Single Sign on with Office 365
Single Sign-On (SSO) with Office 365 is mostly used by organizations to give their end users a seamless sign-in experience. This article walks through setting up Single Sign-On with Office 365 using AD FS 3.0. Before we start, let's review a few important prerequisites for SSO.
You can also download the complete guide on setting up Single Sign-On with Office 365 from TechNet.
- An internet-routable domain name, e.g. contoso.com or mstechtalk.com
- An SSL certificate from a public certificate authority such as GoDaddy
- Office 365 global admin permissions
- A service account for AD FS 3.0
- Web Application Proxy
- AAD Sync tool to synchronize identities with Office 365
If your internal domain name is not routable on the internet, you will have to add a custom UPN suffix that matches your external namespace. You can add a UPN suffix to your forest by following the instructions in the Microsoft Knowledge Base.
Currently I have the following infrastructure in my lab for setting up Single Sign-On with Office 365.
- 2 x Windows Server 2012 R2 domain controllers (domain name: enpointelab.net)
- 1 x Azure AD Sync tool
- 1 x Windows Server 2012 R2 server for AD FS 3.0 in the production zone
- 1 x Windows Server 2012 R2 server in the DMZ for Web Application Proxy
Let's get started with the lab and set up Single Sign-On with Office 365.
Activate Single Sign on
Before we start installing AD FS 3.0, we first need to enable Single Sign-On in Office 365. To activate it, follow the steps shown below.
Note: before we start this step, I assume you have already set up your Office 365 tenant and configured your custom domain in Office 365.
To activate Single Sign-On, go to the Office 365 portal –> Active Users –> click Set Up, as shown below.
Once you're done with your planning and preparation for Single Sign-On, move on to the second step and deploy your AD FS servers.
Create SSL Certificate Request for AD FS 3.0
Before we start installing and configuring AD FS 3.0 for Single Sign-On, let's first create the SSL certificate request that we will submit to a public certificate authority such as GoDaddy.
Note: I procured my SSL certificate from GoDaddy for this lab.
To create an SSL certificate request, open the MMC console.
Click Add/Remove Snap-in, select Certificates and click the Add button.
Select Computer account and click Next.
Right-click Personal –> All Tasks –> Advanced Options –> Create Custom Request.
The Certificate Enrollment wizard will start; click Next.
Enter a friendly name for your certificate, then click the Subject tab.
From the drop-down menu, select Common name, provide the value and click the Add button.
Select the key size, check “Make private key exportable”, click Apply and then OK.
Click Finish. Copy the request file, provide it to your SSL certificate provider and procure the certificate. Once procured, complete the certificate request.
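The same request the MMC wizard produces above can be generated from an INF file with certreq, which makes the key parameters (2048-bit RSA, exportable private key, Server Authentication EKU, a SAN matching the federation service name) explicit and repeatable. This is an added example, not from the original article; fs.mydomain.com is the placeholder federation service name this article uses, and the file paths are arbitrary.

```powershell
# Constructed example (not the article's own steps): build the AD FS SSL
# certificate request from an INF file instead of the MMC wizard.
$fsName = "fs.mydomain.com"     # placeholder federation service name from this article

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fsName"
FriendlyName = "ADFS SSL Certificate"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE        ; required: the same cert is later exported to the WAP server
MachineKeySet = TRUE     ; store the key under the computer account, not the user
KeySpec = 1              ; AT_KEYEXCHANGE, needed for TLS
KeyUsage = 0xA0          ; digitalSignature + keyEncipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1  ; Server Authentication

[Extensions]
; Subject Alternative Name: browsers match the SAN, not only the CN
2.5.29.17 = "{text}"
_continue_ = "dns=$fsName&"
"@

$infPath = Join-Path $env:TEMP "adfs.inf"
$reqPath = Join-Path $env:TEMP "adfs.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the local machine store and writes the PKCS#10 request
certreq -new $infPath $reqPath

# Submit adfs.req to the public CA. When the issued certificate is downloaded,
# bind it to the pending private key with:
#   certreq -accept "$env:TEMP\adfs.cer"

# Afterwards, confirm the certificate landed in Personal with its private key
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fsName" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

HasPrivateKey must be True on the issuing server, otherwise the export to the WAP server later in this article will not carry the key.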
Import SSL Certificate
Once you have received the certificate from the public certificate authority, go to MMC –> Add/Remove Snap-in –> Certificates –> Computer account –> Personal –> right-click –> All Tasks –> Import.
Installing AD FS 3.0
To install AD FS 3.0, go to Server Manager –> Add Roles and Features.
We're done with the installation of our first AD FS 3.0 server.
Configure AD FS 3.0
Now that AD FS 3.0 is installed on the first server, let's follow the steps to configure it.
Go to Server Manager –> click Configure the federation service on this server.
We're using the Windows Internal Database (WID) for this AD FS deployment. WID can support up to 5 AD FS servers in an AD FS farm; it is based on SQL Server 2012 Express and has a 10 GB database size limit.
Your AD FS 3.0 server is now installed and configured. To test your AD FS deployment, browse to https://fs.mydomain.com/adfs/ls/IdpInitiatedSignon.aspx. I've created an “A” record in my DNS for “FS” pointing to the AD FS server. After installing the second AD FS server, I'll add that server to my load balancer as well.
Configure Single Sign on with office 365
Now that the AD FS server farm is installed and configured, it's time to configure SSO with Office 365 using PowerShell. Download and install the Windows Azure Active Directory Module from Microsoft on your domain-joined server. Run Windows Azure PowerShell as administrator and connect to your Office 365 tenant using global admin credentials.
Once you're connected to Office 365, run the cmdlet Set-MsolADFSContext -Computer “Computer FQDN” and then run Convert-MsolDomainToFederated -DomainName “DomainName”.
If you have multiple domains and would like to set up Single Sign-On for all of them, also use the -SupportMultipleDomains switch with the Convert-MsolDomainToFederated cmdlet.
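The federation steps above, put together as a script that only converts a domain that is still managed and then verifies what the tenant actually recorded (authentication type, issuer, passive logon endpoint, signing certificate expiry). This is an added example, not the article's own script; the AD FS server FQDN and mydomain.com are placeholders to replace with your own values.

```powershell
# Constructed example (not from the original article). Assumes the MSOnline
# module is installed and the AD FS server accepts PowerShell remoting.
$adfsServer = "ADFS01.enpointelab.net"   # hypothetical FQDN of the internal AD FS server
$domain     = "mydomain.com"             # placeholder domain already verified in the tenant

Import-Module MSOnline
Connect-MsolService                      # prompts for global admin credentials

# Point the module at the AD FS server it should configure (creates the
# "Microsoft Office 365 Identity Platform" relying party trust there).
Set-MsolADFSContext -Computer $adfsServer

# Convert only once: running this against an already federated domain errors out.
$before = Get-MsolDomain -DomainName $domain
if ($before.Authentication -eq "Managed") {
    # Add -SupportMultipleDomains here when more than one domain uses this farm
    Convert-MsolDomainToFederated -DomainName $domain
} else {
    Write-Warning "$domain is already $($before.Authentication); skipping conversion."
}

# Verify from the tenant side rather than trusting the cmdlet's silence
$after = Get-MsolDomain -DomainName $domain
$fed   = Get-MsolDomainFederationSettings -DomainName $domain

# SigningCertificate is returned as a base64 string; decode it to read its expiry,
# since an expired token-signing cert silently breaks every sign-in.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList @(,[Convert]::FromBase64String($fed.SigningCertificate))

[pscustomobject]@{
    Domain           = $domain
    Authentication   = $after.Authentication   # expected: Federated
    IssuerUri        = $fed.IssuerUri
    PassiveLogOnUri  = $fed.PassiveLogOnUri    # should be https://fs.mydomain.com/adfs/ls/
    SigningCertExpiry = $signingCert.NotAfter
}
```

If PassiveLogOnUri does not resolve to the federation service name you published in DNS, fix the AD FS properties and rerun the conversion before pointing users at it.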
Now your domain is federated with Office 365. The next step is to install and configure the AAD Sync tool to synchronize identities with Office 365. You can install and configure the AAD Sync tool by following the steps mentioned here.
Install and Configure Web Application Proxy
Before we start the installation of Web Application Proxy, we need:
- The AD FS SSL certificate on the WAP server. Export the certificate from the AD FS server and import it on the WAP server.
- An external DNS record for the AD FS proxy server.
- Ports 80 and 443 open on your firewall.
To install WAP, go to Server Manager and click Add Roles and Features.
Go to the WAP administration console and click Publish.
We're now done with setting up Single Sign-On with Office 365 using AD FS 3.0. I hope this article helps you configure Single Sign-On with Office 365. You can download this guide from TechNet as well. Happy deployment!