
Feb 24

Single Sign On for Office 365

There are two ways to authenticate to Office 365:

  1. Authenticate using the Microsoft Online Services ID.
  2. Authenticate against ADDS (Active Directory Domain Services) by implementing SSO (Single Sign-On) and DirSync (Directory Synchronisation).

When deploying Office 365 you will need to think carefully about how to go about your authentication, as changing it halfway through your deployment or at the end could impact your users.

SSO and DirSync are considered a long-term authentication solution and should not be changed once implemented, as doing so can affect all the users in your organisation.

If you are going to be using SSO and DirSync you will need to make sure you have a UPN suffix added to your ADDS if you are using a non-routable namespace for your ADDS domain name. For example, my lab domain is ak365.local and my Office 365 domain is ak365.co.uk, so in my case I added a UPN suffix for ak365.co.uk in ADDS. This is done through the Active Directory Domains and Trusts tool: right-click the top level of the tree, select Properties and then add the new UPN suffix.
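
The same step done from PowerShell, as an added example that is not part of the original post: it registers the routable suffix on the forest and then lists users whose UPN still ends in the non-routable suffix, since those accounts will not match their Office 365 identity once federated. It assumes the ActiveDirectory module (RSAT) is installed and uses the two domain names from this post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# PowerShell module; domain names are the ones used in the post.
Import-Module ActiveDirectory

$Forest         = 'ak365.local'   # non-routable AD DS forest name from the post
$RoutableSuffix = 'ak365.co.uk'   # public domain verified in Office 365

# Equivalent of adding the suffix in Active Directory Domains and Trusts.
$Suffixes = (Get-ADForest -Identity $Forest).UPNSuffixes
if ($Suffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $RoutableSuffix }
}

# Accounts still carrying the .local suffix cannot be matched by Office 365,
# so report them before DirSync is switched on.
$NonRoutable = Get-ADUser -Filter * |
    Where-Object { $_.UserPrincipalName -like "*@$Forest" }

foreach ($u in $NonRoutable) {
    $Prefix = $u.UserPrincipalName.Split('@')[0]
    $NewUpn = "$Prefix@$RoutableSuffix"
    # -WhatIf only prints the intended change; remove it once the list is reviewed.
    Set-ADUser -Identity $u -UserPrincipalName $NewUpn -WhatIf
}
```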


SSO and DirSync can be achieved using only two servers:

  1. One server running ADFS (Active Directory Federation Services) 2.0. This is also known as Identity Federation.
  2. One server running DirSync.

NB: Up until recently DirSync would only run on a Server 2008 x86 server, but there is now an x64 version that runs on Server 2008 R2.

The ADFS tool used for this is not the role that you can install on your server from Programs and Features; you need to download the tool from here. Also, if you have issues with it you might want to install ADFS Rollup 1.

The ADFS services can also run on a domain controller.

Running this across two servers restricts you to authenticating to Office 365 only from within your organisation's network. If you want to enable SSO from outside your network you will need a third server, which will be your ADFS Proxy. This then lets you use smartphones and other mobile devices to retrieve email using Exchange ActiveSync.

Again, you are restricting yourself with only one ADFS Server and one ADFS Proxy. If the ADFS Server fails and is not accessible then nobody will be able to authenticate, and if your ADFS Proxy fails then your remote workers will not be able to authenticate without logging in through a VPN.

Both the ADFS Server and ADFS Proxy can be installed into farms using Windows NLB (Network Load Balancing), which gives you resilience for authentication: if one server fails you will still be able to log into Office 365. This could take you from three servers to five. The DirSync Server, although an important piece for syncing user information up to Office 365, is not required for authentication, so you can get away with having only one.

SSO is achieved using SSL, so you need to open port 443 to your ADFS Proxy, which sits in your perimeter network, and then open port 443 from the ADFS Proxy in your perimeter network to your ADFS Server in your organisation's network.

NB: If you are testing this you will more than likely be using a self-signed SSL certificate. This works for logging on to the Office 365 web portal and OWA but does not work for Outlook. I constantly got prompts for the password in Outlook when configuring it for the first time. If you are setting this up in a lab you can use something like a free 30-day trial SSL certificate from www.GeoCert.com.

Also, if you are using the ADFS Proxy you will need to maintain two sets of DNS records for your federated domain: an internal record in your AD DNS that points to the ADFS Server, and a public DNS record for external authentication. This means you will have two copies of all your DNS records to keep in sync.

Another thing to mention is that once you are running DirSync you cannot simply add additional email aliases to users through the Office 365 admin portal. To add additional email aliases to a user's account you will need to add them via the proxyAddresses attribute in ADSIEdit.msc.

So that you do not change the default email address you will need to add that to the list as well, but it must be added with an upper-case prefix, as SMTP:andrew@ak365.co.uk; any other aliases after that are added with a lower-case prefix, as smtp:andy@ak365.co.uk, etc.
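
The same edit scripted with the ActiveDirectory module instead of ADSIEdit, as an added example that is not part of the original post. It assumes `andrew` is the user's sAMAccountName, uses the two addresses from the post, and checks afterwards that exactly one upper-case SMTP: entry remains, because DirSync reports a sync error for a user with none or more than one primary.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and that 'andrew' is the sAMAccountName; addresses are those used in the post.
Import-Module ActiveDirectory

$User    = 'andrew'                   # assumption: account to edit
$Primary = 'SMTP:andrew@ak365.co.uk'  # upper-case SMTP: marks the primary address
$Aliases = @('smtp:andy@ak365.co.uk') # lower-case smtp: marks secondary aliases
$Desired = @($Primary) + $Aliases

# proxyAddresses is multi-valued; read what is there now.
$Current = @((Get-ADUser -Identity $User -Properties proxyAddresses).proxyAddresses)

# Entries that clash with the desired set: any other upper-case primary (-cmatch is
# case-sensitive), or the same address carrying a different prefix/casing.
$Stale = $Current |
    Where-Object { ($_ -cmatch '^SMTP:') -or ($Desired -icontains $_) } |
    Where-Object { $Desired -cnotcontains $_ }
if ($Stale) {
    Set-ADUser -Identity $User -Remove @{ proxyAddresses = @($Stale) }
}

# Add whatever is not already present with exactly the right prefix.
$Missing = $Desired | Where-Object { $Current -cnotcontains $_ }
if ($Missing) {
    Set-ADUser -Identity $User -Add @{ proxyAddresses = @($Missing) }
}

# Verify: exactly one SMTP: primary, otherwise DirSync will flag the object.
$Final = @((Get-ADUser -Identity $User -Properties proxyAddresses).proxyAddresses)
$PrimaryCount = @($Final | Where-Object { $_ -cmatch '^SMTP:' }).Count
if ($PrimaryCount -ne 1) {
    Write-Warning "$User has $PrimaryCount primary SMTP addresses; DirSync expects one."
}
$Final
```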

DirSync by default syncs to Office 365 every 3 hours, so any changes you make or users you add will show up in Office 365 within 3 hours. If this is too long you can force an update by following the instructions at this link:

http://technet.microsoft.com/en-us/library/cc742659.aspx

I'll put up a how-to guide on configuring DirSync and SSO later on; however, a lot of the information I used came from these two blogs:

http://blogs.catapultsystems.com/tharrington/archive/2011/04/11/active-directory-federation-services-adfs-2-0-with-office-365-part-2-%E2%80%93-configuring.aspx?id=71&list=f6019022-cb8b-4e0e-9058-14a0f5e5889e&itemid=71

http://blogs.msdn.com/b/plankytronixx/archive/2011/01/24/video-screencast-complete-setup-details-for-federated-identity-access-from-on-premise-ad-to-office-365.aspx

However, it is worth mentioning that both of these were written for the Office 365 Beta. It has been on general release since July (if I remember correctly) and some of the PowerShell commands have changed, but the principle is the same.

1 comment

  1. Thomas G says:

    Very informative. Thanks
