Changing the federation protocol in Office 365 from WS-Federation to SAML2P
Office 365 can use either SAML2P or WS-Federation to authenticate passive profiles or web-based clients. This task details changing the federation protocol configuration of your Office 365 domain from WS-Federation to SAML2P.
Before you begin
About this task
Change the federation protocol from WS-Federation to SAML2P in Office 365 using PowerShell.
Steps
- Sign on to Office 365 PowerShell as an administrator.
  PS C:\Users\Administrator> Connect-MsolService
- Show the current settings.
  PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName Office 365 domain name | Format-List *
  ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
  ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
  FederationBrandName             : Ping Identity
  IssuerUri                       : Office 365 domain name
  LogOffUri                       : https://pf1.pinggcs.com:9031/idp/prp.wsf
  MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
  NextSigningCertificate          :
  PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/prp.wsf
  PreferredAuthenticationProtocol : WsFed
  SigningCertificate              : MIICX...
- Save the settings to a variable.
  PS C:\Users\Administrator> $saml = Get-MsolDomainFederationSettings -DomainName Office 365 domain name
  Save the old settings to a file for easy recovery.
  PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName Office 365 domain name | Export-Clixml dfs-pf-wsfed.xml
- Update the variable to use the SAML2P endpoints for the passive profile.
  PS C:\Users\Administrator> $saml.PassiveLogOnUri = "https://pf1.pinggcs.com:9031/idp/SSO.saml2"
  PS C:\Users\Administrator> $saml.LogOffUri = "https://pf1.pinggcs.com:9031/idp/startSLO.ping"
- Disable SSO for the domain.
  PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -Authentication Managed
- Use Set-MsolDomainAuthentication with the values held in the $saml variable to re-enable federation, this time with SAML2P as the preferred protocol.
  PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -FederationBrandName $saml.FederationBrandName -Authentication Federated -PassiveLogOnUri $saml.PassiveLogOnUri -ActiveLogOnUri $saml.ActiveLogOnUri -SigningCertificate $saml.SigningCertificate -IssuerUri $saml.IssuerUri -LogOffUri $saml.LogOffUri -PreferredAuthenticationProtocol "SAMLP"
- Review the results.
  PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName Office 365 domain name | Format-List *
  ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
  ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
  FederationBrandName             : Ping GCS
  IssuerUri                       : Office 365 domain name
  LogOffUri                       : https://pf1.pinggcs.com:9031/idp/startSLO.ping
  MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
  NextSigningCertificate          :
  PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/SSO.saml2
  PreferredAuthenticationProtocol : Samlp
  SigningCertificate              : MIICX...
- Save the new settings to a different file.
  PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName Office 365 domain name | Export-Clixml dfs-pf-samlp.xml
Troubleshooting
To restore the federation protocol settings from SAML2P back to WS-Federation, use the file saved earlier:
- Load the saved settings into a variable.
  PS C:\Users\Administrator> $wsfed = Import-Clixml dfs-pf-wsfed.xml
- Disable SSO for the domain.
  PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -Authentication Managed
- Use Set-MsolDomainAuthentication with the values held in the $wsfed variable to re-enable federation with WS-Federation.
  PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName Office 365 domain name -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogOnUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "WSFED"
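The following script is an added example, not code from this page or from Ping Identity. It wraps both the WS-Federation to SAML2P switch in the Steps section and the rollback in the Troubleshooting section as two functions, and adds the checks an administrator would want around a change that briefly drops the domain to Managed authentication: the backup file is written before anything changes, the new passive-profile endpoints must be HTTPS and on the same host as the already-trusted ActiveLogOnUri, and after the change the signing certificate and IssuerUri are verified to be unchanged. The function names, the $DomainName and $PingFederateBaseUri parameters, and the backup file paths are assumptions; it assumes the MSOnline module used on this page is installed and Connect-MsolService has already been run.

```powershell
# Added example (not from the page or Ping Identity). Assumes the MSOnline
# module is loaded and Connect-MsolService has already succeeded.
# $DomainName and $PingFederateBaseUri are placeholders supplied by the caller.

function Assert-FederationEndpoint {
    # Refuse an endpoint that is not HTTPS or that is on a different host
    # than the IdP the domain already trusts.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $ExpectedHost
    )
    $parsed = [System.Uri] $Uri
    if ($parsed.Scheme -ne 'https') {
        throw "Endpoint $Uri is not HTTPS"
    }
    if ($parsed.Host -ne $ExpectedHost) {
        throw "Endpoint $Uri is on host $($parsed.Host); expected $ExpectedHost"
    }
}

function Switch-FederationToSaml2p {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $PingFederateBaseUri,   # e.g. https://pf1.example.com:9031 (placeholder)
        [string] $BackupPath = 'dfs-pf-wsfed.xml'
    )

    $current = Get-MsolDomainFederationSettings -DomainName $DomainName
    if ($current.PreferredAuthenticationProtocol -ne 'WsFed') {
        throw "Domain $DomainName is not using WS-Federation (found $($current.PreferredAuthenticationProtocol))"
    }

    # Write the recoverable copy before touching anything, and confirm it exists.
    $current | Export-Clixml -Path $BackupPath
    if (-not (Test-Path $BackupPath)) { throw "Backup $BackupPath was not written" }

    # SAML2P passive-profile endpoints, using the same PingFederate paths as the page.
    $passive = "$PingFederateBaseUri/idp/SSO.saml2"
    $logoff  = "$PingFederateBaseUri/idp/startSLO.ping"
    $trustedHost = ([System.Uri] $current.ActiveLogOnUri).Host
    Assert-FederationEndpoint -Uri $passive -ExpectedHost $trustedHost
    Assert-FederationEndpoint -Uri $logoff  -ExpectedHost $trustedHost

    # The domain has to go to Managed before federation can be re-enabled with a
    # different protocol; sign-ins are not redirected to the IdP in between, so
    # the two calls are kept back to back.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    Set-MsolDomainAuthentication -DomainName $DomainName `
        -Authentication Federated `
        -FederationBrandName $current.FederationBrandName `
        -IssuerUri $current.IssuerUri `
        -SigningCertificate $current.SigningCertificate `
        -ActiveLogOnUri $current.ActiveLogOnUri `
        -PassiveLogOnUri $passive `
        -LogOffUri $logoff `
        -PreferredAuthenticationProtocol 'SAMLP'

    # Post-change verification: only the passive endpoints and the protocol
    # should differ; the issuer and signing certificate must be unchanged.
    $after = Get-MsolDomainFederationSettings -DomainName $DomainName
    if ($after.PreferredAuthenticationProtocol -ne 'Samlp') { throw 'Protocol did not change to Samlp' }
    if ($after.SigningCertificate -ne $current.SigningCertificate) { throw 'Signing certificate changed unexpectedly' }
    if ($after.IssuerUri -ne $current.IssuerUri) { throw 'IssuerUri changed unexpectedly' }
    if ($after.PassiveLogOnUri -ne $passive) { throw 'PassiveLogOnUri was not applied' }
    $after | Export-Clixml -Path 'dfs-pf-samlp.xml'
    return $after
}

function Restore-FederationFromBackup {
    # Rollback from the Troubleshooting section, driven entirely by the saved file.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $BackupPath = 'dfs-pf-wsfed.xml'
    )
    if (-not (Test-Path $BackupPath)) { throw "Backup $BackupPath not found; nothing to restore" }
    $wsfed = Import-Clixml -Path $BackupPath

    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    Set-MsolDomainAuthentication -DomainName $DomainName `
        -Authentication Federated `
        -FederationBrandName $wsfed.FederationBrandName `
        -IssuerUri $wsfed.IssuerUri `
        -SigningCertificate $wsfed.SigningCertificate `
        -ActiveLogOnUri $wsfed.ActiveLogOnUri `
        -PassiveLogOnUri $wsfed.PassiveLogOnUri `
        -LogOffUri $wsfed.LogOffUri `
        -PreferredAuthenticationProtocol 'WSFED'

    $after = Get-MsolDomainFederationSettings -DomainName $DomainName
    if ($after.PreferredAuthenticationProtocol -ne 'WsFed') { throw 'Protocol did not return to WsFed' }
    return $after
}

# Usage (placeholders):
# Switch-FederationToSaml2p -DomainName 'contoso.example' -PingFederateBaseUri 'https://pf1.example.com:9031'
# Restore-FederationFromBackup -DomainName 'contoso.example'
```

The host check uses the existing ActiveLogOnUri as the reference rather than a hard-coded name, so a typo in the new passive endpoint cannot silently redirect browser sign-ins to a different server; the post-change comparison catches the case where a stale variable carried an old certificate or issuer into the Federated call.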