, to undo the federation), run:
$credentials = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList @('your_admin_account', (ConvertTo-SecureString -String '*****' -AsPlainText -Force))
Connect-MsolService -Credential $credentials
Set-MsolDomainAuthentication -Debug -DomainName openiamdemo.com -Authentication Managed
Granting SSO for User
- Go to the OpenIAM resources page.
- Find the page for the SSO resource.
- Click Edit.
- Add the users who should be able to sign in through SSO.