Change the federation protocol from WS-Federation to SAML2P in Office 365 using PowerShell.

  1. Sign on to Office 365 PowerShell as an administrator. 
    PS C:\Users\Administrator> Connect-MsolService
  2. Show current settings. 
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -domainName Office 365 domain name | Format-List *

ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
FederationBrandName             : Ping Identity
IssuerUri                       : Office 365 domain name
LogOffUri                       : https://pf1.pinggcs.com:9031/idp/prp.wsf
MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
NextSigningCertificate          :
PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/prp.wsf
PreferredAuthenticationProtocol : WsFed
SigningCertificate              : MIICX...
  3. Save the settings to a variable. 
    PS C:\Users\Administrator> $saml = Get-MsolDomainFederationSettings -DomainName Office 365 domain name
    Tip: Save the old settings to a file for easy recovery. 
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName Office 365 domain name | Export-Clixml dfs-pf-wsfed.xml
  4. Update the variable to use SAML2P endpoints for the passive profile. 
    PS C:\Users\Administrator> $saml.PassiveLogOnUri = "https://pf1.pinggcs.com:9031/idp/SSO.saml2"
PS C:\Users\Administrator> $saml.LogOffUri = "https://pf1.pinggcs.com:9031/idp/startSLO.ping"
  5. Disable SSO from the domain. 
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -Authentication Managed
  6. Use Set-MsolDomainAuthentication to set the $saml variable to enable federation. 
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -FederationBrandName $saml.FederationBrandName -Authentication Federated -PassiveLogOnUri $saml.PassiveLogOnUri -ActiveLogOnUri $saml.ActiveLogonUri -SigningCertificate $saml.SigningCertificate -IssuerUri $saml.IssuerUri -LogOffUri $saml.LogOffUri -PreferredAuthenticationProtocol "SAMLP"
  7. Review the results. 
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -domainName Office 365 domain name | Format-List *
                  
ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
FederationBrandName             : Ping GCS
IssuerUri                       : Office 365 domain name
LogOffUri                       : https://pf1.pinggcs.com:9031/idp/startSLO.ping
MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
NextSigningCertificate          :
PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/SSO.saml2
PreferredAuthenticationProtocol : Samlp
SigningCertificate              : MIICX...
  8. Save the new settings to a different file. 
    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName Office 365 domain name | Export-Clixml dfs-pf-samlp.xml

For troubleshooting, see the following to restore the federation protocol settings back to WS-Federation from SAML2P:

  1. Restore the saved settings to a variable. 
    PS C:\Users\Administrator> $wsfed = Import-Clixml dfs-pf-wsfed.xml
  2. Disable SSO from the domain. 
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -Authentication Managed
  3. Use Set-MsolDomainAuthentication to enable WS-Federation using the $wsfed variable. 
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogonUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "WSFED"