
A while back it was announced that Office 365 will support SAML federation (Office 365 and SAML), and I want to know how I integrate our in-house SSO server to work with it. Is Active Directory necessary for it? All our user data is stored in a database.

user2630656

2 Answers


Office365/AzureAD do indeed support federating with SAML-based IdPs. The list of supported "works with Office 365" IdPs is here: http://technet.microsoft.com/en-us/library/jj679342.aspx

Yes, you can federate your in-house identity provider with Office365/AzureAD. No, your identity provider doesn't need to use Windows Server AD; it doesn't matter in what store the identities are stored, as long as:

  • the required attributes exist on the user objects
  • their corresponding identities are created in AzureAD (either via continuous sync or via manual creation and update)
  • the SSO endpoints (passive and active) of the federated identity provider are registered in Azure AD
  • Azure AD is registered as an SP in the identity provider, and when Azure AD sends an SSO request to the identity provider, it issues the right claims in the token (including ImmutableID) with the correct audience.

Yes, that's a lot of stuff you need to take care of if you're not using an off-the-shelf "works with Office365" IdP. The good news is that much of the Shibboleth config step-by-step document will apply to your config too, so it will help a lot: http://www.microsoft.com/en-us/download/details.aspx?id=35464

Finally, as Bernhard noted, AzureAD doesn't yet support SP-initiated logout with SAML IdPs.

Found an article tailor-made for this: http://msdn.microsoft.com/en-us/library/azure/dn641269.aspx

Hope that helps.

Dheeraj Vepakomma
Dushyant Gill
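As an added example (not part of the answer above, and not Microsoft's or any IdP's code), here is a small checker for the claims the answer lists as required in the token: the ImmutableID as a persistent NameID, the Azure AD audience, and the user's UPN. The audience value `urn:federation:MicrosoftOnline` and the attribute name `IDPEmail` are assumed from the Azure AD federation documentation; confirm them against your tenant's metadata. Signature and validity-window checks are out of scope here.

```python
# Added example: check that a SAML assertion carries the claims Azure AD
# expects from a federated IdP. Assumed from the Azure AD federation docs
# (confirm against your tenant's metadata):
#   audience           = urn:federation:MicrosoftOnline
#   NameID             = the user's ImmutableID, format persistent
#   attribute IDPEmail = the user's UPN as it exists in Azure AD
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_azure_ad_assertion(assertion_xml: str) -> list:
    """Return a list of problems; an empty list means the assertion carries
    the claims Azure AD needs. Signature verification is not done here."""
    problems = []
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience must be %s, got %s" % (EXPECTED_AUDIENCE, audiences))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID (ImmutableID) missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format must be persistent, got %r" % name_id.get("Format"))
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get("IDPEmail") or not attrs["IDPEmail"][0]:
        problems.append("IDPEmail attribute (the user's UPN) missing")
    return problems


# Constructed sample assertion for demonstration; the IdP, ImmutableID and
# e-mail address are made up, not real data.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">AbCdEf0123456789AbCdEf==</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_azure_ad_assertion(SAMPLE_ASSERTION) or "assertion OK")
```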

Officially only Shibboleth is 'supported'. You may have a look at http://technet.microsoft.com/en-us/library/jj205456.aspx

It also works with OpenAM as IdP.

If your 'in house SSO server' supports SAMLv2, your chances are good that it works as well.

Last time I tried it, the Office 365 metadata did not follow the schema defined in the SAMLv2 spec (hence it bails out on OpenAM).

Last time I looked at it, Office 365 did not offer SP-initiated single logout.

Bernhard Thalmayr