Microsoft Office 365 - SAML IDR SSO Configuration - RSA Ready Implementation Guide
This article describes how to integrate Microsoft Office 365 with the RSA Cloud Authentication Service (CAS) using the Identity Router (IDR) as a SAML identity provider (IDR SSO).
Configure CAS
Perform these steps to configure CAS as the SAML identity provider (via the Identity Router) for Microsoft Office 365.
Procedure
- Sign in to the RSA Cloud Administration Console.
- Navigate to Applications > Application Catalog, search for Microsoft Office 365, and click Add to add the connector.
- On the Basic Information page, enter the name for the application in the Name field.
- Choose Identity Router and click Next Step.
- In the Connection Profile section, select the IdP-initiated option.
- Enter Connection URL: https://login.microsoftonline.com/login.srf.
- In the Identity Provider section:
- Note the Identity Provider URL; it is required later in the Microsoft O365 configuration.
- Keep the Identity Provider Entity ID at its default value.
- A private/public key pair is required: the Identity Router signs SAML assertions with the private key and Office 365 validates them with the public certificate. If you already have a key pair, import it and continue to the next step. Otherwise, generate a certificate bundle as follows.
- Click Generate Certificate Bundle in the SAML Response Signature section.
- Enter a common name for your Identity Router domain in the Common Name (CN) field.
- Click Generate and Download, save the certificate bundle ZIP file to a secure location, and extract its contents. The ZIP file will contain a private key, a public certificate, and a certificate signing request.
- In the Service Provider section, enter the Microsoft values:
- Assertion Consumer Service (ACS) URL: Enter the Microsoft ACS URL “https://login.microsoftonline.com/login.srf”.
- Service Provider Entity ID: Enter the Microsoft Issuer "urn:federation:MicrosoftOnline".
- Under the User Identity section, configure Identifier Type, Identity Source, and Property as follows:
- Identifier Type: persistent
- Identity Source: Select your Identity Source
- Property: objectGUID
- Under the Attributes Extension section, add the following attributes:
- First attribute:
- Attribute Source: Identity Source
- Attribute Name: IDPEmail
- Identity Source: Select the identity source that will be used.
- Property: Select the email attribute in your user directory from the drop-down list (for example, 'mail')
- Second attribute:
- Attribute Source: Identity Source
- Attribute Name: ImmutableID
- Identity Source: Select the identity source that will be used.
- Property: Select the property used for object GUID attribute in your user directory from the drop-down list (for example, 'objectGUID').
- Click Next Step.
- On the User Access page, select the access policy the identity router uses to decide which users can access Microsoft O365, and click Next Step.
- On the Portal Display page, configure the portal display and other settings.
- Click Save and Finish.
- Click Publish Changes and wait for the operation to complete.
After publishing, the application is enabled for SSO.
Configure Microsoft Office 365
Perform these steps to configure Microsoft Office 365.
Procedure
- Log in to Microsoft Office 365 with admin credentials at https://office.com.
- Click the Admin icon in the sidebar.
You will be redirected to the Microsoft 365 admin center.
- Go to Settings > Domains to verify your custom domain name.
- After your domain is verified, click Identity in the left navigation menu. The Microsoft Entra admin center opens.
- Under Identity > Settings > Domain names, ensure that the domain previously entered is listed on the custom domain names page. If not, click Add Custom Domain to verify your domain.
- Run Windows PowerShell as an administrator.
- Connect to your Office 365 tenant with the command Connect-MsolService.
- Log in with your Office 365 tenant administrator account.
Note: This admin account should be in a different domain from the one being federated (for example, the default onmicrosoft.com domain provided by Microsoft). Once a domain is federated, every account in it must authenticate through the identity provider, so a misconfiguration could otherwise lock the administrator out of the tenant.
- Retrieve all domains for the company (verified or unverified) to identify the domain that should be federated using the command: Get-MsolDomain.
- Define the following variables in the PowerShell session. Most of the values come from the RSA Cloud Authentication Service configuration above:
- $domain: Enter the domain for which you would like to enable SSO.
- $BrandName: Enter a name to identify your IdP (for example, RSA SAML).
- $LogOnUrl: Enter the Identity Provider URL used in the RSA Cloud Authentication Service configuration.
- $LogOffUrl: Enter the landing page URL when the user logs out (for example, https://login.microsoftonline.com/login.srf)
- $SigningCert: The Base64-encoded public signing certificate. Follow these steps to set the variable:
- Take the public certificate from the certificate bundle and save it to a folder, for example, C:\Users\my.name\Downloads.
- Use PowerShell to strip the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines and all line breaks from the file, and assign the remaining single-line Base64 string to $SigningCert.
Note that if you type the command manually, the character in "`r|`n" is a backtick (not a single quote); inside a double-quoted string PowerShell treats `r and `n as carriage return and line feed.
- Verify the content of $SigningCert by typing it at the PowerShell prompt to ensure it contains the correct Base64-encoded certificate string. This method avoids manual editing and reduces the chance of error.
- $uri: The issuer Microsoft will accept in SAML responses. Enter the Identity Provider URL value used in the RSA Cloud Authentication Service configuration; it must match the Issuer value the Identity Router places in its SAML responses exactly.
- $Protocol: SAMLP
- After defining the variables, run Set-MsolDomainAuthentication with them to switch the domain from Managed to Federated. A successful run returns no output and no errors.
- To verify that the domain is configured to use SAML, run Get-MsolDomainFederationSettings -DomainName $domain. The result should show the same values as the variables defined above.
- All users authenticated by SAML must have an ImmutableId set, and it must equal the ImmutableID value the Identity Router sends (the objectGUID). Users without an ImmutableId cannot log in. To identify users without an ImmutableId, query Get-MsolUser and filter on an empty ImmutableId.
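The following script is an added example that assembles the PowerShell steps above into one run; it is not a script from the RSA guide or from Microsoft. The domain name, the Identity Router URL and the certificate path are placeholders to replace with your own values. Beyond the steps in the text, it parses the certificate as X.509 before sending it to Microsoft and compares the stored IssuerUri with the value sent, two checks that catch the most common causes of "sign-in rejected" after federation.

```powershell
# Added example: end-to-end federation of an Office 365 domain to the RSA Identity Router.
# Not RSA's or Microsoft's own script. All values marked "assumed" are placeholders.
# Requires the MSOnline module (Install-Module -Name MSOnline) in Windows PowerShell.
Import-Module MSOnline

# Sign in with an admin account that is NOT in the domain being federated.
Connect-MsolService

# List the tenant's domains; the target must be Verified and (still) Managed.
Get-MsolDomain | Format-Table Name, Status, Authentication

$domain    = 'example.com'                                        # assumed: domain to federate
$BrandName = 'RSA SAML'
$LogOnUrl  = 'https://idr.example.com/IdPServlet?idp_id=example'  # assumed: Identity Provider URL from CAS
$LogOffUrl = 'https://login.microsoftonline.com/login.srf'
$uri       = $LogOnUrl      # per the guide, the same value as the Identity Provider URL
$Protocol  = 'SAMLP'
$certPath  = 'C:\Users\my.name\Downloads\idr-signing.cer'         # assumed: public cert from the CAS bundle

# Reduce the certificate to its single-line Base64 body.
# The pattern must be double-quoted: `r and `n (backtick, not quote) are CR and LF escapes.
$raw = Get-Content -Path $certPath -Raw
if ($raw -match 'BEGIN CERTIFICATE') {
    $SigningCert = $raw -replace "-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----|`r|`n", ""
} else {
    # DER-encoded file: Base64-encode the raw bytes instead.
    $SigningCert = [Convert]::ToBase64String([IO.File]::ReadAllBytes($certPath))
}

# Check 1: the string must decode to a valid, unexpired X.509 certificate.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [byte[]][Convert]::FromBase64String($SigningCert))
"Signing certificate: $($x509.Subject), expires $($x509.NotAfter)"
if ($x509.NotAfter -lt (Get-Date)) { throw 'Signing certificate has already expired.' }

# Convert the domain from Managed to Federated. No output means success.
Set-MsolDomainAuthentication -DomainName $domain `
    -FederationBrandName $BrandName `
    -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl `
    -LogOffUri $LogOffUrl `
    -SigningCertificate $SigningCert `
    -IssuerUri $uri `
    -PreferredAuthenticationProtocol $Protocol

# Check 2: read the settings back and confirm the issuer Microsoft will enforce.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$fed | Format-List IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
if ($fed.IssuerUri -ne $uri) {
    Write-Warning 'Stored IssuerUri differs from $uri; SAML responses from the IdR will be rejected.'
}

# Check 3: every user in the federated domain needs an ImmutableId matching the objectGUID sent by the IdR.
$missing = Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like "*@$domain" -and [string]::IsNullOrEmpty($_.ImmutableId)
}
if ($missing) {
    Write-Warning "$(@($missing).Count) user(s) in $domain have no ImmutableId and cannot sign in via SAML:"
    $missing | Select-Object UserPrincipalName, DisplayName
}
```

Run the script from an elevated Windows PowerShell prompt. If the IssuerUri warning appears, correct it with Set-MsolDomainFederationSettings rather than re-running Set-MsolDomainAuthentication, since the domain is already federated at that point.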
Test Your Application Integration
- Go to the Office 365 login page and enter the e-mail address of a test user in the newly federated domain. You are redirected to the RSA login portal.
- Enter your User ID and Password.
After successful authentication, you will be redirected to your Office 365 landing page.
Notes:
- Make sure the MSOnline PowerShell module is installed (Install-Module -Name MSOnline).
- Office 365 SSO can be enabled only for domains that are verified in Microsoft Entra ID.
- Office 365 SSO cannot be enabled for “onmicrosoft.com” domains that are created by Microsoft.
- If your organization does not have a custom Office 365 domain, you need to purchase one to configure SSO. Federated domains, which are domains where SSO has been enabled, cannot be configured for password synchronization.
- The backtick used when setting the signing certificate is normally located to the left of the "1" key on your keyboard.
- To modify any configuration settings made in Windows PowerShell after federating the necessary domain, use the command Set-MsolDomainFederationSettings instead of Set-MsolDomainAuthentication as the domain is already federated.
- To revert to non-federated authentication, use the following command: Set-MsolDomainAuthentication –DomainName $domain –Authentication Managed.
The configuration is complete.