
Log in to Microsoft 365 using WSO2 Identity Server

This page guides you through integrating WSO2 Identity Server for Single Sign-On (SSO) with Microsoft 365.

Before you begin

  • You need an Office 365 Business account with admin access and a domain added as per the Microsoft documentation.
  • Additionally, ensure you have a Windows instance with PowerShell installed.

Create the Microsoft 365 application

Follow the steps given below to register the Microsoft 365 application in WSO2 Identity Server.

  1. On the WSO2 Identity Server Console, go to Applications.

  2. Click New Application and under SSO Integrations, select Microsoft 365.

    Select app type in the WSO2 Identity Server

  3. Provide a name for the application.


  4. Click Create to complete the registration.

Configure Microsoft 365

Follow the steps below to configure Microsoft 365.

Install modules

In your Windows system, start PowerShell and install the required modules.

# Uninstall any existing older version of the AzureAD module
Uninstall-Module AzureAD

Install-Module AzureAD
Install-Module AzureADPreview
Install-Module MSOnline

Configure Azure AD to trust WSO2 Identity Server

The following steps configure Azure Active Directory to trust WSO2 Identity Server as its federated identity provider.

  1. In the Windows Azure Active Directory PowerShell, run the following command, which prompts for the Azure AD admin credentials. Enter the credentials and click OK.

    $cred=Get-Credential
    
  2. Run the following command to connect to the service with the stored credentials.

    Connect-MsolService -Credential $cred
    
  3. Run the following command to verify the availability of the validated domain.

    Get-MsolDomain

    Note

    The Status of the domain should be Verified, and Authentication should be Managed.

  4. Configure the domain as a federated domain by providing the respective federation settings that match the WSO2 Identity Server IdP. Store the federation settings as parameters.

  5. Run the following command to store your domain.

    $dom = "wso2.cf"
    
  6. Set the IdP logon URL for the POST SAML authentication request. For this tutorial, you can use the SAML SSO endpoint URL of WSO2 Identity Server.

    $logonurl = "https://localhost:9443/samlsso"
    
  7. Set the issuer ID of the IdP.

    $issueruri = "localhost"
    
  8. Set the IdP logout URL for the POST SAML Logout Request. For this tutorial, you can use the same SAML SSO endpoint URL of WSO2 Identity Server.

    $logouturl = "https://localhost:9443/samlsso"
    
  9. Store the IdP certificate. You can get the certificate value from the Guide of the created Microsoft 365 application.

    $cert = "<base64-encoded IdP certificate>"
    
  10. Run the following command to establish trust.

    Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -PassiveLogOnUri $logonurl -SigningCertificate $cert -IssuerUri $issueruri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
    
  11. Run the following command to verify the federation settings.

    Get-MsolDomainFederationSettings -DomainName $dom
    

You have now successfully set up trust between WSO2 Identity Server and the Azure Active Directory. If you wish to redo the configurations, run the following command to move your domain back to the Managed authentication mode:

Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
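As an added example that is not part of the WSO2 documentation, the following PowerShell function wraps steps 3 to 11 above into one checked operation: it refuses to federate a domain that is not Verified and Managed, derives the -SigningCertificate value from the IdP certificate file instead of a pasted string, and compares what Azure AD stored against what was requested. The function name, the certificate file path and the 30-day expiry margin are assumptions; it expects the MSOnline module to be installed and Connect-MsolService to have been run already.

```powershell
# Added example (not WSO2's own code). Assumes MSOnline is loaded and Connect-MsolService has run.
function Set-Wso2Federation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,      # e.g. "wso2.cf"
        [Parameter(Mandatory)] [string] $IdpBaseUrl,      # e.g. "https://localhost:9443"
        [Parameter(Mandatory)] [string] $IssuerUri,       # e.g. "localhost"
        [Parameter(Mandatory)] [string] $CertificatePath  # assumed: exported WSO2 IS IdP certificate (PEM or DER)
    )

    # 1. Only a verified domain that is still managed may be converted to federated.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') {
        throw "Domain $DomainName is not verified (Status=$($domain.Status))"
    }
    if ($domain.Authentication -ne 'Managed') {
        throw "Domain $DomainName is already $($domain.Authentication); reset it to Managed first"
    }

    # 2. Load the IdP certificate and reject one that is about to expire (assumed margin: 30 days).
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        throw "IdP certificate $($cert.Thumbprint) expires $($cert.NotAfter); rotate it before federating"
    }
    # -SigningCertificate takes the DER bytes as base64, without PEM BEGIN/END lines.
    $certBase64 = [Convert]::ToBase64String($cert.RawData)

    $logonUrl  = "$IdpBaseUrl/samlsso"
    $logoutUrl = "$IdpBaseUrl/samlsso"   # WSO2 IS serves SAML logout on the same endpoint

    # 3. Establish trust (same cmdlet as step 10 of the tutorial).
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
        -PassiveLogOnUri $logonUrl -SigningCertificate $certBase64 -IssuerUri $IssuerUri `
        -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP

    # 4. Read back what Azure AD stored (step 11) and fail loudly on any mismatch.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $mismatch = @()
    if ($fed.IssuerUri -ne $IssuerUri)           { $mismatch += 'IssuerUri' }
    if ($fed.PassiveLogOnUri -ne $logonUrl)      { $mismatch += 'PassiveLogOnUri' }
    if ($fed.LogOffUri -ne $logoutUrl)           { $mismatch += 'LogOffUri' }
    if ($fed.SigningCertificate -ne $certBase64) { $mismatch += 'SigningCertificate' }
    if ($mismatch.Count -gt 0) { throw "Federation settings mismatch: $($mismatch -join ', ')" }
    return $fed
}

# Usage with the tutorial's placeholder values (certificate path is an assumption):
# Set-Wso2Federation -DomainName 'wso2.cf' -IdpBaseUrl 'https://localhost:9443' -IssuerUri 'localhost' -CertificatePath 'C:\certs\wso2carbon.cer'
```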

Try it out

Now that you have integrated WSO2 Identity Server with Microsoft 365, follow the steps below to test it.

  1. Create a user in WSO2 Identity Server.
  2. Add the same user to Microsoft 365 using the following command. Here, the ImmutableID should be the UUID of the user, and the UserPrincipalName must be the user's full sign-in name in your federated domain.

    New-MsolUser -UserPrincipalName user@yourdomain.com -ImmutableID userID -LastName lastNameOfUser -FirstName firstNameOfUser -DisplayName "WSO2 Test User"