Note : The information contained on this page does not create a joint venture, partnership, agency or other form of association, or an express or implied license grant by either party to the other under any patent, trademark, copyright, trade secret or other intellectual property right.

Office 365

miniOrange provides secure access to Office 365 for enterprises and full control over access of applications, Single Sign On (SSO) into your Office 365 Account with one set of login credentials, eliminating user-managed passwords and the risk of phishing.

• Single Sign On

  Office 365 refers to subscription plans that include access to Office applications plus other productivity services that are enabled over the Internet (cloud services), such as Lync web conferencing and Exchange Online hosted email for business, and additional online storage with OneDrive and Skype world minutes for home. miniOrange Single Sign On (SSO) Solution provides easy and seamless access to all enterprise resources with one set of credentials, miniOrange provides Single Sign On (SSO) to any type of devices or applications whether they are in the cloud or on-premise. With Single Sign-On, Office 365 can put its existing trusted IdP in charge of the authentication process.

• Strong Authentication

  Secure your Office 365 app from password thefts using multi factor authentication methods with 15+ authentication types provided by miniOrange. Our multi factor authentication methods prevent unauthorized users from accessing information and resources having password alone as authentication factor. Enabling second factor authentication for Office 365 protects you against password thefts.

• Fraud Prevention

  Check your Office 365 app from Fraud Prevention. miniOrange prevents frauds with its dynamic risk engine in conjunction with enterprise specific security policy. We support a combination of the Device Id, Location and Time of access as multi-factor authentication that can detect and block fraud in real-time, without any interaction with the user.

miniOrange supports both IdP (Identity Provider) and SP (Service Provider) initiated Single Sign-on (SSO)

• IdP Initiated Single Sign On (SSO)

  In IdP Initiated Login, SAML request is initiated from miniOrange IdP.

• Enduser first authenticates through miniOrange Idp by login in to miniOrange Self Service Console.
• The Enduser will be redirected to their Office 365 account by clicking the Office 365 icon on the Enduser Dashboard - there is no need to login again.

• SP Initiated Single Sign On (SSO)

  In SP Initiated Login, SAML request is initiated by Office 365.

• An Enduser tries to access their Office 365 domain.
• They will be redirected to miniOrange Self Service Console.
• Here they can enter the miniOrange login credentials and login to their Office 365 Account.

Pre-requisites

1: Prepare your Active Directory Domain

• Office 365 SSO requires an Internet-resolvable domain name to use as the suffix in each user’s username. Don’t worry, though, if your Active Directory domain name doesn’t meet this requirement. Most of them don’t. You can make things work by giving users an alternate User Principal Name (UPN) that matches any public domain name you own.
  
• Let’s assume your public domain name is mydomain.com, but your inside-the-firewall Active Directory domain is mydomain.local. You can’t resolve mydomain.local via Internet servers, therefore you won’t be able to with Office 365 DNS servers. That said, you can use federation to set each user’s UPN to a publicly resolvable domain name and let them log in as username@mydomain.com.
  
• While each user’s UPN might look like an e-mail address, it has nothing to do with SMTP or Session Initiation Protocol. This change merely maps your users’ Active Directory accounts with an external address that Office 365 can understand.
  
• Launch Active Directory Domains and Trusts and view the Properties of its top-level node. In the box titled Alternative UPN suffixes, enter your publicly resolvable domain name and click Add. Then launch Active Directory Users and Computers and view the Properties of a user account. Under its Account tab, you can now set the User logon name to that publicly resolvable domain name. Do this for each Office 365-enabled user. They’ll be using this as their Office 365 username in a minute.
  
  

2: Prepare Your Server and Install ADFS

• You can install ADFS on a domain controller or another server. You’ll first need to configure a few prerequisites. The following steps assume you’re installing to Windows Server 2008 R2.
  
• Using Server Manager, install the IIS role and the Microsoft .NET Framework 3.5.1. Then purchase and install a server-authentication certificate from a public certificate authority. Make sure you match the certificate’s subject name with the Fully Qualified Domain Name of the server. Launch IIS Manager and import that certificate to the default Web site.
  
• Next, download ADFS 2.0. Accept the installation defaults, selecting Federation server when prompted. The installer should automatically install any required hotfixes, although you might need to install ADFS 2.0 Update Rollup 2.
  
• After installing and patching ADFS, launch ADFS 2.0 Management from Administrative Tools. On the Overview page, start the ADFS Federation Server Configuration Wizard. Create a new Federation Service in a Stand-Alone deployment, and verify the SSL certificate it’s using matches the one you’ve imported into the IIS default Web site. The wizard will also prompt for a service account. Supply it with an Active Directory account whose password is set to never expire.
  
• When the wizard concludes, you’ll see a message noting that the Required configuration is incomplete and you need to add a trusted relying party. You’ll do this in a minute, so you can safely ignore this message.
  
• Test your installation by navigating to https://[serverFQDN]/FederationMetadata/2007-06/FederationMetadata.xml in your Web browser. Click through any certificate errors you see. You’re verifying that IIS is successfully serving up XML content.
  
  

3: Add Your UPN Domain to Office 365

• If the publicly resolvable domain name you choose isn’t already linked to Office 365, do so via the Microsoft Online Services Portal. Click Domains in the Admin console and then select Add a domain. The wizard will prompt you for the domain name, and then give you one of two options for authenticating ownership. You’ll need to add either a TXT or MX record to the publicly accessible DNS server hosting the domain.
  
• It can take anywhere from 15 minutes to 72 hours for the update to fully propagate, so it might take a while before you can complete the validation process. Validation affirms to Office 365 that you own the domain name your clients will later use to authenticate. You don’t need to have any servers within this domain for federation to function. All you need to complete this step is the domain itself that you can resolve from the Internet.
  
  

Follow the Step-by-Step Guide given below for Office 365 Single Sign On (SSO)

Step 1: Configure Single Sign On (SSO) Settings

• Login to miniOrange Admin Console.
• Go to Apps >> Manage Apps . Click Configure Apps button.
• Click on SAML tab. Select Office365 and click Add App button.



• Make sure the SP Entity ID or Issuer is in the format: https://login.microsoftonline.com/login.srf.
• Make sure the ACS URL is: https://login.microsoftonline.com/login.srf.
• Add an attribute with attribute name as IDPEmail and select attribute value as E-mail Address.
• Click on Save to configure Office365.
• Click on Download Certificate link to download the certificate which will be required later.

Step 2: Configure Azure AD

• Login to Azure AD Virtual Machine.
• Copy the certificate you downloaded from the miniOrange Admin Console. Ensure that it is set as the Primary Token Signing Certificate for ADFS



• Open Powershell.
• Execute the following Powershell commands:
• $cred = Get-Credential. Enter Azure Administrator credentials
• Connect-MsolService -Credential $cred
• Note: Replace ##DOMAIN NAME## by your Active Directory Domain Name. Ensure that the the domain is not the default domain name as the default one cannot be set as the federated domain
  
  Set-MsolDomainAuthentication -Authentication Federated -DomainName ##DOMAIN NAME## -IssuerUri "https://auth.miniorange.com/moas" -LogOffUri "https://auth.miniorange.com/moas/idp/samllogout" -PassiveLogOnUri "https://auth.miniorange.com/moas/idp/samlsso" -SigningCertificate "MIICnjCCAgegAwIBAgIJAK3CyOFtrUj+MA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJNSDENMAsGA1UEBwwEUFVORTETMBEGA1UECgwKbWluaU9yYW5nZTETMBEGA1UECwwKbWluaU9yYW5nZTETMBEGA1UEAwwKbWluaU9yYW5nZTAeFw0xNTAyMTEwNDQ1NDdaFw0xODAyMTAwNDQ1NDdaMGgxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJNSDENMAsGA1UEBwwEUFVORTETMBEGA1UECgwKbWluaU9yYW5nZTETMBEGA1UECwwKbWluaU9yYW5nZTETMBEGA1UEAwwKbWluaU9yYW5nZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx+WMW0HNXVL4VB14PklXDo6rJlK3W4XHsxD7rBsG8e2LgbfjEjC0b+k2/5ODuP9OvVQyHaZhMPWbS2z5S6cxCIxPfAJC5pCn9EVVoSDbz4C1Biyg9NJAUYp7oF+8JfKByLeWCOPRb9/G8/Bq5xQRAf++CH/hSSsrNEQm5h+NnhcCAwEAAaNQME4wHQYDVR0OBBYEFFq3KKnNFb1777slDNKfn30gXcvjMB8GA1UdIwQYMBaAFFq3KKnNFb1777slDNKfn30gXcvjMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACP2t4JNkGh2ElJltQ3FSdWWHsvhGpGnpAdltdC8vW/Sf3a97IDeixr5GcQVfUfyYE+nMQU0g2NJLYG1+hb13J58eQ9NhU8PgkSsJWaskST1KTNRu+30K3Dm8TOhZShWEvYBUzSDjcSJFUguXeoK/gx4wBuA8WEaKb9PC6xvac/4=" -PreferredAuthenticationProtocol SAMLP

Step 3: Create a policy for Office 365

• Login to miniOrange Admin Console.
• Go to Policies >> App Authentication Policy.
• Add a new policy for Office 365.
1. Select Office365 from Application dropdown.
2. Select a Group Name from dropdown - the group for which you want to add Office365 policy.
3. Give a policy name for Office365 in Policy Name field.
4. Select the First Factor Type for authentication.
5. Enable Second Factor for authentication if required.
6. Click on Save button to add policy for Office365 Single Sign On (SSO).



• Now click on Onboard users into our system from View Policy Tab.

Step 4: Onboard users into our system.

• Download sample csv format from our console and create a CSV file containing your users in this format.



• Upload your CSV in our console via Bulk Upload.
• After uploading the CSV file successfully, you will see a success message.
• From Users/Groups menu, select Manage Users/Groups and go to OnBoarding Status. Select users to send activation mail and click on send activation mail. An activation mail will be sent to the selected users.
• Add properties of Office 365 user(User Principal Name and Immutable ID). For this, go to Upload User Details tab and select Office 365 Integration.
• To obtain CSV file of user properties, execute the following Powershell command: Get-MsolUser | Where-Object { $_.isLicensed -eq "TRUE" } | Select-Object UserPrincipalName, ImmutableID | Export-Csv filename.csv. Upload the CSV file

Step 5: Register users into our system (End Users)

• Sign In to your mail and click on registration link that is valid only for 5 days. You will be redirected to our registration page.
• Configure your basic details.



• Configure any strong authentication method.



• Configure KBA (Security Questions) as your fallback method, in case you lost your phone this will get invoked and save your details.



• After successful registration, you will see a registration successful message.

Step 6: Now sign in to your Office 365 account with miniOrange IdP by either of the two steps:

1. Using SP initiated login :-

1. Login to your Office 365 account
2. Go to Office 365 Login
3. Enter only the Email. Now you will be redirected to miniOrange IdP Sign On Page.




4. Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Office 365 account.




2. Using IdP initiated login :-

1. Login to your miniOrange Self Service Console as an End User and click on the Office 365 icon on your Dashboard.

Using Two Factor Authentication for Office 365

The most practical way to strengthen authentication is to require a second factor after the username/password stage. Since a password is something that a user knows, ensuring that the user also has something or using biometrics thwarts attackers that steal or gain access to passwords.

Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, track who has which one, and replace them when they break. They're easy to lose, hard to use, and users consistently report high levels of frustration with token-based systems.

Your choice of second factor

miniOrange authentication service has 15+ authentication methods.

• One time passcodes (OTP) over SMS
• OTP over Email
• OTP over SMS and Email
• Out of Band SMS
• Out of Band Email
• Soft Token
• Push Notification
• USB based Hardware token
• Security Questions
• Mobile Authentication
• Voice Authentication (Biometrics)
• Phone Verification
• Device Identification
• Location
• Time of Access
• User Behavior

You can choose from any of the above authentication methods to augment your password based authentication. miniOrange authentication service works with all phone types, from landlines to smart-phone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. miniOrange authentication service works internationally, and has customers authenticating from many countries around the world.

For further details refer :
https://support.office.com/en-us/article/Office-365-integration-with-on-premises-environments-263faf8d-aa21-428b-aed3-2021837a4b65
http://blogs.technet.com/b/canitpro/archive/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365.aspx

Business trial for free

If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Office 365 Single Sign On (SSO).