Single Sign on with Office 365

Single Sign on with Office 365 is mostly used by organizations to give their end users a seamless sign-in experience. This article will help you set up Single Sign on with Office 365 using ADFS 3.0. Before we start setting up Single Sign on with Office 365 using ADFS 3.0, let’s review a few important prerequisites for SSO.

You can also download the complete guide on setting up Single Sign on with Office 365 from TechNet.

  1. You need an internet-routable domain name to set up SSO, e.g. contoso.com, mstechtalk.com etc.
  2. An SSL certificate from a public certificate authority such as GoDaddy
  3. Office 365 global admin permissions
  4. A service account for ADFS 3.0
  5. Web Application Proxy
  6. AAD Sync tool to synchronize identities with Office 365

If you have an internal domain name that is not routable to the internet, you will have to add a custom UPN suffix that matches the external namespace. You can add a UPN suffix to your forest by following the instructions provided in the Microsoft Knowledge Base.

Lab Details

Currently I’ve the following infrastructure in my lab for setting up Single Sign on with Office 365.

  • 2 x Windows Server 2012 R2 domain controllers (domain name: enpointelab.net)
  • 1 x Azure AD Sync tool
  • 1 x Windows Server 2012 R2 server for ADFS 3.0 in the production zone
  • 1 x Windows Server 2012 R2 server in the DMZ for Web Application Proxy

Let’s get started with the lab and set up Single Sign on with Office 365.

Activate Single Sign on

Before we start installing ADFS 3.0, we need to enable Single Sign on in Office 365. To activate single sign on in Office 365, follow the steps below.

****Before we start this step I assume you’ve already set up your Office 365 tenant and configured your custom domain in Office 365****

To activate Single Sign on, go to Office 365 portal –> Active Users –> click on Set Up.

Once you’re done with your planning and preparation for single sign on, move on to the second step and deploy your ADFS servers.

Create SSL Certificate Request for AD FS 3.0

Before we start installing and configuring AD FS 3.0 for Single Sign on, let’s first create the SSL certificate request to procure an SSL certificate from a public authority such as GoDaddy.

****I’ve procured my SSL certificate from GoDaddy for this lab****

To create an SSL certificate request, open the MMC console:

  1. Click on Add/Remove Snap-in, select Certificates and click on the Add button.
  2. Select Computer Account and click Next.
  3. Right-click on Personal –> All Tasks –> Advanced Options –> Create Custom Request.
  4. The Certificate Enrollment wizard starts; click Next.
  5. Click Next on the following three pages of the wizard.
  6. Click on Details, then click on Properties.
  7. Enter a friendly name for your certificate, then click on the Subject tab.
  8. From the drop-down menu, select Common name, provide the value and click on the Add button.
  9. Click on the Private Key tab.
  10. Select the key size, tick the checkbox “Make private key exportable”, click on Apply and hit OK.
  11. Click Next.
  12. Click Finish. Copy the request file and provide it to your SSL certificate provider to procure the certificate. Once procured, complete the certificate request.
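The same request scripted with certreq instead of the MMC wizard, as an added example that is not part of the original article; fs.mydomain.com is taken from the article’s test URL, and C:\CSR and fs.cer are placeholder paths:

```powershell
# Added example (not from the original article): create the AD FS SSL certificate request with
# certreq. Assumptions: fs.mydomain.com is the federation service name used later in the
# article; C:\CSR and fs.cer are placeholders.
$fsName  = 'fs.mydomain.com'
$workDir = 'C:\CSR'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Same settings the wizard steps above set by hand: machine store, exportable private key,
# 2048-bit RSA, SHA-256, server-authentication EKU. KeySpec 1 = AT_KEYEXCHANGE,
# KeyUsage 0xA0 = digitalSignature + keyEncipherment. The key is exportable only because the
# same certificate must later be moved to the WAP server; guard the exported PFX accordingly.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fsName"
FriendlyName = "AD FS SSL $fsName"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
$inf | Set-Content -Path "$workDir\request.inf" -Encoding ASCII

# Generate the CSR; the private key is created in the machine store as a pending request
& certreq.exe -new "$workDir\request.inf" "$workDir\request.csr"

# Send request.csr to the CA. When the issued certificate comes back as fs.cer, bind it to
# the pending private key and confirm it landed in LocalMachine\My with the key present.
if (Test-Path "$workDir\fs.cer") {
    & certreq.exe -accept "$workDir\fs.cer"
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fsName" } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}
```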

Import SSL Certificate

Once you have the certificate from your public certificate provider, go to mmc –> Add/Remove Snap-in –> Certificates –> Computer Account –> Personal –> right-click –> All Tasks –> Import.

Installing AD FS 3.0

To install AD FS 3.0, go to Server Manager –> Add Roles and Features.

We’re done with the installation of our first ADFS 3.0 server.

Configure AD FS 3.0

As we’re done with the installation of AD FS 3.0 on the first server, let’s follow the steps to configure AD FS 3.0.

Go to Server Manager –> click Configure the federation service on this server.

We’re using Windows Internal Database (WID) for the AD FS deployment. WID can support up to 5 AD FS servers in an AD FS server farm and uses SQL Express 2012, with a limitation of 10 GB database size.

Your ADFS 3.0 server is installed and configured now. To test your ADFS deployment, go to https://fs.mydomain.com/adfs/ls/IdpInitiatedSignon.aspx. I’ve created an “A” record in my DNS for “FS” pointing to the ADFS server. After installing the 2nd ADFS server, I’ll add that server to my load balancer as well.

Configure Single Sign on with Office 365

As we’re done with the installation and configuration of our ADFS server farm, it’s time to configure SSO with Office 365 using PowerShell. Download and install the Windows Azure Active Directory Module from Microsoft on your domain-joined server. Run Windows Azure PowerShell as administrator and connect to your Office 365 tenant using global admin credentials.

Once you’re connected to Office 365, run the cmdlet Set-MSOLADFSContext -Computer “Computer FQDN” and then run Convert-MSOLDomaintoFederated -DomainName “DomainName”.

If you have multiple domains and would like to set up Single Sign on for all of them, also use the -SupportMultipleDomains switch with the Convert-MsolDomaintoFederated cmdlet.
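The federation steps above as one script with pre-checks and verification, added here and not part of the original article; the tenant sign-in is an interactive prompt, adfs01.enpointelab.net is a placeholder for the primary AD FS server in the lab, and mydomain.com stands for the verified custom domain:

```powershell
# Added example (not from the original article): federate a verified Office 365 domain with the
# AD FS farm and confirm the result. Placeholders: adfs01.enpointelab.net is the internal FQDN
# of the primary AD FS server; mydomain.com stands for the verified custom domain.
Import-Module MSOnline

$adfsServer      = 'adfs01.enpointelab.net'
$domain          = 'mydomain.com'
$multipleDomains = $true   # decide before the first domain is converted

# Sign in with a global admin of the tenant (interactive prompt)
Connect-MsolService

# Guard: only a verified domain that is still managed should be converted
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified')          { throw "$domain is not verified in the tenant" }
if ($d.Authentication -eq 'Federated') { throw "$domain is already federated" }

# Point the MSOnline federation cmdlets at the AD FS server (uses WinRM to that host)
Set-MsolADFSContext -Computer $adfsServer

# Convert the domain. -SupportMultipleDomains changes the issuer URI the farm hands out,
# so use it from the first conversion if more domains will share this farm.
if ($multipleDomains) {
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomains
} else {
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: Authentication should now read Federated and the sign-on URIs should point at the farm
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri
```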

Now your domain is federated with Office 365. The next step is to install and configure the AAD Sync tool to synchronize identities with Office 365. You can install and configure the AAD Sync tool by following the steps mentioned here.

Install and Configure Web Application Proxy

Before we start the installation of Web Application Proxy, we need:

  • The ADFS SSL certificate on the WAP server: export the certificate from the ADFS server and import it on the WAP server.
  • External DNS record: create an external DNS record for the ADFS proxy server.
  • Ports 80 and 443 open on your firewall.

To install WAP, go to Server Manager and click on Add Roles and Features.

Publish AD FS using WAP

Go to the WAP administration console and click on Publish.
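Publishing AD FS from PowerShell on the WAP server instead of the console, as an added example that is not from the original article; fs.mydomain.com is the federation service name from the article, and the trust credential is an account that is a local administrator on the AD FS servers:

```powershell
# Added example (not from the original article): install the WAP role service and publish the
# AD FS farm through it. Assumptions: fs.mydomain.com is the federation service name from the
# article; the certificate was already imported into LocalMachine\My as the prerequisites require.
Import-Module WebApplicationProxy

$fsName = 'fs.mydomain.com'

# Prerequisite 1: the AD FS SSL certificate, with its private key, must be on this server.
# Take the longest-lived one in case an older copy is still present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in LocalMachine\My" }

# Prerequisite 2: the DMZ host must reach the internal farm on 443 to establish the trust
if (-not (Test-NetConnection -ComputerName $fsName -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $fsName on TCP 443 from this server"
}

# Credential of an account that is a local administrator on the AD FS servers
$trustCred = Get-Credential -Message 'AD FS local administrator for the WAP trust'

# Establishes the proxy trust with the farm and publishes the federation service
Install-WebApplicationProxy -FederationServiceName $fsName `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceTrustCredential $trustCred

# Verify the trust and the proxy health before testing IdpInitiatedSignon from outside
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyHealth
```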

We’re now done with setting up Single Sign on with Office 365 using AD FS 3.0. I hope this article helps you configure Single Sign on with Office 365. You can download this guide from TechNet as well. Happy deployment!!!