
Office 365

Introduction

  • Office 365 does not expose a web interface for setting up Single Sign-On; you must issue a few PowerShell commands instead.

  • The following commands require a Windows computer with PowerShell ≥ 5.0 installed.

Set up the PowerShell environment

  • Start PowerShell as administrator and enter the following command:
Install-Module MSOnline

Connect to Azure AD

  • In PowerShell, enter the following command and provide your Office 365 administrator credentials when prompted:
connect-msolservice

Change Office federation settings

  • Issue the following command to store the signing certificate (Base64 encoded) in a variable:
$cert = "MIIDXXX...XXXZWCxicZzKAgV"

The contents of the certificate are available on the setup page of your Trustelem application.

  • Choose a federation brand name for your organization, for instance:
$FederationBrandName = "mydomain.com"
  • Execute the following commands (adapt the DomainName and the URLs, and keep the backtick characters ` : they are PowerShell line continuations):
# Reset the domain to managed before applying the new federation settings
Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication Managed
# Federate the domain with Trustelem (SAML 2.0 protocol)
Set-MsolDomainAuthentication       -DomainName mydomain.com `
-FederationBrandName             $FederationBrandName `
-Authentication                  Federated `
-PassiveLogOnUri                 https://mydomain.trustelem.com/app/34XXX/sso `
-SigningCertificate              $cert `
-IssuerUri                       https://mydomain.trustelem.com/app/34XXX/mydomain.com `
-LogOffUri                       https://mydomain.trustelem.com/app/34XXX/slo `
-PreferredAuthenticationProtocol SAMLP
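The following script is an added example and is not part of the Trustelem documentation or of the MSOnline module: it checks the signing certificate before you federate the domain (an expired or truncated certificate silently breaks every sign-in) and, after Set-MsolDomainAuthentication has run, reads the federation settings back and compares them with what you intended to configure. It assumes that $cert and $FederationBrandName are defined as above, that Connect-MsolService has already been run, and that the domain name and issuer URI are the same placeholders used on this page.

```powershell
# Added example, not Trustelem's own code. Assumes $cert (Base64 certificate)
# is already defined and Connect-MsolService has been run.
# Placeholder values taken from the commands above; adapt them to your tenant.
$DomainName        = "mydomain.com"
$ExpectedIssuerUri = "https://mydomain.trustelem.com/app/34XXX/mydomain.com"

# 1. Parse the Base64 string as an X.509 certificate. This fails loudly if the
#    value was copied incompletely, and lets us check the validity period.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($cert))
Write-Host "Signing certificate subject   : $($x509.Subject)"
Write-Host "Signing certificate thumbprint: $($x509.Thumbprint)"
Write-Host "Valid until                   : $($x509.NotAfter)"
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Signing certificate expires within 30 days; fetch a current one from the Trustelem setup page first."
}

# 2. Read back the domain and its federation settings (run this after the
#    Set-MsolDomainAuthentication commands above) and verify each value.
$domain = Get-MsolDomain -DomainName $DomainName
$fed    = Get-MsolDomainFederationSettings -DomainName $DomainName

if ($domain.Authentication -ne "Federated") {
    throw "Domain $DomainName is '$($domain.Authentication)', expected Federated."
}
if ($fed.IssuerUri -ne $ExpectedIssuerUri) {
    throw "IssuerUri mismatch: got '$($fed.IssuerUri)', expected '$ExpectedIssuerUri'."
}
if ($fed.SigningCertificate -ne $cert) {
    throw "SigningCertificate stored on the domain differs from the one in `$cert."
}
if ($fed.PreferredAuthenticationProtocol -ne "Samlp") {
    Write-Warning "Preferred protocol is '$($fed.PreferredAuthenticationProtocol)', expected Samlp."
}

Write-Host "Federation for $DomainName verified."
Write-Host "  PassiveLogOnUri: $($fed.PassiveLogOnUri)"
Write-Host "  LogOffUri      : $($fed.LogOffUri)"
```

Keep the thumbprint printed in step 1 with your change record: when Trustelem rotates its signing certificate, comparing thumbprints is the quickest way to confirm that the value stored on the domain is the new one.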

Note for Azure AD users

If your Trustelem users are synchronized from Azure AD:

  • After this setup, they will no longer be able to use their Azure AD password; they must use a Trustelem password instead:
    Go to your Azure AD directory on Trustelem > enable Use Trustelem as password source

  • If the synchronized users exist only in an Azure AD tenant that is not linked to an on-premises AD, verify that they have an onPremisesImmutableId. You also need to add this attribute to Trustelem:
    Go to your Azure AD directory on Trustelem > tick Advanced options > enter onPremisesImmutableId in Custom attributes
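To check the second point across a whole domain rather than user by user, the following added example (not part of the Trustelem documentation) lists the users of the federated domain that have no immutable ID. In the MSOnline module this attribute is exposed as the ImmutableId property of Get-MsolUser; it is the same value that Azure AD / Microsoft Graph call onPremisesImmutableId. It assumes Connect-MsolService has already been run and uses the placeholder domain from this page.

```powershell
# Added example, not Trustelem's own code. Assumes Connect-MsolService has run.
$DomainName = "mydomain.com"   # placeholder from the commands above

# Return the users of the domain whose ImmutableId is empty; federated sign-in
# for these accounts cannot be matched to a Trustelem user until it is set.
function Get-UsersWithoutImmutableId([string] $Domain) {
    Get-MsolUser -All -DomainName $Domain |
        Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) } |
        Select-Object UserPrincipalName, DisplayName, ObjectId
}

$missing = @(Get-UsersWithoutImmutableId -Domain $DomainName)
if ($missing.Count -eq 0) {
    Write-Host "All users of $DomainName have an ImmutableId."
} else {
    Write-Warning "$($missing.Count) user(s) of $DomainName have no ImmutableId:"
    $missing | Format-Table -AutoSize
}
```

Run this before enabling federation: an account that appears in the list will not be able to sign in through Trustelem until its immutable ID is populated and synchronized, which is easier to fix while password sign-in still works.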