Online Help

SafeNet Trusted Access for Office 365

Overview

Configuring SafeNet Trusted Access for Office 365 is a three-step process:

1. Office 365 setup

2. SafeNet Trusted Access setup

3. Verify authentication

Office 365 Setup

As prerequisites:

Sync your AD with Azure AD and STA or alternatively sync your Azure AD into STA. User syncing may overwrite user accounts in Azure.

Your DNS domain (for example, O365Domain.com) must be registered with Office 365 and federate back to STA.

Note:  By default, Office 365 provides a domain, yourname.onmicrosoft.com, which cannot be used for federation.

Download the Identity Provider Signing Certificate from the SafeNet Trusted Access console by clicking on Download x.509 Certificate. You will need this certificate in one of the steps below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Office 365:

1. Log on to the domain-joined computer, where you have installed the following:

Microsoft Online Services Sign-in Assistant

(Refer to http://www.microsoft.com/en-us/download/details.aspx?id=39267)

Windows Azure Active Directory Module for Windows PowerShell

Open PowerShell (above version 2.0) and run Install-Module MSOnline as described on https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell

Azure AD Connect

(Refer to https://www.microsoft.com/en-us/download/details.aspx?id=47594)

2. Open Windows Azure Active Directory Module for Windows PowerShell and then run the following command:

Connect-MsolService

3. On the Azure Active Directory PowerShell login window, enter your Windows Azure AD administrator login credentials of your DNS domain (for example, O365Domain.com) for which SSO is being configured.

4. Click Sign in.

5. Run the following command to ensure that the authentication type for your Office 365 domain (for example, O365Domain.com) is set as Managed:

Get-MsolDomain -DomainName <Domain Name>

If the authentication type is set as Federated, run the following command to change the authentication type to Managed:

Set-MsolDomainAuthentication -DomainName O365Domain.com -Authentication Managed

Note:  Before running this command to change the domain authentication type from Federated to Managed, it is recommended to take a backup of your existing configuration or contact your Administrator.

6. Gather the values of the federation parameters listed in the following table:

| Parameter | Description and Value |
|---|---|
| DomainName | The fully qualified domain name (FQDN) (for example, O365Domain.com) that is to be updated. |
| FederationBrandName | A federation brand name. For example, OrgName. |
| PassiveLogOnUri | The SingleSignOnService URL provided on the SafeNet Trusted Access console. |
| IssuerUri | Issuer/Entity ID provided on the SafeNet Trusted Access console. |
| LogOffUri | The SingleSignOnService URL provided on the SafeNet Trusted Access console. |
| SigningCertificate | The SafeNet Trusted Access token signing certificate that you downloaded from the SafeNet Trusted Access console. Save this certificate at a path (for example, C:\Path\Idp.crt) that is accessible from PowerShell. |

7. Run the following commands to set the federation parameters' values that you gathered in the previous step:

$dom = "<DomainName>"

$fedBrandName = "<FederationBrandName>"

$url = "<PassiveLogOnUri>"

$uri = "<IssuerUri>"

$logouturl = "<LogOffUri>"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "<SigningCertificate Location>"

$certData = [System.Convert]::ToBase64String($cert.RawData)

8. Run the following command to verify the values of the federation parameters that you set in the previous step (Step 7):

Get-Variable dom,fedBrandName,url,uri,logoutUrl,cert | fl Name,Value

9. Run the following command to convert the authentication type of the Office 365 domain from Managed to Federated using the federation parameters that you set in step 7:

Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

WARNING!  If you miss this step, SSO may not work.

10. Run the following command to ensure that the authentication type for your Office 365 domain (for example, O365Domain.com) is set to Federated:

Get-MsolDomain -DomainName <Domain Name>

11. Run the following command to view and verify the configuration settings:

Get-MsolDomainFederationSettings -DomainName <Domain Name>

Note:  For Managed domains, ActiveLogOnUri is not required.
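The following script is an added example, not part of the SafeNet help page or the MSOnline module's own documentation. It chains steps 5 through 11 above into one run, adds the checks a practitioner would want before touching a production domain (the downloaded STA signing certificate is the trust anchor for every SAML assertion the tenant will accept, so its validity period and thumbprint are printed and checked first), takes the backup that the note under step 5 recommends before switching a Federated domain to Managed, and reads the settings back after federation to confirm the tenant stored exactly the STA values. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the parameter names of the script itself and the backup file location are choices made here.

```powershell
# Added example (not from the SafeNet help page): federates an Office 365 domain to STA
# with pre-flight and post-change verification. Assumes Connect-MsolService has been run.
param(
    [Parameter(Mandatory)] [string] $DomainName,          # e.g. O365Domain.com
    [Parameter(Mandatory)] [string] $FederationBrandName, # e.g. OrgName
    [Parameter(Mandatory)] [string] $PassiveLogOnUri,     # SingleSignOnService URL from the STA console
    [Parameter(Mandatory)] [string] $IssuerUri,           # Issuer/Entity ID from the STA console
    [Parameter(Mandatory)] [string] $LogOffUri,           # LogOffUri value from the STA console
    [Parameter(Mandatory)] [string] $CertificatePath      # e.g. C:\Path\Idp.crt (downloaded x.509)
)

$ErrorActionPreference = 'Stop'

# 1. Load the IdP signing certificate and refuse to continue if it is not currently valid.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Signing certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
Write-Host "IdP signing certificate: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
$certData = [System.Convert]::ToBase64String($cert.RawData)

# 2. The domain must be Managed before it can be (re)federated. Capture and back up the
#    current state first, as the help text recommends.
$domain = Get-MsolDomain -DomainName $DomainName
Write-Host "Domain $DomainName is currently: $($domain.Authentication)"
if ($domain.Authentication -eq 'Federated') {
    $backupFile = Join-Path $env:TEMP "$DomainName-federation-backup.xml"   # backup location chosen here
    Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml -Path $backupFile
    Write-Host "Existing federation settings saved to $backupFile"
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

# 3. Federate the domain to STA using SAML-P (step 9 of the help text).
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -FederationBrandName $FederationBrandName -PassiveLogOnUri $PassiveLogOnUri `
    -IssuerUri $IssuerUri -LogOffUri $LogOffUri `
    -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

# 4. Read back what the tenant actually stored and compare it with the intended STA values
#    (steps 10 and 11 of the help text, done as assertions rather than by eye).
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
$problems = @()
if ((Get-MsolDomain -DomainName $DomainName).Authentication -ne 'Federated') { $problems += 'domain is not Federated' }
if ($settings.IssuerUri -ne $IssuerUri)             { $problems += "IssuerUri is '$($settings.IssuerUri)'" }
if ($settings.PassiveLogOnUri -ne $PassiveLogOnUri) { $problems += "PassiveLogOnUri is '$($settings.PassiveLogOnUri)'" }
if ($settings.LogOffUri -ne $LogOffUri)             { $problems += "LogOffUri is '$($settings.LogOffUri)'" }
if ($settings.SigningCertificate -ne $certData)     { $problems += 'SigningCertificate does not match the downloaded STA certificate' }
if ($problems) { throw "Federation verification failed: $($problems -join '; ')" }
Write-Host "Federation for $DomainName verified against the STA values."
```

The read-back in step 4 is the part worth keeping even if you run the cmdlets by hand: a federation whose stored IssuerUri or signing certificate differs from what the STA console shows means the tenant trusts assertions from the wrong issuer, and that is easier to catch as a failed comparison than by scanning the output of Get-MsolDomainFederationSettings.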

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Office 365, the second step is to activate the Office 365 application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Office 365 application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Office 365) and proceed to the next step.

2. Under STA Setup, in the NAME ID field, ensure that User Object GUID is selected as required by Office 365.

3. Click Save Configuration to save the details and activate the Office 365 application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the Office 365 login URL, such as https://login.microsoftonline.com, enter your email address, and click Next.

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Office 365 portal after authentication.

Using STA User Portal

Navigate to the https://userportal.safenetid.com/<organization-id> URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Office 365 application icon, and you should be redirected to the Office 365 portal after authentication.

Support for Modern Authentication in Office 365

Modern authentication in Office 365 is now supported with STA. Modern authentication enables authentication features such as multi-factor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.

Office Online Apps

Navigate to the Office 365 login URL, https://login.microsoftonline.com, enter your email address and click Next. You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Office 365 portal after authentication. Click on any of the Office apps (for example, Skype) and you should be successfully signed in to the Office app.

Office Native Desktop Apps

Modern authentication of Office native desktop apps is now supported with STA. Download the Microsoft Office Suite package (for example, 365ProPlusRetail) and install the package on your local machine. Open any of the installed Office desktop apps (for example, Skype), enter your email address, and click Next. On the login window, enter your STA credentials, and you should be successfully signed in to the Office app.

Office Native Mobile Apps

Modern authentication in Office native mobile apps (iOS and Android mobile devices) is now supported with STA.

Install any MS Office mobile app (for example, Skype for Business for Android). On the login window, enter the email address, and click Sign In. You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be successfully signed in to the Office 365 application.

Note:  To authenticate Skype for Business, as an administrator, you need to add a SIP record to the user attribute Proxy Address (proxyAddresses). For example, sip:forger@example.com. Perform the following steps to add a SIP record to the user attribute:

1. Save the below script with the .ps1 extension (for example, SIP.ps1) on the domain controller machine:

# Distinguished name of the domain or OU whose users get a SIP proxy address
$searchBase = 'OU=test,DC=casserver,DC=com'
$users = Get-ADUser -SearchBase $searchBase -SearchScope Subtree -Filter { ObjectClass -eq "user" } -Properties ProxyAddresses,mail

ForEach ($user in $users)
{
    $samAccount = $user.SamAccountName
    $Firstname = $user.givenName
    # Get-ADUser exposes the last name as Surname (AD attribute sn); there is no LastName property
    $LastName = $user.Surname
    # Replace casserver.com with your own SIP domain
    $newSip = "SIP:$Firstname$LastName@casserver.com"
    Write-Host "Adding $newSip to" $user.SamAccountName
    Set-ADUser -Identity $user.DistinguishedName -Add @{proxyAddresses = $newSip}
}

2. Perform the following steps to update the script in the file:

a. In the $searchBase variable, replace the given value with the distinguished name of the domain or organizational unit for which you would like to update the SIP record of the user(s).
b. In the $newSip variable, replace the given domain name with your domain name.

3. Run the updated script to update the SIP records of the domain users.
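The script above adds a SIP address unconditionally, so a second run against the same OU attempts to add a value that is already present and Set-ADUser fails for that user. The following variant is an added example, not SafeNet's script: it skips users that already carry a SIP proxy address, builds the address from the local part of each user's existing mail attribute (so the SIP address matches the mailbox rather than a concatenation of first and last name; this is a design choice made here, not something the help page prescribes), and supports -WhatIf so the planned changes can be reviewed before any directory write happens. The OU and domain values are placeholders, as in the original.

```powershell
# Added example (not from the SafeNet help page): idempotent, reviewable variant of SIP.ps1.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $SearchBase = 'OU=test,DC=casserver,DC=com',  # placeholder: DN of your OU or domain
    [string] $SipDomain  = 'casserver.com'                  # placeholder: your SIP domain
)

Import-Module ActiveDirectory

$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter 'ObjectClass -eq "user"' `
                    -Properties proxyAddresses, mail

$added = 0; $skipped = 0
foreach ($user in $users) {
    # Use the local part of the mail attribute; fall back to sAMAccountName when mail is empty.
    $localPart = if ($user.mail) { ($user.mail -split '@')[0] } else { $user.SamAccountName }
    $newSip = "SIP:$localPart@$SipDomain"

    # -match is case-insensitive, so both 'sip:' and 'SIP:' prefixes are detected.
    $existing = @($user.proxyAddresses) | Where-Object { $_ -match '^sip:' }
    if ($existing) {
        Write-Verbose "$($user.SamAccountName) already has $($existing -join ', '); skipping"
        $skipped++
        continue
    }

    # ShouldProcess honours -WhatIf (report only) and -Confirm (prompt per user).
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add proxyAddress $newSip")) {
        Set-ADUser -Identity $user.DistinguishedName -Add @{ proxyAddresses = $newSip }
        $added++
    }
}
Write-Host "SIP records added: $added; users skipped (already had one): $skipped"
```

Run it once with -WhatIf -Verbose (for example, .\Add-SipProxy.ps1 -SearchBase 'OU=Staff,DC=example,DC=com' -SipDomain 'example.com' -WhatIf -Verbose) to see which users would change and which are skipped, then run it again without -WhatIf to apply the change.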


© 2019 SafeNet Trusted Access. Various trademarks held by their respective owners.