Configuring SAML SSO with Microsoft 365 and PingFederate

Learn how to enable Microsoft 365 sign-on from a PingFederate URL (IdP-initiated sign-on) and direct Microsoft 365 sign-on using PingFederate (SP-initiated sign-on).

Before you begin

Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
Make sure Microsoft 365 has a valid, non-default domain and is populated with at least one AD synced user in that domain to test access.
You must have administrative access to PingFederate and Microsoft 365.
You must have access to run the Microsoft Azure Active Directory Module for Windows PowerShell.

Create a PingFederate SP connection for Microsoft 365

Download the Microsoft 365 SAML metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.
Sign on to the PingFederate administrative console.
Create an SP connection for Microsoft 365 in Ping Federate:
1. Configure using Browser SSO profile SAML 2.0.
2. Import the metadata from the downloaded Microsoft 365 metadata file.
3. Enable the following SAML Profiles:
  - IdP-Initiated SSO
  - SP-Initiated SSO
  - SP Initiated SLO
4. In Assertion Creation: Attribute Contract, extend the contract to add the attributes guid and SAML_NAME_FORMAT.
5. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment map the following:
  - SAML_SUBJECT to guid (guid should map to your attribute holding the Microsoft 365 user objectID and be in Base64 binary format)
  - SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
6. In Protocol Settings: Allowable SAML Bindings, enable POST and REDIRECT.
7. In Protocol Settings: Signature Policy, select Always Sign Assertion.
8. In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
Save the configuration.
Export the signing certificate.
Export and then open the metadata file and copy the values for the following:
- entityID
- Location entry for SSO (https://your-value/idp/SSO.saml2)
- Location entry for SLO (https://your-value/idp/SLO.saml2)

Add the PingFederate connection to Microsoft 365

Open an elevated Windows PowerShell Command Prompt window on any internet-connected computer and type:
```
$cred = Get-Credential
```
Enter the username and password of your Microsoft 365 administrator account in the pop-up.
Connect with MsolService.
```
Connect-MsolService -Credential $cred
```
List your domains.
```
Get-MsolDomain
```
Select the domain for which you would like to enable SSO.
```
$dom = "your-O365-domain"
```
Set the uri parameter to the PingFederate entityID value.
```
$uri ="your-entityID"
```
Set the url parameter to the PingFederate Location for SSO value.
```
$url="your-Passive-Log-On-Uri"
```
Set the logouturl parameter to the PingFederate Location for SLO value.
```
$logouturl="your-Log-Off-Uri"
```
Open the downloaded signing certificate in Notepad, copy the encoded contents, and paste them into the command below to set the certificate parameter.
```
$cert="your-certificate-contents"
```

Run the following command to setup SAML SSO for your domain.

Set-MsolDomainAuthentication `
-DomainName $dom `
-FederationBrandName $dom `
-Authentication Federated `
-PassiveLogOnUri $url `
-SigningCertificate $cert `
-IssuerUri $uri `
-LogOffUri $logouturl `
-PreferredAuthenticationProtocol SAMLP

Run the following command to see the completed SSO settings.

Get-MSolDomainFederationSettings -DomainName "your-O365-domain" | Format-List *

Test the PingFederate IdP-initiated SSO integration

Go to the PingFederate SSO application endpoint for the Microsoft 365 SP connection.
Complete PingFederate authentication.

You’re redirected to your Microsoft 365 domain.

Test the PingFederate SP-initiated SSO integration

Go to https://portal.office.com.
Enter your email address.
After you’re redirected to PingFederate, enter your PingFederate username and password.

You’re redirected back to Microsoft 365.

Configuration Guides