Page created: 26 May 2021 |
Page updated: 15 Dec 2022
Learn how to enable Microsoft 365 sign on from a PingFederate URL (IdP-initiated sign on) and direct Microsoft 365 sign on using PingFederate (SP-initiated sign on).
- Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
- Make sure Microsoft 365 has a valid, non-default domain and is populated with at least one AD synced user in that domain to test access.
- You must have administrative access to PingFederate and Microsoft 365.
- You must have access to run the Microsoft Azure Active Directory Module for Windows PowerShell.
Create a PingFederate SP
connection for Microsoft 365:
- Download the Microsoft 365 SAML metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.
- Sign on to the PingFederate administrative console.
Create an SP connection for Microsoft 365 in Ping Federate:
- Configure using Browser SSO profile SAML 2.0.
- Import the metadata from the downloaded Microsoft 365 metadata file.
- Enable the following SAML Profiles:
- IdP-Initiated SSO
- SP-Initiated SSO
- SP Initiated SLO
- In Assertion Creation: Attribute Contract, extend the contract to add the attributes guid and SAML_NAME_FORMAT.
- In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment map SAML_SUBJECT, guid (guid should map to your attribute holding the Microsoft 365 user objectID and be in Base64 binary format), and map SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
- In Protocol Settings: Allowable SAML Bindings, enable POST and REDIRECT.
- In Protocol Settings: Signature Policy, select Always Sign Assertion.
- In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
- Save the configuration.
- Export the signing certificate.
Export and then open the metadata file and copy the values for:
- the entityID
- the Location entry for SSO (https://<your value>/idp/SSO.saml2)
- the Location entry for SLO (https://<your value>/idp/SLO.saml2)
Add the PingFederate
connection to Microsoft 365:
- Open an elevated Windows PowerShell Command Prompt window on any internet connected computer.
$cred = Get-Credential.
Enter the username and password of your Microsoft 365 administrator
account in the pop-up.
Connect with MsolService.
Connect-MsolService -Credential $cred
List your domains.
Select the domain for which you would like to enable SSO.
$dom = "<Your O365 domain>"
Set the uri parameter to the PingFederate
$uri ="<Your entityID>"
Set the url parameter to the PingFederate
Location for SSO value.
$url="<Your Passive Log On Uri>"
Set the logouturl parameter to the PingFederate
Location for SLO value.
$logouturl="<Your Log Off Uri>"
Open the downloaded signing certificate in Notepad, copy the encoded
contents, and paste them into the command below to set the certificate
$cert="<Your certificate contents>"
Run the following command to setup SAML SSO for your domain.
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
Run the following command to see the completed SSO settings.
Get-MSolDomainFederationSettings -DomainName "<Your O365 domain>" | Format-List *
Test the PingFederate
IdP-initiated SSO integration:
- Go to the PingFederate SSO application endpoint for the Microsoft 365 SP connection.
Complete PingFederate authentication.
You're redirected to your Microsoft 365 domain.
Test the PingFederate
SP-initiated SSO integration:
- Go to https://portal.office.com.
- Enter your email address.
After you're redirected to PingFederate, enter your PingFederate username
You're redirected back to Microsoft 365.