Office 365 Domain Settings
This guide will walk you through configuring HelloID and Office 365 for SAML single sign-on. To federate Office 365 with HelloID, a custom domain is required; the default domain *.onmicrosoft.com cannot be used for federation. To add a domain in Office 365, go to the Admin Center > Settings > Domains.
Before proceeding with the federation, make sure there is a backup admin account that is not a member of the domain which you want to federate. The following screenshot provides an example of these two types of accounts.
- SSOadmin: The default administrator account which is a member of the domain that is going to be federated.
- Backupadmin: Member of the *.onmicrosoft.com domain, the default domain.
Create a Service Provider Application for Office 365 in HelloID
1. Login as Administrator in the HelloID Portal and press manage portal. Go to Settings > Certificates and press Create Self-Signed Certificate to create a Certificate for Office 365. See How to use certificates for more information about creating and using certificates.
2. Go to Applications > Applications and press Open application catalog.
3. Search for the Office 365 SAML application template and press Add.
4. The Default settings do not need to be changed. Press Next to continue.
5. Select the certificate you created at the start of this guide and press Next.
6. In the Credential tab, select Credentials are configured by admin. The default settings for username and email do not need to be changed. Press Next to continue.
7. In the Self Service tab you can create a product if you wish.
8. Press Finish to complete the setup.
9. Press Edit to edit the newly created Office 365 application.
10. Press Download metadata. A file with all the information needed for Office 365 will be created and downloaded.
Federate Office 365 with HelloID
1. Download the Windows Azure Active Directory Module for Windows PowerShell:
2. Run the Windows Azure Active Directory Module for Windows PowerShell as Administrator.
3. Connect to Office 365. First store the credentials of the backup admin account in a variable:
$cred = Get-Credential
A popup will appear to enter the credentials. Enter the credentials of the backup admin account and press OK. (The credentials are now available through the variable $cred.)
4. To connect with Office 365 enter:
Connect-MsolService -Credential $cred
5. Check if the domain is managed by Office 365. If the domain is already federated it needs to be reverted to managed first. The current authentication type of the domain can be checked with the command:
Get-MsolDomain -DomainName <domain name>
To revert a domain's federation state to "Managed" use the following command:
Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>
6. Open the downloaded metadata file and prepare the following settings as PowerShell string assignments:
$dom = "<your Office 365 domain>"
$url = "<Post-Endpoint URL (2)>"
$uri = "<Entity ID (1)>"
$logouturl = "<Entity ID>/Authentication/Signoff" e.g. https://*.helloid.com/Authentication/Signoff
$cert = "<certificate (3), copied and pasted as one base64 string>"
Enter the information in Notepad so that the settings can be copied and pasted into PowerShell.
7. Paste the information in PowerShell and press Enter. This will create the PowerShell variables necessary for the command in the next step.
8. To create the federation with the configured strings enter the command:
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom `
    -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert `
    -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
9. To check if all settings have been configured correctly use the command:
Get-MsolDomainFederationSettings -DomainName $dom
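Steps 6 to 9 can be carried out as one script that reads the Entity ID, the HTTP-POST endpoint and the signing certificate directly from the downloaded HelloID metadata file, verifies them, confirms the domain is still Managed, and only then federates it. This is an added example, not a script from HelloID or Microsoft; the metadata path and domain name are placeholders you must replace.

```powershell
# Added example: derive the federation parameters from the HelloID SAML metadata
# instead of copying them by hand. Path and domain below are placeholders.
$MetadataPath = 'C:\temp\helloid-metadata.xml'   # file downloaded in the HelloID steps above
$dom = 'yourdomain.example'                       # the custom domain to federate

[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

# (1) Entity ID of the HelloID identity provider
$uri = (Select-Xml -Xml $md -Namespace $ns -XPath '/md:EntityDescriptor/@entityID').Node.Value

# (2) HTTP-POST single sign-on endpoint (the Post-Endpoint URL)
$post = Select-Xml -Xml $md -Namespace $ns -XPath `
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']/@Location"
$url = $post.Node.Value

# (3) Signing certificate as a single base64 string (metadata may wrap it over several lines)
$certNode = Select-Xml -Xml $md -Namespace $ns -XPath `
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$cert = ($certNode | Select-Object -First 1).Node.InnerText -replace '\s', ''

# Logoff URL is the Entity ID with /Authentication/Signoff appended
$logouturl = $uri.TrimEnd('/') + '/Authentication/Signoff'

# Sanity checks before touching the tenant: all values present and the certificate parses
if (-not ($uri -and $url -and $cert)) {
    throw 'Metadata is missing the entityID, the HTTP-POST endpoint or the signing certificate.'
}
try {
    [void][System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($cert))
} catch {
    throw 'The signing certificate in the metadata is not a valid base64-encoded certificate.'
}

# The domain must be Managed before it can be federated (step 5)
$domain = Get-MsolDomain -DomainName $dom
if ($domain.Authentication -ne 'Managed') {
    throw "Domain $dom is '$($domain.Authentication)'; revert it to Managed before federating."
}

Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom `
    -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert `
    -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

# Show the resulting federation settings for verification (step 9)
Get-MsolDomainFederationSettings -DomainName $dom
```

Run it in the same session in which Connect-MsolService was executed with the backup admin credentials, so that a failed federation cannot lock you out of the tenant.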
10. Go to https://login.microsoftonline.com and enter the username of a user in the federated domain.
11. You will be redirected to HelloID.
12. Enter the credentials of a user (this user must be enrolled in Office 365) and press Send verification mail. Enter the verification code and press Verify.
13. Press Continue to Office 365.
14. The user will be logged in to the Office 365 portal.