This guide covers:
• How to configure webNetwork SAML application
• How to prepare Office 365 for Single Sign-On
• How to configure Office 365 Single Sign-On
• How to turn off Single Sign-On
• How to create links to Office 365
How to configure webNetwork SAML application
Purpose:
• Create the Public application in webNetwork that will connect to Office 365 via SAML
• Create the certificate to be shared with Office 365
Steps:
1. Right-click on Applications Admin and click Create Public Application
2. Enter Office365 and click Next
3. Verify created successfully and click Close
4. Click Authentication tab and choose Office 365 for type
5. Enter variable for Identity
6. Enter URL for Assertion Consumer
7. Click Wizard for PFX Certificate and choose RSA 2048 then click Generate button
8. Click Overwrite button
9. Click Wizard button for Certificate
10. Input values then click Generate button
11. Verify certificate was generated
12. Select all text and copy to Notepad, then save file as office365-cert.txt
13. Click Overwrite button
14. Click Assertion for SAML Signature Location
15. Add Audience
16. Change Close Window for the SAML Logout Behavior
17. Click Save button
18. Click Properties tab and add Context Path (Alias)
19. Add all webRelay objects to Assigned Relays
20. Click the Provisioning/Attributes tab and enable Provision
21. Add the remote attribute IDPEmail and local attribute then click OK
22. Add the remote attribute ImmutableID and local attribute then click OK
23. Add the remote attribute UserPrincipalName and local attribute then click OK
24. Click Save button
webNetwork Office 365 SSO integration v10-30-2015
*** The Provisioning tab is named Attributes in webNetwork 6.3.1 and higher.
*** This document has been modified to include the commands that allow Outlook and other "fat" clients to authenticate against webNetwork when Office 365 is federated (the ECP endpoint passed as -ActiveLogOnUri in the turn-on script).
1. Right-click on Applications Admin and click Create Public Application
2. Enter Office365 and click Next
3. Verify created successfully and click Close
4. Click Authentication tab and choose Office 365 for type
5. Enter variable for Identity
• @@encodeUUID(attr:sware.guid)@@ requires webNetwork 6.2.1.191 or newer
6. Enter URL for Assertion Consumer
• https://login.microsoftonline.com/login.srf
7. Click Wizard for PFX Certificate and choose RSA 2048 then click Generate button
8. Click Overwrite button
9. Click Wizard button for Certificate
10. Input values then click Generate button
• IMPORTANT - make sure to pick SHA-1. This is the signature algorithm the wizard step required when this guide was written; SHA-1 is deprecated for signatures today, so confirm Microsoft's current federation certificate requirements before generating a new certificate
• Input your company values, not sample values
11. Verify certificate was generated
12. Select all text and copy to Notepad, then save file as office365-cert.txt
13. Click Overwrite button
14. Click Assertion for SAML Signature Location
15. Add Audience
• urn:federation:MicrosoftOnline
16. Change Close Window for the SAML Logout Behavior
17. Click Save button
18. Click Properties tab and add Context Path (Alias)
• /Office365
19. Add all webRelay objects to Assigned Relays
• If you have more than one webRelay, add all of them now
20. Click the Provisioning tab and enable Provision
21. Add the remote attribute IDPEmail and local attribute then click OK
• @@attr:mail@@
• Attribute should be the user's Office 365 email address
22. Add the remote attribute ImmutableID and local attribute then click OK
• @@encodeUUID(attr:sware.guid)@@
• Attribute must be a Base64-encoded GUID and match the ImmutableID in Office 365
23. Add the remote attribute UserPrincipalName and local attribute then click OK
• Use @@attr:mail@@ or @@attr:userPrincipalName@@
• Attribute must match the Office 365 UserPrincipalName
24. Click Save button
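Before the certificate text saved in step 12 is handed to Office 365, it is worth confirming that the file parses, that the key is the RSA 2048 the wizard was asked for, and that it is not about to expire. The following PowerShell is an added example and is not part of the Stoneware guide or the webNetwork product; it assumes office365-cert.txt holds the Base64 certificate text copied from the wizard and that the path in the usage line is adjusted to wherever you saved it.

```powershell
# Added example (not from the webNetwork guide): validate office365-cert.txt
# before turn-on.ps1 uses it. Assumes the file holds the Base64/PEM text copied
# from the webNetwork certificate wizard; the path below is an assumption.

function Test-WebNetworkSigningCert {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinKeyBits = 2048,          # the wizard step asks for RSA 2048
        [int]$WarnDaysBeforeExpiry = 30
    )

    # X509Certificate2 loads both DER and Base64 (PEM) encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Works on .NET Framework 4.6+ and .NET Core; avoids the deprecated PublicKey.Key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName
    $now     = Get-Date

    $problems = @()
    if (-not $rsa) {
        $problems += 'public key is not RSA; the wizard should have generated an RSA key'
    } elseif ($keyBits -lt $MinKeyBits) {
        $problems += "RSA key is $keyBits bits, expected at least $MinKeyBits"
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDaysBeforeExpiry)) {
        $problems += "certificate expires on $($cert.NotAfter); stage the replacement with Set-MsolDomainAuthentication -NextSigningCertificate before then"
    }
    # The guide's wizard step specifies SHA-1 (the requirement when it was written).
    # Report the algorithm so it can be checked against current Microsoft guidance.
    if ($sigAlg -notmatch 'sha1') {
        $problems += "signature algorithm is '$sigAlg'; the wizard step in this guide specifies SHA-1, confirm which algorithms Office 365 currently accepts"
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        Thumbprint         = $cert.Thumbprint
        SignatureAlgorithm = $sigAlg
        KeyBits            = $keyBits
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        # Exactly the string turn-on.ps1 passes as -SigningCertificate.
        SigningCertificate = [Convert]::ToBase64String($cert.RawData)
        Problems           = $problems
        Ok                 = ($problems.Count -eq 0)
    }
}

# Usage. The path is an assumption; point it at the file saved in step 12.
$result = Test-WebNetworkSigningCert -Path "$env:USERPROFILE\Desktop\O365\office365-cert.txt"
$result | Format-List Subject, Thumbprint, SignatureAlgorithm, KeyBits, NotAfter, Ok
$result.Problems | ForEach-Object { Write-Warning $_ }
```

The Thumbprint it prints is the value to compare against what Office 365 reports for the domain once federation is on; if the two differ, Office 365 is validating assertions against a different certificate than webNetwork signs with and every SSO login will fail.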
How to prepare Office 365 for Single Sign-On
Purpose:
• Download tools necessary to connect to Azure cloud and turn on SSO
• Make sure you have two admin accounts in each domain, so you will not get locked out if SSO configuration fails for Office 365
Steps:
1. Download utilities
2. Create Office 365 domain
3. Create back-up administrator account
4. Login with back-up administrator account
1. Download utilities
• Download and install the Microsoft Online Services Sign-In Assistant
• Download and install the Windows Azure Active Directory Module for Windows PowerShell
• Both can be installed on any workstation
2. Create Office 365 domain
• IMPORTANT- must be different from @MYDOMAIN.onmicrosoft.com domain to turn on Single Sign-On
3. Create back-up administrator account
• If you federate your domain unsuccessfully and are disconnected from the PowerShell session, you will need an admin in the @MYDOMAIN.onmicrosoft.com domain to turn federation off, because accounts in the federated domain are redirected to webNetwork and cannot sign in to Office 365 directly
• Office 365 - Create a User
• Office 365 - Assign Admin Role
• Treat this account as a break-glass account: give it a strong password and store the credentials somewhere that an SSO outage cannot lock you out of
4. Login with back-up administrator account
Verify you can login with back-up administrator account on the @MYDOMAIN.onmicrosoft.com domain
How to configure Office 365 Single Sign-On
Purpose:
• Turn on federation for the domain using PowerShell
Steps:
1. Run Windows Azure Active Directory Module for Windows PowerShell
2. Run Connect-MsolService and login with admin creds
3. Run command to verify ImmutableId is populated
4. Open Notepad and paste in the following script
5. Save file as turn-on.ps1
6. Run command .\turn-on.ps1
7. Test login
8. Login with AD creds
9. Verify login was successful
10. Turn off SSO (only if needed; see the next section)
1. Run Windows Azure Active Directory Module for Windows PowerShell
2. Run Connect-MsolService and login with admin creds
• Connect-MsolService
3. Run command to verify ImmutableId is populated
• Get-MsolUser -UserPrincipalName USER@YOURDOMAIN.com | Format-Table -Property ImmutableId
• Value will be Base64 encoded and should equal the Base64 encoding of the user's AD objectGUID, which is what @@encodeUUID(attr:sware.guid)@@ produces
• IMPORTANT - if users do not have an ImmutableID defined, they will not be able to login with the SSO method
• If the ImmutableId value is empty for a user, set it with Set-MsolUser -UserPrincipalName USER@YOURDOMAIN.com -ImmutableId USERVALUE, where USERVALUE is the user's Base64-encoded objectGUID
4. Open Notepad and paste in the following script (edit the placeholder values: YOURDOMAIN.com, YOUR-WEBNETWORK-URL, the path to office365-cert.txt and, optionally, the brand name)
$dom = "YOURDOMAIN.com"
$BrandName = "Stoneware"
$url = "https://YOUR-WEBNETWORK-URL/swPublicSSO/SAML/Office365"
$logouturl = "https://YOUR-WEBNETWORK-URL/swPublicSSO/SAML/Logout/Office365"
$uri = "https://YOUR-WEBNETWORK-URL/swPublicSSO/SAML/Office365"
# Path to the certificate text saved in step 12 of the webNetwork configuration
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Users\Administrator\Desktop\O365\office365-cert.txt")
$certData = [System.Convert]::ToBase64String($cert.RawData)
$MetadataExchangeUri = "https://YOUR-WEBNETWORK-URL/SWPublicSSO/SAMLMetadata/Office365"
$Protocol = "SAMLP"
# ECP endpoint: this is what lets Outlook and other "fat" clients authenticate against webNetwork
$activeUrl = "https://YOUR-WEBNETWORK-URL/swPublicSSO/SAML/ECP/Office365"
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -LogOffUri $logouturl -MetadataExchangeUri $MetadataExchangeUri -PreferredAuthenticationProtocol $Protocol -ActiveLogOnUri $activeUrl
5. Save file as turn-on.ps1
6. Run command .\turn-on.ps1
• If you receive an error about running scripts, allow script execution for the current session (for example Set-ExecutionPolicy RemoteSigned -Scope Process) or see:
• http://technet.microsoft.com/en-us/library/cc764242.aspx
7. Test login
• https://login.microsoftonline.com/
• After typing in username and hitting tab, it should redirect to your webNetwork login page
8. Login with AD creds
9. Verify login was successful
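A browser login proves the happy path for one user; it does not show whether Office 365 stored the settings you meant to send, or which users will fail because their ImmutableId is missing or does not match AD. The following PowerShell is an added example, not part of the Stoneware guide; it assumes an open Connect-MsolService session, the ActiveDirectory RSAT module on the same workstation, the same placeholder values as turn-on.ps1, and (labelled in the code) that each user's UPN prefix equals the sAMAccountName.

```powershell
# Added example (not from the webNetwork guide): post-federation checks.
# Assumes an open Connect-MsolService session, the ActiveDirectory module on this
# workstation, and the placeholder values used in turn-on.ps1.
Import-Module MSOnline
Import-Module ActiveDirectory

function Get-ExpectedImmutableId {
    # ImmutableId is the Base64 encoding of the on-premises objectGUID bytes,
    # i.e. the value @@encodeUUID(attr:sware.guid)@@ asserts for the user.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID
    [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Test-ImmutableIdMapping {
    # Flags every cloud user in the domain whose ImmutableId is empty or differs
    # from the on-premises objectGUID; either case breaks SSO for that user.
    param([Parameter(Mandatory)][string]$Domain)
    Get-MsolUser -All -DomainName $Domain | ForEach-Object {
        $upn = $_.UserPrincipalName
        # Assumption: the UPN prefix is the sAMAccountName; adapt the lookup if not.
        $expected = $null
        try { $expected = Get-ExpectedImmutableId -SamAccountName ($upn.Split('@')[0]) } catch { }
        $status = if (-not $_.ImmutableId) { 'MISSING (SSO will fail)' }
                  elseif (-not $expected) { 'NO AD MATCH' }
                  elseif ($expected -ne $_.ImmutableId) { 'MISMATCH' }
                  else { 'OK' }
        [pscustomobject]@{
            UserPrincipalName = $upn
            CloudImmutableId  = $_.ImmutableId
            ExpectedFromAD    = $expected
            Status            = $status
        }
    }
}

function Test-FederationSettings {
    # Compares what Office 365 now holds for the domain with what turn-on.ps1 sent.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$WebNetworkHost,   # the YOUR-WEBNETWORK-URL value
        [Parameter(Mandatory)][string]$CertPath          # the office365-cert.txt file
    )
    $fed   = Get-MsolDomainFederationSettings -DomainName $Domain
    $local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $cloud = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 [Convert]::FromBase64String($fed.SigningCertificate))
    $base  = "https://$WebNetworkHost/swPublicSSO/SAML"
    [pscustomobject]@{
        Authentication              = (Get-MsolDomain -DomainName $Domain).Authentication  # expect Federated
        Protocol                    = $fed.PreferredAuthenticationProtocol                 # expect SAMLP
        PassiveLogOnUriOk           = ($fed.PassiveLogOnUri -eq "$base/Office365")
        ActiveLogOnUriOk            = ($fed.ActiveLogOnUri -eq "$base/ECP/Office365")     # fat clients
        LogOffUriOk                 = ($fed.LogOffUri -eq "$base/Logout/Office365")
        IssuerUri                   = $fed.IssuerUri
        SigningCertMatchesLocalFile = ($cloud.Thumbprint -eq $local.Thumbprint)
        SigningCertExpires          = $cloud.NotAfter
    }
}

# Usage (placeholders as in turn-on.ps1; the certificate path is an assumption).
Test-FederationSettings -Domain 'YOURDOMAIN.com' -WebNetworkHost 'YOUR-WEBNETWORK-URL' `
    -CertPath "$env:USERPROFILE\Desktop\O365\office365-cert.txt" | Format-List
Test-ImmutableIdMapping -Domain 'YOURDOMAIN.com' | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run the federation check first: if SigningCertMatchesLocalFile is false or any of the URI checks fail, fix the domain settings (re-run turn-on.ps1 with corrected values) before chasing per-user ImmutableId problems, since nobody in the domain can log in while those are wrong.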
How to turn off Single Sign-On
• Set-MsolDomainAuthentication -Authentication Managed -DomainName YOURDOMAIN.com
• If federated logins are broken, run this from a session opened with the back-up administrator account in the @MYDOMAIN.onmicrosoft.com domain created in the preparation section; accounts in the federated domain cannot sign in to run it
How to create links to Office 365
Purpose:
• If the user is already in webNetwork, you want a simple link to the Office 365 application
Steps:
1. Go to webAdmin tool
2. Expand Link Menu Admin folder
3. Expand desired location
4. Right-click and select Create Link
5. Type in Office365-link then click Next button
6. Verify the link was created successfully then click Close button
7. Enter description
8. Enter URL
9. Click the green + for Assigned To
10. Assign users/groups/OUs then click OK button
11. Click Save button
12. Logout
13. Login
14. Click Office 365 tile
1. Go to webAdmin tool
2. Expand Link Menu Admin folder
3. Expand desired location
4. Right-click and select Create Link
5. Type in Office365-link then click Next button
6. Verify the link was created successfully then click Close button
7. Enter description
8. Enter URL
• Office 365 Portal
https://login.microsoftonline.com/PostToIDP.srf?msg=AuthnReq&realm=YOURDOMAIN.com&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline
• Outlook
https://outlook.office365.com/owa/?realm=YOURDOMAIN.com&exsvurl=1&ll-cc=1033&modurl=0