Set up a trust between Shibboleth and Azure AD

Updated: June 25, 2015

Applies To: Azure, Office 365, Power BI, Windows Intune

Azure AD domains are federated using the Microsoft Azure Active Directory Module for Windows PowerShell. You will use this topic to run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on.

Important

Before you can complete the instructions in this topic, you must review and complete the steps in Install Windows PowerShell for single sign-on with Shibboleth.

Each Active Directory domain that you want to federate using Shibboleth must either be added as a single sign-on domain or converted to be a single sign-on domain from a standard domain. Adding or converting a domain sets up a trust between Shibboleth Identity Provider and Azure Active Directory.

The following procedure walks you through how to convert an existing standard domain to a federated domain.

  1. Open the Microsoft Azure Active Directory Module.

  2. Run $cred=Get-Credential. When the cmdlet prompts you for credentials, type your cloud service administrator account credentials.

  3. Run Connect-MsolService -Credential $cred. This cmdlet connects you to Azure AD. Creating a context that connects you to Azure AD is required before running any of the additional cmdlets installed by the tool.

  4. Run the following commands to convert an existing domain (in this example, mail.contoso.com) for single sign-on:

    # Domain to federate and the Shibboleth IdP endpoints it will trust
    $dom = "mail.contoso.com"
    $url = "https://idp.contoso.com/idp/profile/SAML2/POST/SSO"
    $ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP"
    $uri = "https://idp.contoso.com/idp/shibboleth"
    $logouturl = "https://idp.contoso.com/logout/"
    # Base64-encoded IdP signing certificate (no PEM header/footer, no line breaks), truncated here
    $cert = "MIIFYzCCBEugAw...2tLRtyN"

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP


    Note

    You must run $ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP" only if you set up the Shibboleth Identity Provider ECP extension. Though an optional step, it is recommended that you install the Shibboleth Identity Provider ECP extension in order for single sign-on to work with a smartphone, Microsoft Outlook or other clients. For more information, see "Optional: Install the Shibboleth ECP Extension" in Configure Shibboleth for use with single sign-on.
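The following script is an added example and is not part of this topic or of the Azure AD module itself. It carries the procedure above one step further: instead of pasting the issuer, endpoints and signing certificate by hand, it reads them from the Shibboleth IdP's own metadata, checks the certificate before trusting it, and reads the federation settings back from Azure AD to confirm the trust was recorded as intended. It assumes Connect-MsolService has already been run and that the IdP metadata has been copied to C:\shibboleth\idp-metadata.xml (a placeholder path).

```powershell
# Added example, not from the original topic. Assumes Connect-MsolService has run and
# the Shibboleth IdP metadata is at C:\shibboleth\idp-metadata.xml (placeholder path).
$dom = "mail.contoso.com"
$logouturl = "https://idp.contoso.com/logout/"
[xml]$md = Get-Content -Path "C:\shibboleth\idp-metadata.xml"

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)

# IssuerUri must equal the IdP entityID exactly: Azure AD compares the assertion
# <Issuer> against it and rejects anything that differs.
$uri = $md.DocumentElement.GetAttribute("entityID")

# Endpoints are keyed by SAML binding: HTTP-POST for browser sign-in, SOAP for ECP.
$post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
$soap = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
$url    = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$post']", $ns).GetAttribute("Location")
$ecpUrl = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$soap']", $ns).GetAttribute("Location")

# SigningCertificate is the base64 DER body of the KeyDescriptor marked use="signing"
# (a KeyDescriptor with no use attribute serves both signing and encryption).
$certNode = $idp.SelectSingleNode(
    "md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$cert = $certNode.InnerText -replace '\s', ''

# Parse it before trusting it: a malformed or soon-to-expire signer breaks every sign-in.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($cert))
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "IdP signing certificate $($x509.Thumbprint) expires $($x509.NotAfter); rotate it first."
}

Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated `
    -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -ActiveLogOnUri $ecpUrl `
    -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

# Read the trust back and compare it with what was sent before routing users through it.
if ((Get-MsolDomain -DomainName $dom).Authentication -ne "Federated") {
    throw "$dom is still a managed domain"
}
$fs = Get-MsolDomainFederationSettings -DomainName $dom
$expected = @{ IssuerUri = $uri; PassiveLogOnUri = $url; ActiveLogOnUri = $ecpUrl; SigningCertificate = $cert }
foreach ($p in $expected.GetEnumerator()) {
    if ($fs.($p.Key) -ne $p.Value) {
        throw "Federation setting $($p.Key) does not match what was sent: $($fs.($p.Key))"
    }
}
"Federation for $dom verified: issuer $uri, signer $($x509.Thumbprint), valid until $($x509.NotAfter)"
```

If the IdP does not publish a SOAP SingleSignOnService (the ECP extension is not installed), $ecpUrl will be empty and should be omitted from the Set-MsolDomainAuthentication call, as the note above describes.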

See Also

Concepts

Install Windows PowerShell for single sign-on with Shibboleth
Use Shibboleth Identity Provider to implement single sign-on