Office 365

Setting up MIRACL Trust SSO as an Identity Provider within Office 365

These instructions are up-to-date at the time of writing, but you should refer back to the ViewDS guidance on making Office 365 work with an external SAML IdP to check for any changes. We cannot guarantee the accuracy of our SP-specific guidance.

  1. Create an Office 365 for Business account. To do this:
  • Go to the Office 365 Select a plan page.
  • Choose Office 365 Business Premium (can be free trial).
  • Follow the steps in the setup wizard.
  1. Add your domain. To do this:
  • Log into Office 365 and go to the ‘Admin’ page.
  • Under ‘Setup’ tab, click on the Guided Setup button.
  • Follow the steps in the setup wizard to add domain.

When complete, ensure that the newly added domain is not set as the default domain, because default domains cannot be used for federated sign on.

  1. Add new users. To do this:
  • Under ‘Users > Active Users’, select the ‘+’ sign to add a new user.
  • Configure the new user with the newly added domain.

Note that, in Office365, federated users must have an ImmutableID set (this is an arbitrary value which could perhaps be a staff number, user ID or another unique number) . The MIRACL Trust SSO IdP server must pass an attribute which matches the ImmutableID which is stored for each user in Office365. Please see the note on user config at the end of this page for instructions on doing this.

  1. Install the Windows PowerShell module by downloading and running AdministrationConfig-V1.1.166.0-GA.msi available at the bottom of the following page: http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

  2. Configure MIRACL Trust SSO as an Identity provider for the Office 365 Account. To do this:

  • Open Windows PowerShell.
  • Import the MSOnline module with Import-Module MSOnline.
  • Connect to your main Office 365 profile with Connect-MsolService.
    A popup window is displayed requesting your Office 365 credentials. Enter these and click on the OK button.
  • Define the required variables as [name]=[value] pairs:
    • $domainName – your registered Office365 domain name (as set in the Offic365 Admin console), e.g. yourcompany.com
    • $issuerUri – https://[idp.yourcompany.com]/metadata - [idp.yourcompany.com] should be replaced by the public url which your IdP server is available on.
    • $logoffUrihttps://www.office.com/ (the standard Office365 logoff Uri)
    • $passiveLogonUri – your MIRACL Trust SSO endpoint, i.e. https://[idp.yourcompany.com]/sso
    • $cert – your MIRACL Trust SSO X.509 certificate (without the comment lines, i.e. without the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines). This can be output in the terminal in the correct format with a command such as echo $(cat idp.crt | tr -d '\n' | sed -E 's/-----[^-]+-----//g') You should have already generated this certificate and your private key with a command such as openssl req -x509 -nodes -newkey rsa:2048 -keyout idp.key -out idp.crt -days 1000 -subj /C=UK/ST=London/L=London/O=Development/CN=example.com
  • Run the following command:
Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName
$domainName -Authentication Federated -PassiveLogOnUri $passiveLogonUri -SigningCertificate
$cert -IssuerUri $issuerUri -LogOffUri $logoffUri -PreferredAuthenticationProtocol SAMLP

A full list of MSOnline commands can be retrieved with Get-Command –Module MSOnline.

If you need to change settings, first switch back to managed mode with `Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed`
  1. (Optional) Verify your settings are correct. To do this, run the following command:
Get-MsolDomainFederationSettings -DomainName $domainName

Configuring your Office 365 Service Provider profile with MIRACL Trust SSO

  1. Edit /etc/miracl-sso/service_providers/office365.yaml:
profile:
  nameid:
    office365: <NameID NameQualifier="{{.MetadataEntityID}}" SPNameQualifier="{{.SPEntityID}}" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">{{.SessionUserName | urlquery}}</NameID>
  attribute:
    office365: >-
    <AttributeStatement>
      <Attribute Name="IDPEmail">
        <AttributeValue>{{.SessionUserEmail}}</AttributeValue>
      </Attribute>
      <Attribute Name="ImmutableID">
        <AttributeValue>{{AttrVal "uid" 0 "" . Attributes}}</AttributeValue>
      </Attribute>
    </AttributeStatement>
sp:
  office365:
    description: Office 365 subscription plans to access Microsoft Office applications
      plus other productivity services
    relay_state: /
    login_url: https://login.microsoftonline.com
    logout_url: https://login.microsoftonline.com/logout.srf
    metadata: >-
      <!-- insert downloaded SP metatadata here -->
    sign_response: true
    sign_assertion: true
    encrypt_assertion: false
    authorize:
    - - ldap: ldap_profile
    profile:
      nameid: office365
      attribute: office365
  1. Note that sp name is used to create your IdP-initiated login url, i.e. https://<yourssoip>/login/office365

  2. login_url and logout_url are the standard SP URLs which Office 365 makes available for SAML IdPs to use.

  3. The standard Office 365 SP metadata can be obtained from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml (Note that this url may be subject to change. It is currently what the Microsoft documentation points to at https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx)

The downloaded metadata file must be converted to a single line with a command such as:

echo -e "\n"$(cat metadata.xml | tr -d '\n')"\n"

The contents will then be output in the terminal in a format that can be pasted into the metadata field.

If you are using JSON format for your config file, the " characters need to be escaped with \ to meet the json structure requirements. This can be achieved by running the following command on the downloaded metadata.xml file:

echo -e "\n"$(cat metadata.xml | tr -d '\n' | sed -E 's/"/\\"/g')"\n"

The contents will then be output in the terminal in a format that can be pasted into the JSON metadata field.

  1. In the authorize subsection, you can control what users are allowed to attempt login by following one or both of the below steps:
  • Call up an LDAP setup from an ldap.yaml file stored in /etc/miracl-sso/integrations.
  • Configure a regex list of email addresses/domains.

Note that if this is not set correctly, you will receive ‘unauthorized user’ messages.

For more detailed info on using LDAP and regex to control authorized users, please see the LDAP and authorization menu section but please read on for instructions specific to Office365:

Note on user configuration

In Office365 federated users must have an ImmutableID set (this is an arbitrary value which could perhaps be a staff number, user ID or another unique number). The MIRACL Trust SSO IdP server must pass an attribute which matches the ImmutableID which is stored for each user in Office365.

Assuming that you have created a user attribute field for your LDAP users for this ImmutableID, this can be achieved by first of all specifying that the relevant ID attribute (uid in this example) is extracted from the LDAP query you will be using:

ldap:
  server:
    ldap_server:
      method: plain
      address: 52.xx.xx.xxx:389
      user: cn=admin,dc=ldap,dc=example,dc=com
      password: strong_password
  query:
    ldap_profile:
      server: ldap_server
      search:
      - dn: ou=dept1,dc=ldap,dc=example,dc=com
        filter: "(mail={{.UserID}})"
        attributes:
        - uid

     Then you can specify that this query is used in the office365 subsection of the sp section:

authorize:
- - ldap: ldap_profile

     It is then also necessary to add the ImmutableID attribute (which passes this extracted uid) to the office365 entry in the attribute subsection of the profile section of the config file:

profile:
  nameid:
    office365: <NameID NameQualifier="{{.MetadataEntityID}}" SPNameQualifier="{{.SPEntityID}}" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">{{.SessionUserName | urlquery}}</NameID>
  attribute:
    office365: >-
    <AttributeStatement>
      <Attribute Name="IDPEmail">
        <AttributeValue>{{.SessionUserEmail}}</AttributeValue>
      </Attribute>
      <Attribute Name="ImmutableID">
        <AttributeValue>{{AttrVal "uid" 0 "" . Attributes}}</AttributeValue>
      </Attribute>
    </AttributeStatement>

     You will notice that an Office 365-specific nameid setting (which extracts SAML attributes) has already been made for you, as well as another IDPEmail attribute which is expected by Office 365.

     The office365 attribute and nameid profiles are then invoked in the sp subsection:

profile:
  nameid: office365
  attribute: office365
  1. Once finished, save and close the file.

  2. In your /etc/miracl-sso/config.yaml file make sure you add office365.yaml to the list of ‘includes’:

includes:
  - core.yaml

# service providers
  - service_providers/office365.yaml
  1. As always after config changes, restart the server with sudo service miracl-sso restart

  2. Now your service is configured, you can visit https://<yourssoip>/login/office365 or https://<yourssoip>/services to login to the service using IdP-initiated login, or visit the Office 365 login page and SP-initiated login will be triggered automatically.

  3. You will be able to login using the in-browser PIN pad or with the MIRACL Trust app. When logging in to your SSO service for the first time you will be asked to register an email address so as to confirm your identity and register you as a user.