The following topics describe how to administer OAM Identity Federation 11g R2PS2 (11.1.2.2.0) as an IdP for integration with Microsoft Office 365 when the latter is configured as an SP leveraging the SAML 2.0 standard. After the integration is implemented, an account in the Identity Repository can be used to access all web clients (including Office rich client apps connecting to SharePoint Online) and rich email clients that use basic authentication with a supported Exchange access method such as IMAP, POP, ActiveSync or MAPI. (The Enhanced Client Protocol endpoint must be deployed for this.)
The deployment assumes that:
Note: For non-Web-based client integration:
The OAM IdP endpoint must be accessible from the public network.
A trusted SSL certificate issued by a well-known entity must be used.
The following topics provide configuration details:
To configure Microsoft Office 365 for OAM integration:
The following topics describe how to configure OAM for integration with Microsoft Office 365:
See Identity Federation WLST Commands for details on how to use the WLST commands.
Perform these additional configurations if using non-Web clients. These steps will not impact Web-based integration.
Use the setSPPartnerAlternateScheme WLST command to set an alternative Authentication Scheme for the Service Provider partner to handle HTTP Basic authentication. For example:
setSPPartnerAlternateScheme(<partner>, "true", httpHeaderName="X-MS-Client-Application", httpHeaderExpression=".* Microsoft.Exchange..*", authnScheme="BasicScheme or BasicSessionlessScheme")
The values of httpHeaderName and httpHeaderExpression can be determined from the HTTP request sent from Office 365 to OAM. If you want to use other values, connect the email account with the rich clients and capture the HTTP request on the OAM server side.
Note: BasicSessionlessScheme is recommended because Office 365 only validates user credentials in order to obtain an assertion.
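Before applying the alternate scheme, it is worth checking the httpHeaderExpression against the header values captured from the Office 365 request, since a mismatch silently sends rich clients to the partner's normal scheme. The following is an added example, not part of the Oracle documentation or product code, that evaluates the expression from the command above against constructed header sets; it assumes a whole-value regular-expression match (as Java's String.matches() performs) and a placeholder default scheme name.

```python
import re

# Values taken from the setSPPartnerAlternateScheme example in the text.
HTTP_HEADER_NAME = "X-MS-Client-Application"
HTTP_HEADER_EXPRESSION = ".* Microsoft.Exchange..*"
ALTERNATE_SCHEME = "BasicSessionlessScheme"  # the scheme the text recommends for Office 365
DEFAULT_SCHEME = "DefaultScheme"             # placeholder for the partner's normal scheme


def select_authn_scheme(headers, header_name=HTTP_HEADER_NAME,
                        expression=HTTP_HEADER_EXPRESSION,
                        alternate=ALTERNATE_SCHEME, default=DEFAULT_SCHEME):
    """Return the scheme the alternate-scheme rule would select for one request.

    Assumptions (not taken from the text): the expression is a regular
    expression that must match the whole header value, as Java's
    String.matches() does, and header names compare case-insensitively.
    """
    pattern = re.compile(expression)
    for name, value in headers.items():
        if name.lower() == header_name.lower() and pattern.fullmatch(value):
            return alternate
    return default


def classify_requests(requests):
    """Map each request label to the scheme it would receive."""
    return {label: select_authn_scheme(hdrs) for label, hdrs in requests.items()}


# Constructed header sets, not captured from a real tenant; the text says to
# obtain real values by capturing the request Office 365 sends to OAM.
SAMPLE_REQUESTS = {
    # leading token, a space, then Microsoft.Exchange.<anything>: matches
    "rich-client": {"X-MS-Client-Application": "Outlook Microsoft.Exchange.ActiveSync"},
    # same header name in lower case; HTTP header names are case-insensitive
    "rich-client-lower": {"x-ms-client-application": "Outlook Microsoft.Exchange.Imap"},
    # no space before 'Microsoft': the expression's ' Microsoft' does not match
    "no-leading-space": {"X-MS-Client-Application": "Microsoft.Exchange.ActiveSync"},
    # the unescaped dots are wildcards, so this looser value also matches
    "wildcard-dots": {"X-MS-Client-Application": "x Microsoft-Exchange-Test"},
    # browser request with no client-application header: default scheme
    "browser": {"User-Agent": "Mozilla/5.0 (constructed)"},
}

if __name__ == "__main__":
    for label, scheme in classify_requests(SAMPLE_REQUESTS).items():
        print(f"{label:18} -> {scheme}")
```

Replace SAMPLE_REQUESTS with the header values captured on the OAM server and confirm every rich-client request resolves to the alternate scheme and every browser request to the default one.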
Use the updatePartnerProperty WLST command to update the configuration to send certificates in XML signatures.
updatePartnerProperty(<partner>,"sp","includecertinsignature","true","boolean")
With Basic Authentication, re-authentication may be required even after the request has already been authenticated.