3. In the Basic Information section, choose Cloud
4. On the Basic Information page, enter the name for the application in the Name field.
5. Click Next Step.

6. In the Connection Profile section, select IdP-initiated.

7. Enter the following values in the Service Provider section:
   • Assertion Consumer Service (ACS) URL: Enter the Microsoft ACS URL “https://login.microsoftonline.com/login.srf”
   • Service Provider Entity ID:  Enter the Microsoft Issuer "urn:federation:MicrosoftOnline".

8. In Identity Provider section, enter the Identity Provider URL.

Note: The Identity Provider URL will be required in the Microsoft O365 configuration.

9. In the Identity Provider Entity ID section, select  Default and leave the other value as it is.

10. In the Audience for SAML Response section, enter the same value as Service Provider Entity ID.

11.  In the Message Protection section, click Download Certificate.

12. In the User Identity section, select persistent from the Identifier Type dropdown list.
13.  From the Property dropdown list, select objectGUID.

14. In the Statement Attributes section, select the following Attributes.
    1.  First Attribute
       • Attribute Name > IDPEmail
       • Attribute Source > Identity Source.
       • Property > Enter the name used for the email attribute in your user directory (e.g., "mail")

1. 2. Second Attributes
      • Attribute Name > ImmutableID
      • Attribute Source > Identity Source
      • Property > Enter the name used for the object ID guid in your user directory (e.g., "objectGUID")

15. When using SAML 2.0 federation with Microsoft Entra ID, MFA done at the IdP is only accepted if the SAML response includes an MFA AuthnContext in the AuthnStatement. If this is missing or incorrectly configured, Microsoft Entra will assume MFA did not occur — and prompt users to register for Microsoft Authenticator or complete MFA again. There are two options to configure this MFA claim in the token:
    1. In the Authentication Context section, make sure to include the following value: http://schemas.microsoft.com/claims/multipleauthn

1. 2. Or It can be included in the assertion as part of the Statement Attributes as:
      • • Attribute Name > Enter http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
        • Attribute Source > Select Constant
        • Property > Enter http://schemas.microsoft.com/claims/multipleauthn

Note: While including the AuthnContext/Statement Attribute is not a mandatory requirement in the configuration, it is strongly recommended to ensure Microsoft Entra recognizes the upstream MFA and avoids prompting users again.

16. Click Next Step.
17. On the User Access page, choose the Access Policy that will define which users are permitted to access the Microsoft O365 service provider.
18. Click Next Step.

19. On the Portal Display page, configure the portal display and other settings.
20. Click Save and Finish.

21. Click Publish Changes and wait for the operation to complete.

22. After publishing, your application is now enabled for SSO. 

Configure Microsoft O365

Perform these steps to configure Microsoft O365.

Procedure

1. Log in to Microsoft O365 with admin credentials at https://office.com
2. Click the Admin icon from the left panel.

3. You will be redirected to Microsoft 365 admin center.
4. Go to Settings > Domains to verify your custom domain name.

5. After your domain is verified, click Identity from the left panel. The Microsoft Entra admin center page will open automatically.

6. In Identity > Settings > Domain names, ensure that the domain previously entered is listed on the custom domain names page. If not, click Add Custom Domain to verify your domain.

7. Run Windows PowerShell as an administrator and connect to your Office 365 instance with the following command. You need to login with your Office 365 Tenant administrator account.

Note: This admin account should be in a separate domain than the one that will be federated (e.g. a member of the default domain that is provided by Microsoft).

Connect-MgGraph

8. Retrieve all domains for the company (verified or unverified) to identify the domain which should be federated.

9. Run the following commands in a PowerShell environment, most of the values come from CAS section:
   1. domain: Enter the domain identified in the previous step for which you want to enable SSO.
   2. brandName: Provide a name to identify your Identity Provider (e.g., RSA – My Page).
   3. IssuerUri: Use the Identity Provider Entity ID configured in the CAS.
   4. LogOnUri: Use the Identity Provider Entity ID configured in the CAS.
   5. Protocol: Enter “saml”.
   6. certData: Configure the signing certificate by following these steps:
      • Download the certificate and save it to a folder (e.g., C:\Users\my.name\Downloads).
      • Use the following PowerShell commands to process the certificate and assign it to the certData variable.
      • If entering the command manually, ensure the character in "r|n" is a backtick, not a single quote. 

  $cert = "C:\Users\my.name\Downloads\IDPSigningCertificate.pem"
  $certData = $(Get-Content -Path $cert -Raw) -replace"`r|`n|-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----",""

• Note: When using these variables, ensure you include the $ symbol before the variable name (e.g., $domain, $brandName, etc.).

10. After defining the parameters, issue the following command. A successful run of command should not return any errors.

11. After applying the new domain federation configuration, you will be prompted to provide the internal domain federation ID. To retrieve this value, run the following command:

12. To verify if the domain is configured successfully, run the following command with your domain name and the result must show the same values as used in the script variables above.

Test your application integration

1. Go to Office 365 Sign in page.
2. Enter the email of a test user that utilizes the newly federated domain, and you will be redirected to the Sign in portal.

3. Enter your User ID and Password.
4. After successful authentication, you will be redirected to your Office 365 landing page.

• Ensure that the Microsoft Graph PowerShell SDK is installed and that all necessary permissions have been granted before running these commands.
• Office 365 Single Sign-On (SSO) can only be enabled for domains that have been verified in Microsoft Entra ID.
• SSO is not supported for default “onmicrosoft.com” domains provided by Microsoft.
• If your organization doesn't yet have a custom domain for Office 365, one must be purchased to enable SSO
• When configuring the signing certificate in PowerShell, use the backtick character (`), typically located just to the left of the “1” key on your keyboard.
• If you need to modify any configuration settings made in Windows PowerShell following the federation of the necessary domain, utilize the command "Update-MgDomainFederationConfiguration " rather than "New-MgDomainFederationConfiguration " as the domain has already been federated.
• All the users that will be authenticated via SAML must have an immutableID set. Users that do not show an ImmutableID, will not be able to log in using SAML.

Get-MgUser -All -Property UserPrincipalName,OnPremisesImmutableId | Select-Object UserPrincipalName,OnPremisesImmutableId 

• You can revert-back to non-federated authentication by entering the following command: 

Update-MgDomain -DomainId "yourdomainname.com" -BodyParameter @{AuthenticationType="Managed"}

The configuration is complete.