This site requires JavaScript to be enabled
External Customer KB > General > Configure Office 365 V2 SSO with OneLogin
Configure Office 365 V2 SSO with OneLogin
Article: KB0010030 Published: 10/16/2023 Last modified: 10/16/2023

This topic describes how to configure OneLogin as the federation service that provides SSO for Office 365.

Configuring OneLogin's Office 365 V2 App Connector

Prerequisites

  • A OneLogin subscription that includes Single Sign-on.
  • An Office 365 implementation not using ADFS or another identity provider for federation. See Disabling ADFS Federation to Enable OneLogin SSO With Office 365 if you are trying to switch from ADFS to OneLogin.
  • You are using Office 365 Connector V2. If you added Office 365 before February 1, 2018, you need to upgrade to V2.
  • Your organization's domain is registered with your Office 365 account. Your OneLogin domain (typically your organization's domain, such as acme.com) must match the domain you use for Office 365, and all users must share the same Office 365 and OneLogin email addresses, using this domain. For more information about registering your domain in Office 365, read Microsoft's guide to adding your domain.
    • Note: Microsoft does not allow you to federate an onmicrosoft.com domain (such as acme.onmicrosoft.com)
  • The domain you want to federate is not your primary domain (set to Default) in Office 365. You can't federate your primary domain; you must switch the Office 365 default domain to another domain, such as onmicrosoft.com. For more information about switching the default domain in Office 365, see here.

    o365 Outlook Domains

  • You have a global administrator account that lies outside of a federated domain. We recommend that you use an onMicrosoft account, e.g. admin@acme.onmicrosoft.com.
  • You have Azure AD Connect or OneLogin provisioning enabled.
    • You must have either DirSync (now Azure AD Connect) or OneLogin provisioning enabled for Office 365 federation (SSO) to work. If you are not using Azure AD Connect, or if you want to switch from Azure AD Connect to the OneLogin provisioning engine, follow the instructions at the above link. For a comparison of the benefits of Azure AD Connect and OneLogin Provisioning, see Introduction to Office 365 Integration with OneLogin.
  • If you intend to configure both SAML and provisioning for Office 365, you must enable provisioning first before completing your SAML configuration.

 


 

Configuration

Enable WS-Trust

The best security practice is to disable WS-Trust, but your org may use apps that require WS-Trust. If your end users connect to Office 365 V2 with applications that require WS-Trust to authenticate, then you must enable WS-Trust. It's important to audit the applications that connect to Office 365 to verify if they rely on WS-Trust.

  • Apps that require WS-Trust:
  • Any Office Application BEFORE Office 2013
  • Office 2011 and below for Macs
  • Apps that support modern authentication libraries:
  • The native Mail app on iOS 11.x+
  • Outlook on iOS version 10.x and greater
  • Outlook on Android

Enable user search using UPN (Ws-Trust)

When enabled, users will be searched by the User Principal Name (UPN) set at the app level if the user cannot be searched by the email set at the user level

API Connection

Enter the domain (yourdomain.com) you want to federate with Office 365 and click Verify. All users must share the same Office 365 and OneLogin email addresses, using this domain.

Office 365 V2(Azure Graph) OAuth

Click Authenticate to get the API access token.

If you haven’t previously authorized, you will receive a consent request that enables OneLogin to access the Windows Azure Active Directory for Office 365.

Office 365 V2(Microsoft Graph) OAuth

Click Authenticate to get the API access token.

A dialog will prompt you to complete the authentication process by authorizing access for OneLogin. Select your Office account name and choose your account (or sign in if prompted). Once you authenticate, the Authenticate button becomes Clear Token, which allows you to clear the bearer token and reauthenticate.

 


 

Parameters

Required Parameters

Field Value Type
ImmutableID

Set to AD ID. If OneLogin is not integrated with Active Directory (AD), and there is no ImmutableID to provision from AD to Office 365, OneLogin generates a unique AD ID value to map to the Office 365 ImmutableID.

The ImmutableID parameter is provisioned bi-directionally. If a OneLogin user is provisioned into Office 365, and that user exists with an assigned Immutable ID, OneLogin will copy that value back into the ImmutableID parameter. If the value in Office 365 differs from the value in OneLogin, we copy the value from Office 365 into OneLogin ImmutableID parameter. For this reason, we recommend you create a custom parameter to safely store Immutable IDs.
The correct ImmutableID is required for SSO to function. SSO will fail if the wrong ImmutableID is stored in OneLogin.
Important! ImmutableID is immutable! You can't change it once it's set.
string
Sharepoint Online Persistent Sessions Enable (set macro to True to allow single sign-on sessions to persist for 5 days. string
UsageLocation A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: "US", "JP", and "GB". string
User Principal Name Email string

Optional Parameters

Field Value Type
Display Name Can be set to AD ID, AD user name, or company. AD ID maps to the mS-DS-ConsistencyGUID field in AD, while AD user name maps to sAMAccountName field. string

All other attributes are used only when provisioning users to Office 365.

 


 

Configuring WS-Federation

Automatically

You can tell OneLogin to exchange certificates with Office 365 and configure WS-Federation automatically.

If you are federating multiple domains with Office 365, it is best practice to use a separate X.509 certificate for each domain. You must create any new certificates before you configure your Office 365 connectors. Go to Settings > SAML and click New to create new certificates. Before you perform the following steps, go to the Manual Configuration sub-tab, click the Change link and select a new certificate from the drop-down. Return to the Automatic Configuration sub-tab to initiate automatic federation configuration.
  1. Turn on the Enable automatic SAML configuration toggle to open the One Click dialog.
  2. Follow the prompts to complete the WS-Federation configuration.
    • If WS-Federation configuration fails, the dialog will tell you. If retrying fails, make any modifications suggested by the error message or check your settings on the Configuration, Access, and Parameters tabs and try again. If automatic configuration continues to fail, you can try manual configuration.
    • If WS-Federation configuration succeeds, the dialog tells you it’s done and prompts you to verify the configuration.

Note: the default wizard requires you to press Verify to launch a new tab, but for 30 minutes you may receive an error screen from Microsoft (see image). Ignore it and close the tab.

Microsoft Sign in issue

  1. If you have not already assigned yourself access to this app, the Done page will display Next; select Next to display a verification page.
  2. Open a new browser window or tab. Assign this app to a OneLogin user with an Office 365 account, then log in to OneLogin as the user and try to launch Office 365 from App Home. If the app launches successfully, return to the One Click dialog and click Yes. I'm Done. Wait 30 minutes as Microsoft proagates your admin setup commands across all its servers and then open a new browser window or tab.
  3. OneLogin returns you to the SSO tab, where you can confirm that Enable automatic SAML configuration is turned on. If you ever need to turn off OneLogin SSO for Office 365, simply click the toggle off.

Manually

You can also configure WS-Federation settings manually:

Go to SSO > Manual Configuration, where you can view the X.509 certificate, SHA-1 fingerprint, Issuer URL, and web service endpoints required required to set up WS-Federation with SAML 1.1 using Windows PowerShell. Make note of these values and contact your OneLogin support team for assistance.

For information about using PowerShell, see here.


Expand/Collapse Comments
:     
Was this helpful?
YesYesNoNo