
Single Sign On (SSO) with Office 365

JumpCloud® Directory-as-a-Service® is the world’s first comprehensive cloud directory, and integrates directly with the Microsoft® cloud productivity suite, Office 365TM, through SAML 2.0 single sign on (SSO), also referred to as Federation in the Office 365 suite.

This KB walks you through configuring JumpCloud's SAML SSO connector for Office 365. Be sure to read the important information in Step 1 before you start to configure your Office 365 SSO connector. 
 
This KB includes:

Step 1 - Read Important Information

Important: Read all of the information in this section before proceeding to step 2. 
 
  • SSO isn't available for users until they are synced to Office 365 through JumpCloud's integration with Office 365. Learn how to integrate JumpCloud with Office 365.
  • When SSO is enabled, all users in the email domain you are configuring for SSO are affected. After SSO is enabled, users aren't able to log in to Office 365 using password authentication.  
  • To successfully complete (SSO) integration between JumpCloud and Office 365, you must use a Global Administrator account in Office 365.
  • The default domain defined in Office 365 must NOT be the domain used for SSO. This usually requires setting the *.onmicrosoft.com domain to default in the Office 365 Portal.
  • SSO with existing AD Sync - If you want to use JumpCloud's SSO, but still use a local Active Directory to manage your Office 365 users, you must import your users into JumpCloud using the Directories tool before SSO becomes available.
    Note: If AD Directory Sync is active for your organization, JumpCloud isn't able to update your users in Office 365. SSO will still function based on users' JumpCloud log in.
  • If you are migrating your Office 365 users from AD Sync to JumpCloud management, JumpCloud can't manage the users until Directory Sync is disabled. To disable directory sync:
    1. If you have the Azure Active Directory Module for Windows PowerShell installed, move to the next step; otherwise install the module: Azure Active Directory Module for Windows PowerShell.
    2. Run the Azure Active Directory PowerShell command Get-MsolCompanyInformation and check the DirectorySynchronizationEnabled field.
    3. To disable directory sync, run the command:
       Set-MsolDirSyncEnabled -EnableDirSync $false
       Note: This setting applies to all domains in your Office 365 account, not just SSO domains.
  • Exchange Online: By default, the Modern Authentication required for third-party SAML SSO to work with Office 365 is enabled for Exchange Online, though administrators can change this setting. Before you continue to set up SSO, verify that it is enabled in your organization.
  • To read more on Modern Authentication and how it affects Office applications: Modern Authentication and Office Applications
  • To verify if Modern Authentication is enabled:
  1. If you have the Azure Active Directory Module for Windows PowerShell installed, proceed to the following step. Otherwise, install the module: Azure Active Directory Module for Windows PowerShell.
  2. Connect to Exchange Online and check if Modern Authentication is turned on by entering the following commands in order:
    • Store your Office 365 admin credentials:

      $UserCredential = Get-Credential

    • Create the Office 365 session:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    • Connect to the Office 365 Exchange session:

      Import-PSSession $Session -DisableNameChecking

    • Run the command to verify Modern Authentication:

      Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

      You should see results like this:

          Name                          OAuth2ClientProfileEnabled
          ----                          --------------------------
          testdomaincom.onmicrosoft.com True
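The three conditions called out in Step 1 (directory sync off, SSO domain not the default domain, Modern Authentication on) can be checked in one pass before anything is federated. The script below is an added example, not JumpCloud's code. It assumes the MSOnline module is loaded and connected (Connect-MsolService) and that an Exchange Online session exposing Get-OrganizationConfig exists, either the Import-PSSession method shown above or Connect-ExchangeOnline from Microsoft's ExchangeOnlineManagement module, which has since replaced the Basic-authentication remoting session. The function name and its messages are the example's own.

```powershell
# Added example (not from the KB): pre-flight checks for the Step 1 requirements.
# Assumes an existing MSOnline connection and an Exchange Online session.
function Test-O365SsoReadiness {
    param(
        [Parameter(Mandatory)] [string] $SsoDomain   # the domain you intend to federate, e.g. yourdomain.com
    )

    $problems = @()

    # 1. Directory sync must be off, or JumpCloud cannot manage these users.
    $company = Get-MsolCompanyInformation
    if ($company.DirectorySynchronizationEnabled) {
        $problems += "DirectorySynchronizationEnabled is True; run 'Set-MsolDirSyncEnabled -EnableDirSync `$false' first."
    }

    # 2. The domain must exist in the tenant and must not be the default domain.
    try {
        $dom = Get-MsolDomain -DomainName $SsoDomain -ErrorAction Stop
        if ($dom.IsDefault) {
            $problems += "$SsoDomain is the default domain; make the *.onmicrosoft.com domain default before federating."
        }
        if ($dom.Authentication -eq 'Federated') {
            $problems += "$SsoDomain is already Federated; check which IdP it currently points at before re-federating."
        }
    } catch {
        $problems += "Domain $SsoDomain was not found in this tenant: $($_.Exception.Message)"
    }

    # 3. Modern Authentication (OAuth2ClientProfileEnabled) must be on in Exchange Online.
    $orgConfig = Get-OrganizationConfig
    if (-not $orgConfig.OAuth2ClientProfileEnabled) {
        $problems += "OAuth2ClientProfileEnabled is False; enable Modern Authentication in Exchange Online."
    }

    if ($problems.Count -eq 0) {
        Write-Host "Pre-flight checks passed for $SsoDomain." -ForegroundColor Green
    } else {
        Write-Warning "Do not enable SSO yet:"
        $problems | ForEach-Object { Write-Warning "  - $_" }
    }
    return $problems    # empty array means ready
}

# Usage (placeholder domain):
# Test-O365SsoReadiness -SsoDomain 'yourdomain.com'
```

The function returns the list of blocking problems rather than just printing them, so it can gate a larger automation run: an empty result means every Step 1 precondition held at the moment of the check.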
 

Step 2 - Prerequisites
 

Note: The following steps only need to be applied on the system of the administrator who is configuring SAML for SSO. For reference, view Microsoft's Use a SAML 2.0 identity provider to implement single sign on.
  1. Generate a public certificate and private key pair.
  2. Install the Microsoft Online Services Sign-In Assistant. This assistant is only supported on Windows systems.
  3. Install the Azure Active Directory Module for Windows PowerShell. This module is only supported on Windows systems.
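Prerequisite 1 does not say how to produce the private.pem and cert.pem files that Step 3 uploads. The script below is an added example, not JumpCloud's code: it calls openssl (assumed to be on PATH) to create an unencrypted RSA-2048 key and a self-signed certificate, loads the certificate back through .NET to confirm it is well-formed, and tightens the file ACL on the private key, since that key is the IdP's signing secret. The subject name, validity period and output directory are placeholders.

```powershell
# Added example (not from the KB): generate the key pair and certificate for Step 2.
# Assumes openssl.exe is on PATH; subject and validity are placeholders.
param(
    [string] $Subject = "/CN=jumpcloud-office365-sso",   # placeholder subject
    [int]    $Days    = 1095,                            # three-year validity
    [string] $OutDir  = "."
)

$keyPath  = Join-Path $OutDir "private.pem"
$certPath = Join-Path $OutDir "cert.pem"

# One openssl call produces the key and a self-signed certificate.
# -nodes leaves the key unencrypted because the connector expects the raw PEM.
& openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days $Days `
    -subj $Subject -keyout $keyPath -out $certPath
if ($LASTEXITCODE -ne 0) { throw "openssl failed with exit code $LASTEXITCODE" }

# Strip the PEM armour and parse the DER body to prove the certificate is usable.
$pem  = Get-Content $certPath -Raw
$b64  = $pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))

# Restrict the private key file to the current user only (no inherited ACEs).
$acl = Get-Acl $keyPath
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl $keyPath $acl

# Report what an admin will want to record about the signing certificate.
[pscustomobject]@{
    Certificate = $certPath
    PrivateKey  = $keyPath
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
}
```

Note the NotAfter value: Office 365 validates SAML signatures against the certificate registered with Set-MsolDomainAuthentication, so the expiry date is the date by which a new certificate must be uploaded to the connector and re-registered with the tenant.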
 

Step 3 - Configure the JumpCloud SSO Application

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to Applications, then click ( + ). The Configure New Application panel appears.
  3. Search for "Office 365," then click configure to the right of the application name.
  4. You can upload a service provider application's XML metadata file to populate SAML connector attributes for that application. The attributes populated by the metadata file may vary by the application. To apply a metadata file for the application you're connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You'll see a confirmation of a successful upload. Be aware that if you upload more than one metadata file, you'll overwrite the attribute values applied in the previously uploaded file.
  5. If you don't upload a metadata file, specify the following information:
  • In the IDP Entity ID field, enter your Office 365 domain (e.g. yourdomain.com). This value must match the value you specify for the IssuerURI.
  • Select Upload IdP Private Key and upload the private.pem file generated according to the above prerequisites.
  • Select Upload IdP Certificate and upload the cert.pem file generated according to the above prerequisites.
  • In the IDP-Initiated URL field enter your Office 365 domain in place of (YOUR_DOMAIN).
  • In the IdP URL field, either leave the default value or enter a plaintext string unique to this connector.
  • (Optional) In the Display Label field, enter a label that will appear beside the Office 365 logo in the JumpCloud Portal to guide administrators and users to the connection you have configured.
  6. Click Activate.


Step 4 - Configuring the Service Provider

You have two options to configure Office 365 as the Service Provider:  

Configure the Service Provider using the JumpCloud.Office365.SSO PowerShell Module

PowerShell Module Step 1: Verify Requirements
PowerShell Module Step 2: Install the JumpCloud.Office365.SSO module
PowerShell Module Step 3: Export the JumpCloud Office 365 metadata XML
PowerShell Module Step 4: Run Command to enable the Office 365 domain for federation

 

Module Requirements

  • A Windows computer
  • A PowerShell session 'Run-As Administrator'
  • The ExecutionPolicy of the PowerShell session set to 'RemoteSigned'
  • PowerShell 5 or newer

If you are running an older version of PowerShell, refer to this document to find the MSI package for installing PowerShellGet. Alternately, upgrade your PowerShell version.

Notes About ExecutionPolicy:

  • To install a module from the PowerShell Gallery, admins must have an execution policy set which lets you load configuration files and run scripts.
  • To load modules from the PowerShell Gallery, admins should set their execution policy to RemoteSigned.

    The following command sets the execution policy to RemoteSigned on Windows machines running PowerShell version 3.0 or higher:
    Set-ExecutionPolicy RemoteSigned

     
  • To see the current execution policy, admins can run the following command:
    Get-ExecutionPolicy
 
After admins have confirmed the module installation prerequisites listed above, they can run the following install command from a PowerShell console that is run as an administrator:

Install-Module JumpCloud.Office365.SSO
 

Exporting the JumpCloud Office 365 metadata XML

All commands in the JumpCloud.Office365.SSO module use XML metadata from the corresponding JumpCloud Office 365 SSO application.

To export the metadata for the application:
  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to Applications
  3. Locate and select the Office 365 SSO application, then click export-metadata under the search bar.
 

Run Command to enable the Office 365 Domain for Federation

To run the command:
1. Browse to the directory where you downloaded the metadata XML file. 
2. Launch a PowerShell and run it as an administrator.
3. Run the following command:  

Enable-JumpCloud.Office365.SSO -XMLFilePath .\JumpCloud-office365-metadata.xml

Note: The Enable-JumpCloud.Office365.SSO command enables an Office 365 domain for Federated (SSO) authentication and requires input from the JumpCloud Office 365 XML metadata file to fill out the required fields of the Set-MsolDomainAuthentication command.

Command Execution

The command first checks and ensures the MSOnline module is installed. If this module isn't installed, it installs it from the PowerShell gallery.

After installing the MSOnline module, it prompts users to log in with their Office365 administrator account to connect to the Office365 tenant, unless a valid credential is detected.

Finally, the command runs the Set-MsolDomainAuthentication command with the required parameters for Federated authentication specified with metadata from the JumpCloud Office 365 XML metadata file.

Note that it can take up to 20 minutes for the Office 365 sign-in process to update to Federated across all Microsoft tenants and to be reflected in the JumpCloud User Portal.

From here, you can test the authentication workflow to validate that you’ve set up SSO successfully.

 

STEP 5 - Validate SSO authentication workflows

IdP Initiated
  • Log in to the JumpCloud User Portal (https://console.jumpcloud.com) as a user that has been imported from your Office 365 account (AD Sync-users), or that has been exported or provisioned to Office 365 by JumpCloud.
  • Click the Office 365 application icon. This should automatically launch and log in to the Office 365 application.
SP-Initiated
  • In your Web browser, go to https://portal.office.com.
  • Enter an email address that is associated with a user that has been imported from your Office 365 account (AD Sync-users), or that has been exported or provisioned to Office 365 by JumpCloud.
  • If necessary, log in to the JumpCloud User Portal. You should be logged in to the Office 365 application.

Alternative Manual Service Provider Set Up Method

If you don't want to use the JumpCloud.Office365.SSO module, you can use the following command in the MSOnline module to configure SSO.

To run the command:

  1. Start PowerShell on a system with the Azure Active Directory Module for Windows PowerShell installed.
  2. Define the variables used in the following steps.
  3. Store your administrator credentials. This prompts for a login; the username accepts UPN format, such as username@yourdomain.tld:
     $cred=Get-Credential
  4. Connect with the saved credentials:

    Connect-MsolService -Credential $cred
     
  5. Define your Office 365 Domain:

    $domain="yourdomain.tld"

     
  6. Define the idpUrl. This is the same value as the IDP URL in the connector; the default value is shown:
    $idpUrl="https://sso.jumpcloud.com/saml2/office365"

     
  7. Define a logout URL:
    $logoutUrl="https://console.jumpcloud.com/userconsole/"

     
  8. Define the public cert generated in the prerequisites.
    Important: This variable can't contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and can't contain spaces or newlines.
    Suggestion: Export the metadata file from your JumpCloud SSO configuration and copy the certificate string between <ds:X509Certificate> and </ds:X509Certificate>

    $certificate="MIIDtTCCAp2gAwIBAgIJAJUpvv+YllN1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQY...TRUNCATED...wcsC1lArmug//RG+BPp6yT6qhsm4g4wVcxpHWT8cA1py0TQaIQbNnBqNLDbQJl9oJ3PB9eiKEpEWtdtmcQOW3yB1AdxsQBKxtaNT5PypyLqnJ+e8="

  9. Define the Issuer URI. This must be the same value as the IDP Entity ID previously defined:
    $issuerUri="yourdomain.com"

     
  10. Run the following to enable SSO for the defined domain:
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain -Authentication Federated -IssuerUri $issuerUri -LogOffUri $logoutUrl -PassiveLogOnUri $idpUrl -ActiveLogOnUri $idpUrl -SigningCertificate $certificate -PreferredAuthenticationProtocol SAMLP
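The manual steps above, and the Command Execution description of what Enable-JumpCloud.Office365.SSO does, come together in the script below. It is an added example, not JumpCloud's module or the KB's own commands: it reads the signing certificate out of the exported metadata XML (the suggestion in step 8) instead of relying on a hand-pasted string, checks the certificate parses and has not expired, refuses to federate the tenant's default domain, runs Set-MsolDomainAuthentication, and reads the domain back to confirm it is Federated. It assumes the MSOnline module is installed, that the metadata's EntityDescriptor entityID attribute carries the connector's IDP Entity ID (an assumption; pass -IssuerUri explicitly if it does not), and the file path, domain and URLs are placeholders.

```powershell
# Added example (not from the KB): federate a domain from the exported metadata XML.
# Assumes the MSOnline module; path, domain and URLs are placeholders.
param(
    [Parameter(Mandatory)] [string] $Domain,                                  # e.g. yourdomain.tld
    [string] $MetadataPath = ".\JumpCloud-office365-metadata.xml",
    [string] $IdpUrl       = "https://sso.jumpcloud.com/saml2/office365",     # connector IDP URL
    [string] $LogoutUrl    = "https://console.jumpcloud.com/userconsole/",
    [string] $IssuerUri    = ""                                               # defaults to metadata entityID
)

# Pull the base64 certificate body out of <ds:X509Certificate>. A namespace
# manager matches on the real namespace, not on whatever prefix the file uses.
[xml] $metadata = Get-Content $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$certNode = $metadata.SelectSingleNode('//ds:X509Certificate', $ns)
if (-not $certNode) { throw "No ds:X509Certificate element found in $MetadataPath" }
$certificate = $certNode.InnerText -replace '\s', ''   # no armour, spaces or newlines, as step 8 requires

# IssuerUri must equal the IDP Entity ID; assumed to be the EntityDescriptor entityID.
if (-not $IssuerUri) {
    $root = $metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $root -or -not $root.GetAttribute('entityID')) { throw "Could not read entityID; pass -IssuerUri" }
    $IssuerUri = $root.GetAttribute('entityID')
}

# The certificate must parse as X.509 and still be valid before it is registered.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certificate))
if ($x509.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($x509.NotAfter)" }
Write-Host "Registering signing certificate $($x509.Thumbprint), valid until $($x509.NotAfter)"

Connect-MsolService -Credential (Get-Credential -Message "Office 365 Global Administrator")

# Step 1 requirement: never federate the default domain.
$dom = Get-MsolDomain -DomainName $Domain -ErrorAction Stop
if ($dom.IsDefault) { throw "$Domain is the default domain; make the *.onmicrosoft.com domain default first." }

Set-MsolDomainAuthentication -DomainName $Domain -FederationBrandName $Domain `
    -Authentication Federated -IssuerUri $IssuerUri -LogOffUri $LogoutUrl `
    -PassiveLogOnUri $IdpUrl -ActiveLogOnUri $IdpUrl -SigningCertificate $certificate `
    -PreferredAuthenticationProtocol SAMLP

# Read the domain back; Authentication should now be Federated.
Get-MsolDomain -DomainName $Domain | Select-Object Name, Authentication, IsDefault
```

Reading the certificate and issuer from the metadata file removes the two most common manual mistakes in this procedure: a certificate string that still contains newlines or armour lines, and an IssuerUri that does not match the IDP Entity ID configured in the connector.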
 

Additional Information

 

Last Updated: Jun 12, 2019 02:46PM MDT
