Configuring Office365 SAML2 with WSO2 Identity Server¶
This tutorial guides you through configuring SAML2 authentication for Office365 with WSO2 Identity Server (WSO2 IS). Follow the instructions in the sections below to set this up.
The flow¶
The diagram below demonstrates the flow of how Microsoft Office365 uses WSO2 Identity Server as a SAML2 federated authenticator to authenticate a user.
Prerequisites¶
-
Office 365 Business Account with access to the Office 365 Admin Portal.
Tip
If you do not already have an account, you can use a 30-day trial version to try out this feature.
-
Add a new domain to Office 365 using the Office 365 Admin Portal . For instructions on how to do this, see Add A Domain to Office 365 in the Microsoft documentation.
Tip
Office 365 SSO requires an internet-resolvable domain name to use as the suffix in each user’s username. You cannot federate the default domain that is provided by Microsoft that ends with "onmicrosoft.com".
You can register a free domain using a site such as www.dot.tk if you do not already have a registered domain name.
-
A Windows platform Windows Azure Active Directory Powershell installed. If you do not already have the Azure AD module, run the following commands to install the required modules.
#uninstall any existing older version of the AzureAD module uninstall-module AzureAD install-module AzureAD install-module AzureADPreview install-module MSOnline
Configuring the WSO2 IS issuer¶
-
Navigate to
<IS_HOME>/bin/
and run the following command to start WSO2 Identity Server.- On Windows
.\wso2server.bat
- On Linux/Unix
sh wso2server.sh
-
Access the following URL and log in to the management console:
<https://localhost:9443/carbon/>
-
Click Resident Identity Provider under Identity Providers on the Main tab.
- Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration.
- Enter "
wso2.microsoft"
as the Identity Provider Entity Id value.
Configuring the claims¶
-
Click Add under Claims and then click Add Local Claim.
Add the following local claims.Field Sample value Dialect URI
http://wso2.org/claims
Claim URI
http://wso2.org/claims/upn
Display Name *
userPrincipalName
Description
userPrincipalName
Mapped Attribute (s) *
User Store Domain Name: PRIMARY
Mapped Attribute: userPrincipalName
Supported by Default
true
Field Sample value Dialect URI
http://wso2.org/claims
Claim URI
http://wso2.org/claims/objectguid
Display Name
ObjectGuid
Description
ObjectGuid
Mapped Attribute (s) *
User Store Domain Name: PRIMARY
Mapped Attribute: objectGuid
Supported by Default
true
Remove unsupported claims
The following attributes are not supported by Active Directory by default. Disable the following claims in WSO2 Identity Server to avoid errors when updating the user profile.
To disable the claims, do the following.
- Click List under Claims and select the http://wso2.org/claims dialect.
- Click Edit next to the following claims and unselect the Supported
by Default checkbox to disable the claim.
- Country
- Organization
- IM
Configuring the service provider¶
- Click Add under Service Providers and create a new service provider called 'Office365'.
-
Expand Inbound Authentication Configuration and then expand SAML2 Web SSO Configuration.
Configure the following fields and leave the rest of the default configurations as it is.Field Value Issuer urn:federation:MicrosoftOnline Assertion Consumer URLs https://login.microsoftonline.com/login.srf NameID format urn:oasis:names:tc :SAML:2.0:nameid-format:persistent Enable Response Signing Selected (True) Enable Signature Validation in Authentication Requests and Logout Request Unselected (False) Enable Attribute Profile Selected (True) Include Attributes in the Response Always Selected (True) -
Expand Claim Configuration and select Define Custom Claim Dialect.
-
Click Add Claim URI and add the following claims.
Service Provider Claim Local Claim Requested Claim IDPEmail http://wso2.org/claims/upn Selected (True) NameID http://wso2.org/claims/objectguid Selected (True) -
Set NameID as the Subject Claim URI and click Update to save changes.
Configure Azure AD to trust WSO2 IS¶
- Log in to a Windows machine and start Windows Azure Active Directory Powershell.
-
Run the following command. It prompts for the Azure AD admin credentials.
$cred=Get-Credential
-
Enter the credentials and click OK. Run the following command to connect to the service with the stored credentials.
Connect-MsolService –Credential $cred
-
Run the following command to verify the availability of the validated domain.
The ‘Status’ of the domain should be ‘Verified’, and ‘Authentication’ should be ‘Managed’.Get-MsolDomain
-
Configure the domain as a federated domain by providing the respective federation settings that match the WSO2 IS IdP. Store the federation settings in parameters.
-
Store your domain.
$dom = "wso2.cf"
-
Set the IdP Logon URL for the POST SAML Authentication Request. For this tutorial, you can use the SAML SSO endpoint URL of WSO2 IS.
$logonurl = "https://localhost:9443/samlsso"
-
Set the issuer ID of the IdP. This value should be the
Identity Provider Entity Id
that you configured in the SAML configuration of the Resident IdP of WSO2 IS.$issueruri = "wso2is.microsoft"
-
Set the IdP Logout URL for the POST SAML Logout Request. For this tutorial, you can use the SAML SSO endpoint URL of WSO2 IS.
$logouturl = "https://localhost:9443/samlsso"
-
Store the IdP certificate. Enter the Base64 encoded signing certificate of WSO2 IS.
For the default key store configured in WSO2 IS, the certificate is as given below.Tip
Note that the certificate value should be given in a single line without a break.
How to obtain the PEM encoded certificate
The PEM content of a certificate in a JKS file, can be obtained by following the steps below:
- Export the certificate from the keystone. The exported certificate will be in binary format.
keytool -export -keystore <keystore-path> -alias <alias-of-the-certificate> -file <path-of-the-expected-certificate-file> e.g. keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2carbon.crt
- Convert the above binary encoded certificate to a PEM encoded certificate.
openssl x509 -inform der -in <path-of-binary-certificate> -out <path-of-expected-pem-content> e.g. openssl x509 -inform der -in wso2carbon.crt -out wso2carbon.pem
- Open the obtained PEM encoded certificate using a text editor and copy the certificate content excluding the BEGIN CERTIFICATE and END CERTIFICATE placeholders.
$cert = "{certificate}"
The certificate for the default key store configured in WSO2 IS is given below.
Sample certificate
$cert = "MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxDTALBgNVBAoTBFdTTzIxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xNzA3MTkwNjUyNTFaFw0yNzA3MTcwNjUyNTFaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzENMAsGA1UEChMEV1NPMjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAluZFdW1ynitztkWLC6xKegbRWxky+5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9+PmjdGtau4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0+s6kMl2EhB+rk7gXluEep7lIOenzfl2f6IoTKa2fVgVd3YKiSGsyL4tztS70vmmX121qm0sTJdKWP4HxXyqK9neolXI9fYyHOYILVNZ69z/73OOVhkh/mvTmWZLM7GM6sApmyLX6OXUp8z0pkY+vT/9+zRxxQs7GurC4/C1nK3rI/0ySUgGEafO1atNjYmlFN+M3tZX6nEcA6g94IavyQIDAQABoyEwHzAdBgNVHQ4EFgQUtS8kIYxQ8UVvVrZSdgyide9OHxUwDQYJKoZIhvcNAQELBQADggEBABfk5mqsVUrpFCYTZZhOxTRRpGXqoW1G05bOxHxs42Paxw8rAJ06Pty9jqM1CgRPpqvZa2lPQBQqZrHkdDE06q4NG0DqMH8NT+tNkXBe9YTre3EJCSfsvswtLVDZ7GDvTHKojJjQvdVCzRj6XH5Truwefb4BJz9APtnlyJIvjHk1hdozqyOniVZd0QOxLAbcdt946chNdQvCm6aUOputp8Xogr0KBnEy3U8es2cAfNZaEkPU8Va5bU6Xjny8zGQnXCXxPKp7sMpgO93nPBt/liX1qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8="
-
-
Run the following command to establish trust.
Set-MsolDomainAuthentication –DomainName $dom -Authentication Federated -PassiveLogOnUri $logonurl -SigningCertificate $cert -IssuerUri $issueruri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
-
Run the following command to verify the federation settings.
Get-MsolDomainFederationSettings -Domain $dom
You have now successfully set up trust between the on-premise identity provider of WSO2 IS and the Azure Active Directory.
Tip
If you wish to redo the configurations, do the following:
-
Run the following command to first move your domain back to the 'Managed' authentication mode.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
-
Re-set the parameters as listed in step 5 and then set the authentication method again as shown in step 6.
What's Next?¶
To see how this feature works, try out the Configuring On-Demand Provisioning with Azure AD tutorial to provision users directly to Azure AD at the point of authentication.
Top