This procedure describes how to set up the O365 application as the service
provider (SP) and Enterprise Application Access (EAA) as the identity provider
(IdP).
Complete the following steps to configure
O365 as the SP and EAA as the IdP.
How to
-
Set up a domain that you have
admin access to.
-
Buy and create a domain
using a third-party provider such as godaddy.com (for example,
t3akamai.net).
-
Create an O365 admin
developer account at https://developer.microsoft.com/en-us/microsoft-365/dev-program (for example,
jdoet3akamai.onmicrosoft.com)
-
Go to the O365 admin
portal, https://portal.office.com/adminportal#/homepage. Click
Admin
Home>Domains>Add a domain to add your domain.
-
Complete the setup
wizard and, when prompted, log in as your domain administrator (for example, at the godaddy
portal). The wizard automatically adds the required DNS records to your
domain.
-
On the O365 admin
portal, go to Home>Domains and make sure your domain is not set as
the default. If it is set as the default, change the default to be
*.onmicrosoft.com.
-
Have the EAA account administrator request access to the SaaS
application feature.
-
Install a Windows
Server and promote it to the domain controller for your domain.
-
Create a new application in EAA. See Configure EAA as the IdP for a
custom SaaS application to do so.
-
Under the SAML SETTINGS
tab, copy the entity ID, single sign on (ACS)
URL, and Signing
Certificate information from the IdP info section. You
need this data to configure the O365 SP: the entity ID becomes the IssuerUri,
the single sign on URL becomes the PassiveLogOnUri (and, with /slo in place of
/sso, the LogOffUri), and the certificate becomes the SigningCertificate.
-
Do not deploy the application at this time. You need to fill out the
SAML settings fields with O365 data before you can deploy.
-
Configure Azure Active Directory (the directory behind your O365 tenant) as the SP.
-
Download and
install Microsoft Azure Active Directory Connect on the Active Directory
(AD) server.
-
Click Express Settings and complete the setup
wizard. Click Connect to Azure AD and enter
your O365 admin username and password. Click
Connect to AD DS and enter your on-premises AD username and password,
and then click
Configure to complete the configuration.
-
At this point, you should see the users in AD (for example, user1,
user2) synced to the O365 admin portal.
-
Download and install the Azure
Active Directory PowerShell module (MSOnline) on the AD server.
-
Open the Azure AD PowerShell console and run the commands shown in the
following code block with these changes:
- Replace all occurrences of t3akamai.net with your domain name.
- Replace jp-t3.login.stage.akamai-access.com with your EAA IdP hostname
(the host part of the single sign on URL shown in the IdP info section of the
EAA portal). $passivelogonuri must be the IdP's /saml/idp/sso URL, $logoffuri
its /saml/idp/slo URL, and $issueruri the entity ID shown by EAA, which in this
deployment is the same as the SSO URL.
- Replace the MIIDyzCCArOgA... certificate with the Signing certificate you
copied from the EAA admin portal in Step 2a.
Note: Remove all white space and line breaks from the certificate and paste
only the base64 body, without the -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- lines. The MSOnline cmdlets do not accept a
certificate value that contains white space.
The first Set-MsolDomainAuthentication call sets the domain back to Managed so
that any federation settings left from an earlier attempt are cleared before
the new ones are applied.
PS C:\Users\Administrator\Desktop> Connect-MsolService
PS C:\Users\Administrator\Desktop> Get-MsolDomainFederationSettings -DomainName t3akamai.net | Format-List *
PS C:\Users\Administrator\Desktop> Set-MsolDomainAuthentication -DomainName t3akamai.net -Authentication Managed
PS C:\Users\Administrator\Desktop> $domainname = "t3akamai.net"
PS C:\Users\Administrator\Desktop> $logoffuri = "https://jp-t3.login.stage.akamai-access.com/saml/idp/slo"
PS C:\Users\Administrator\Desktop> $passivelogonuri = "https://jp-t3.login.stage.akamai-access.com/saml/idp/sso"
PS C:\Users\Administrator\Desktop> $cert = "MIIDyzCCArOgAwIBAgIQWtsG8SYkRQWGu+..."
PS C:\Users\Administrator\Desktop> $issueruri = "https://jp-t3.login.stage.akamai-access.com/saml/idp/sso"
PS C:\Users\Administrator\Desktop> $protocol = "SAMLP"
PS C:\Users\Administrator\Desktop> Set-MsolDomainAuthentication -DomainName $domainname `
>>   -FederationBrandName $domainname -Authentication Federated -IssuerUri $issueruri -LogOffUri $logoffuri `
>>   -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert -PreferredAuthenticationProtocol $protocol
-
If the commands completed without error, verify the configuration with
the following command and check that IssuerUri, PassiveLogOnUri, LogOffUri,
PreferredAuthenticationProtocol, and SigningCertificate show the values you
entered. ActiveLogOnUri is a placeholder that Azure AD fills in when none is
supplied, and the certificate is displayed line-wrapped only because of the
Format-List output width:
PS C:\Users\Administrator\Desktop> Get-MsolDomainFederationSettings -domainName t3akamai.net | Format-List *
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri : http://dummystsurl.microsoftonline.com/dummyurl
DefaultInteractiveAuthenticationMethod :
FederationBrandName : AkamaiT3
IssuerUri : https://jp-t3.login.stage.akamai-access.com/saml/idp/sso
LogOffUri : https://jp-t3.login.stage.akamai-access.com/saml/idp/slo
MetadataExchangeUri :
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://jp-t3.login.stage.akamai-access.com/saml/idp/sso
PreferredAuthenticationProtocol : Samlp
PromptLoginBehavior :
SigningCertificate :
MIIDyzCCArOgAwIBAgIQWtsG8SYkRQWGu+VNC2taYjANBgkqhkiG9w0BAQsFADBiMQ0wCwYDVQQDDA
RTb2hhMRswGQYDVQQKDBJTb2hhIFN5c3RlbXMsIEluYy4xEjAQBgNVBAcMCVN1bm55dmFsZTETMBEG
A1UECAwKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMwHhcNMTcxMTI5MTg1MzI3WhcNNDIxMTMwMTg1Mz
I3WjBzMSwwKgYDVQQDEyNqcC10My5sb2dpbi5zdGFnZS5ha2FtYWktYWNjZXNzLmNvbTENMAsGA1UE
ChMEU29oYTESMBAGA1UEBxMJU3Vubnl2YWxlMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQGEw
JVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOTc5gR/4GpJ2lTjq9bH/1qZWMXFfeV
2hgDIp9Wpdi5koty23szajBqQ40UK6qli2/k0HAUa6clWpxEGy7tXw4HGkbsjmENnNQk24PMwJuEFG
QQmlxwwjk7WATQWvrbQR5im/h3Tk1N9Hc00RTUi0ni/Z3DCBLSPLICCDFgEaQOQBGrlp65SJfJmHJ1
c0hpJh7C9EcLWqzZPGj9jYIOFdCvUVKSm3F0YZA5vz3/f5sp/pNPSBOQaMH8zYewPjbrlP65UR9vhc
jKSnlASt3SiTUtUohOtQf40UxC+BorVPBc/h5Gp0ofrAqINhLEudrlHcJvbpIO30u7Ak4FnSiF2pEC
AwEAAaNsMGowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwLgYDVR0RBCcwJYIjanAtdDMubG9naW
4uc3RhZ2UuYWthbWFpLWFjY2Vzcy5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0G
CSqGSIb3DQEBCwUAA4IBAQAzFYts4Y1hU5ZmGpZRtcTEbdZxhlo1FF3NmFcCEDgaVppdG0w8S+N0h9
Dv79KtdXmchs6QczQG3aMPx23ouX98vy1gZYeq4jXyAcHZ155JsO6cQdsWN77TeVFwCwEmQM2FHuAH
Dnnvg58H1KG13kVUsdw2qgFvbods6niieUosU2QHMbN4CY91i+qJNhU5Sk4w1lXZm5Jy9JRMtJAZmo
YeVfXv9m9Drp9hrAr0O4s1SLob0qOegcB3kUUeMgG0YFpbcXsoJKJTpDfAbae/HMxPBPsnoEFPSZe3
NuBxsF7iddbdaD5gJAXx9H7dVgUveTFxlKUfy7ssp7aiMQgCRkNV
SigningCertificateUpdateStatus :
SupportsMfa :
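The same federation change as a script, added here as an example; it is not code from the original page or from Akamai. It reads the EAA signing certificate from the file EAA lets you download and normalises it the way the MSOnline cmdlets need it (base64 body only, no PEM header or footer, no white space) instead of relying on a hand-pasted string, and then compares what Azure AD stored against what was intended. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the parameter names, the -CertPath file name, and the function names are this example's own, while the domain and IdP hostname in the usage lines are the page's example values.

```powershell
# Added example; not code from the original page or from Akamai.
# Assumptions: MSOnline module installed, Connect-MsolService already run,
# -IdpHost is the EAA IdP hostname from the SAML SETTINGS tab, and
# -CertPath is the EAA signing certificate file (PEM or DER).

function Get-SigningCertificateBase64 {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $text  = [Text.Encoding]::ASCII.GetString($bytes)
    $pem   = [regex]::Match($text, '-----BEGIN CERTIFICATE-----([^-]+)-----END CERTIFICATE-----')
    if ($pem.Success) {
        # PEM: keep the first certificate's base64 body and strip all white space
        $bytes = [Convert]::FromBase64String(($pem.Groups[1].Value -replace '\s', ''))
    }
    # Parse it so a truncated or mis-pasted certificate fails here rather than at sign-in
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }
    Write-Host ('Signing certificate: {0}  thumbprint {1}  valid until {2:u}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    # Exactly the form Set-MsolDomainAuthentication -SigningCertificate expects
    [Convert]::ToBase64String($cert.RawData)
}

function Set-EaaFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$IdpHost,
        [Parameter(Mandatory)][string]$CertPath,
        [string]$IssuerUri          # EAA entity ID; the page's deployment uses its SSO URL
    )
    $ssoUri = "https://$IdpHost/saml/idp/sso"
    $sloUri = "https://$IdpHost/saml/idp/slo"
    if (-not $IssuerUri) { $IssuerUri = $ssoUri }
    $certB64 = Get-SigningCertificateBase64 -Path $CertPath

    # Return the domain to Managed first so that any earlier federation settings
    # (for example from a previous attempt) are cleared before the new ones apply.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

    Set-MsolDomainAuthentication -DomainName $DomainName -FederationBrandName $DomainName `
        -Authentication Federated -IssuerUri $IssuerUri -PassiveLogOnUri $ssoUri -LogOffUri $sloUri `
        -SigningCertificate $certB64 -PreferredAuthenticationProtocol SAMLP
}

function Test-EaaFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$IdpHost,
        [Parameter(Mandatory)][string]$CertPath
    )
    $s = Get-MsolDomainFederationSettings -DomainName $DomainName
    $expectedCert = Get-SigningCertificateBase64 -Path $CertPath
    # Azure AD may return the stored certificate line-wrapped; compare without white space
    $checks = [ordered]@{
        Protocol        = ("$($s.PreferredAuthenticationProtocol)" -eq 'Samlp')
        PassiveLogOnUri = ($s.PassiveLogOnUri -eq "https://$IdpHost/saml/idp/sso")
        LogOffUri       = ($s.LogOffUri -eq "https://$IdpHost/saml/idp/slo")
        Certificate     = (($s.SigningCertificate -replace '\s', '') -eq $expectedCert)
    }
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('{0,-16} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISMATCH' }))
    }
    # $true only when every field matches what was intended
    return -not ($checks.Values -contains $false)
}

# Usage, after Connect-MsolService (values are the page's examples):
# Set-EaaFederation  -DomainName 't3akamai.net' -IdpHost 'jp-t3.login.stage.akamai-access.com' -CertPath '.\eaa-idp-signing.cer'
# Test-EaaFederation -DomainName 't3akamai.net' -IdpHost 'jp-t3.login.stage.akamai-access.com' -CertPath '.\eaa-idp-signing.cer'
```

Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell (New-MgDomainFederationConfiguration covers the same federation fields); the certificate normalisation and the post-change comparison apply unchanged there.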
-
Go back to the EAA
application you started in Step 2.
-
Configure the SAML
Settings section under the SAML SETTINGS tab as follows:
Field | Value
Single SignOn (ACS) URL | https://login.microsoftonline.com/login.srf
NameID Format | Persistent
NameID Attribute | Custom script: { "immutable-id" : [{"$" : "user.persistentId"}]}
Default Relay State | blank
Signed Request | Unchecked
Response Encryption | Unchecked
Response Signature Algorithm | SHA1
Single Logout Binding | Redirect
Single Logout URL | https://www.office.com/estslogout?ru=%2F
Verify Single LogOut | Unchecked
Two of these values deserve a second look. The persistent NameID taken from
user.persistentId must equal the user's ImmutableId in Azure AD, which Azure
AD Connect derives from the on-premises source anchor (the objectGUID by
default); if the attribute EAA sends does not resolve to that value, sign-in
fails even though the federation settings are correct. The Response Signature
Algorithm is SHA1 because that is what this procedure was validated with;
Azure AD also accepts SHA-256 signatures, so prefer SHA256 if your EAA version
offers it.
-
Add an attribute
statement that sends the user's UPN (for example, user1@t3akamai.net) as the
attribute IDPEmail; Azure AD expects this attribute alongside the persistent
NameID.
-
Click Save and go to
Deployment.
-
On the DEPLOYMENT tab,
click Deploy
application.
-
Verify the EAA
IdP setup.
-
Access the Identity
Portal URL and log in with your AD credentials.
-
Click on the icon for
the O365 application.
-
A new tab appears and
provides you with a session without requesting your login
credentials.
-
When you log out from
the Identity Portal, the session with the O365 application is also
terminated.
-
Verify the O365 setup.
-
Access O365 at portal.office.com and enter your username (for example,
user1@t3akamai.net).
-
You are redirected to
the EAA login
page.
-
Log in to access the O365 application.
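When the O365 sign-in redirects to EAA but then fails after the assertion is posted back, the usual cause is a mismatch between what EAA puts in the assertion and what Azure AD holds for the user. The following PowerShell, added here as an example and not part of the original procedure, decodes a captured SAMLResponse (the base64 value POSTed to https://login.microsoftonline.com/login.srf) and checks the fields that must line up: the Issuer against the IssuerUri registered with Set-MsolDomainAuthentication, the persistent NameID against the ImmutableId derived from the user's objectGUID, the IDPEmail attribute against the UPN, and the Audience. The objectGUID and the SAMLResponse at the bottom are constructed test data (no signature), not a real capture; the issuer URL and UPN are the page's example values, and the function names are this example's own.

```powershell
# Added example, not from the original page or from Akamai.
# Assumptions: the GUID and SAMLResponse below are constructed test data. In a
# real check take the GUID from Get-ADUser -Identity user1 -Properties objectGUID
# and the SAMLResponse from a browser network trace of the O365 sign-in.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same transformation Azure AD Connect applies to the source anchor
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-SamlAssertionIdentity {
    param([Parameter(Mandatory)][string]$SamlResponseBase64)
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $nameId = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    $email  = $doc.SelectSingleNode("//saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", $ns)
    [pscustomobject]@{
        Issuer       = $doc.SelectSingleNode('//saml:Assertion/saml:Issuer', $ns).InnerText
        NameId       = $nameId.InnerText
        NameIdFormat = $nameId.GetAttribute('Format')
        Audience     = $doc.SelectSingleNode('//saml:Assertion//saml:Audience', $ns).InnerText
        IdpEmail     = $(if ($email) { $email.InnerText })
    }
}

function Test-FederatedIdentity {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64,
        [Parameter(Mandatory)][guid]$OnPremObjectGuid,
        [Parameter(Mandatory)][string]$ExpectedUpn,
        [string]$ExpectedIssuer = 'https://jp-t3.login.stage.akamai-access.com/saml/idp/sso'
    )
    $id = Get-SamlAssertionIdentity -SamlResponseBase64 $SamlResponseBase64
    $expectedImmutableId = ConvertTo-ImmutableId -ObjectGuid $OnPremObjectGuid
    $problems = @()
    if ($id.Issuer -ne $ExpectedIssuer) {
        $problems += "Issuer '$($id.Issuer)' differs from the registered IssuerUri '$ExpectedIssuer'"
    }
    if ($id.NameIdFormat -ne 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent') {
        $problems += "NameID format '$($id.NameIdFormat)' is not persistent"
    }
    if ($id.NameId -ne $expectedImmutableId) {
        $problems += "NameID '$($id.NameId)' does not equal ImmutableId '$expectedImmutableId' derived from objectGUID"
    }
    if ($id.IdpEmail -ne $ExpectedUpn) {
        $problems += "IDPEmail '$($id.IdpEmail)' is not the UPN '$ExpectedUpn'"
    }
    if ($id.Audience -ne 'urn:federation:MicrosoftOnline') {
        $problems += "Audience '$($id.Audience)' is not urn:federation:MicrosoftOnline"
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Assertion = $id }
}

# Constructed sample (not a real capture): objectGUID of user1 and the assertion
# EAA would send for it, with the XML signature omitted.
$sampleGuid = [guid]'6f9619ff-8b86-d011-b42d-00c04fc964ff'
$sampleXml  = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://login.microsoftonline.com/login.srf">
  <saml:Assertion>
    <saml:Issuer>https://jp-t3.login.stage.akamai-access.com/saml/idp/sso</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">$(ConvertTo-ImmutableId $sampleGuid)</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail"><saml:AttributeValue>user1@t3akamai.net</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Test-FederatedIdentity -SamlResponseBase64 $sampleB64 -OnPremObjectGuid $sampleGuid -ExpectedUpn 'user1@t3akamai.net'
```

Running it against the constructed sample returns Ok = True with no problems; against a real capture, a NameID mismatch points at the user.persistentId mapping in EAA, and an Issuer mismatch at the $issueruri value used in Set-MsolDomainAuthentication.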
Next steps
For more information, see: