Configuring Single Sign-On from the VMware Identity Manager Service to Office 365



Similar documents
Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Configuring Single Sign-on from the VMware Identity Manager Service to Amazon Web Services

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

VMware Identity Manager Integration with Active Directory Federation Services 2.0

Setting Up Resources in VMware Identity Manager

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Mod 2: User Management

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

VMware Identity Manager Administration

OneLogin Integration User Guide

Section 1, Configuring Access Manager, on page 1 Section 2, Configuring Office 365, on page 4 Section 3, Verifying Single Sign-On Access, on page 5

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Special thanks to the following people for reviewing and providing invaluable feedback for this document: Joe Davies, Bill Mathers, Andreas Kjellman

Setting Up Resources in VMware Workspace Portal

Connected Data. Connected Data requirements for SSO

365 Services. 1.1 Configuring Access Manager Prerequisite Adding the Office 365 Metadata. docsys (en) 2 August 2012

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

Configuring. SuccessFactors. Chapter 67

Reconfiguration of VMware vcenter Update Manager

ADFS Integration Guidelines

Configuring SuccessFactors

Configuring Salesforce

Defender Token Deployment System Quick Start Guide

SAM Context-Based Authentication Using Juniper SA Integration Guide

CA Nimsoft Service Desk

Single Sign On for ShareFile with NetScaler. Deployment Guide

Microsoft Office 365 Using SAML Integration Guide

How to Migrate Citrix XenApp to VMware Horizon 6 TECHNICAL WHITE PAPER

VMware Identity Manager Administration

ThinPrint GPO Configuration for Location-Based Printing

Egnyte Single Sign-On (SSO) Installation for OneLogin

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Configuring on-premise Sharepoint server SSO

VMware vcenter Configuration Manager and VMware vcenter Application Discovery Manager Integration Guide

Security Assertion Markup Language (SAML) Site Manager Setup

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Getting Started with Database-as-a-Service

Installing and Configuring vcloud Connector

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Office 365 deployment checklists

Google Apps Deployment Guide

Configuring. SugarCRM. Chapter 121

Sharepoint server SSO

Office 365 deploym. ployment checklists. Chapter 27

Cloud Authentication. Getting Started Guide. Version

Explore the VMware Horizon 6 Toolbox Auditing and Remote Assistance Capabilities

VMware vcenter Support Assistant 5.1.1

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Installing and Configuring vcenter Support Assistant

Offline Data Transfer to VMWare vcloud Hybrid Service

Request Manager Installation and Configuration Guide

User Management Tool 1.5

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

This guide identifies two possible enterprise integration scenarios for NetScaler and Azure AD.

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

webnetwork Office 365 SSO integration v

SAML based Single Sign-on integration for:

Using the vcenter Orchestrator Plug-In for Microsoft Active Directory

SOA Software API Gateway Appliance 7.1.x Administration Guide

Lync Online Deployment Guide. Version 1.0

Copyright Pivotal Software Inc, of 10

Reconfiguring VMware vsphere Update Manager

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

vrealize Air Compliance OVA Installation and Deployment Guide

An Overview of Samsung KNOX Active Directory-based Single Sign-On

Configuring EPM System for SAML2-based Federation Services SSO

Centrify Mobile Authentication Services

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Configuration Guide. BES12 Cloud

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

Integration with Active Directory

Extensibility. vcloud Automation Center 6.0 EN

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

Installing and Configuring vcloud Connector

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

SAP NetWeaver AS Java

CRM to Exchange Synchronization

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Shavlik Patch for Microsoft System Center

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Deployment Guide. Deploying F5 BIG-IP Global Traffic Manager on VMware vcloud Hybrid Service

AvePoint Meetings for SharePoint On-Premises. Installation and Configuration Guide

MultiSite Manager. User Guide

McAfee Cloud Identity Manager

OVERVIEW. DIGIPASS Authentication for Office 365

SPHOL300 Synchronizing Profile Pictures from On-Premises AD to SharePoint Online

Egnyte Single Sign-On (SSO) Installation for Okta

WatchDox for Windows User Guide. Version 3.9.0

VMware vcenter Log Insight Getting Started Guide


Transcription:

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1

Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding Office 365 Applications to VMware Identity Manager Catalog... 3 Map User Attributes... 3 Add Office 365 Applications to the Catalog... 4 Download Identity Provider Signing Certificate... 5 Preparing to Set Up Single Sign On to Office 365... 6 Configure Office 365 as a Federated Domain for Single Sign-on... 6 Testing Single Sign-on Configuration... 8 Set up User in VMware Identity Manager for Test... 8 Set Up User in Office 365 for Test... 8 Verify Test-User can Sign in to an Office 365 Web Application... 9 Verify Test-User can Sign in to an Office 365 Native Application... 9 Entitle Users to Office 365... 9 /1

Overview This document provides information about configuring single sign-on from the Vmware Identity Manager service to Office 365 applications. VMware Identity Manager is the identity provider and allows Office 365 to trust the VMware Identity Manager service for authentication to Office 365 apps. To use single sign-on to access these Office 365 applications, the Office 365 domain must be changed from managed to federated, and the Office 365 domain parameters settings changed to authenticate through the service. Before you grant Office 365 entitlements to your organization s users and groups, work with your Office 365 account administrator to configure your account to use SAML-based federated authentication with the service. To set up single-sign on between Office 365 and the service, you must perform the following actions. Update user attributes mapping in the VMware Identity Manager directory to match Active Directory attributes. Synchronize Active Directory to the directory in the service. Add the Office 365 applications to the service s Catalog and configure the Office 365 settings. Change the settings in the Office 365 domain authentication settings to the VMware Identity Manager settings for single-sign on. Passive and Active Authentication Profiles Two authentication profiles for single sign on to Office 365 are available in the VMware Identity Manager service, passive Web authentication and active client authentication. The Passive authentication profile supports single sign-on to Office 365 Web applications using a Web browser interface. The Office 365 applications include SharePoint Online portal and Outlook Web Apps. Users sign in to the Web application from their My Apps portal with their Active Directory password. If they sign in to a Web application directly, they are redirected to the VMware Identity Manager service for authentication. The Active authentication profile supports single sign-on to the Office rich client applications, such as Lync, Outlook, and the Office subscription applications. Users who sign in to these applications are authenticated through Office 365, which proxies the request to the service on behalf of the client. When you configure Office 365 in the service, you select either Per App password or Active Directory password as the credential verification method to use to sign in to Office 365 native applications. Per App Password. The per app password method is the default. When you select the Per App Password credential verification method, users must configure a password for the Office 365 application in their My Apps portal. The users right-click the Office 365 application in their My Apps Portal and click Set Password to set the password for this application. After they set this password, they configure their Office 365 native client with the same password. A forgotten password cannot be retrieved. If users forget their passwords, they can select the Office 365 app from their My Apps Portal and enter a new password and then update their native client. Active Directory Password. When the Active Directory Password credential verification method is selected, users log in to their native client with their AD password. /2

Adding Office 365 Applications to VMware Identity Manager Catalog To enable single sign-on to Office 365 applications on the service, you must update the user attribute map, configure the apps in the catalog, and copy the service s SAML signing certificate to paste in the Office 365 application. Map User Attributes The service directory syncs to the Active Directory user attributes that you configure. To enable the service to interact with Office 365, the service s user attributes userprincipalname and objectguid must be mapped to the Active Directory user attributes. Procedure 1. In the service s administration console, Identity & Access Management tab, click Setup > User Attributes. 2. In the Default Attributes section, verify that userprincipalname is a required attribute. 3. In the Attributes section, click +. 4. In the text box, enter objectguid. 5. Click Save. The objectguid attributes is added to the directory s Mapped Attributes list. 6. Next, map objectguid to the Active Directory attribute. Go to the Manage > Directories page and select the directory to update. 7. Click Sync Settings > Mapped Attributes. 8. In the Attribute Name in Active Directory column select the attribute to map to objectguid. 9. Click Save. The directory is updated the next time the directory syncs to the Active Directory. /3

Add Office 365 Applications to the Catalog Add the Office 365 SharePoint and Outlook Web Applications to the catalog. Procedure 1. Log in to the VMware Identity Manager administration console. 2. In the Catalog page, click Add Application >...from the cloud application catalog. 3. In the Add an Application page, click the icon for the Office 365 application to add to the catalog. 4. In the Modify application page, click Configuration. 5. In the Application Configuration section, complete the fields as described here. FIELD Target URL Assertion Consumer Service Name ID Format Audience Assertion Lifetime Credential Verification DESCRIPTION Enter your tenant name. Replace {tenant} with your tenant name. For example https://outlook.com/owa/mytenantname Enter the Office 365 sign in page URL. https://login.microsoftonline.com/login.srf In most cases, select Unspecified (username). If your configuration requires a format other than username, select the format from the drop-down menu. Enter the Office 365 service provider unique identifier urn:federation:microsoftonline The assertion issued by the service is valid for 200 seconds by default. You can change this. Select the type of active authentication credential verification method to use to sign in to Office rich client applications. The default is Per App Password. Users must configure a password for their Office 365 native client applications. If your organization uses Active Directory passwords for authentication, select that from the drop-down menu. See the Passive and Active Authentication Profiles section. /4

6. In the Application Parameters section, configure the value for the following names. tenant, enter the Office 365 app s tenant domain, for example, example.com. issuer, enter the Office 365 app tenant issuer URL, for example, demo.example.com. 7. No changes are required in the Attribute Mapping section. 8. Click Save. Download Identity Provider Signing Certificate When you configure single sign-on to Office 365 applications, you must copy the service s signing certificate and send it to the relying Office 365 application s service. 1. In the service s administration console Catalog tab, click Setup > SAML Metadata. /5

2. Copy and save the Signing Certificate text to a.txt or.crt file. Make sure that you include text from ----- BEGIN CERTIFICATE---- through ---------END CERTIFICATE-----. You add the signing certificate text when you configure Office 365. Preparing to Set Up Single Sign On to Office 365 Work with your Microsoft service provider to make sure that your managed Office 365 environment is correctly set up before you configure the Office 365 application in the VMware Identity Manager service for single sign on. The Office 365 directory synchronization tool must have synchronized your Active Directory to the Office 365 account, and the Windows PowerShell must be installed on the Windows server. Configure Office 365 as a Federated Domain for Single Sign-on You must convert your Office 365 managed domain to a federated domain for single sign-on and update the Office 365 account settings to the service settings. Prerequisite Windows PowerShell installed /6

You use Windows PowerShell and run the Set-MsolDomainAuthentication cmdlet to change the domain authentication settings to the VMware Identity Manager settings for single-sign on. 1. Run the Set-MsolDomainAuthentication cmdlet to change the following variables to the service s settings. LINE OF CMDLET DomainName CMDLET VARIABLE OR VARIABLES domain_name REPLACE WITH The fully qualified domain name of the VMware Identity Manager service domain that is registered with Microsoft. example.mycompanydomain_name.com. IssuerUri -FederationBrandName -PassiveLogOnUri -ActiveLogOnUri -LogOffUri -MetadataExchangeUri -SigningCertificate horizon_org_name Federation_server_name host and port host and port host and port host and port SAML signing cert from Application Manager The unique identifier of the domain in the Office 365 identity platform used in the service, such as example. The name of the string value shown to users when signing in, such as Mycompany Inc. The URL that Web-based clients are directed to when signing in, such as https:// myco.vmwareidentity.com:443/saas/api/1.0/post/sso. The URL that specifies the end point used by active clients when authenticating with domain set up for single sign-on. such as https:// myco.vmwareidentity.com/saas/auth/wsfed/active/logo n. The URL clients are redirected to when they sign out, such as https://login.microsoftonline.com/logout.srf. The URL that specifies the metadata exchange end point used for authentication, such as https:// myco.vmwareidentity.com/saas/auth/wsfed/services/m ex. This is the current certificate used to sign tokens passed to the service. Paste the VMware Identity Manager Signing Certificate here. Before you paste the certificate, exclude the text ----- BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from the certificate content. Important. Make sure you do not include additional spaces or extra line returns when you paste the certificate or it will not work. 2. After you have made the changes, verify the federation changes are correct. To do this, type Get-MsolDomainFederationSettings -DomainName <YOUR DOMAIN> Example of the output from the PowerShell cmdlet. Get-MsolDomainAuthentication DomainName myco.vmwareidentity.com Authentication Federated IssuerUri example -FederationBrandName Mycompany, Inc. -PassiveLogOnUri https://host:port/saas/api/1.0/post/sso -LogOffUri https://login.microsoftonline.com/logout.srf -ActiveLogOnUri https://host:port/saas/auth/wsfed/active/logon -MetadataExchangeUri https://myco.vmwareidentity.com/saas/auth/wsfed/services/mex -SigningCertificate /7

MIICKDCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMS0wKwYDVQQDEy1cejoyyM2otqFmfiQjs inm/40tfsj2l7uyrib3jpem9uifnbtuwgu2vszi1tawduzwqgq2vydglmawnhdguxezarbgnvbaot CkhP UklaT043MzAxCzAJBgNVBAYTAlVTMB4XDTEyMDkyMDE4MzIzOFoXDTIyMDkxODE4MzIzOFowUTEtM CsGA1UEAxMkSG9yaXpvbiBTQU1MIFNlbGYtU2lnbmVkIENl cnrpzmljyxrlmrmweqydvqpit1jjwk9onzmwmqswcqydvqqgewjvuzcbnzanbgkqhkig9w0baqefa AOBjQAwgYkCgYEAoYCFzs3pjWke0LhkztflPRv8mhji fjbsq9wlfqbfmkkes8pa47dwr7luhqgsaocfny55m8llll554llelrgchjeni9w6amfizvali7q4k EikTX38IHgAsrg30f4S+Qbr3wj6VmS1wPNFOKqHoqsUbFzI MzAl2BevuFySvZKWx/cCAwEAAaMQMA4wDAYDVUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCHdlshW/ /UzL Testing Single Sign-on Configuration You should test your single sign-on configuration with a small number of users before deploying the application across your organization. Set up User in VMware Identity Manager for Test Perquisite Configure user ID and email address for testing. Verify that the user is listed in the Users & Groups > Users page. Entitle the test user to an Office 365 application. 1. Log in to the VMware Identity Manager administration console. 2. In the Users & Groups page, click Users and ensure that the user you are testing is in the list of users. 3. In the Catalog page, click on the Office 365 application to be tested. 4. On the Modify application page, click Entitlements. 5. Click +Add user entitlement. 6. Select the test user and in the Deployment column drop-down menu, select Automatic. 7. Click Save and then Done. 8. Log out of the administration console. In the header by your name, click the arrow and select Logout. Set Up User in Office 365 for Test You provision a user in Office 365 application to test single sign-on through the VMware Identity Manager service. 1. Log in to the Office 365 portal as the administrator. /8

2. Navigate to the users and groups Add new users page. 3. In the page that appears, in the Display name and a User name text box, enter the test user name The User name is the name used to sign in to Office 365. 4. If you have more than one domain, select the correct domain for this user from the drop-down menu. 5. Click Create to create the test account. Verify Test-User can Sign in to an Office 365 Web Application Now that a user is entitled in the service and set up in Office 365, test that the user can sign in to Office 365 Web application from their My Apps Portal. 1. In the browser, enter the URL to the My Apps Portal sign in page and sign in with the test user name and password. 2. In the My Apps Portal page, click the Office 365 application. You should successfully log in to Office 365. Verify Test-User can Sign in to an Office 365 Native Application Verify that the user can sign in to Office 365 native application. 1. Launch the Office 365 native application installed on the test user s computer. 2. Click the login link for the application and enter the email address and password. a. If the Per App Password is configured, enter the password that was set through the My Apps Portal page. b. If Active Directory password is configured, enter the test user s Active Directory password. You should successfully log in to Office 365. Entitle Users to Office 365 After Office 365 is configured and tested, you can entitle users to the application. 1. Log in to the VMware Identity Manager administration console. 2. In the Catalog page, click on the Office 365 application. 3. On the Modify application page, click Entitlements. 4. Click +Add group entitlement. 5. Select the group for All Users 6. In the Deployment Type column drop-down menu, select Automatic. 7. Click Save and then Done. /9

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information