

Configuring Office365 SAML2 with MWARE IAM for Multiple Domains¶

This tutorial guides you through configuring SAML2 authentication for Office365 with MWARE IAM in multiple domains. Follow the instructions in the sections below to set this up.

The flow¶

The diagram below demonstrates the flow of how Microsoft Office365 uses MWARE IAM as a SAML2 federated authenticator to authenticate a user.

Prerequisites¶

Office 365 Business Account with access to the Office 365 Admin Portal.

Tip

If you do not already have an account, you can use a 30-day trial version to try out this feature.
Add a new domain to Office 365 using the Office 365 Admin Portal. For instructions on how to do this, see Add A Domain to Office 365 in the Microsoft documentation.

Tip

Office 365 SSO requires an internet-resolvable domain name to use as the suffix in each user’s username. You cannot federate the default domain that is provided by Microsoft that ends with " onmicrosoft.com ".

You can register a free domain using a site such as www.dot.tk if you do not already have a registered domain name.
A Windows platform Windows Azure Active Directory Powershell installed. If you do not already have the Azure AD module, run the following commands to install the required modules.
```
#uninstall any existing older version of the AzureAD module
uninstall-module AzureAD


install-module AzureAD
install-module AzureADPreview
install-module MSOnline
```

Configuring the claims¶

Click Add under Claims and then click Add Local Claim.
Add the following local claims.

Field	Sample value
Dialect URI	http://wso2.org/claims
Claim URI	http://wso2.org/claims/upn
Display Name *	userPrincipalName
Description	userPrincipalName
Mapped Attribute (s)	User Store Domain Name: PRIMARY Mapped Attribute: userPrincipalName
Supported by Default	true

Field	Sample value
Dialect URI	http://wso2.org/claims
Claim URI	http://wso2.org/claims/objectguid
Display Name *	ObjectGuid
Description	ObjectGuid
Mapped Attribute (s)	User Store Domain Name: PRIMARY Mapped Attribute: objectGuid
Supported by Default	true

Remove unsupported claims

The following attributes are not supported by Active Directory by default. Disable the following claims in MWARE IAM to avoid errors when updating the user profile.

To disable the claims, do the following.

Click List under Claims and select the http://wso2.org/claims dialect.
Click Edit next to the following claims and unselect the Supported by Default checkbox to disable the claim.
- Country
- Organization
- IM

Configuring service providers¶

For each Office 365 domain follow these steps.

Click Add under Service Providers and create a new service provider.
Expand Claim Configuration and select Define Custom Claim Dialect.
Click Add Claim URI and add the following claims.

Service Provider Claim Local Claim Requested Claim

IDPEmail http://wso2.org/claims/upn Selected (True)

NameID http://wso2.org/claims/objectguid Selected (True)
Set NameID as the Subject Claim URI.

Expand Inbound Authentication Configuration and then expand SAML2 Web SSO Configuration.

The following table provides configuration for two Office 365 domains named abc.com , and xyz.com. You can configure more than two SPs based on your requirement.

Field	Value for domain - abc.com	Value for domain - xyz.com
Issuer	urn:federation:MicrosoftOnline	urn:federation:MicrosoftOnline
Service Provider Qualifier Note This value is needed to configure multiple SAML SSO inbound authentication configurations for the same `Issuer` value. When a `Service Provider Qualifier` is defined here, it is appended to the end of the `Issuer` value when registering the SAML SP in the Identity Server. For example, if you specify "travelocity.com" as the `Issuer` and "sp1" as the `Service Provider Qualifier` , the configuration will be registered in MWARE IAM with the value "travelocity.com:urn:sp:qualifier:sp1". You can configure any number of SAML SPs using the same `Issuer` but with different `Service Provider Qualifiers`.	abc.com	xyz.com
Assertion Consumer URLs	https://login.microsoftonline.com/login.srf	https://login.microsoftonline.com/login.srf
NameID format	urn:oasis:names:tc:SAML:2.0:nameid-format:persistent	urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Enable Response Signing	Ticked (True)	Ticked (True)
Enable Signature Validation in Authentication Requests and Logout Request	Un-Ticked (False)	Un-Ticked (False)
Enable Attribute Profile	Ticked (True)	Ticked (True)
Include Attributes in the Response Always	Ticked (True)	Ticked (True)
IdP Entity ID Alias Note This value overrides the `Identity Provider Entity ID` specified under the SAML SSO Inbound Authentication configuration in the Resident IdP. The `Identity Provider Entity ID` is used as the `issuer` of the SAML responses that are generated from MWARE IAM. By default, the issuer value of all SAML responses issued by MWARE IAM is the same as the `Identity Provider Entity ID` in the Resident IdP’s SAML SSO inbound authentication configuration. If you want that value to be unique for your SAML SP configuration, specify the unique value here so that the `IdP Entity ID` is overridden with this `IdP Entity ID Alias` value.	Any valid URL/URI unique for abc.com domain	Any valid URL/URI unique for xyz.com domain

Note that “ Service Provider Qualifier ” and “IdP Entity ID” values configured for each service provider are needed when configuring Azure AD.

Click Register to save changes.

Configure Azure AD to trust MWARE IAM¶

Log in to a Windows machine and start Windows Azure Active Directory Powershell.
Run the following command. It prompts for the Azure AD admin credentials.
```
$cred=Get-Credential
```
Enter the credentials and click OK. Run the following command to connect to the service with the stored credentials.
```
Connect-MsolService –Credential $cred
```
Run the following command to verify the availability of the validated domains.
The ‘Status’ of the domains should be ‘Verified’, and ‘Authentication’ should be ‘Managed’.
```
Get-MsolDomain
```
Configure each domain as a federated domain by providing the respective federation settings that match the MWARE IAM IdP. Store the federation settings in parameters.
1. Store your domain.
```
$dom = "abc.com"
```
2. Set the IdP Logon URL for the POST SAML Authentication Request. For this tutorial, you can use the SAML SSO endpoint URL of WSO2 IS with Service Provider Qualifier name appended as a query parameter. Note that the Service Provider Qualifier name should be the value you have provided when creating SAML inbound authentication configuration for the particular service provider.
  
  Logon URL format
```
$logonurl = "https://{Hostname}:{Port}/samlsso?spQualifier={Service Provider Qualifier}"
```
  Sample Logon URL
```
$logonurl = "https://localhost:9443/samlsso?spQualifier=abc.com"
```
3. Set the issuer ID of the IdP. This value should be the IdP Entity ID Alias that you configured in the SAML inbound authentication configuration of the relevant service provider.
```
$issueruri = "wso2is.abc.com"
```
4. Set the IdP Logout URL for the POST SAML Logout Request. For this tutorial, you can use the SAML SSO endpoint URL of MWARE IAM with Service Provider Qualifier name appended as a query parameter. Note that the Service Provider Qualifier name should be the value you have provided when creating SAML inbound authentication configuration for the particular service provider.
  
  Logout URL format
```
$logouturl = "https://{Hostname}:{Port}/samlsso?spQualifier={Service Provider Qualifier}"
```
  Sample Logout URL
```
$logouturl = "https://localhost:9443/samlsso?spQualifier=abc.com"
```
5. Store the IdP certificate. Enter the Base64 encoded signing certificate of MWARE IAM.
  
  Tip
  
  Note that the certificate value should be given in a single line without a break.
  How to obtain the PEM encoded certificate
  The PEM content of a certificate in a JKS file, can be obtained by following the steps below:
  
  1. Export the certificate from the keystone. The exported certificate will be in binary format.
```
keytool -export -keystore <keystore-path> -alias <alias-of-the-certificate> -file <path-of-the-expected-certificate-file>

e.g. keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2carbon.crt
```
  2. Convert the above binary encoded certificate to a PEM encoded certificate.
```
openssl x509 -inform der -in <path-of-binary-certificate> -out <path-of-expected-pem-content>

e.g. openssl x509 -inform der -in wso2carbon.crt -out wso2carbon.pem
```
  3. Open the obtained PEM encoded certificate using a text editor and copy the certificate content excluding the BEGIN CERTIFICATE and END CERTIFICATE placeholders.
```
$cert = "{certificate}"
```
  The certificate for the default key store configured in MWARE IAM is given below.
  
  Sample certificate
```
$cert = "MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxDTALBgNVBAoTBFdTTzIxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xNzA3MTkwNjUyNTFaFw0yNzA3MTcwNjUyNTFaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzENMAsGA1UEChMEV1NPMjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAluZFdW1ynitztkWLC6xKegbRWxky+5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9+PmjdGtau4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0+s6kMl2EhB+rk7gXluEep7lIOenzfl2f6IoTKa2fVgVd3YKiSGsyL4tztS70vmmX121qm0sTJdKWP4HxXyqK9neolXI9fYyHOYILVNZ69z/73OOVhkh/mvTmWZLM7GM6sApmyLX6OXUp8z0pkY+vT/9+zRxxQs7GurC4/C1nK3rI/0ySUgGEafO1atNjYmlFN+M3tZX6nEcA6g94IavyQIDAQABoyEwHzAdBgNVHQ4EFgQUtS8kIYxQ8UVvVrZSdgyide9OHxUwDQYJKoZIhvcNAQELBQADggEBABfk5mqsVUrpFCYTZZhOxTRRpGXqoW1G05bOxHxs42Paxw8rAJ06Pty9jqM1CgRPpqvZa2lPQBQqZrHkdDE06q4NG0DqMH8NT+tNkXBe9YTre3EJCSfsvswtLVDZ7GDvTHKojJjQvdVCzRj6XH5Truwefb4BJz9APtnlyJIvjHk1hdozqyOniVZd0QOxLAbcdt946chNdQvCm6aUOputp8Xogr0KBnEy3U8es2cAfNZaEkPU8Va5bU6Xjny8zGQnXCXxPKp7sMpgO93nPBt/liX1qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8="
```

Run the following command to establish trust.

Set-MsolDomainAuthentication –DomainName $dom -Authentication Federated -PassiveLogOnUri $logonurl -SigningCertificate $cert -IssuerUri $issueruri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

Run the following command to verify the federation settings for each domain.
```
Get-MsolDomainFederationSettings -Domain $dom
```

You have now successfully set up trust between the on-premise identity provider of MWARE IAM and the Azure Active Directory.

Tip

If you wish to redo the configurations, do the following:

Run the following command to first move your domain back to the 'Managed' authentication mode.
```
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
```
Re-set the parameters as listed in step 5 and then set the authentication method again as shown in step 6.

Top

Service Provider Claim	Local Claim	Requested Claim
IDPEmail	http://wso2.org/claims/upn	Selected (True)
NameID	http://wso2.org/claims/objectguid	Selected (True)