Configuring SAML SSO for Office 365
Office 365 allows users to sign in to their Office 365 accounts with Single Sign-On using one set of login credentials, eliminating user-managed passwords and the risk of phishing. Office 365 Single Sign-On setup leverages the existing on-premise Active Directory infrastructure and provides seamless integration without the need to manage separate on-premise and cloud identities.
Prerequisites
- Verify your on-premise UPN Domain in Azure AD/Office 365 Tenant
- Install, Configure, & Link Office 365 and on-premises Active Directory user accounts using Azure AD connect
- Sync on-premise Active Directory with Azure Active Directory
- Global Admin Access of Office 365 Tenant to Connect using Powershell
- zGateway with Public DNS name and valid SSL Certificate
- zGateway management console using a Security Officer Account
- Shell Access to zGateway
Limitations
- Office 365 SSO can be enabled only for domains that are verified in Azure AD.
- Office 365 SSO cannot be enabled for “onmicrosoft.com” domains that are created by Microsoft.
- Office 365 SSO cannot be enabled for the default domain (the primary domain in which users are created). It can only be configured for custom domains.
- Office 365 prohibits SSO configurations for default domains to ensure that administrators can log into Office 365 regardless of issues with the identity provider.
- If your organization does not have a custom Office 365 domain, you need to purchase one in order to configure SSO. Federated domains, i.e., domains in which SSO has been enabled, cannot be configured for password synchronization.
Configurations
Setting up Office 365 in zGateway (Identity Provider):
- Login with a digital certificate in zGateway using a Security Officer Account.
- Go to “Access management > Applications” and click on Add.
- Create a new application as Office365.
- Add Office365 app into New/Existing Application Groups.
- Create/Update an “Application Access” in New/Existing “Access Controls”.
- Verify the SAML SSO Certificate in zGateway. (Ensure the files are available in zGateway. If the files are not present, use the following command to create them.)
- Copy the content of the SAML SSO Certificate SAML_Signing_Certificate. (This Certificate is required when Federating the Office 365 domain with zGateway. Ensure while copying the content that there are no new lines in the SAML SSO Certificate.)
Setting up the Office 365 Tenant (Service Provider):
- Open PowerShell with admin rights and install the MSOnline Module.
- Connect with MsolService using the following command in PowerShell.
- Login to the Office 365 Tenant with a Global Administrator Account.
- Get all Domains using the following command in PowerShell.
- Sign into the Office 365 portal as a Global administrator. (To update your default domain in Office 365 Tenant, Go to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/Domains)
- To configure amzetta.cloud as a federated domain, run the following command in PowerShell to enable SSO in Office 365.
- Verify Domain Status and Federation configuration using the following command.
- Reconfigure or update SSO settings.
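The Service Provider steps above, carried through end to end as an added PowerShell example (not part of the zGateway documentation): the zGateway endpoint URLs and the local path of the exported SAML_Signing_Certificate are placeholders you must replace with your own values; the domain name amzetta.cloud is the one used on this page.

```powershell
# Added example: federate amzetta.cloud with zGateway as the SAML IdP using the
# MSOnline module. URLs and the certificate path below are placeholders.
Install-Module -Name MSOnline -Scope CurrentUser -Force
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a Global Administrator

$DomainName = "amzetta.cloud"

# Guard against the two limitations stated above: the domain must be verified,
# and it must not be the tenant's default domain.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne "Verified") { throw "$DomainName is not verified in Azure AD" }
if ($domain.IsDefault) { throw "$DomainName is the default domain; SSO cannot be enabled on it" }

# zGateway IdP endpoints (placeholders, assumed for this example)
$IssuerUri       = "https://zgateway.example.com/saml/idp"
$PassiveLogOnUri = "https://zgateway.example.com/saml/sso"
$LogOffUri       = "https://zgateway.example.com/saml/logout"

# Read the signing certificate exported from zGateway and strip the PEM armour and
# every line break: -SigningCertificate expects one unbroken base64 string, which is
# what the "no new lines" note in the IdP steps refers to. Path is a placeholder.
$pem = Get-Content -Path "C:\zGateway\SAML_Signing_Certificate" -Raw
$SigningCert = ($pem -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''

# Enable SSO: switch the domain from Managed to Federated and point it at zGateway.
Set-MsolDomainAuthentication -DomainName $DomainName `
    -Authentication Federated `
    -FederationBrandName "zGateway" `
    -IssuerUri $IssuerUri `
    -PassiveLogOnUri $PassiveLogOnUri `
    -LogOffUri $LogOffUri `
    -SigningCertificate $SigningCert `
    -PreferredAuthenticationProtocol SAMLP

# Verify domain status and the federation settings that were applied.
Get-MsolDomain -DomainName $DomainName | Select-Object Name, Status, Authentication
Get-MsolDomainFederationSettings -DomainName $DomainName

# To update SSO settings later (e.g. a rotated signing certificate), use
# Set-MsolDomainFederationSettings; to revert to cloud passwords, run
# Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
```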