Microsoft Office 365 - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jun 19, 2019. Last modified by RSA Information Design and Development on Jun 25, 2019.
Version 6

This section describes how to integrate RSA SecurID Access with Microsoft Office 365 using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP for Microsoft Office 365.

Note:  This configuration works with both IdP-Initiated and SP-Initiated SAML workflows.

Procedure

1. Sign into the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Microsoft Office 365, and click +Add to add the connector.

2. Enter a Name and click Next Step.

3. Configure the Initiate SAML Workflow settings and scroll down to the SAML Identity Provider (Issuer) section.

  1. Enter the following into the Connection URL field:
     https://login.microsoftonline.com
  2. Select IDP-Initiated.

4. Configure the SAML Identity Provider (Issuer) settings and scroll down to the Service Provider section.

  1. Specify the Identity Provider URL.  The default should be OK for most deployments.
  2. Set Issuer Entity ID to Override and specify:
     urn:uri:<idp_id>

     Note:  The <idp_id> value must be unique enough not to conflict with other customers within the same Microsoft Azure AD/Office 365 infrastructure, because this issuer value becomes the domain's IssuerUri in Azure AD and is how Azure AD maps an incoming SAML response to your tenant.

  3. Upload the SAML Response Signature private key and certificate.  Only the certificate is later registered in Azure AD; the private key stays in RSA SecurID Access.
  4. Mark the Include Certificate in Outgoing Assertion checkbox.

5. Configure the Service Provider settings and scroll down to the User Identity section.

  1. Enter the following text into the Assertion Consumer Service (ACS) URL field:
     https://login.microsoftonline.com/login.srf
  2. Enter the following text into the Audience (Service Provider Entity ID) field:
     urn:federation:MicrosoftOnline

6. Configure the User Identity settings and click Show Advanced Configuration.

  1. Set Identifier Type to persistent.
  2. Set Identity Source to the identity source which contains your Office 365 users.
  3. Set Property to objectGUID.

7. Configure the Attribute Extension settings and scroll down to the Uncommon Formatting SAML Response Options section.

  1. Add an extension with Attribute Name ImmutableID with your Identity Source and Property objectGUID.
  2. Add an extension with Attribute Name IDPEmail with your Identity Source and Property mail.

8. Set Sign Outgoing Assertion to Assertion within response and click Next Step.

9. Configure the Access Policy settings and click Next Step.

10. Configure the Portal Display settings and click Save and Finish.

11. Browse to Applications > My Applications, locate your Microsoft Office 365 connector and click Edit > Export Metadata.  A file called Microsoft_Office_365-idp-metadata.xml will download.

12. Click Publish Changes and wait for the operation to complete.

 

Configure Microsoft Office 365

Perform these steps to integrate Microsoft Office 365 with RSA SecurID Access as a SAML SSO Agent.

Procedure

1. Log on to the Windows Azure AD Connect server and open PowerShell.

2. Enter the following commands to connect to Azure Active Directory. Enter your Office 365 global admin account credentials when prompted.

$cred = Get-Credential

Note:  The username must be in the format <username>@<domain>.onmicrosoft.com

Connect-MsolService -Credential $cred

3. Enter the following commands to specify your federated authentication settings.

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\IDPSigningCertificate.pem")

where c:\temp\IDPSigningCertificate.pem is the path to the same certificate used as the RSA SAML Response Signature certificate (the public certificate only; the private key never leaves RSA SecurID Access).

$certData = [System.Convert]::ToBase64String($cert.RawData)

$domain = "<your_domain>"

$cloudURL = "<RSA IdP URL>"

Note:  The RSA IdP URL can be found in the downloaded IdP metadata file (it is the SingleSignOnService Location).  It is formatted like this: "https://<RSA Identity Router Portal FQDN>/IdPServlet?idp_id=<idp_id>"

$issuerURI = "urn:uri:<idp_id>"

Note:  This value must match, character for character, the Issuer Entity ID override entered in the RSA connector (step 4 of the previous section).  Azure AD matches the Issuer element of each incoming SAML response against the domain's IssuerUri, so an IssuerUri that is set to the IdP URL while the connector issues urn:uri:<idp_id> causes every sign-in to be rejected.

$logOffURL = "https://login.microsoftonline.com"

4. Enter the following command to apply the federated authentication settings.

Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain -Authentication Federated -ActiveLogOnUri $cloudURL -IssuerUri $issuerURI -LogOffUri $logOffURL -PassiveLogOnUri $cloudURL -SigningCertificate $certData -PreferredAuthenticationProtocol "SAMLP"

5. Enter the following command to verify the federated authentication settings.

Get-MsolDomainFederationSettings -DomainName $domain | Format-List *

Configuration is complete.
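The following PowerShell is an added example, not code from the RSA guide or from the MSOnline module. It parses the IdP metadata file exported from the RSA connector, extracts the three values Azure AD must hold for the domain (the issuer, the SSO URL and the signing certificate) and compares them field by field with the object returned by Get-MsolDomainFederationSettings, so an issuer or certificate mismatch is caught before users are redirected. The metadata embedded below is constructed for the example: the hostname idr.example.com, the idp_id example-idp-01 and the certificate body are placeholders (the certificate body is valid base64 but not a real certificate). The function names Get-IdpMetadataValues and Test-FederationSettings are this example's own.

```powershell
# Added example; not part of the RSA guide or the MSOnline module.

function Get-IdpMetadataValues {
    # Pull entityID, the HTTP-POST SSO location and the signing certificate
    # out of a SAML 2.0 IdP metadata document.
    param([Parameter(Mandatory)][xml]$Metadata)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity   = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $sso      = $Metadata.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)
    $certNode = $Metadata.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    if (-not $entity -or -not $sso -or -not $certNode) {
        throw 'Metadata is missing entityID, an HTTP-POST SingleSignOnService or a signing certificate.'
    }

    # Metadata usually line-wraps the base64; strip whitespace so it compares
    # equal to the SigningCertificate value Azure AD stores. The SHA-1 of the
    # DER bytes is the Thumbprint certificate tools display, handy for logging.
    $b64   = $certNode.InnerText -replace '\s', ''
    $der   = [Convert]::FromBase64String($b64)
    $thumb = ([System.Security.Cryptography.SHA1]::Create().ComputeHash($der) |
              ForEach-Object { $_.ToString('X2') }) -join ''

    [pscustomobject]@{
        IssuerUri          = $entity.GetAttribute('entityID')
        SsoUrl             = $sso.GetAttribute('Location')
        SigningCertificate = $b64
        Thumbprint         = $thumb
    }
}

function Test-FederationSettings {
    # $Actual is the object from Get-MsolDomainFederationSettings (or any
    # object with the same property names). Comparison is case-sensitive
    # because SAML issuer matching is exact.
    param([Parameter(Mandatory)]$Expected, [Parameter(Mandatory)]$Actual)

    $checks = @(
        @{ Setting = 'IssuerUri';          Want = $Expected.IssuerUri;          Got = $Actual.IssuerUri }
        @{ Setting = 'PassiveLogOnUri';    Want = $Expected.SsoUrl;             Got = $Actual.PassiveLogOnUri }
        @{ Setting = 'ActiveLogOnUri';     Want = $Expected.SsoUrl;             Got = $Actual.ActiveLogOnUri }
        @{ Setting = 'SigningCertificate'; Want = $Expected.SigningCertificate; Got = ("$($Actual.SigningCertificate)" -replace '\s', '') }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Setting = $c.Setting; Match = ($c.Want -ceq $c.Got); Expected = $c.Want; Actual = $c.Got }
    }
}

# Constructed stand-in for the exported Microsoft_Office_365-idp-metadata.xml.
# Hostname, idp_id and certificate body are placeholders, not real values.
[xml]$sampleMetadata = @'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:uri:example-idp-01">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          TUlJQ3BsYWNlaG9sZGVyY2VydGlmaWNhdGVib2R5Zm9ydGhlZXhhbXBsZW9ubHk=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idr.example.com/IdPServlet?idp_id=example-idp-01"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

$expected = Get-IdpMetadataValues -Metadata $sampleMetadata

# Constructed stand-in for Get-MsolDomainFederationSettings output on a domain
# whose IssuerUri was set to the IdP URL instead of the Issuer Entity ID.
$drifted = [pscustomobject]@{
    IssuerUri          = 'https://idr.example.com/IdPServlet?idp_id=example-idp-01'
    PassiveLogOnUri    = 'https://idr.example.com/IdPServlet?idp_id=example-idp-01'
    ActiveLogOnUri     = 'https://idr.example.com/IdPServlet?idp_id=example-idp-01'
    SigningCertificate = $expected.SigningCertificate
}
Test-FederationSettings -Expected $expected -Actual $drifted |
    Format-Table Setting, Match, Expected, Actual -AutoSize
# Only IssuerUri reports Match=False; that single mismatch is enough for Azure AD to reject every assertion.

# Against a live tenant, after Connect-MsolService:
# $live = Get-MsolDomainFederationSettings -DomainName $domain
# $meta = [xml](Get-Content .\Microsoft_Office_365-idp-metadata.xml -Raw)
# Test-FederationSettings -Expected (Get-IdpMetadataValues -Metadata $meta) -Actual $live
```

Run it once after Set-MsolDomainAuthentication and again whenever the RSA signing certificate is rotated: a rotated certificate shows up as a SigningCertificate mismatch, which is the usual cause of federation breaking silently at renewal time.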

 

You can revert to non-federated authentication by entering the following command.

Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

 

Return to the Configuration Summary.

 
