Microsoft Office 365 - WS-Federation SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jun 19, 2019. Last modified by RSA Information Design and Development on Jun 25, 2019.
Version 6

This section describes how to integrate RSA SecurID Access with Microsoft Office 365 using a WS-Federation SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform the steps in this section to configure RSA Cloud Authentication Service as a WS-Federation STS / IdP (SSO Agent) for Microsoft Office 365.

Procedure

1. Sign in to the Cloud Administration Console and browse to Users > Identity Sources.

Note:  Office 365 clients that use the active endpoint, such as Outlook, Word and Excel, require an Identity Source that uses the 'mail' attribute as the User Tag. Perform steps 2-3 to verify that such an identity source exists (and to add one if it does not). If active-endpoint clients are not in scope, skip to step 4.

2. Edit the Identity Source(s) that will be used in this integration and check whether the User Tag is set to mail.

3. If the User Tag is not set to mail, add another Identity Source with the same configuration except with the User Tag set to mail, and click Next Step.

4. Mark the following checkboxes and click Next Step.

  • Synchronize the selected policy attributes with the Cloud Authentication Service
  • objectGUID in Policies and Apps columns
  • userPrincipalName in Policies and Apps columns

5. Click Save and Finish.

6. Browse to Applications > Application Catalog, search for Microsoft Office 365 STS and click +Add to add the connector.

7. Enter a Name and click Next Step.

8. Take note of the Connection Profile settings and scroll down to the WS-Federation Response Signature section.

9. Upload the private key and certificate to be used for WS-Federation Response Signature and scroll down to the Relying Party section.

10. Verify the Relying Party settings and scroll down to the Claims section.

11. Configure the Claims settings and click Next Step.

  1. Add claims using the identity source with the sAMAccountName User Tag to support the passive endpoint.
     • Add a claim with Claim Name as Immutable ID and Property as objectGUID.
     • Add a claim with Claim Name as UPN and Property as userPrincipalName.
  2. Add claims using the identity source with the mail User Tag to support the active endpoint.
     • Add a claim with Claim Name as Immutable ID and Property as objectGUID.
     • Add a claim with Claim Name as UPN and Property as userPrincipalName.

12. Configure the Access Policy settings and click Next Step.

Note:  As of the February 2018 Cloud Authentication Service release, Exchange and ActiveSync clients report the client's public IP address in the X-MS-Forwarded-Client-IP header. Non-email clients (for example Word and Excel) using the active endpoint report the client's IP address as null. Previously, all rich clients using the active endpoint reported the client's IP address as 0.0.0.0. Take this into account when configuring the access policy that will be used with this application connector, since IP-based conditions cannot be evaluated for clients that report a null or placeholder address.

13. Configure the Portal Display settings and click Save and Finish.

14. Click Publish Changes and wait for the operation to complete.

 

Configure Microsoft Office 365

Perform these steps to integrate Microsoft Office 365 with RSA SecurID Access as a WS-Federation SSO Agent.

Procedure

1. Log on to the Windows Azure AD Connect server and open PowerShell.

2. Enter the following commands to connect to Azure Active Directory. Enter your Office 365 global admin account credentials when prompted.

$cred = Get-Credential

Note:  The username must be in the format <username>@<domain>.onmicrosoft.com

Connect-MsolService -Credential $cred

3. Enter the following commands to specify your federated authentication settings.

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\WSFedSigningCertificate.pem")

where c:\temp\WSFedSigningCertificate.pem is the path to the same certificate that was uploaded for the WS-Federation Response Signature in the RSA connector.

$certData = [System.Convert]::ToBase64String($cert.RawData)

$domain = "<your domain>"

$IssuerUri = "https://<Identity Router FQDN>"

$LogOffUri = "https://<Identity Router FQDN>/LogoutServlet"

$ActiveLogOnUri = "https://<Identity Router FQDN>/trust/10/<domain>/STSServiceTransportUT"

$PassiveLogOnUri = "https://<Identity Router FQDN>/federation"

$MetadataExchangeUri = "https://<Identity Router FQDN>/metadata/5z3qvc6m0r3c/FederationMetadata/2007-06/FederationMetadata.xml"

4. Enter the following command to apply the federated authentication settings.

Set-MsolDomainAuthentication -DomainName $domain -Authentication Federated -ActiveLogOnUri $ActiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $certData

5. Enter the following command to verify the federated authentication settings.

Get-MsolDomainFederationSettings -DomainName $domain | Format-List *

Configuration is complete.
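The following PowerShell script is added here as a worked example and is not part of the RSA guide. It runs steps 2 to 5 above as a single pass: it checks the signing certificate's validity period before anything in the tenant is changed, derives the endpoint URIs from the Identity Router FQDN using the patterns shown in step 3, applies the settings, and then reads them back with Get-MsolDomainFederationSettings and compares every field (including the Base64 signing certificate) with what was sent, instead of relying on a visual check of the Format-List output. The FQDN, domain name and certificate path are placeholders; the metadata path is the one shown in step 3.

```powershell
# Added example, not from the RSA guide: steps 2-5 of "Configure Microsoft Office 365"
# as one script with a certificate pre-flight check and a field-by-field verification.
param(
    [string]$IdrFqdn  = "idr.example.com",                     # placeholder: Identity Router FQDN
    [string]$Domain   = "example.com",                         # placeholder: federated domain
    [string]$CertPath = "C:\temp\WSFedSigningCertificate.pem"  # same cert as WS-Federation Response Signature
)

# --- Step 3: load the signing certificate and check it before touching the tenant ---
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate $($cert.Thumbprint) expired on $($cert.NotAfter); federated sign-in would fail."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires on $($cert.NotAfter); plan a certificate rollover."
}
$certData = [System.Convert]::ToBase64String($cert.RawData)

# Build the endpoint URIs from the Identity Router FQDN (same patterns as step 3 of the guide).
$base = "https://$IdrFqdn"
$expected = [ordered]@{
    IssuerUri           = $base
    LogOffUri           = "$base/LogoutServlet"
    ActiveLogOnUri      = "$base/trust/10/$Domain/STSServiceTransportUT"
    PassiveLogOnUri     = "$base/federation"
    MetadataExchangeUri = "$base/metadata/5z3qvc6m0r3c/FederationMetadata/2007-06/FederationMetadata.xml"
    SigningCertificate  = $certData
}

# --- Step 2: connect with a global administrator account (<username>@<domain>.onmicrosoft.com) ---
$cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $cred

# Record the current state so a failed verification can be reverted with -Authentication Managed.
$before = Get-MsolDomain -DomainName $Domain
Write-Host "Current authentication for ${Domain}: $($before.Authentication)"

# --- Step 4: apply the federation settings ---
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -IssuerUri           $expected.IssuerUri `
    -LogOffUri           $expected.LogOffUri `
    -ActiveLogOnUri      $expected.ActiveLogOnUri `
    -PassiveLogOnUri     $expected.PassiveLogOnUri `
    -MetadataExchangeUri $expected.MetadataExchangeUri `
    -SigningCertificate  $expected.SigningCertificate

# --- Step 5: read the settings back and compare every field with what was sent ---
$actual = Get-MsolDomainFederationSettings -DomainName $Domain
$mismatches = @()
foreach ($name in $expected.Keys) {
    if ([string]$actual.$name -ne [string]$expected[$name]) {
        $mismatches += "${name}: expected '$($expected[$name])' but tenant has '$($actual.$name)'"
    }
}
if ((Get-MsolDomain -DomainName $Domain).Authentication -ne 'Federated') {
    $mismatches += "Domain authentication mode is not Federated"
}

if ($mismatches.Count -eq 0) {
    Write-Host "Federation settings for $Domain verified (signing cert thumbprint $($cert.Thumbprint))."
} else {
    $mismatches | ForEach-Object { Write-Warning $_ }
    throw "Federation settings for $Domain do not match what was sent; review before testing sign-in."
}
```

The comparison loop is the part worth keeping even if the rest is typed in by hand: a silent mismatch in IssuerUri or SigningCertificate is what turns into "AADSTS" sign-in failures for every user in the domain, and checking the stored values against the intended ones catches it before anyone tries to log in. If the script throws at the verification stage, the revert command given below restores managed authentication for the domain.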

 

You can revert to non-federated (managed) authentication by entering the following command.

Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

 
