Use Cases

Changing the federation protocol in Office 365 from WS-Federation to SAML2P

Office 365 can use either SAML2P or WS-Federation to authenticate passive profiles or web-based clients. This task details changing the federation protocol configuration of your Office 365 domain from WS-Federation to SAML2P.

Before you begin

About this task

Change the federation protocol from WS-Federation to SAML2P in Office 365 using PowerShell.

Steps

  1. Sign on to Office 365 PowerShell as an administrator.

    PS C:\Users\Administrator> Connect-MsolService
  2. Show current settings.

    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Format-List *
    
    ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
    ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
    FederationBrandName             : Ping Identity
    IssuerUri                       : <Office 365 domain name>
    LogOffUri                       : https://pf1.pinggcs.com:9031/idp/prp.wsf
    MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
    NextSigningCertificate          :
    PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/prp.wsf
    PreferredAuthenticationProtocol : WsFed
    SigningCertificate              : MIICX...
  3. Save the settings to a variable.

    PS C:\Users\Administrator> $saml = Get-MsolDomainFederationSettings -DomainName <Office 365 domain name>

    Also export the current WS-Federation settings to a file so they can be restored if the change has to be rolled back.

    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Export-Clixml dfs-pf-wsfed.xml
  4. Update the variable to use the PingFederate SAML2P endpoints for the passive profile. The issuer, signing certificate and active (WS-Trust) endpoint are kept as they are.

    PS C:\Users\Administrator> $saml.PassiveLogOnUri = "https://pf1.pinggcs.com:9031/idp/SSO.saml2"
    PS C:\Users\Administrator> $saml.LogOffUri = "https://pf1.pinggcs.com:9031/idp/startSLO.ping"
  5. Convert the domain to managed authentication. This disables federated SSO for the domain until step 6 completes, so perform steps 5 and 6 back to back in a maintenance window.

    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -Authentication Managed
  6. Use Set-MsolDomainAuthentication with the values held in $saml to re-federate the domain, this time with SAML2P as the preferred authentication protocol.

    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -FederationBrandName $saml.FederationBrandName -Authentication Federated -PassiveLogOnUri $saml.PassiveLogOnUri -ActiveLogOnUri $saml.ActiveLogOnUri -SigningCertificate $saml.SigningCertificate -IssuerUri $saml.IssuerUri -LogOffUri $saml.LogOffUri -PreferredAuthenticationProtocol "SAMLP"
  7. Review the results. PassiveLogOnUri and LogOffUri now point at the SAML2P endpoints and PreferredAuthenticationProtocol is Samlp; the brand name, issuer, active endpoint and signing certificate are unchanged.

    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Format-List *
    
    ExtensionData                   : System.Runtime.Serialization.ExtensionDataObject
    ActiveLogOnUri                  : https://pf1.pinggcs.com:9031/idp/sts.wst
    FederationBrandName             : Ping Identity
    IssuerUri                       : <Office 365 domain name>
    LogOffUri                       : https://pf1.pinggcs.com:9031/idp/startSLO.ping
    MetadataExchangeUri             : https://pf1.pinggcs.com:9031/pf/sts_mex.ping?PartnerSpId=urn:federation:MicrosoftOnline
    NextSigningCertificate          :
    PassiveLogOnUri                 : https://pf1.pinggcs.com:9031/idp/SSO.saml2
    PreferredAuthenticationProtocol : Samlp
    SigningCertificate              : MIICX...
  8. Save the new settings to a different file.

    PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName <Office 365 domain name> | Export-Clixml dfs-pf-samlp.xml

Troubleshooting

If federated sign-in fails after the change, restore the WS-Federation settings that were exported in step 3:

  1. Restore the saved settings to a variable.

    PS C:\Users\Administrator> $wsfed = Import-Clixml dfs-pf-wsfed.xml
  2. Convert the domain to managed authentication again (federated SSO is unavailable until step 3 completes).

    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -Authentication Managed
  3. Use Set-MsolDomainAuthentication with the values held in $wsfed to re-federate the domain with WS-Federation as the preferred protocol.

    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogOnUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "WSFED"
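The cut-over in steps 3 to 8 and the rollback in the troubleshooting section are the same operation with different endpoint values, so they can share one script. The following PowerShell is an added example written for this page; it is not Ping Identity's or Microsoft's code. It assumes the MSOnline module is loaded and Connect-MsolService has already been run as an administrator, takes the domain name as a parameter, and derives the SAML2P endpoints from the PingFederate base URL shown in the page's output (the default is a placeholder; adjust it for your deployment). It adds two checks the manual steps do not: it refuses to federate if the saved settings carry no signing certificate, and it reads the settings back after the change and rolls back to the exported WS-Federation file automatically if they do not match what was requested.

```powershell
# Added example, not from the original page: switch an Office 365 domain from
# WS-Federation to SAML2P with a verified result and automatic rollback.
# Assumes MSOnline is installed and Connect-MsolService has already been run.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,    # your Office 365 domain
    [string]$IdpBaseUrl = "https://pf1.pinggcs.com:9031",   # placeholder PingFederate base URL
    [string]$BackupDir  = "."
)

# Re-federate a domain from a settings object. The page's procedure converts the
# domain to Managed before setting it to Federated again, so federated sign-in is
# unavailable between the two calls; run this in a maintenance window.
function Set-DomainFederation {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)]$Settings,
        [Parameter(Mandatory = $true)][ValidateSet('WsFed', 'Samlp')][string]$Protocol
    )
    # Never federate a domain to an IdP whose token-signing certificate is unknown.
    if ([string]::IsNullOrEmpty($Settings.SigningCertificate)) {
        throw "Refusing to federate $Domain without a signing certificate."
    }
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
        -FederationBrandName $Settings.FederationBrandName `
        -IssuerUri $Settings.IssuerUri `
        -PassiveLogOnUri $Settings.PassiveLogOnUri `
        -ActiveLogOnUri $Settings.ActiveLogOnUri `
        -LogOffUri $Settings.LogOffUri `
        -SigningCertificate $Settings.SigningCertificate `
        -PreferredAuthenticationProtocol $Protocol
}

# Read the settings back and confirm they match what was requested.
function Test-DomainFederation {
    param([string]$Domain, $Expected, [string]$Protocol)
    $actual = Get-MsolDomainFederationSettings -DomainName $Domain
    return ($actual.PreferredAuthenticationProtocol -eq $Protocol) -and
           ($actual.PassiveLogOnUri -eq $Expected.PassiveLogOnUri) -and
           ($actual.LogOffUri -eq $Expected.LogOffUri) -and
           ($actual.IssuerUri -eq $Expected.IssuerUri) -and
           ($actual.SigningCertificate -eq $Expected.SigningCertificate)
}

# 1. Export the current WS-Federation settings before touching anything.
$wsfedBackup = Join-Path $BackupDir "dfs-pf-wsfed.xml"
Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml $wsfedBackup

# 2. Build the SAML2P settings: same issuer, certificate and active endpoint,
#    PingFederate's SAML SSO and SLO endpoints for the passive profile.
$saml = Get-MsolDomainFederationSettings -DomainName $DomainName
$saml.PassiveLogOnUri = "$IdpBaseUrl/idp/SSO.saml2"
$saml.LogOffUri       = "$IdpBaseUrl/idp/startSLO.ping"

# 3. Cut over, verify, and roll back from the export if the result is wrong.
try {
    Set-DomainFederation -Domain $DomainName -Settings $saml -Protocol Samlp
    if (-not (Test-DomainFederation -Domain $DomainName -Expected $saml -Protocol Samlp)) {
        throw "settings read back from Office 365 do not match the requested SAML2P settings"
    }
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Export-Clixml (Join-Path $BackupDir "dfs-pf-samlp.xml")
    Write-Host "$DomainName is now federated with SAML2P."
}
catch {
    Write-Warning "Cut-over failed ($_); restoring WS-Federation from $wsfedBackup"
    $wsfed = Import-Clixml $wsfedBackup
    Set-DomainFederation -Domain $DomainName -Settings $wsfed -Protocol WsFed
}
```

Run it as `.\Switch-O365Federation.ps1 -DomainName <Office 365 domain name>` after Connect-MsolService. The rollback path is the same function fed the deserialized export, which is exactly the troubleshooting procedure above; keep the dfs-pf-wsfed.xml file, because it contains the signing certificate Office 365 trusts and is the quickest way back if PingFederate's SAML connection turns out to be misconfigured.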