Microsoft Entra ID / Office 365 SSO With PhenixID Authentication Services
Warning
Please note, this document is using the legacy authenticators - in order to use the new protocol agnostic authenticators, you need to apply relevant modifications to the configuration examples outlined in this article.
Summary
This article guides you through the steps to provide SAML Single Sign-On to Entra ID (including services such as Office 365, Dynamics 365 and CRM) with PhenixID Authentication Services acting as the SAML IdP.
SAML2 for Office 365 enables SSO (Single Sign-On) for the Office clients that support ADAL:
- Web browsers
- Office 2016 desktop apps
- Office 2016 mobile apps
Prerequisites
- Microsoft Entra ID corporate domain registered
- Microsoft Entra ID tenant administrator username and password available
- Users provisioned to Microsoft Entra ID (Note: It is not possible to manually create test users in Microsoft Entra ID web administration).
- Microsoft Azure Active Directory Module for Windows PowerShell
Before you start
Make sure that the Azure AD tenant administrator username suffix is @yourcompany.onmicrosoft.com. The tenant administrator username suffix MUST NOT be the same as the Microsoft Entra ID domain name you are setting up for SSO. This prevents administrator lockouts: if the federation is misconfigured, an administrator whose account belongs to the federated domain can no longer sign in to fix it.
Instructions
Configure the appropriate authenticators
Setup PhenixID Authentication Services as a SAML IdP
Download the SAML IdP Metadata as a file.
Start the Windows Azure Active Directory Module for Windows PowerShell.
Connect to the service:
Connect-MsolService
Login with your Azure AD administrator username and password.
Enter your Azure AD domain name.
$dom = "<myoffice.domain.com>"
Example:
$dom = "office365demo.phenixid.net"
Enter the entityID of your IdP. This is the entityID value in the SAML IdP Metadata.
$MyURI = "<EntityID_of_idp>"
Example:
$MyURI = "https://demo.phenixid.net/idp"
Enter the login URL of your IdP. This is the SingleSignOnService -> Location value in the SAML IdP Metadata.
$LogOnUrl = "<SSO Location>"
Example:
$LogOnUrl = "https://demo.phenixid.net/authenticate/selector"
Enter the logoff URL of your IdP. This is the SingleLogoutService -> Location value in the SAML IdP Metadata. If the value cannot be found, use https://<phenixid_server>/authenticate/logout
$LogOffUrl = "<Logout Location>"
Example:
$LogOffUrl = "https://demo.phenixid.net/authenticate/logout"
Enter the signing certificate value of your IdP. This is the X509Certificate value under the KeyDescriptor with use="signing" in the SAML IdP Metadata. Remove all line breaks from the value so that it is a single base64 string.
$MySigningCert = "<certificate_value>"
Make the domain federated.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -IssuerUri $MyURI -LogOffUri $LogOffUrl -PassiveLogOnUri $LogOnUrl -SigningCertificate $MySigningCert -PreferredAuthenticationProtocol "SAMLP"
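As an added example (not part of the PhenixID article), the following PowerShell reads the values the steps above ask you to copy by hand straight from the downloaded IdP metadata, federates the domain with them, and then reads the settings back from Entra ID to confirm they were stored as intended. It assumes the metadata was saved as .\idp-metadata.xml, that Connect-MsolService has already been run, and that the SingleSignOnService endpoint with the HTTP-Redirect binding is the one to use.

```powershell
# Added example, not from the PhenixID article. Derives the federation
# parameters from the SAML IdP metadata and verifies the stored result.
# Assumes .\idp-metadata.xml exists and Connect-MsolService has been run.
$dom = "office365demo.phenixid.net"   # the domain being federated

# Refuse to federate a domain that Entra ID has not verified yet
$domain = Get-MsolDomain -DomainName $dom
if ($domain.Status -ne "Verified") { throw "$dom is not a verified domain" }

$xml = New-Object System.Xml.XmlDocument
$xml.Load((Resolve-Path ".\idp-metadata.xml").Path)
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# entityID -> IssuerUri
$MyURI = $xml.SelectSingleNode("/md:EntityDescriptor", $ns).GetAttribute("entityID")

# SingleSignOnService Location (HTTP-Redirect binding) -> PassiveLogOnUri
$LogOnUrl = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']", $ns
).GetAttribute("Location")

# SingleLogoutService Location -> LogOffUri; when the metadata has no SLO
# endpoint, fall back to the PAS logout endpoint on the IdP host
$slo = $xml.SelectSingleNode("//md:IDPSSODescriptor/md:SingleLogoutService", $ns)
$LogOffUrl = if ($slo) { $slo.GetAttribute("Location") } else { "https://$(([Uri]$MyURI).Host)/authenticate/logout" }

# Signing certificate: KeyDescriptor with use="signing" (a KeyDescriptor
# without a use attribute is valid for both). Entra ID wants one-line base64.
$certNode = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']//ds:X509Certificate", $ns)
if (-not $certNode) { throw "No signing certificate found in the IdP metadata" }
$MySigningCert = $certNode.InnerText -replace '\s', ''

# Parse the certificate locally before handing it to Entra ID and warn on imminent expiry
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($MySigningCert))
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IdP signing certificate expires $($cert.NotAfter); plan the rollover"
}

Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -IssuerUri $MyURI -LogOffUri $LogOffUrl -PassiveLogOnUri $LogOnUrl `
    -SigningCertificate $MySigningCert -PreferredAuthenticationProtocol "SAMLP"

# Read the settings back and compare them with the metadata
$fed = Get-MsolDomainFederationSettings -DomainName $dom
if ($fed.IssuerUri -ne $MyURI -or $fed.PassiveLogOnUri -ne $LogOnUrl) {
    throw "Federation settings stored for $dom do not match the IdP metadata"
}
"$dom federated to $MyURI (signing cert thumbprint $($cert.Thumbprint))"
```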
Download Microsoft Entra ID SAML SP metadata file from here. Rename the downloaded file to Office365Metadata.xml.
Add the new metadata according to this article.
Configure the authentication method(s) to be used for the Azure AD federation.
Modify the pipe(s) connected to the authenticators with the following configuration.
- Fetch the attributes userPrincipalName and <attribute_used_for_azure_ad_immutable_id_identifier> from the user data source. In this example, wbemPath contains the immutable id identifier. If Microsoft Entra ID Connect is used for provisioning, the attribute used for the immutable id is mS-DS-ConsistencyGuid. That attribute is binary and must be declared in the valve configuration as: "binary_attrs": "mS-DS-ConsistencyGuid"
{
  "name": "LDAPSearchValve",
  "config": {
    "connection_ref": "MyAD",
    "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
    "scope": "SUB",
    "size_limit": "0",
    "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
    "attributes": "userPrincipalName,wbemPath"
  }
}
- Copy property userPrincipalName to IDPEmail
{
  "name": "PropertyCopyValve",
  "config": {
    "source": "userPrincipalName",
    "dest": "IDPEmail"
  }
}
- Configure the SAML assertion. Change targetEntityID to the id of your SAML Identity Provider.
{
  "name": "AssertionProvider",
  "config": {
    "targetEntityID": "PhenixID_IdP",
    "nameIDAttribute": "wbemPath",
    "misc": {
      "excludeSubjectNotBefore": "true",
      "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
      "signMessage": "false",
      "signAssertion": "true"
    },
    "sourceID": "urn:federation:MicrosoftOnline",
    "audienceRestriction": "urn:federation:MicrosoftOnline",
    "additionalAttributes": "IDPEmail"
  }
}
Save the changes.
Test
- Browse to your Azure AD domain: https://login.microsoftonline.com?whr=<your_azure_ad_domain> (example: https://login.microsoftonline.com?whr=office365demo.phenixid.net). This should result in a redirect to PhenixID Authentication Services.
- Select authentication method
- Authenticate
- You should now be logged in to Azure AD.