2018-01-26 10:35:45 +01:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:office365</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,applications,office365" />
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="office365.html" />
<link rel="contents" href="office365.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO={"id":"documentation:2.0:applications:office365","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#office_3651">Office 365</a></div></li>
<li class="level2"><div class="li"><a href="#lemonldapng">LemonLDAP::NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="office_365">Office 365</h1>
<div class="level1">
<p>
<img src="logo_office_365.png" class="mediacenter" alt="Office 365 logo" />
</p>
</div>
<!-- EDIT1 SECTION "Office 365" [1 - 74] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://en.wikipedia.org/wiki/Office_365" class="urlextern" title="https://en.wikipedia.org/wiki/Office_365" rel="nofollow">Office 365</a> provides online access to Microsoft products such as Office, Outlook or Yammer. Users always start authentication at <a href="https://login.microsoftonline.com/" class="urlextern" title="https://login.microsoftonline.com/" rel="nofollow">https://login.microsoftonline.com/</a>; when the domain of the user's account is federated, that service redirects the user to the <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 Identity Provider registered for the domain (LemonLDAP::NG here) and accepts the signed assertion it returns.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [75 - 346] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [347 - 373] -->
<h3 class="sectionedit4" id="office_3651">Office 365</h3>
<div class="level3">
<p>
You first need to install the Azure AD PowerShell module (MSOnline), which provides the <code>Set-Msol*</code> cmdlets used below, and sign in to the tenant with an administrator account using <code>Connect-MsolService</code>.
</p>
<p>
Then run this script:
</p>
<pre class="code powershell">$dom = "mycompany.com"
$brand = "My Company"
$url = "https://auth.example.com/saml/singleSignOn"
$uri = "https://auth.example.com/saml/metadata"
$logouturl = "https://auth.example.com/?logout=1"
$cert = "xxxxxxxxxxxxxxxxxxx"
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $brand -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP</pre>
<p>
Where parameters are:
</p>
<ul>
<li class="level1"><div class="li">dom: the Office 365 domain to federate (it must already be verified in the tenant)</div>
</li>
<li class="level1"><div class="li">brand: a display label for the federation</div>
</li>
<li class="level1"><div class="li">url: the <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Single Sign On">SSO</abbr> endpoint of LemonLDAP::NG, where Office 365 redirects users for authentication</div>
</li>
<li class="level1"><div class="li">uri: the issuer identifier. Office 365 checks the Issuer of every <abbr title="Security Assertion Markup Language">SAML</abbr> response against this value, so it must be exactly the entityID LemonLDAP::NG sends, which by default is its metadata <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li">logouturl: the <abbr title="Uniform Resource Locator">URL</abbr> Office 365 sends users to when they sign out</div>
</li>
<li class="level1"><div class="li">cert: the <abbr title="Security Assertion Markup Language">SAML</abbr> certificate containing the public key LemonLDAP::NG signs assertions with, as a single base64 line without the BEGIN/END CERTIFICATE lines (the content of the X509Certificate element of the IDP metadata). Office 365 verifies assertion signatures only against this certificate, so the tenant must be updated (with this command, or with <code>-NextSigningCertificate</code> ahead of time) before the signing key is rotated</div>
</li>
</ul>
<p>
If you have several Office 365 domains, you cannot use the same URLs for each of them: Office 365 requires a distinct IssuerUri for every federated domain. To serve several domains from a single <abbr title="Security Assertion Markup Language">SAML</abbr> IDP, add a 'domain' GET parameter at the end of the <abbr title="Single Sign On">SSO</abbr> endpoint and metadata URLs. The value of the parameter is only a tag; what matters is that each resulting IssuerUri is unique and that the metadata served at that <abbr title="Uniform Resource Locator">URL</abbr> carries the same value as its entityID. For example:
</p>
<ul>
<li class="level1"><div class="li">domain 'mycompany.com':</div>
<ul>
<li class="level2"><div class="li">url: <a href="https://auth.example.com/saml/singleSignOn?domain=mycompany" class="urlextern" title="https://auth.example.com/saml/singleSignOn?domain=mycompany" rel="nofollow">https://auth.example.com/saml/singleSignOn?domain=mycompany</a></div>
</li>
<li class="level2"><div class="li">uri: <a href="https://auth.example.com/saml/metadata?domain=mycompany" class="urlextern" title="https://auth.example.com/saml/metadata?domain=mycompany" rel="nofollow">https://auth.example.com/saml/metadata?domain=mycompany</a></div>
</li>
</ul>
</li>
<li class="level1"><div class="li">domain 'myfirm.com':</div>
<ul>
<li class="level2"><div class="li">url: <a href="https://auth.example.com/saml/singleSignOn?domain=myfirm" class="urlextern" title="https://auth.example.com/saml/singleSignOn?domain=myfirm" rel="nofollow">https://auth.example.com/saml/singleSignOn?domain=myfirm</a></div>
</li>
<li class="level2"><div class="li">uri: <a href="https://auth.example.com/saml/metadata?domain=myfirm" class="urlextern" title="https://auth.example.com/saml/metadata?domain=myfirm" rel="nofollow">https://auth.example.com/saml/metadata?domain=myfirm</a></div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Office 365" [374 - 1788] -->
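<p>
The following script is an added example, not part of the LemonLDAP::NG documentation or project: it federates several Office 365 domains with one IDP in a loop, using the 'domain' parameter described above, and takes the signing certificate from the IDP metadata instead of pasting it by hand, checking that it parses and is not about to expire. It assumes the MSOnline module is installed, that the host name <code>auth.example.com</code> and the two domains are replaced by yours, that the metadata is reachable from the admin workstation, and that the entityID found in the metadata is the Issuer value LemonLDAP::NG will send (the script only warns when it differs from the IssuerUri it is about to configure).
</p>

```powershell
# Added example (not from the LemonLDAP::NG documentation): federate several
# Office 365 domains with one LemonLDAP::NG SAML IdP, reading the signing
# certificate from the IdP metadata. Needs the MSOnline module and a Global
# Administrator session. auth.example.com and the domain list are assumptions.

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService                      # interactive sign-in to the tenant

$idp   = 'https://auth.example.com'
$brand = 'My Company'
# Office 365 domain => value of the 'domain' GET parameter used on the IdP URLs
$domains = @{
    'mycompany.com' = 'mycompany'
    'myfirm.com'    = 'myfirm'
}

function Get-IdpSigningCertificate {
    # Fetch the IdP metadata and return the base64 signing certificate
    # (body of <ds:X509Certificate>) together with the entityID of the metadata.
    param([Parameter(Mandatory)][string]$MetadataUrl)

    [xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    $node = $md.SelectSingleNode(
        "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']//ds:X509Certificate", $ns)
    if (-not $node) { throw "No signing certificate found in $MetadataUrl" }

    $b64 = $node.InnerText -replace '\s', ''
    # Parse it to be sure it is a valid X.509 certificate and not close to expiry:
    # once the configured certificate has expired, Office 365 rejects every assertion.
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
    if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "IdP signing certificate $($x509.Thumbprint) expires on $($x509.NotAfter)"
    }
    [pscustomobject]@{
        Base64     = $b64
        Thumbprint = $x509.Thumbprint
        EntityId   = $md.DocumentElement.GetAttribute('entityID')
    }
}

foreach ($dom in $domains.Keys) {
    $tag       = $domains[$dom]
    $url       = "$idp/saml/singleSignOn?domain=$tag"
    $uri       = "$idp/saml/metadata?domain=$tag"
    $logouturl = "$idp/?logout=1"

    $idpCert = Get-IdpSigningCertificate -MetadataUrl $uri
    if ($idpCert.EntityId -ne $uri) {
        # Office 365 compares the Issuer of each SAML response with IssuerUri;
        # a mismatch means every sign-in for this domain will be rejected.
        Write-Warning "entityID '$($idpCert.EntityId)' differs from IssuerUri '$uri' for $dom"
    }

    Set-MsolDomainAuthentication -DomainName $dom `
        -FederationBrandName $brand `
        -Authentication Federated `
        -PassiveLogOnUri $url `
        -SigningCertificate $idpCert.Base64 `
        -IssuerUri $uri `
        -LogOffUri $logouturl `
        -PreferredAuthenticationProtocol SAMLP

    # Read back what the tenant stored so the result can be reviewed.
    Get-MsolDomainFederationSettings -DomainName $dom |
        Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, LogOffUri,
                      PreferredAuthenticationProtocol
}
```

<p>
Run it once per tenant; re-running it with a new certificate in the metadata is also how the tenant is updated after a signing key rotation. Because the certificate is fetched over HTTPS from your own IDP, make sure the workstation trusts the IDP's TLS certificate rather than disabling certificate checks.
</p>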
<h3 class="sectionedit5" id="lemonldapng">LemonLDAP::NG</h3>
<div class="level3">
<p>
Create a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider and import Microsoft metadata from <a href="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" class="urlextern" title="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" rel="nofollow">https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml</a>. The metadata carries the Office 365 entityID and Assertion Consumer Service URLs, so importing it rather than typing them avoids sending assertions to a wrong endpoint.
</p>
<p>
Set the NameID format to persistent and its value to an immutable identifier of the user. Office 365 matches the NameID of the assertion against the ImmutableId attribute of the user in the tenant, so the value must be stable for the lifetime of the account and never reassigned to another user: a mutable attribute such as the e-mail address would let a renamed account sign in as the previous owner of that value.
</p>
<p>
Create a <abbr title="Security Assertion Markup Language">SAML</abbr> attribute named IDPEmail which contains the user principal name (UPN). The UPN must belong to the federated domain: Office 365 looks the user up by this value and then checks that the NameID equals the user's ImmutableId, and both must match for the sign-in to succeed.
</p>
</div>
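<p>
The following script is an added example, not part of the LemonLDAP::NG documentation or project: it checks, from the Office 365 side, that every user of the federated domain has the ImmutableId that LemonLDAP::NG will send as NameID and that no value is shared by two users, which is the property the NameID paragraph above relies on. The domain, the constructed UPN-to-NameID mapping and its identifier values are assumptions; in practice the mapping would be exported from the directory behind LemonLDAP::NG. For users synchronised by Azure AD Connect the ImmutableId is managed by the synchronisation and cannot be changed with <code>Set-MsolUser</code>; the IDP must then send exactly the synchronised value.
</p>

```powershell
# Added example (not from the LemonLDAP::NG documentation): verify that the
# users of a federated domain carry the ImmutableId that LemonLDAP::NG will send
# as NameID, and that no two users map to the same value. Needs the MSOnline
# module and an admin session. Domain and mapping below are assumptions.

function Test-NameIdMapping {
    # $Users: objects with UserPrincipalName and ImmutableId (as Get-MsolUser returns them)
    # $NameIdByUpn: hashtable UPN => value the IdP sends as NameID for that user
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][hashtable]$NameIdByUpn
    )
    $problems = @()

    # A NameID reused for two users means one assertion could match the wrong account.
    $dupes = $NameIdByUpn.GetEnumerator() | Group-Object Value | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        $problems += "NameID '$($d.Name)' is mapped to several users: $($d.Group.Key -join ', ')"
    }

    foreach ($u in $Users) {
        $upn      = $u.UserPrincipalName
        $expected = $NameIdByUpn[$upn]
        if (-not $expected) {
            $problems += "$upn has no NameID in the IdP mapping (sign-in will fail)"
        } elseif ([string]::IsNullOrEmpty($u.ImmutableId)) {
            $problems += "$upn has no ImmutableId in Office 365; expected '$expected'"
        } elseif ($u.ImmutableId -ne $expected) {
            $problems += "$upn ImmutableId '$($u.ImmutableId)' differs from NameID '$expected'"
        }
    }
    return ,$problems
}

$domain = 'mycompany.com'
# Constructed mapping (assumption): identifiers such as LDAP entryUUID or objectGUID
# are good immutable choices for the NameID; an e-mail address is not.
$nameIdByUpn = @{
    'alice@mycompany.com' = 'e4f1a2c0-6d21-4b7e-9c55-1a2b3c4d5e6f'
    'bob@mycompany.com'   = '0b7d9e11-3f52-4a98-8e21-6f5e4d3c2b1a'
}

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService
$users = Get-MsolUser -DomainName $domain -All | Select-Object UserPrincipalName, ImmutableId

$report = Test-NameIdMapping -Users $users -NameIdByUpn $nameIdByUpn
if ($report.Count -eq 0) {
    "All $($users.Count) users of $domain are consistent with the IdP NameID mapping"
} else {
    $report | ForEach-Object { Write-Warning $_ }
}

# Fixing a missing or wrong value for a cloud-only user, once the cause is understood:
# Set-MsolUser -UserPrincipalName 'alice@mycompany.com' -ImmutableId $nameIdByUpn['alice@mycompany.com']
```

<p>
Run the check before switching the domain to Federated and again after any change of the attribute LemonLDAP::NG uses as NameID; a user who appears in the report cannot sign in, and a duplicated value should be treated as an incident rather than fixed silently.
</p>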
<!-- EDIT5 SECTION "LemonLDAP::NG" [1789 - ] --></div>
</body>
</html>