Office 365 Single Sign-On (SAML SSO)

Office 365 Single Sign-On (SSO) integration lets you to configure client application that uses Identity Provider (IDP), Directory - Okta, Ping, Azure Active Directory, ADFS for SSO authentication. With SSO being enabled users can use the same Office 365 username and password (credentials) to access multiple apps as they don’t need to remember different passwords for multiple apps.

Seamless Office 365 SSO configuration by miniOrange

Office 365 SAML Single Sign-On (SSO) solution by miniOrange provides secure Single Sign-On access into Office 365 using a single set of login credentials. This allows organizations to secure access to their Office 365 team and easily manage user access, while also providing a seamless login experience for users.

With miniOrange Office 365 SSO, you can:

Enable your users to automatically login to Office 365
Have centralized and easy access control of the users
Connect easily with any external identity source like Azure AD, ADFS, Cognito, etc

Along with SSO, Users requirement around advanced security for Office 365 helped us to introduce enhanced Office 365 Two-Factor Authentication solution. Office 365 2FA security makes it easier for users and organizations to safeguard and prevent themselves from security breaches.

Get Free Installation Help

miniOrange offers free help through a consultation call with our System Engineers to Install or Setup Office 365 SSO solution in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.

Supported SSO Features

miniOrange Office 365 SAML integration supports the following features:

SP Initiated SSO Login: Users can access their Office 365 account via a URL or bookmark. They will automatically be redirected to the miniOrange portal for login. Once they've signed on, they'll be automatically redirected and logged into Office 365.
IdP Initiated SSO Login: Users need to login to the miniOrange first , and then click on the Office 365 icon on the applications dashboard to access Office 365.(If you have set up any more Identity Sources, you will log in to that platform).

Connect with External Source of Users

miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS etc), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.

Video Setup Guide

Prerequisites

1. Sync On-Premise Active Directory with Microsoft Entra ID

NOTE: If you want to use your On-Premise Active Directory as a user store to Single Sign-On into Office 365 then follow the below steps to sync your AD and Microsoft Entra ID.

Download the Microsoft Entra ID Connect
Run the Microsoft Entra ID installer on your domain machine and follow the setup.

2. Verify your UPN Domain in Azure Portal

In the Azure portal navigate to Microsoft Entra ID >> Custom domain names and click on Add custom domain.
Enter the full domain name in the right pane that pops up and click on Add domain.

Office 365 Single Sign-On (SSO) Add custom domain

A new window will open up with TXT/MX records for the domain. You will have to add the resented entry in your domain name registrar.

Office 365 Single Sign-On (SSO) Add domain record

Click on verify once you have added the entry

Please make sure your organisation branding is already set under Customization >> Login and Registration Branding in the left menu of the dashboard.

Follow the step-by-step guide given below for Office 365 Single Sign-On (SSO)

1. Configure Office 365 in miniOrange

Login into miniOrange Admin Console.
Go to Apps and click on Add Application button.

In Choose Application Type click on Create App button in SAML/WS-FED application type.

Office 365 Single Sign-On (SSO) choose app type

In the next step, search for Office 365. Click on Office 365 app.

Office 365 Single Sign-On (SSO) add Office 365 app

Make sure the SP Entity ID or Issuer is: urn:federation:MicrosoftOnline
Make sure the ACS URL is: https://login.microsoftonline.com/login.srf
Click on Next.

Office 365 Single Sign-On (sso) configuration steps

Configure Name ID based on the User Store you are using:
- Using Active Directory / miniOrange brokering service: Select External IDP Attribute from the dropdown and add objectguid in the text-box that appears.
- Using miniOrange as a User Store: Select Custom Profile Attribute and select a Custom Attribute from the drop-down.
Set the login policy. You can choose to enable 2FA for login or have users login using a standard username-password.
Click on Save to configure Office 365.

2. Configure Microsoft Graph Services

Click on the icon ' ' and choose Metadata.

Office 365 Single Sign-On (SSO) Select Metadata

Click on the Download Federate Domain Script button under "INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS"

Office 365 Single Sign-On (SSO) Download federate domain script button.

Enter the domain name that you want to federate and click on Download. Note: You cannot federate your default "onmicrosoft.com" domain. To federate your Office 365 tenant, you must add a custom domain to Office 365.

Office 365 Single Sign-On (SSO) Download Federate Domain Script

After downloading the script, Open PowerShell run the federate_domain script using:
cd ./Downloads powershell -ExecutionPolicy ByPass -File federate_domain.ps1

Office 365 Single Sign-On (SSO) Run Federate Domain Script

Your domain is now federated. Use the commands below to check your federation settings:
Get-MgDomain -DomainId "<domain>" | Select-Object Id, AuthenticationType

Office 365 Single Sign-On (SSO) Verify Federated Domain

4. Now sign in to your Microsoft Office 365 account with miniOrange IdP by either of the two steps:

1. Using SP initiated login :-

Go to Office 365 Login and click on sign-in
You will be redirected to Microsoft Graph portal. Here you have to enter the UPN of the user.(It should contain the domain that is federated with miniOrange)
Now you will be redirected to miniOrange IdP Sign On Page.

O365 SSO: Enter Microsoft UPN for Single Sign-on SSO integration with Office 365

Enter your login credential and click on Login. You will be automatically logged in to your Office 365 account.

O365 SSO: Entering Office 365 Credentials you have successfully loginto Office 365 using Single Sign-On SSO integration

2. Using IdP initiated login :-

Login to your miniOrange Self Service Console as an End User and click on the Office 365 icon on your Dashboard.
Once you click on Office 365 you don't need to enter credentials again you will be redirected to Office 365 account.

O365 SSO: Select office 365 to Single Sign-On into Office 365

Troubleshooting

How to identify errors in SAML assertions sent by your IDP?

Use the SAML Assertion Validator to troubleshoot single sign-on (SSO) login problems and identify errors in SAML assertions sent by your identity provider. Click on this link know more about the error identification in SAML Assertions.

How can I trace and export the SAML tracer logs?

Install SAML Tracer on your preferred browser:

For Firefox: Add SAML tracer Add-On from the Firefox marketplace.

For Chrome / Edge or Chromium-based browsers: Install the SAML tracer extension from Chrome Webstore.
Steps to Capture logs:
- Make sure the SAML Tracer window is opened before you start the SSO flow. (You can open it by clicking the SAML Tracer icon in your extensions list in the browser toolbar.)
- Run the SSO flow to reproduce the issue. You will see SAML Tracer getting populated with all the URLs.
- Hit Pause on SAML Tracer, once the issue is reproduced to avoid extra logs.
- You will have something similar to the below pic in the SAML tracer.
Steps to export logs:
- To export logs, click the export option on the top of the SAML Tracer. (Refer to screenshot below).
- You will be prompted with the Export SAML trace preferences window, select the None field, and then click on the Export option. (This option will allow keeping values in the original state which is required to further investigate the issue.)
- Click Export. This will download a JSON file on your system.
- Send the log file to the developer you are in touch with or at idpsupport@xecurify.com. Also, please attach an error screenshot. This would help us debug the issue.
- If you are still not able to get the logs, feel free to let us know.

How to remove miniOrange SSO/2FA from Office 365?

Open PowerShell as admin.
Run the command Connect-MsolService.
Enter your Microsoft Credentials. [Use Microsoft global admin who has Microsoft in his domain]
Run the below command:

Set-MsolDomainAuthentication -Authentication Managed -DomainName <domainName> -PreferredAuthenticationProtocol SAMLP

Contents

Office 365 Single Sign-On (SAML SSO)

Seamless Office 365 SSO configuration by miniOrange

Get Free Installation Help

Supported SSO Features

Connect with External Source of Users

Video Setup Guide

Prerequisites

Follow the step-by-step guide given below for Office 365 Single Sign-On (SSO)

1. Configure Office 365 in miniOrange

2. Configure Microsoft Graph Services

4. Now sign in to your Microsoft Office 365 account with miniOrange IdP by either of the two steps:

Troubleshooting

How to identify errors in SAML assertions sent by your IDP?

How can I trace and export the SAML tracer logs?

How to remove miniOrange SSO/2FA from Office 365?

External References

Want To Schedule A Demo?

Single Sign-On

Multi-factor Authentication

Adaptive Authentication

Lifecycle Management

STAY CONNECTED