This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring Office 365 WS-Federation with Identity Server
This section provides instructions on configuring the WSO2 Identity Server for WS-Federation with Office 365. The following sections guide you through this process.
Prerequisites
Configure Azure Active Directory (AD) to trust WSO2 Identity Server. For more information on how to do this, see Configuring Azure Active Directory to Trust WSO2 Identity Server.
Configure an Active Directory user store as the primary user store in WSO2 Identity Server. For more information on how to do this, see Configuring a Read-Write Active Directory User Store.
Configure WSO2 Identity Server to authenticate users using the email address as the username. For more information on how to do this, see Using Email Address as the Username.
Azure AD expects to receive the following attributes with a SAML 2.0 message.
| Claim | Claim URI | Purpose |
|---|---|---|
| UserPrincipal | | This must be the email address of the Office 365 user, usually the userPrincipalName attribute in AD. It is the login username the user enters to sign in to Office 365 and must match the federated domain name (for example, wso2@wso2test.com). Because this attribute requires an email address as the username, make sure you have configured the Identity Server to authenticate users using the email address. See Using Email Address as the Username for more information. |
| ImmutableID | http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID | This is the Immutable ID that is set by the Azure AD sync service out of the box. If you use a different value, this claim must be populated with that value for each user. In this case we use the ObjectGUID attribute in AD, which is unique per user. |
| Role | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | The URI for a claim that specifies the role of a Windows user. |
Configuring Office 365 WS-Federation
Start the WSO2 Identity Server and log in to the management console.
Click Resident under Identity Providers on the Main menu. Expand the Inbound Authentication Configuration section and then the WS-Federation (Passive) Configuration.
Replace the value of the Identity Provider Entity Id with the value given for the parameter $issueruri when configuring Azure AD (configured in step 3 of this topic), and click Update to save the changes.
Navigate to Claims>Add in the Main menu and click Add New Claim. Set 'User Principal' and 'ImmutableID' as claims as seen below. See Adding Claim Mapping for more information.
Navigate to Claims>List and click on the http://wso2.org/claims claim dialect. Click on Edit for each of the claims below and untick the Supported by Default checkbox.
Testing Office 365 WS-Federation with WSO2 IS
WS-Federation eliminates the need to send passwords between Active Directory and Office 365, but it still requires synchronizing the user accounts with Azure AD. You can do this manually or you can automate the process.
Manually - Add Office 365 users that match each Active Directory user account
Automate - Automate the process with the Microsoft Directory Synchronization Tool.
The following steps describe how to manually synchronize a user with Azure AD.
Connect to Azure AD with the Windows Azure AD PowerShell module by executing the following commands.
Run the following command. It prompts for user credentials.
$cred=Get-Credential
Run the following command. It connects using the stored credentials; provided that the credentials are accurate, the connection succeeds.
Connect-MsolService -Credential $cred
Run the following command. It verifies the availability of the validated domain and returns its Status and Authentication. The Status of the domain should be Verified, and Authentication should be Managed.
Get-MsolDomain
Run the following command to create a new user.
New-MsolUser -UserPrincipalName wso2@wso2test.com -ImmutableID eDONEoBWe0SatxWqbZYobw== -LastName test -FirstName wso2 -DisplayName "WSO2 Test User"
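The following script is an added example and is not part of the WSO2 documentation or the WSO2 product; it carries the manual synchronization steps above through end to end. It assumes the ActiveDirectory and MSOnline PowerShell modules are installed, that the on-premises account (sample value `wso2`) has a UPN in the federated domain (sample value `wso2test.com`), and that the ImmutableID is the base64 encoding of the raw bytes of the AD objectGUID, which is the form Azure AD sync produces by default. Deriving the ImmutableID from the same attribute that WSO2 IS maps to the ImmutableID claim is what keeps the asserted value and the stored value identical; a mismatch between them is a common cause of a federated login that fails after a successful authentication at the Identity Server.

```powershell
# Added example (not from the WSO2 documentation): provision one Office 365 user whose
# ImmutableID is derived from the on-premises AD objectGUID, so that the ImmutableID claim
# WSO2 IS sends matches the value stored in Azure AD. Assumes the ActiveDirectory and
# MSOnline modules are installed; the account name and domain are sample values.
param(
    [string]$SamAccountName = 'wso2',          # on-premises AD account (sample value)
    [string]$FederatedDomain = 'wso2test.com'  # domain verified in Azure AD (sample value)
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Read the objectGUID of the on-premises user and encode it the way the ImmutableID
#    claim expects: base64 of the GUID's 16 raw bytes (not of its string form).
$adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. The UPN sent in the UserPrincipal claim must be the login name in the federated domain.
$upn = $adUser.UserPrincipalName
if (-not $upn -or $upn.Split('@')[1] -ne $FederatedDomain) {
    throw "UPN '$upn' is not in the federated domain '$FederatedDomain'; federation will fail."
}

# 3. Connect to Azure AD (prompts for credentials) and confirm the domain state the
#    documentation expects before creating anything.
$cred = Get-Credential
Connect-MsolService -Credential $cred
$domain = Get-MsolDomain -DomainName $FederatedDomain
if ($domain.Status -ne 'Verified') {
    throw "Domain $FederatedDomain has Status '$($domain.Status)', expected 'Verified'."
}
Write-Host "Domain ${FederatedDomain}: Status=$($domain.Status) Authentication=$($domain.Authentication)"

# 4. Create the cloud user with the same UPN and ImmutableID the IdP will assert.
#    Skip creation if a user with this UPN already exists.
if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
    Write-Host "User $upn already exists in Azure AD; nothing to do."
} else {
    New-MsolUser -UserPrincipalName $upn `
                 -ImmutableID $immutableId `
                 -FirstName $adUser.GivenName `
                 -LastName $adUser.Surname `
                 -DisplayName $adUser.Name
}

# 5. Print the two values WSO2 IS must emit; compare them against the claims in a
#    captured SAML response when troubleshooting a failed login.
Write-Host "UserPrincipal claim : $upn"
Write-Host "ImmutableID claim   : $immutableId"
```

Run it from an elevated PowerShell session on a domain-joined machine, for example `.\Sync-O365User.ps1 -SamAccountName wso2 -FederatedDomain wso2test.com` (script name is a placeholder). The UPN check in step 2 fails early when the on-premises UPN suffix differs from the verified domain, because Azure AD will not accept the federated assertion for a user in a different domain.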
You can now attempt to log in to the Office 365 Web Portal with the user you created. The user's identity is represented and authenticated by the on-premises identity provider (i.e., the WSO2 Identity Server).
Access the following URL on your browser: https://login.microsoftonline.com/
Enter the username along with the federated domain following this format: wso2@wso2test.com
You will be redirected to the login page of the WSO2 Identity Server's authentication endpoint. Enter the correct user credentials and log in.
You will be successfully logged on to the Office 365 portal.