Cloud Services Thread, in Technical
#1
    We are migrating from Live@edu to Office 365 and I need to SSO it like it is for LIVE

    Currently we are authenticating into Live@edu by using just a userid. The user logs into our portal with their username and password, and when they click on the email link they are automatically logged in. We have security set up so that the link cannot be used on other PCs etc.


    I want to authenticate to office 365 from my web page.

    I currently have federated the userids from our Active Directory over to O365. What I need to do is allow a user to log in from our webpage and display a link to O365 so they can click on it to see their email.


    I am wondering if, in order to log in multiple ways to O365, I can set up a custom STS or something else to create the information so I can send it to O365 to SSO into it.


    I will not be authenticated to ADFS 2.0 unless I can create it by just the userid.

    What are my options to SSO the user into o365?

    Thanks in advance


#2 (EduTech)
    Hi,

    I hope I am understanding you correctly here, had a few beers! :-) In regards to the URL that you want to be placing on your website, you would need to use http://mail.office365.com or http://outlook.com/federateddomain.com

    In regards to SSO, if you are currently using ILM & PCNS you'll need to make plans to upgrade to DirSync. If you're using the SSO toolkit you'll need to make sure you're running the 4.5 update, and prepare longer term for ADFS / Shibboleth. More information about this can be found in the following whitepapers:

    Office 365 Single Sign-On with AD FS 2.0 whitepaper (Official Microsoft Download Center)

    Office 365 Single Sign-On with Shibboleth 2 whitepaper (Official Microsoft Download Center)

    You are only able to provide SSO Services to Office 365 using ADFS or Shibboleth.

    I hope that helps,

    Regards,
    James.


#3
    Thanks for the reply!

    I have been told that we are using DirSync. I am currently not using the SSO toolkit and I assume we are running the 4.5 update.

    The webpage that I have is only authenticated on one of the Apache servers and the user clicks on a link that contains an encrypted userid/etc.

    Since the user is not really authenticated with a user name and password, I am not sure how to implement this. I have done something similar with other SSO implementations (SAML), but since I have never worked with O365 I am out of my realm.

    I hope that this explains it a little more.

#4
    Only ADFS or Shibboleth, nothing else is supported I'm afraid.
    SAML is what ADFS 2.0 is based on for O365. It can be fairly simple, you just need to make sure you follow the whitepaper above.

    Do you have any specific questions?
    Last edited by sukh; 18th May 2013 at 02:36 PM.

#5
    I have read and re-read the white paper but I am still confused about the SSO portion of it.

    I am looking at how to authenticate a user by basically their userid. I have in the past, with other SSO/SAML implementations, done this by passing the userid and signing the data.

    I see in the Supported SAML list that it does support X.509 Certificate. I am hoping that I can authenticate without the userid and password and use a Certificate.

    Supported SAML Authentication Context Classes

    Authentication Method                    Authentication Context Class URI
    User Name and Password                   urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    Password Protected Transport             urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Transport Layer Security (TLS) Client    urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
    X.509 Certificate                        urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    Integrated Windows Authentication        urn:federation:authentication:windows
    Kerberos                                 urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

#6
    It does but O365 uses User ID and password (UPN) with an option for 2FA.

    I'm not sure why you don't want to use ADFS and allow users to connect natively using the URL for Web services.

#7
    So when you said "It does...", did you mean that I can authenticate without the password, with just a username and an X.509 cert? I have read the documentation but I have not seen how to do this.

    I would allow them to log in with a username and password, but the system is a closed system that they have already authenticated to and I only have a userid. In other SSO implementations I have just used a userid and X.509 cert, but this is the first time I have tried to do it with ADFS, so I am a little confused.

    I really appreciate the help.

#8
    No, I mean it does authenticate with username and password using existing credentials. Not sure how you are trying to do this, but what type of directory do you have? AD DS?

    Why don't you want the users to access OWA using the namespace?

#9
    We are using Active Directory. I am not sure what you mean by access OWA using the namespace. The users need/want to access their email by clicking on a link without entering their username and password again. The users authenticated to Active Directory, but I only have access to the userid and not the password, and they are not authenticated to the network. The system that collected the password is not passing the password to me and I cannot get it. All I can get is an encrypted Active Directory userid.

    I have created other SAML and SSO applications where, as a programmer, I have been able to connect to the outside source as whatever user I want, because there was a trust built in with the Certificate used for all users to encrypt the SAML token. Only through my program could I do this; users could not get around it. I built the SAML 1.1, 2.0 and passed it to the other system.

    I hope that this clarifies why and what I want to do.

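As an added example (not code from the thread, and not Office 365's or ADFS's own implementation), the policy checks a SAML 2.0 relying party applies before it trusts an assertion: the issuer must be the registered federation IdP, the assertion must be signed, be inside its validity window, name the service as its audience, and use one of the authentication context classes from the table in post #5. This is why a token built outside the registered IdP, as described in post #9, is rejected by the service. The issuer URL, audience value, subject and timestamps are constructed for the example, and the signature element is a placeholder.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Authentication context classes the thread lists as supported by Office 365.
SUPPORTED_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:federation:authentication:windows",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
}

def parse_utc(ts):  # SAML xs:dateTime in UTC, e.g. 2013-05-18T14:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, expected_audience, now):
    """Checks a SAML 2.0 relying party makes before trusting an assertion; returns a
    list of problems (empty = accepted). Real XML Signature verification needs an
    xmlsec-capable library, so here we only require that a Signature element exists."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.findtext("saml:Issuer", default="", namespaces=NS) != trusted_issuer:
        problems.append("issuer is not the registered federation IdP")
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion carries no signature")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window")
    audiences = [e.text for e in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience restriction does not name this service")
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                     default="", namespaces=NS)
    if ctx not in SUPPORTED_CONTEXT_CLASSES:
        problems.append("unsupported authentication context class: " + ctx)
    return problems

# Constructed sample (not from the thread): issuer, audience, times and signature are made up.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_c1">
 <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
 <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Conditions NotBefore="2013-05-18T14:00:00Z" NotOnOrAfter="2013-05-18T14:05:00Z">
  <saml:AudienceRestriction><saml:Audience>urn:example:relying-party</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""
```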
#10 (EduTech)
    Ok, so you are saying that the users authenticate against Active Directory, but are you saying that the machines are maybe not domain joined, and so therefore when they click on a link you want them to not have to enter the username and password... if the users are domain joined then this is going to be a bit complicated. BUT if the machines are members of the domain and the user logs in, then in order to get what you want you need to deploy ADFS.

    You don't need to see the password, because ADFS would pass through this information (hence SSO) and it would also use the user's UPN.

    That's if I am understanding you correctly, there is no supported way to do what you want unless you have AD FS to pass through the information to Office 365 automatically.

    Regards,
    James.

#11
    I agree with James here. What needs to be clarified is the link that users click on. Is this on a system/webpage internally connected to AD? And the users, are they using a domain joined PC or not? If not they will be prompted.
    As for using certs, that's not supported with O365. So in short, a domain joined PC which users use to connect to OWA will honour SSO, even if not connected to the network (cached credentials). Hope that makes sense.

#12
    I have been told that now I can get the username and password. I still do not see how I can seamlessly authenticate to Office 365. I thought that SharePointOnlineCredentials might allow me to; I can authenticate, but I would need a little more than that to sign the person into the site. Any suggestions?

#13 (EduTech)
    If you want to seamlessly authenticate to Office 365 then you will need to implement an Active Directory Federation Services solution. This, with domain joined computers, will provide a seamless authentication experience.

    Regards,
    James.

#14
    Quote Originally Posted by EduTech:
    If you want to seamlessly authenticate to Office 365 then you will need to implement an Active Directory Federation Services solution. This, with domain joined computers, will provide a seamless authentication experience.

    Regards,
    James.
    Plus 1 here for ADFS

#15
    Pretty much said above. Have you deployed ADFS?
