How to: Change an ACS Configuration to Support Single Sign-On with Office 365 and SharePoint
You can change your Access Control Service (ACS) configuration in Microsoft Dynamics NAV 2013 if you want to combine access to the Microsoft Dynamics NAV Web client with your Office 365 account. In a default deployment of Microsoft Dynamics NAV, users must sign in to Office 365 and Microsoft Dynamics NAV separately. By changing the configuration, users will sign in to Office 365 and then be automatically signed in to Microsoft Dynamics NAV, or the other way around. Users in the Microsoft Dynamics NAV Windows client also benefit from this single sign-on (SSO), but only if they choose the Keep me signed in field in the sign-in dialog box.
Your Office 365 account uses Windows Azure Active Directory for user authentication. You can combine the Office 365 authentication with an ACS configuration of Microsoft Dynamics NAV 2013 to achieve single sign-on between Microsoft Dynamics NAV and Office 365.
Changing a deployment to combine Office 365 and ACS has the following prerequisites:
Your Microsoft Dynamics NAV deployment already uses ACS through one of the predefined identity providers, such as Windows Live ID. For more information, see How to: Configure a Deployment for ACS.
You have an Office 365 account that you sign in to with a username such as MyUser@MyDomain.onmicrosoft.com. For more information, see Select an Office 365 plan for business online.
Changing a configuration to support single sign-on between Office 365 and Microsoft Dynamics NAV requires the following main steps:
Configure a WS-Federation identity provider
Reconfigure your existing relying party application to use only the new identity provider
Reconfigure your rule group to handle tokens from your Office 365 account
Configure the Office 365 account to accept authentication from Microsoft Dynamics NAV
To configure a WS-Federation identity provider
Open the Access Control Service portal for your existing ACS namespace. For more information, see How to: Configure a Deployment for ACS.
Add a new identity provider based on the WS-Federation identity provider template. For more information, see How to configure AD FS 2.0 as an Identity Provider in the MSDN Library.
In the Add WS-Federation Identity Provider page, fill in the fields as described in the following table.
| Field | Description |
| --- | --- |
| Display name | Specify a name, such as the name of the Office 365 account. For example, MyDomain.onmicrosoft.com. |
| WS-Federation metadata URL | Specify the federation metadata location for your Office 365 account, such as https://login.windows.net/MyDomain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml, where MyDomain is your Office 365 account name. |
| Login link text | Specify a descriptive name, such as Office 365 MyDomain.onmicrosoft.com, where MyDomain is your Office 365 account name. This value is only used if you configure your relying party to support multiple identity providers. |
| Relying party applications | Make sure your existing relying party is selected. |
Choose the Save button.
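A pre-check for the federation metadata document named in the WS-Federation metadata URL field, as an added PowerShell example that is not part of the original Microsoft procedure: ACS imports the identity provider's signing keys from this document, so the check confirms that the URL and the sign-in endpoints use HTTPS and that a signing key is present. Test-FederationMetadata is a hypothetical helper, and the XML is a constructed sample with placeholder values.

```powershell
# Added example, not Microsoft's code. Test-FederationMetadata is a hypothetical helper.
function Test-FederationMetadata {
    param([string] $MetadataUrl, [string] $MetadataXml)
    $problems = @()
    # ACS takes the issuer's signing keys from this document, so require HTTPS.
    if ($MetadataUrl -notlike 'https://*') { $problems += 'Metadata URL is not HTTPS' }

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never resolve external DTDs or entities
    $doc.LoadXml($MetadataXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')

    $entityId = $doc.DocumentElement.GetAttribute('entityID')
    if (-not $entityId) { $problems += 'No entityID on the root element' }
    $keys = $doc.SelectNodes("//md:KeyDescriptor[@use='signing']", $ns)
    if ($keys.Count -eq 0) { $problems += 'No signing KeyDescriptor' }
    $addresses = @($doc.SelectNodes('//fed:PassiveRequestorEndpoint//wsa:Address', $ns) |
        ForEach-Object { $_.InnerText.Trim() })
    if ($addresses.Count -eq 0) { $problems += 'No PassiveRequestorEndpoint address' }
    foreach ($a in $addresses) { if ($a -notlike 'https://*') { $problems += "Sign-in endpoint is not HTTPS: $a" } }

    [pscustomobject]@{
        EntityId = $entityId; SigningKeys = $keys.Count
        SignInEndpoints = $addresses; Problems = $problems
    }
}

# Constructed sample metadata: placeholder issuer, certificate omitted.
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://sts.example.invalid/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><!-- certificate omitted --></KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.windows.net/MyDomain.onmicrosoft.com/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
'@
$url = 'https://login.windows.net/MyDomain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml'
Test-FederationMetadata -MetadataUrl $url -MetadataXml $sample
```

An empty Problems list on the returned object means the document passed all four checks; to check your own account, pass the downloaded contents of the metadata URL as -MetadataXml.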
Next, you must reconfigure your existing relying party application.
To reconfigure your existing relying party application
In the left pane of the Access Control Service section of the Azure Management portal, choose Relying Party Applications, and then choose your existing relying party application.
This opens the configuration in edit mode.
In the Authentication Settings section, under Identity providers, make sure that only the new identity provider is selected.
Choose the Save button.
Next, you must reconfigure the rule group that your existing ACS namespace uses.
To reconfigure your rule group to handle Office 365 tokens
In the left pane of the Access Control Service portal, choose Rule groups, and then choose your existing rule group.
Select all existing rule groups, and then choose Delete.
Choose Generate. In the Generate Rules page, choose the relevant identity provider, and then choose the Generate button.
In the Edit Rule Group page, delete all rules except the rule where the output claim is name.
Choose Add. This opens the Add Claim Rule page.
In the Input claim issuer group, in the Identity Provider field, make sure your new identity provider is selected.
In the Input claim type group, in the Enter type field, enter https://schemas.microsoft.com/identity/claims/objectidentifier.
The https://schemas.microsoft.com/identity/claims/objectidentifier claim handles the unique IDs of the users.
In the Output claim type group, in the Enter type field, enter https://schemas.microsoft.com/identity/claims/objectidentifier.
Choose the Save button.
You have changed the configuration of your ACS namespace so that users can be authenticated against the specified Office 365 account. Next, you must configure the Office 365 account to accept authentication from Microsoft Dynamics NAV.
To configure the Office 365 account to accept authentication from Microsoft Dynamics NAV
Download and install the Windows Azure Active Directory Module for Windows PowerShell. For more information, see Manage Windows Azure Active Directory by using Windows PowerShell on TechNet.
To start a Windows PowerShell session, run PowerShell.exe at a command prompt.
Run the following Windows PowerShell commands:
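```powershell
# Load the Windows Azure Active Directory module and sign in to the Office 365 account.
Import-Module MSOnline
Connect-MsolService MyUser@MyDomain.onmicrosoft.com

# Register the ACS namespace as a service principal, with the ACS endpoint as its address.
$acsUrl = New-MsolServicePrincipalAddresses -Address "https://MyACSNamespace.accesscontrol.windows.net/"
New-MsolServicePrincipal -ServicePrincipalNames "https://MyACSNamespace.accesscontrol.windows.net/" -DisplayName "Microsoft Dynamics NAV via ACS" -Addresses $acsUrl
```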
You have now configured your ACS namespace and your Office 365 account to enable single sign-on between Office 365 and Microsoft Dynamics NAV.
See Also
Other Resources
How to: Configure a Deployment for ACS
Select an Office 365 plan for business