• Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
  • Make sure Microsoft 365 has a valid, non-default domain and is populated with at least one AD synced user in that domain to test access.
  • You must have administrative access to PingFederate and Microsoft 365.
  • You must have access to run the Microsoft Azure Active Directory Module for Windows PowerShell.
  1. Create a PingFederate SP connection for Microsoft 365:
    1. Download the Microsoft 365 SAML metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.
    2. Sign on to the PingFederate administrative console.
    3. Create an SP connection for Microsoft 365 in Ping Federate:
      1. Configure using Browser SSO profile SAML 2.0.
      2. Import the metadata from the downloaded Microsoft 365 metadata file.
      3. Enable the following SAML Profiles:
        • IdP-Initiated SSO
        • SP-Initiated SSO
        • SP Initiated SLO
      4. In Assertion Creation: Attribute Contract, extend the contract to add the attributes guid and SAML_NAME_FORMAT.
      5. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment map SAML_SUBJECT, guid (guid should map to your attribute holding the Microsoft 365 user objectID and be in Base64 binary format), and map SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
      6. In Protocol Settings: Allowable SAML Bindings, enable POST and REDIRECT.
      7. In Protocol Settings: Signature Policy, select Always Sign Assertion.
      8. In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
    4. Save the configuration.
    5. Export the signing certificate.
    6. Export and then open the metadata file and copy the values for:
      • the entityID
      • the Location entry for SSO (https://<your value>/idp/SSO.saml2)
      • the Location entry for SLO (https://<your value>/idp/SLO.saml2)
  2. Add the PingFederate connection to Microsoft 365:
    1. Open an elevated Windows PowerShell Command Prompt window on any internet connected computer.
    2. Enter $cred = Get-Credential.
    3. Enter the username and password of your Microsoft 365 administrator account in the pop-up.
      Screen capture of Windows Powershell credential request prompting for username and password.
    4. Connect with MsolService.
      Connect-MsolService -Credential $cred
    5. List your domains.
      Get-MsolDomain
    6. Select the domain for which you would like to enable SSO.
      $dom = "<Your O365 domain>"
    7. Set the uri parameter to the PingFederate entityID value.
      $uri ="<Your entityID>"
    8. Set the url parameter to the PingFederate Location for SSO value.
      $url="<Your Passive Log On Uri>"
    9. Set the logouturl parameter to the PingFederate Location for SLO value.
      $logouturl="<Your Log Off Uri>"
    10. Open the downloaded signing certificate in Notepad, copy the encoded contents, and paste them into the command below to set the certificate parameter.
      $cert="<Your certificate contents>"
    11. Run the following command to setup SAML SSO for your domain.
      Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
    12. Run the following command to see the completed SSO settings.
      Get-MSolDomainFederationSettings -DomainName "<Your O365 domain>" | Format-List *
  3. Test the PingFederate IdP-initiated SSO integration:
    1. Go to the PingFederate SSO application endpoint for the Microsoft 365 SP connection.
    2. Complete PingFederate authentication.
      You're redirected to your Microsoft 365 domain.
  4. Test the PingFederate SP-initiated SSO integration:
    1. Go to https://portal.office.com.
    2. Enter your email address.
    3. After you're redirected to PingFederate, enter your PingFederate username and password.
      You're redirected back to Microsoft 365.