Office 365

Configure an SSO connection

Steps

  1. Create a new SP connection or select an existing SP connection from the SP Configuration menu.

  2. On the Connection Template screen, select Use a template for this connection and choose Office 365 from the Connection Template drop-down list.

    You will be asked to provide the federationmetadata.xml file you obtained earlier in Download Office 365 SAML 2.0 metadata file.

    Screen capture of sp connection.

    If this selection is not available, verify the connector installation and restart PingFederate.

  3. On the Connection Type screen, ensure that the Browser SSO Profiles checkbox is selected and click Next.

    If outbound provisioning will also be used, select Outbound Provisioning profile as well. The screenshot below shows an example where both are selected.

    Screen capture of SP connection type.

  4. On the Connection Options screen, ensure Browser SSO is selected and click Next.

    Screen capture of connection options
  5. On the General Info screen, ensure that the Partner’s Entity ID (Connection ID) and the Connection Name are accurate. Change details if required and click Next.

    By default, some fields are pre-populated as a result of using the Office 365 Connector template.

    Screen capture of general info
  6. On the Browser SSO screen, click Configure Browser SSO.

  7. On the Assertion Creation screen, click Configure Assertion Creation.

  8. On the IdP Adapter Mapping screen, click Map New Adapter Instance. If an HTML Form Adapter instance already exists, select it from the drop-down list and click Next. Otherwise, perform the following steps to create a new HTML Form Adapter:

    1. If an LDAP instance has not been configured in PingFederate, follow the instructions in Configure an LDAP connection.

    2. If a credential validator has not already been created, follow the instructions in Configure the LDAP Username Password Credential Validator.

    3. Complete the creation of the HTML form adapter using the instructions in Configure the HTML Form Adapter.

    4. Once the above are completed, return to the IdP Adapter Mapping screen and click Next.

  9. On the Mapping Method screen, select Retrieve additional attributes from a data store—includes options to use alternate data stores and/or a failsafe mapping. Click Next.

    Screen capture of adapter contract
  10. Click Add Attribute Source.

  11. Fill in the Attribute Source Description field with an identifier of your choosing. Select the desired source datastore in the Active Data Store drop-down list, then click Next.

  12. On the LDAP Directory Search screen, enter the following values:

    • Base DN: the location in the source datastore under which the users are found

    • Search Scope: select the appropriate value

    • Attributes to return from search:

      • objectGUID

      • userPrincipalName

        Screen capture of LDAP directory search.
  13. Click Next.

  14. If the LDAP Binary Attribute Encoding Types screen appears, confirm that objectGUID is set to Base64 and click Next.

    If the LDAP Binary Attribute Encoding Types screen does NOT appear, objectGUID is not currently retrieved in binary format and the datastore settings must be updated. To register objectGUID as a binary LDAP attribute, perform the following steps:

    1. Open a new private browser session and log in to the PingFederate Admin Console

    2. Click Data Stores, then Manage Datastores

    3. Select your source datastore

    4. Click LDAP Configuration

    5. Click Advanced

    6. Select the LDAP Binary Attributes tab

    7. Enter objectGUID in the BINARY ATTRIBUTE NAME field and click Add

    8. Click Done, Done, and Save

    9. Return to the LDAP Binary Attribute Encoding Types screen

    10. Confirm objectGUID is set to Base64 and click Next

      Screen capture of LDAP binary attribute encoding types
  15. On the LDAP Filter screen, enter userPrincipalName=${username} in the Filter field.

    Screen capture of LDAP filter.

  16. Click Next.

  17. On the Attribute Contract Fulfillment screen, set the following values:

    Attribute Contract    Source    Value
    IDPEmail              LDAP      userPrincipalName
    SAML_NAME_FORMAT      Text      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    SAML_SUBJECT          LDAP      objectGUID

  18. Click Next.

  19. On the Attribute Source Summary screen, click Done.

  20. On the Attribute Sources & User Lookup screen, click Next.

  21. On the Failsafe Attribute Source screen, select Abort the SSO transaction and click Next.

    Screen capture of failsafe attribute source
  22. On the IdP Adapter Mapping summary screen, click Done.

  23. On the Authentication Source Mapping screen, click Done.

  24. On the Assertion Creation screen, click Done.

  25. On the Protocol Settings screen, click Configure Protocol Settings.

  26. On the Assertion Consumer Service URL screen, delete the binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign and click Done. PingFederate does not support this binding, and leaving it in place can result in validation errors.

  27. On the Protocol Settings screen, click Done.

  28. On the Browser SSO screen, click Next.

  29. On the Credentials screen, click Configure Credentials.

  30. On the Credentials → Digital Signature Settings screen, select the signing certificate and click Next.

  31. On the Signature Verification Settings screen, click Manage Signature Verification Settings.

  32. On the Trust Model screen, select the appropriate value and complete the steps for configuring the trust model and signature verification according to instructions in Manage signature verification settings.

  33. On the Signature Verification Summary screen, click Done.

  34. On the Credentials screen, click Next.

  35. On the Activation & Summary screen, set Connection Status to Active, then click Save.
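The user lookup and attribute contract of steps 12 through 21, modelled in Python as an added example (this is not PingFederate code). The directory entries, objectGUID values and the small filter evaluator are constructed for the example; the point it shows is that the value substituted into the step 15 filter is escaped per RFC 4515, that SAML_SUBJECT is the Base64 of the binary objectGUID, and that anything other than exactly one match trips the step 21 failsafe.

```python
import base64
import re
import uuid

# Constructed sample data store standing in for the LDAP directory (not real accounts).
# Active Directory stores objectGUID in mixed-endian byte order, which uuid.bytes_le models.
DIRECTORY = [
    {"userPrincipalName": "alice@example.com",
     "objectGUID": uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le},
    {"userPrincipalName": "bob@example.com",
     "objectGUID": uuid.UUID("87654321-4321-8765-4321-876543218765").bytes_le},
]
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def ldap_escape(value):
    """RFC 4515 escaping so a user-supplied value cannot change the filter's shape."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    """The step 15 filter, userPrincipalName=${username}, with the value escaped."""
    return f"(userPrincipalName={ldap_escape(username)})"

def unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def substring_match(value, pattern):
    """Minimal LDAP match: an unescaped '*' is a wildcard, escaped bytes are literal."""
    parts = [unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = value.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= len(value) - len(parts[-1])

def fulfill_contract(username):
    """Steps 12-21: look the user up, then fill the step 17 attribute contract.
    Returns None unless exactly one entry matches (failsafe: abort the SSO transaction)."""
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", build_filter(username)).groups()
    hits = [e for e in DIRECTORY if substring_match(e[attr], pattern)]
    if len(hits) != 1:
        return None
    entry = hits[0]
    return {"IDPEmail": entry["userPrincipalName"],
            "SAML_NAME_FORMAT": PERSISTENT,
            # objectGUID retrieved as a binary attribute and Base64-encoded (step 14)
            "SAML_SUBJECT": base64.b64encode(entry["objectGUID"]).decode("ascii")}
```

The last two assertions below show why the escaping matters: the raw pattern `*@example.com` would match every user, while the escaped form matches none.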
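A check for step 26, written as an added example rather than taken from PingFederate or Microsoft: it lists the AssertionConsumerService bindings declared in an SP metadata file and drops the HTTP-POST-SimpleSign entry, so the result is what the Assertion Consumer Service URL screen should contain after the deletion. The metadata document, its entityID and its Location URLs are constructed placeholders, not the real federationmetadata.xml.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for federationmetadata.xml; entityID and Location are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://sp.example.invalid/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_endpoints(metadata_xml):
    """Return (index, binding, location) for every ACS endpoint the SP declares."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [(int(acs.get("index")), acs.get("Binding"), acs.get("Location"))
            for acs in root.iterfind(path, NS)]

def without_simplesign(metadata_xml):
    """The ACS list step 26 leaves behind: everything except the SimpleSign binding."""
    return [e for e in acs_endpoints(metadata_xml) if e[1] != SIMPLESIGN]

def has_usable_default(metadata_xml):
    """After pruning, an HTTP-POST endpoint must remain or SSO has nowhere to post to."""
    return any(binding == HTTP_POST for _, binding, _ in without_simplesign(metadata_xml))
```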