Changing the federation protocol in Office 365 from WS-Federation to SAML2P

Office 365 can use either SAML 2.0 (SAML2P) or WS-Federation for the passive profile, that is, for browser-based clients that sign on through a redirect to the identity provider. This task describes how to change the federation protocol of an Office 365 domain from WS-Federation to SAML2P.

Change the federation protocol from WS-Federation to SAML2P in Office 365 using the MSOnline PowerShell module. In the commands below, replace <Office 365 domain name> with your federated domain.

  1. Sign on to Office 365 PowerShell as an administrator.
    PS C:\Users\Administrator> Connect-MsolService
  2. Show the current settings.
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Format-List *

    ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
    ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
    FederationBrandName             : Ping Identity
    IssuerUri                       : <Office 365 domain name>
    LogOffUri                       : https://pf1.pinggcs.com:9031/idp/prp.wsf
    MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
    NextSigningCertificate          :
    PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/prp.wsf
    PreferredAuthenticationProtocol : WsFed
    SigningCertificate              : MIICX...
  3. Save the settings to a variable.
    PS C:\Users\Administrator> $saml = Get-MsolDomainFederationSettings -DomainName <Office 365 domain name>
    Tip: Also export the current settings to a file so that you can restore the WS-Federation configuration if the change fails.
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Export-Clixml dfs-pf-wsfed.xml
  4. Update the variable to use the SAML2P endpoints for the passive profile. The active (WS-Trust) endpoint in ActiveLogOnUri, used by rich clients, does not change.
    PS C:\Users\Administrator> $saml.PassiveLogOnUri = "https://pf1.pinggcs.com:9031/idp/SSO.saml2"
    PS C:\Users\Administrator> $saml.LogOffUri = "https://pf1.pinggcs.com:9031/idp/startSLO.ping"
  5. Convert the domain to managed authentication. This removes federation from the domain, so federated users cannot sign in until step 6 completes; run steps 5 and 6 together, in a maintenance window.
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -Authentication Managed
  6. Re-federate the domain with the values in $saml, selecting SAMLP as the preferred protocol. Office 365 accepts only tokens signed by the certificates in SigningCertificate and NextSigningCertificate, so confirm that the certificate you pass is the one PingFederate uses to sign its SAML responses. If your configuration populates MetadataExchangeUri or NextSigningCertificate, pass those values from $saml as well (-MetadataExchangeUri, -NextSigningCertificate), because they are not carried over from the managed state.
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -FederationBrandName $saml.FederationBrandName -Authentication Federated -PassiveLogOnUri $saml.PassiveLogOnUri -ActiveLogOnUri $saml.ActiveLogOnUri -SigningCertificate $saml.SigningCertificate -IssuerUri $saml.IssuerUri -LogOffUri $saml.LogOffUri -PreferredAuthenticationProtocol "SAMLP"
  7. Review the results. PreferredAuthenticationProtocol should now read Samlp, and PassiveLogOnUri and LogOffUri should point at the SAML2P endpoints.
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Format-List *

    ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
    ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
    FederationBrandName             : Ping Identity
    IssuerUri                       : <Office 365 domain name>
    LogOffUri                       : https://pf1.pinggcs.com:9031/idp/startSLO.ping
    MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
    NextSigningCertificate          :
    PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/SSO.saml2
    PreferredAuthenticationProtocol : Samlp
    SigningCertificate              : MIICX...
  8. Save the new settings to a different file, so that both configurations are on record.
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Export-Clixml dfs-pf-samlp.xml

To roll back from SAML2P to WS-Federation, for example while troubleshooting, restore the settings you exported in step 3:

  1. Load the saved settings into a variable.
    PS C:\Users\Administrator> $wsfed = Import-Clixml dfs-pf-wsfed.xml
  2. Convert the domain to managed authentication. As before, federated sign-in is unavailable until the next step completes.
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -Authentication Managed
  3. Re-federate the domain with WS-Federation using the values in $wsfed. Pass -MetadataExchangeUri and -NextSigningCertificate from $wsfed too if the saved settings populate them.
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogOnUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "WSFED"
  4. Verify the result with Get-MsolDomainFederationSettings; PreferredAuthenticationProtocol should read WsFed and PassiveLogOnUri should again be the WS-Federation endpoint.
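The switch-over procedure and the rollback procedure above, combined into one script as an added example. This is not code from the original page or from Ping Identity; it assumes the MSOnline module is installed and that Connect-MsolService has already been run. $DomainName, $BackupDir and the function names (Save-FederationSettings, Assert-IdpEndpoint, Set-DomainFederation) are assumptions of this example, and $IdpBase is the PingFederate host from the page's sample output, which you replace with your own. Beyond the steps on the page it adds a pre-flight check that a signing certificate is present and that every endpoint is HTTPS on the IdP host, carries MetadataExchangeUri and NextSigningCertificate through when they are set, and re-reads the domain settings to verify the change before exporting them.

```powershell
# Added example; not from the original page. Requires the MSOnline module and an
# already-authenticated session (run Connect-MsolService first).
# Assumptions to replace: $DomainName and $IdpBase. The function names are ours.

$DomainName = 'example.com'                    # assumption: your federated Office 365 domain
$IdpBase    = 'https://pf1.pinggcs.com:9031'   # IdP base URL from the page's sample output; replace
$BackupDir  = Join-Path (Get-Location) 'o365-federation-backups'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Save-FederationSettings {
    # Exports the domain's current federation settings to a timestamped CLIXML
    # file (the page's dfs-pf-*.xml) and returns the live settings object.
    param([string]$Domain, [string]$Label)
    $settings = Get-MsolDomainFederationSettings -DomainName $Domain
    $path = Join-Path $BackupDir ("dfs-{0}-{1}.xml" -f $Label, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $settings | Export-Clixml -Path $path
    Write-Host "Saved $Label settings to $path"
    return $settings
}

function Assert-IdpEndpoint {
    # Every user's browser is redirected to these URIs, so a typo or a plaintext
    # scheme is a credential-exposure problem, not a cosmetic one. Refuse both.
    param([string]$Uri, [string]$ExpectedHost)
    $u = [Uri]$Uri
    if ($u.Scheme -ne 'https')     { throw "Endpoint '$Uri' is not HTTPS" }
    if ($u.Host -ne $ExpectedHost) { throw "Endpoint '$Uri' is not on IdP host $ExpectedHost" }
}

function Set-DomainFederation {
    # Re-federates $Domain with the values in $Settings, applying $Overrides on
    # top and selecting $Protocol. The domain is Managed between the two
    # Set-MsolDomainAuthentication calls, so federated sign-in is down briefly.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)]$Settings,
        [hashtable]$Overrides = @{},
        [Parameter(Mandatory)][ValidateSet('Samlp', 'WsFed')][string]$Protocol
    )
    $target = @{}
    foreach ($name in 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri',
                      'MetadataExchangeUri', 'IssuerUri', 'FederationBrandName',
                      'SigningCertificate', 'NextSigningCertificate') {
        if ($Settings.$name) { $target[$name] = [string]$Settings.$name }   # skip empty values
    }
    foreach ($name in $Overrides.Keys) { $target[$name] = $Overrides[$name] }

    # Pre-flight: Office 365 trusts only tokens signed by SigningCertificate /
    # NextSigningCertificate, so an empty value would lock every user out.
    if (-not $target.ContainsKey('SigningCertificate')) { throw 'No signing certificate in settings' }
    $idpHost = ([Uri]$target.PassiveLogOnUri).Host
    foreach ($name in 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri', 'MetadataExchangeUri') {
        if ($target.ContainsKey($name)) { Assert-IdpEndpoint -Uri $target[$name] -ExpectedHost $idpHost }
    }

    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
        -PreferredAuthenticationProtocol $Protocol @target

    # Verify that the tenant now reports what was requested before declaring success.
    $after = Get-MsolDomainFederationSettings -DomainName $Domain
    if ("$($after.PreferredAuthenticationProtocol)" -ne $Protocol -or
        $after.PassiveLogOnUri -ne $target.PassiveLogOnUri -or
        $after.SigningCertificate -ne $target.SigningCertificate) {
        throw "Verification failed: tenant reports $($after.PreferredAuthenticationProtocol) at $($after.PassiveLogOnUri)"
    }
    return $after
}

# --- Switch WS-Federation -> SAML2P (steps 1-8 on the page) ---
$wsfed = Save-FederationSettings -Domain $DomainName -Label 'pf-wsfed'
Set-DomainFederation -Domain $DomainName -Settings $wsfed -Protocol Samlp -Overrides @{
    PassiveLogOnUri = "$IdpBase/idp/SSO.saml2"        # passive profile moves to SAML2P
    LogOffUri       = "$IdpBase/idp/startSLO.ping"    # SAML single logout
} | Format-List PreferredAuthenticationProtocol, PassiveLogOnUri, LogOffUri, SigningCertificate
Save-FederationSettings -Domain $DomainName -Label 'pf-samlp' | Out-Null

# --- Roll back to WS-Federation (troubleshooting section on the page); uncomment to run ---
# $latest   = Get-ChildItem $BackupDir -Filter 'dfs-pf-wsfed-*.xml' | Sort-Object LastWriteTime | Select-Object -Last 1
# $restored = Import-Clixml $latest.FullName
# Set-DomainFederation -Domain $DomainName -Settings $restored -Protocol WsFed
```

The rollback path re-applies the exported WS-Federation settings unchanged, so the same pre-flight checks and post-change verification run in both directions; the only thing that differs between switch-over and rollback is the two overridden passive-profile URIs and the protocol name.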