

Configure Office 365 Federation

This multi-step procedure shows an Office 365 Tenant Administrator how to:

  1. Verify that your root domain ([domain]) is not the default domain for Office 365.
  2. Register the domain with Office 365.
  3. Change the domain authentication method.

Note: This step requires the following information:

Verify that your root domain ([domain]) is not the default domain for Office 365.

Follow these steps:

  1. Open https://portal.microsoftonline.com.
  2. Log in with Office 365 Tenant Administrator credentials.
  3. Click the name of the company to see the company profile.
  4. Confirm that the "default domain" is NOT [domain], or change the default to something other than [domain].
  5. Click Save.

Register the domain with Office 365.

Follow these steps:

  1. Log in with Office 365 Tenant Administrator credentials.
  2. Click Admin, and then select Office 365.
  3. Click DOMAINS present under the Office 365 admin center.
  4. Click Add domain, and then follow the instructions to register an existing domain or buy a new domain.

Change the domain authentication method.

Follow these steps:

  1. Log in to the Windows domain machine as an administrator.
  2. Open Windows Azure Active Directory Module for Windows PowerShell and run the following script, modified for your environment. This script will configure the Office 365 domain for federation.
    # Set-MsolDomainFederationSettings.ps1
    # Note: Unsigned scripts must be permitted with powershell command:
    # Set-ExecutionPolicy RemoteSigned
    
    # The name of the root domain configured and confirmed in Office 365
    $DN = "[domain]"
    
    # The base URL of the Federation installation
    $BURL = "[baseUrl]"
    
    # Your Signing Certificate, excluding "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
    $Cert = "[certificate]"
    
    # The Federation Partnership Name
    $PN = "[partnershipId]"
    
    # The Federation Disambiguation ID
    $DID = "[disambiguationId]"
    
    # The Local Identity Provider Entity ID
    $IUri = "[entityIdLocal]"
    ### End of Configuration
    
    # Passive Requester Service URL
    $PUri = "$BURL/affwebservices/public/wsfeddispatcher/$DID"
    
    # Active Requester Service URL
    $AUri = "$BURL/$PN/ws-username"
    
    # Sign-Out URL
    $LUri = "$BURL/affwebservices/public/wsfeddispatcher/$DID"
    
    # Metadata Exchange URL
    $MUri = "$BURL/$PN/mex"
    
    Write-Host "Enter your Office 365 Administrator credentials"
    Connect-MsolService
    
    # Change the authentication method and set the parameters
    
    Set-MsolDomainAuthentication -Authentication federated -DomainName $DN -ActiveLogOnUri $AUri -IssuerUri $IUri -LogOffUri $LUri -MetadataExchangeUri $MUri -PassiveLogOnUri $PUri -SigningCertificate $Cert
    
    # Set the parameters in case we are updating
    Set-MsolDomainFederationSettings -DomainName $DN -ActiveLogOnUri $AUri -IssuerUri $IUri -LogOffUri $LUri -MetadataExchangeUri $MUri -PassiveLogOnUri $PUri -SigningCertificate $Cert
    
    # Verify the federation settings
    Get-MsolDomainFederationSettings -DomainName $DN
    
    # Verify the federation settings by comparing to the user entered data
    # this particularly ensures that the certificate was uploaded correctly
    $existing = Get-MsolDomainFederationSettings -DomainName $DN
    if ($existing.ActiveLogOnUri -ne $AUri -or
        $existing.IssuerUri -ne $IUri -or
        $existing.LogOffUri -ne $LUri -or
        $existing.MetadataExchangeUri -ne $MUri -or
        $existing.PassiveLogOnUri -ne $PUri -or
        $existing.SigningCertificate -ne $Cert) {
        Write-Output "Please verify your settings. At least one setting was not properly uploaded."
    }
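The script above compares the uploaded certificate as a raw string. As an added example (not part of the original procedure or the product's own scripts), the following PowerShell helper produces the `$Cert` value in the form `-SigningCertificate` expects from a PEM file and then confirms that the certificate Office 365 now holds for the domain is the intended one and is not close to expiry; the path `C:\federation\signing.cer` and the `[domain]` placeholder are assumptions.

```powershell
# Added example: prepare and verify the federation signing certificate.
# Assumes a PEM-encoded signing certificate exported from the identity provider
# at the path below, and that the MSOnline module is already loaded.
$PemPath = "C:\federation\signing.cer"   # assumption: adjust to your export
$DN      = "[domain]"                     # root domain, as in the main script

function Get-Base64CertFromPem {
    # Strips the -----BEGIN/END CERTIFICATE----- lines and all whitespace so
    # the remaining base64 matches what -SigningCertificate expects.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -Path $Path |
             Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }
    return (($lines -join '') -replace '\s', '')
}

function Test-FederationSigningCert {
    # Compares the certificate Office 365 holds for the domain with the local
    # value by thumbprint (not by string), and warns on mismatch or near expiry.
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ExpectedBase64,
        [int]$WarnDays = 30
    )
    $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $local    = New-Object $certType -ArgumentList (,[Convert]::FromBase64String($ExpectedBase64))
    $remote   = (Get-MsolDomainFederationSettings -DomainName $DomainName).SigningCertificate
    if ([string]::IsNullOrEmpty($remote)) {
        Write-Warning "No signing certificate is set on $DomainName."
        return $false
    }
    $remoteCert = New-Object $certType -ArgumentList (,[Convert]::FromBase64String($remote))
    Write-Output ("Local  thumbprint: {0}  expires {1:u}" -f $local.Thumbprint, $local.NotAfter)
    Write-Output ("Remote thumbprint: {0}  expires {1:u}" -f $remoteCert.Thumbprint, $remoteCert.NotAfter)

    $match = $remoteCert.Thumbprint -eq $local.Thumbprint
    if (-not $match) {
        Write-Warning "Office 365 holds a different signing certificate than the one supplied."
    }
    $daysLeft = ($remoteCert.NotAfter - (Get-Date)).Days
    if ($daysLeft -le $WarnDays) {
        Write-Warning "Signing certificate expires in $daysLeft day(s); roll it over before federated sign-in fails."
    }
    return $match
}

$Cert = Get-Base64CertFromPem -Path $PemPath
Connect-MsolService
Test-FederationSigningCert -DomainName $DN -ExpectedBase64 $Cert
```

Run it after the main script; a `$false` result or an expiry warning means the federated domain will not accept tokens from the identity provider as intended.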