Set up O365 as the SP and EAA as the IdP

This procedure describes how to set up the O365 application as the service provider (SP) and Enterprise Application Access (EAA) as the identity provider (IdP).

Complete the following steps to configure O365 as the SP and EAA as the IdP.

How to

  1. Set up a domain that you have admin access to.
    1. Buy and create a domain using a third-party provider such as godaddy.com (for example, t3akamai.net).
    2. Create an O365 admin developer account at https://dev.office.com/devprogram/ (for example, jdoet3akamai.onmicrosoft.com).
    3. Go to the O365 admin portal, https://portal.office.com/adminportal#/homepage. Click Admin Home>Domains>Add a domain to add your domain.
    4. Complete the setup wizard and log in as your domain administrator (for example, at the godaddy portal). The wizard automatically updates the DNS settings on your domain. For example:

      Update DNS settings
    5. On the O365 admin portal, go to Home>Domains and make sure your domain is not set as the default. If it is set as the default, change the default to *.onmicrosoft.com. For example:

      Home>Domains dialog
    6. Have the EAA account administrator request access to the SaaS application feature.
    7. Install Windows Server and configure it as the domain controller for your domain.
  2. Create a new application in EAA. See Configure EAA as the IdP for a custom SaaS application to do so. Do not deploy the application at this time.
    1. Under the SAML SETTINGS tab, copy the entity ID, single sign on (ACS) URL, and Signing Certificate information from the IdP info section. You need this data to configure the O365 SP.

      o365-EAA-idp-info
    2. Do not deploy the application at this time. You need to fill out the SAML settings fields with O365 data before you can deploy.
  3. Configure Microsoft Azure as the SP.
    1. Download and install Microsoft Azure Active Directory Connect on the Active Directory (AD) server.
    2. Click Express Settings and complete the setup wizard as shown in this example. Click Connect to Azure AD and enter your username and password:

      o365-connect-to-azure-dialog
      Click Connect to AD DS and enter your username and password, and then click Configure to complete the configuration.
      o365-complete-configuration
    3. At this point, you should see the users in AD (for example, user1, user2) synced to the O365 admin portal.
      o365-ad-users
    4. Download and install the Azure Active Directory PowerShell module on the AD server. (As an alternative, you can use the GDrive link to get the file.)
    5. Open the Azure AD PowerShell console and run the commands shown in the following code block with the following changes:
      • Replace all occurrences of t3akamai.net with your domain name.
      • Replace jp-t3.login.stage.akamai-access.com with the IdP URL found in the EAA IdP configuration on the EAA portal.
      • Replace the MIIDyzCCArOgA... certificate with the Signing Certificate you copied from the EAA admin portal in Step 2a.
      Note: Remove all white space and line breaks from the certificate before pasting it. Microsoft PowerShell does not handle spaces or line breaks inside the certificate string.
      # Sign in to the Azure AD tenant and inspect the current federation settings of the domain
      Connect-MsolService
      Get-MsolDomainFederationSettings -DomainName t3akamai.net | Format-List *
      # Reset the domain to Managed before converting it to Federated
      Set-MsolDomainAuthentication -DomainName t3akamai.net -Authentication Managed
      $domainname = "t3akamai.net"
      $logoffuri = "https://jp-t3.login.stage.akamai-access.com/saml/idp/slo"
      $passivelogonuri = "https://jp-t3.login.stage.akamai-access.com/saml/idp/sso"
      # Paste the Signing Certificate copied in Step 2a as a single line, with no spaces or line breaks
      $cert = "MIIDyzCCArOgA..."
      $issueruri = "https://jp-t3.login.stage.akamai-access.com/saml/idp/sso"
      $protocol = "SAMLP"
      # The trailing backtick continues the command on the next line
      Set-MsolDomainAuthentication -DomainName $domainname `
          -FederationBrandName $domainname -Authentication Federated -IssuerUri $issueruri -LogOffUri $logoffuri `
          -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert -PreferredAuthenticationProtocol $protocol

      
    6. If you successfully entered the commands, verify the configuration with this command:
      PS C:\Users\Administrator\Desktop> Get-MsolDomainFederationSettings -domainName t3akamai.net | Format-List *
      
      ExtensionData                          : System.Runtime.Serialization.ExtensionDataObject
      ActiveLogOnUri                         : http://dummystsurl.microsoftonline.com/dummyurl
      DefaultInteractiveAuthenticationMethod :
      FederationBrandName                    : AkamaiT3
      IssuerUri                              : https://jp-t3.login.stage.akamai-access.com/saml/idp/sso
      LogOffUri                              : https://jp-t3.login.stage.akamai-access.com/saml/idp/slo
      MetadataExchangeUri                    :
      NextSigningCertificate                 :
      OpenIdConnectDiscoveryEndpoint         :
      PassiveLogOnUri                        : https://jp-t3.login.stage.akamai-access.com/saml/idp/sso
      PreferredAuthenticationProtocol        : Samlp
      PromptLoginBehavior                    :
      SigningCertificate                     : 
      MIIDyzCCArOgAwIBAgIQWtsG8SYkRQWGu+VNC2taYjANBgkqhkiG9w0BAQsFADBiMQ0wCwYDVQQDDA                                         
      RTb2hhMRswGQYDVQQKDBJTb2hhIFN5c3RlbXMsIEluYy4xEjAQBgNVBAcMCVN1bm55dmFsZTETMBEG 
      A1UECAwKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMwHhcNMTcxMTI5MTg1MzI3WhcNNDIxMTMwMTg1Mz
      I3WjBzMSwwKgYDVQQDEyNqcC10My5sb2dpbi5zdGFnZS5ha2FtYWktYWNjZXNzLmNvbTENMAsGA1UE
      ChMEU29oYTESMBAGA1UEBxMJU3Vubnl2YWxlMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQGEw  
      JVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOTc5gR/4GpJ2lTjq9bH/1qZWMXFfeV
      2hgDIp9Wpdi5koty23szajBqQ40UK6qli2/k0HAUa6clWpxEGy7tXw4HGkbsjmENnNQk24PMwJuEFG  
      QQmlxwwjk7WATQWvrbQR5im/h3Tk1N9Hc00RTUi0ni/Z3DCBLSPLICCDFgEaQOQBGrlp65SJfJmHJ1
      c0hpJh7C9EcLWqzZPGj9jYIOFdCvUVKSm3F0YZA5vz3/f5sp/pNPSBOQaMH8zYewPjbrlP65UR9vhc
      jKSnlASt3SiTUtUohOtQf40UxC+BorVPBc/h5Gp0ofrAqINhLEudrlHcJvbpIO30u7Ak4FnSiF2pEC
      AwEAAaNsMGowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwLgYDVR0RBCcwJYIjanAtdDMubG9naW
      4uc3RhZ2UuYWthbWFpLWFjY2Vzcy5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0G
      CSqGSIb3DQEBCwUAA4IBAQAzFYts4Y1hU5ZmGpZRtcTEbdZxhlo1FF3NmFcCEDgaVppdG0w8S+N0h9
      Dv79KtdXmchs6QczQG3aMPx23ouX98vy1gZYeq4jXyAcHZ155JsO6cQdsWN77TeVFwCwEmQM2FHuAH
      Dnnvg58H1KG13kVUsdw2qgFvbods6niieUosU2QHMbN4CY91i+qJNhU5Sk4w1lXZm5Jy9JRMtJAZmo
      YeVfXv9m9Drp9hrAr0O4s1SLob0qOegcB3kUUeMgG0YFpbcXsoJKJTpDfAbae/HMxPBPsnoEFPSZe3
      NuBxsF7iddbdaD5gJAXx9H7dVgUveTFxlKUfy7ssp7aiMQgCRkNV
      SigningCertificateUpdateStatus         :
      SupportsMfa                            :
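The following script is an added example, not part of the original Akamai procedure. It shows how to normalize the EAA signing certificate before it is handed to Set-MsolDomainAuthentication (the whitespace problem noted in Step 3.5), check that the certificate parses and has not expired, and then read the federation settings back and compare them with the intended values. It assumes the MSOnline module is installed, Connect-MsolService has already been run, and the certificate copied from the EAA portal was saved to a hypothetical file named eaa-signing-cert.txt; the domain and IdP host are the page's example values.

```powershell
# Added example (not the original procedure's code). Assumes Connect-MsolService already ran.
$domainname      = "t3akamai.net"                               # page's example domain
$idpHost         = "jp-t3.login.stage.akamai-access.com"        # page's example EAA IdP host
$issueruri       = "https://$idpHost/saml/idp/sso"
$passivelogonuri = "https://$idpHost/saml/idp/sso"
$logoffuri       = "https://$idpHost/saml/idp/slo"
$rawCert         = Get-Content -Path ".\eaa-signing-cert.txt" -Raw   # hypothetical file with the pasted certificate

# 1. Strip any PEM armor and every whitespace or line-break character (see the Note in Step 3.5).
$cert = ($rawCert -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''

# 2. Confirm the result is a parseable X.509 certificate before sending it to Microsoft.
$certBytes = [Convert]::FromBase64String($cert)
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
if ($x509.NotAfter -lt (Get-Date)) { throw "EAA signing certificate expired on $($x509.NotAfter)" }
if ($x509.Subject -notmatch [regex]::Escape($idpHost)) {
    Write-Warning "Certificate subject '$($x509.Subject)' does not name the IdP host $idpHost"
}
"EAA signing certificate thumbprint: $($x509.Thumbprint), valid until $($x509.NotAfter)"

# 3. Apply the federation settings with the same cmdlet and parameters the procedure uses.
Set-MsolDomainAuthentication -DomainName $domainname -FederationBrandName $domainname `
    -Authentication Federated -IssuerUri $issueruri -LogOffUri $logoffuri `
    -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert `
    -PreferredAuthenticationProtocol SAMLP

# 4. Read the settings back and compare what the tenant stored with what was intended.
$fed = Get-MsolDomainFederationSettings -DomainName $domainname
$expected = @{ IssuerUri = $issueruri; PassiveLogOnUri = $passivelogonuri; LogOffUri = $logoffuri }
foreach ($k in $expected.Keys) {
    if ($fed.$k -ne $expected[$k]) {
        Write-Warning "$k mismatch: tenant has '$($fed.$k)', expected '$($expected[$k])'"
    }
}
# Compare thumbprints rather than raw strings so wrapping in the stored value does not matter.
$storedBytes = [Convert]::FromBase64String(($fed.SigningCertificate -replace '\s', ''))
$stored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$storedBytes)
if ($stored.Thumbprint -ne $x509.Thumbprint) {
    throw "Stored signing certificate ($($stored.Thumbprint)) differs from the EAA certificate ($($x509.Thumbprint))"
}
"Federation settings for $domainname match the EAA IdP values."
```

Run it after Step 3.5 instead of pasting the certificate by hand; a thumbprint mismatch or expiry warning means O365 will reject EAA-signed SAML responses.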
      
  4. Go back to the EAA application you started in Step 2.
    1. Configure the SAML Settings section under the SAML SETTINGS tab as follows:
      Field                         Value
      Single SignOn (ACS) URL       https://login.microsoftonline.com/login.srf
      NameID Format                 Persistent
      NameID Attribute              Custom script: { "immutable-id" : [{"$" : "user.persistentId"}]}
      Default Relay State           blank
      Signed Request                Unchecked
      Response Encryption           Unchecked
      Response Signature Algorithm  SHA1
      Single Logout Binding         Redirect
      Single Logout URL             https://www.office.com/estslogout?ru=%2F
      Verify Single LogOut          Unchecked
    2. Add an attribute statement as shown in this example:
      o365 EAA SAML settings
    3. Click Save and go to Deployment.
    4. On the DEPLOYMENT tab, click Deploy application.
  5. Verify the EAA IdP setup.
    1. Access the Identity Portal URL and log in with your AD credentials.
    2. Click on the icon for the O365 application.
    3. A new tab opens with an O365 session, without prompting for your login credentials.
    4. When you log out from the Identity Portal, the session with the O365 application is also terminated.
  6. Verify the O365 setup.
    1. Access O365 at portal.office.com and enter your username (for example, user1@t3akamai.net).
    2. You are redirected to the EAA login page.
    3. Log in to access the O365 application.

Next steps