Configuration Guides

Configuring SAML SSO with Microsoft 365 and PingOne for Enterprise

Learn how to enable Microsoft 365 sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct Microsoft 365 sign-on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access. Learn more in Connecting to an identity repository in the PingOne for Enterprise documentation.

  • Make sure Microsoft 365 has a valid, non-default domain and that the domain is populated with at least one AD-synced user you can use to test access.

  • You must have administrative access to PingOne for Enterprise and Microsoft 365.

  • You must have access to run the Microsoft Azure Active Directory Module for Windows PowerShell.

Obtain the PingOne for Enterprise values for the Microsoft 365 application

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. Search for Microsoft 365.

  3. Expand the Microsoft 365 entry and click the Setup icon.

    Screen capture of PingOne for Enterprise Application Catalog with Microsoft 365 listed as the Application Name and the expansion arrow highlighted in red.

  4. Click Continue to Next Step.

  5. Copy the Issuer URI, Passive Log On Uri, and Log Off Uri values.

  6. Download the signing certificate.

    Screen capture of the PingOne for Enterprise Microsoft 365 Federation Settings with the fields for Issuer URI, Passive Log On URI, Log Off URI, and Signing Certificate Download hyperlink highlighted in red.

Add the PingOne for Enterprise IdP Connection to Microsoft 365

  1. Open an elevated Windows PowerShell Command Prompt window on any internet-connected computer and type:

    $cred = Get-Credential

  2. Enter the username and password of your Microsoft 365 administrator account in the pop-up.

    Screen capture of Windows PowerShell credential request prompting for username and password.

  3. Connect with MsolService.

    Connect-MsolService -Credential $cred

  4. List your domains.

    Get-MsolDomain

  5. Enter the domain for which you would like to enable SSO.

    $dom = "your-O365-domain"

  6. Set the uri parameter to the PingOne for Enterprise Issuer URI value.

    $uri = "your-Issuer-URI"

  7. Set the url parameter to the PingOne for Enterprise Passive Log On Uri value.

    $url = "your-Passive-Log-On-Uri"

  8. Set the logouturl parameter to the PingOne for Enterprise Log Off Uri value.

    $logouturl = "your-Log-Off-Uri"

  9. Open the downloaded signing certificate in Notepad, copy the Base64-encoded certificate body (the text between the BEGIN CERTIFICATE and END CERTIFICATE lines), and paste it as a quoted string into the command below to set the certificate parameter.

    $cert = "your-certificate-contents"

  10. Run the following command to set up SAML SSO for your domain.

    Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $dom `
    -Authentication Federated `
    -PassiveLogOnUri $url `
    -SigningCertificate $cert `
    -IssuerUri $uri `
    -LogOffUri $logouturl `
    -PreferredAuthenticationProtocol SAMLP

  11. Run the following command to see the completed SSO settings.

    Get-MsolDomainFederationSettings -DomainName "your-O365-domain" | Format-List *
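The following verification script is an added example, not part of the Ping Identity or Microsoft documentation; it checks that the federation settings written in step 10 match the values copied from PingOne for Enterprise and that the signing certificate Microsoft 365 now trusts is the one you downloaded and is not close to expiry. It assumes `Connect-MsolService` has already been run in the session and that the parameter values (domain, URIs, certificate path) are supplied by you.

```powershell
# Added verification script (assumes an existing Connect-MsolService session).
param(
    [Parameter(Mandatory)] [string] $DomainName,             # e.g. "your-O365-domain"
    [Parameter(Mandatory)] [string] $ExpectedIssuerUri,      # PingOne Issuer URI
    [Parameter(Mandatory)] [string] $ExpectedPassiveLogOnUri,# PingOne Passive Log On Uri
    [Parameter(Mandatory)] [string] $ExpectedLogOffUri,      # PingOne Log Off Uri
    [Parameter(Mandatory)] [string] $SigningCertPath,        # downloaded signing certificate file
    [int] $WarnDays = 30                                     # warn when the cert expires sooner than this
)

# The domain must actually be federated, otherwise Microsoft 365 keeps managed (password) sign-on.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is '$($domain.Authentication)', not Federated; SAML SSO is not active."
}

$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$expected = @{
    IssuerUri       = $ExpectedIssuerUri
    PassiveLogOnUri = $ExpectedPassiveLogOnUri
    LogOffUri       = $ExpectedLogOffUri
}
$problems = @()
foreach ($name in $expected.Keys) {
    if ($fed.$name -ne $expected[$name]) {
        $problems += "$name is '$($fed.$name)', expected '$($expected[$name])'"
    }
}
if ("$($fed.PreferredAuthenticationProtocol)" -ne 'Samlp') {
    $problems += "PreferredAuthenticationProtocol is '$($fed.PreferredAuthenticationProtocol)', expected Samlp"
}

# Decode the certificate the tenant will use to validate PingOne assertions and compare it
# with the downloaded file, so a stale or mis-pasted certificate value is caught before users are.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$tenantCert = $x509::new([Convert]::FromBase64String($fed.SigningCertificate))
$fileCert   = $x509::new($SigningCertPath)
if ($tenantCert.Thumbprint -ne $fileCert.Thumbprint) {
    $problems += "Tenant signing cert $($tenantCert.Thumbprint) does not match downloaded cert $($fileCert.Thumbprint)"
}
$daysLeft = ($tenantCert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $WarnDays) {
    $problems += "Signing certificate expires in $daysLeft days ($($tenantCert.NotAfter)); plan a rollover"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Federation settings for $DomainName match PingOne for Enterprise; signing cert valid until $($tenantCert.NotAfter)."
```

Run it again after any certificate rotation in PingOne for Enterprise, since a mismatch between the tenant's stored certificate and the IdP's current signing key is the usual cause of sudden SSO failures.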

Complete the Microsoft 365 setup in PingOne for Enterprise

  1. Continue editing the Microsoft 365 entry in PingOne for Enterprise.

    If the session has timed out, complete the initial steps to the point of clicking Setup.

  2. Click Continue to Next Step until you reach the Attribute mapping page.

  3. Map subject to SAML_SUBJECT.

  4. Map guid to your attribute containing the Microsoft 365 user objectGUID.

    Screen capture of PingOne for Enterprise Attribute Mapping section with the SAML_SUBJECT and myGUID fields in the Identity Bridge Attribute or Literal Value column and subject * and guid * rows highlighted in red.

  5. Click Continue to Next Step twice.

  6. Click Add for all user groups that should have access to Microsoft 365.

    Screen capture of PingOne for Enterprise Group Access page with Users@directory and Domain Administrators@directory listed in the Group Name column.

  7. Click Continue to Next Step.

  8. Click Finish.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with Microsoft 365 access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete PingOne for Enterprise authentication.

    You’re redirected to your Microsoft 365 domain.

    Screen capture of PingOne for Enterprise login screen.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to https://portal.office.com.

  2. Enter your email address.

  3. After you’re redirected to PingOne for Enterprise, enter your PingOne for Enterprise username and password.

    Screen capture of PingOne for Enterprise login screen.

    You’re redirected back to Microsoft 365.