Can we configure ADFS and Office 365 to use SAML authentication for SSO?

Sid Ghosalkar 0 Reputation points
2023-05-16T12:35:57.0133333+00:00

By default, ADFS and Office 365 use WS-Fed authentication for SSO. Can we configure SAML here in place of WS-Fed?

If Yes, can you please provide the documentation or reference links for the same? If Not, please let me know.

As I am working on this integration, I am facing so many issues as below:

  1. AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid.
  2. AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
  3. AADSTS500082: SAML assertion is not present in the token.

I have referred to this link, but it uses WS-Fed integration:

https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/active-directory/set-up-adfs-for-single-sign-on

I have also used AAD Connect for a hybrid environment.

I am looking for the SAML integration between ADFS and Office 365. Can you please guide me?


1 answer

  1. Sandeep G-MSFT 14,326 Reputation points Microsoft Employee
    2023-05-17T06:48:19.81+00:00

    @Sid Ghosalkar

    Yes, you can configure Office 365 as a relying party in ADFS using the SAML protocol. First you will have to create the relying party configuration in ADFS, and then you will have to update the settings of Office 365 using PowerShell.

    You can follow the steps below to configure Office 365 as a relying party in ADFS:

    Add Office 365 as a relying party in ADFS

    • Open the ADFS Management Console.
    • Click on "Relying Party Trusts" and then click on "Add Relying Party Trust".
    • Follow the wizard to add a new relying party trust.
    • In the "Select Data Source" step, select "Enter data about the relying party manually".
    • In the "Specify Display Name" step, enter a display name for the relying party.
    • In the "Choose Profile" step, select "AD FS profile".
    • In the "Configure Certificate" step, select the certificate that you want to use for signing and encrypting SAML tokens.
    • In the "Configure URL" step, enter the URL of the Office 365 federation metadata file: https://login.microsoftonline.com/<your_tenant_name>/FederationMetadata/2007-06/FederationMetadata.xml
    • In the "Configure Identifiers" step, enter the following identifier: urn:federation:MicrosoftOnline
    • In the "Choose Access Control Policy" step, select "Permit everyone".
    • In the "Ready to Add Trust" step, review your settings and click "Finish".

    Configure Office 365 as a relying party in ADFS

    • Open the ADFS Management Console.
    • Click on "Relying Party Trusts" and then select the relying party that you just added.
    • Click on "Edit Claim Rules".
    • Click on "Add Rule".
    • Select "Send LDAP Attributes as Claims" and click "Next".
    • Enter a name for the claim rule and select the LDAP attribute that you want to use as the claim value.
    • Click "Finish" to create the claim rule.

    Configure settings on Office 365 using PowerShell

    • Open Windows PowerShell as administrator from any Windows device.
    • Run the Install-Module MSOnline command.
    • If you're prompted to install the NuGet provider, type Y and press Enter.
    • If you're prompted to install the module from PSGallery, type Y and press Enter.
    • Once the module is installed, you can run the commands below:
    • Connect-MsolService (enter the global administrator credentials of your Azure AD)
    • You will have to run the command "Set-MsolDomainAuthentication" to configure this. Many parameters are passed to this command. You can get these parameters from the article below: https://learn.microsoft.com/en-us/powershell/module/msonline/set-msoldomainauthentication?view=azureadps-1.0
    • You can get the parameter values from the ADFS metadata.

    Let me know if you have any further questions. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

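One way to derive the `Set-MsolDomainAuthentication` values from the ADFS metadata, as the answer above describes. This is an added example, not part of the original answer; the metadata document, host names, domain, certificate placeholder and the helper `Get-SamlFederationSettings` are constructed for illustration.

```powershell
# Constructed sample of AD FS federation metadata; replace with the real document.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>BASE64-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

# Hypothetical helper: maps SAML 2.0 IdP metadata to Set-MsolDomainAuthentication parameters.
function Get-SamlFederationSettings {
    param([Parameter(Mandatory)][xml]$Metadata, [Parameter(Mandatory)][string]$DomainName)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    $idp  = $Metadata.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'Metadata has no IDPSSODescriptor; not a SAML 2.0 IdP document.' }

    # The first signing KeyDescriptor is used; check for a second one during certificate rollover.
    $cert = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    $sso  = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$post']", $ns)
    $slo  = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$post']", $ns)
    if (-not ($cert -and $sso -and $slo)) { throw 'Signing certificate or HTTP-POST endpoint missing.' }

    @{
        DomainName                      = $DomainName
        Authentication                  = 'Federated'
        PreferredAuthenticationProtocol = 'SAMLP'
        IssuerUri                       = $Metadata.DocumentElement.GetAttribute('entityID')
        PassiveLogOnUri                 = $sso.GetAttribute('Location')
        LogOffUri                       = $slo.GetAttribute('Location')
        SigningCertificate              = ($cert.InnerText -replace '\s', '')
    }
}

$settings = Get-SamlFederationSettings -Metadata $sampleMetadata -DomainName 'example.com'
$settings | Format-Table -AutoSize
# After Connect-MsolService, review the values and apply them with splatting:
# Set-MsolDomainAuthentication @settings
```

Compare the printed `IssuerUri` and `SigningCertificate` with what ADFS actually places in the issued assertion before applying the settings to the domain.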