This section describes how to integrate RSA SecurID Access with Microsoft Office 365 using a SAML SSO Agent.
Configure RSA Cloud Authentication Service
Perform the steps in this section to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP for Microsoft Office 365.
Note: This configuration works with both IdP-Initiated and SP-Initiated SAML workflows.
1. Sign into the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Microsoft Office 365, and click +Add to add the connector.
2. Enter a Name and click Next Step.
3. Configure the Initiate SAML Workflow settings and scroll down to the SAML Identity Provider (Issuer) section.
- Enter the following into the Connection URL field:
- Select IDP-Initiated.
4. Configure the SAML Identity Provider (Issuer) settings and scroll down to the Service Provider section.
- Specify the Identity Provider URL. The default should be OK for most deployments.
- Set Issuer Entity ID to Override and specify
- Upload the SAML Response Signature private key and certificate.
- Mark the Include Certificate in Outgoing Assertion checkbox.
Note: The <idp_id> value must be sufficiently unique that it does not conflict with other customers within the same Microsoft Azure AD/Office 365 infrastructure.
5. Configure the Service Provider settings and scroll down to the User Identity section.
- Enter the following text into the Assertion Consumer Service (ACS) URL field:
- Enter the following text into the Audience (Service Provider Entity ID) field:
6. Configure the User Identity settings and click Show Advanced Configuration.
- Set Identifier Type to persistent.
- Set Identity Source to the identity source which contains your Office 365 users.
- Set Property to objectGUID.
7. Configure the Attribute Extension settings and scroll down to the Uncommon Formatting SAML Response Options section.
- Add an extension with Attribute Name ImmutableID with your Identity Source and Property objectGUID.
- Add an extension with Attribute Name IDPEmail with your Identity Source and Property mail.
8. Set Sign Outgoing Assertion to Assertion within response and click Next Step.
9. Configure the Access Policy settings and click Next Step.
10. Configure the Portal Display settings and click Save and Finish.
11. Browse to Applications > My Applications, locate your Microsoft Office 365 connector and click Edit > Export Metadata. A file called Microsoft_Office_365-idp-metadata.xml will download.
12. Click Publish Changes and wait for the operation to complete.
Configure Microsoft Office 365
Perform these steps to integrate Microsoft Office 365 with RSA SecurID Access as a SAML SSO Agent.
1. Log on to the Windows Azure AD Connect server and open PowerShell.
2. Enter the following commands to connect to Azure Active Directory. Enter your Office 365 global admin account credentials when prompted.
$cred = Get-Credential
Note: The username must be in the format <username>@<domain>.onmicrosoft.com
Connect-MsolService -Credential $cred
3. Enter the following commands to specify your federated authentication settings.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\IDPSigningCertificate.pem")
where c:\temp\IDPSigningCertificate.pem is the path to the same certificate used for the RSA SAML Response Signature.
$certData = [system.convert]::tobase64string($cert.rawdata)
$domain = "<your_domain>"
$cloudURL = "<RSA IdP URL>"
Note: The RSA IdP URL can be found in the downloaded IdP metadata file. It is formatted like this: "https://<RSA Identity Router Portal FQDN>/IdPServlet?idp_id=<idp_id>"
$logOffURL = "https://login.microsoftonline.com"
4. Enter the following command to apply the federated authentication settings.
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain -Authentication Federated -ActiveLogOnUri $cloudURL -IssuerUri $cloudURL -LogOffUri $logOffURL -PassiveLogOnUri $cloudURL -SigningCertificate $certData -PreferredAuthenticationProtocol "SAMLP"
5. Enter the following command to verify the federated authentication settings.
Get-MsolDomainFederationSettings -DomainName $domain | Format-List *
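The command in step 4 takes the IdP URL and the signing certificate on trust: if $cloudURL does not match the Issuer the RSA IdP actually puts in its assertions, or the .pem file is not the certificate RSA signs with, every federated login for the domain fails. The following pre-flight check, an added example that is not part of the RSA guide, reads the Microsoft_Office_365-idp-metadata.xml file exported in step 11 of the RSA section, pulls the entityID, the HTTP-POST SSO endpoint and the published signing certificate out of it, and compares them with the certificate file before step 4 is run. The file paths are assumptions; the 30-day expiry margin is an arbitrary choice.

```powershell
# Added example, not from the RSA guide: cross-check the exported IdP metadata
# against the local certificate file before running Set-MsolDomainAuthentication.
$MetadataPath = "C:\temp\Microsoft_Office_365-idp-metadata.xml"   # assumed download location of the step 11 file
$CertPath     = "C:\temp\IDPSigningCertificate.pem"               # same file loaded into $cert in step 3

[xml]$metadata = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entity = $metadata.SelectSingleNode("/md:EntityDescriptor", $ns)
if ($null -eq $entity) { throw "No md:EntityDescriptor root element in $MetadataPath" }
$idpEntityId = $entity.GetAttribute("entityID")

# Office 365 uses SAMLP over HTTP-POST, so that is the endpoint $cloudURL must point at.
$sso = $entity.SelectSingleNode("md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)
if ($null -eq $sso) { throw "Metadata publishes no HTTP-POST SingleSignOnService endpoint" }
$ssoUrl = $sso.GetAttribute("Location")

# The certificate the IdP advertises for signing (a KeyDescriptor without 'use' covers signing too).
$certNode = $entity.SelectSingleNode("md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if ($null -eq $certNode) { throw "Metadata publishes no signing certificate" }
$metaCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String(($certNode.InnerText -replace '\s', '')))
$fileCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

$problems = @()
# Step 4 passes one value as both -IssuerUri and -PassiveLogOnUri, so the two must agree.
if ($idpEntityId -ne $ssoUrl) {
    $problems += "entityID ($idpEntityId) differs from the SSO Location ($ssoUrl); -IssuerUri and -PassiveLogOnUri cannot both be $cloudURL"
}
if ($ssoUrl -notmatch 'IdPServlet\?idp_id=') {
    $problems += "SSO Location does not have the https://<FQDN>/IdPServlet?idp_id=<idp_id> form: $ssoUrl"
}
# The .pem handed to -SigningCertificate must be the key RSA actually signs responses with.
if ($metaCert.Thumbprint -ne $fileCert.Thumbprint) {
    $problems += "Certificate in metadata ($($metaCert.Thumbprint)) is not the one in $CertPath ($($fileCert.Thumbprint))"
}
if ($fileCert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Signing certificate expires on $($fileCert.NotAfter); federation breaks at that point unless it is rotated"
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "IdP metadata pre-flight failed; do not run Set-MsolDomainAuthentication yet"
}

# Values that feed the variables of step 3 once the checks pass.
[pscustomobject]@{
    CloudURL   = $ssoUrl
    Thumbprint = $fileCert.Thumbprint
    NotAfter   = $fileCert.NotAfter
    CertData   = [Convert]::ToBase64String($fileCert.RawData)
}
```

Run it on the Azure AD Connect server after the metadata export and before step 4; the CloudURL and CertData fields it prints are the values $cloudURL and $certData should hold. Keep the script with the change record: the same thumbprint comparison is what you re-run after RSA rotates its signing certificate, when the -SigningCertificate value has to be updated before the old certificate expires.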
Configuration is complete.
You can revert to non-federated (managed) authentication by entering the following command.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
Return to the Configuration Summary.