40.9 Integrating OAM Identity Provider With Microsoft Office 365 Service Provider

The following topics describe how to administer OAM Identity Federation 11g R2PS2 (11.1.2.2.0) as an IdP for integration with Microsoft Office 365 when the latter is configured as an SP using the SAML 2.0 standard. After the integration is implemented, you can use an account in the Identity Repository to access all Web clients (including Office rich client applications that connect to SharePoint Online) and rich email clients that use Basic authentication with a supported Exchange access method such as IMAP, POP, ActiveSync or MAPI. (For this, the Enhanced Client Protocol (ECP) endpoint must be deployed.)

The deployment assumes that:

  1. OAM 11gR2PS2 has been installed and configured using SSL.
  2. An account has been created using the Oracle Access Management Console that defines the Administrator role for Office 365.
  3. Windows PowerShell 2.0 and Microsoft Online Services Module have been installed.
  4. An available domain name can be used as the federated domain in Office 365. Generally, this domain needs to be purchased.

Note:

For non-Web-based client integration:

  • The OAM IdP endpoint must be accessible from the public network.

  • A trusted SSL certificate issued by a well known entity must be used.

The following topics provide configuration details:

40.9.1 Configuring Microsoft Office 365 for OAM Integration

To configure Microsoft Office 365 for OAM integration:

  1. Add the domain name (for example, test.com) and verify it using the Office 365 Web administration center.
  2. Define the authentication scheme for the domain as Federated by running the Set-MsolDomainAuthentication PowerShell command.
    # Placeholders in angle brackets are replaced with the values for your deployment.
    $dom="<domain name>"
    $url="https://server_host:port/oamfed/idp/samlv20"
    $uri="<entityID>"
    $ecpUrl="https://server_host:port/oamfed/idp/soap"
    $logouturl="https://server_host:port/oamfed/idp/samlv20"
    # Base64 of the IdP signing certificate, without PEM header/footer lines.
    $cert="MIIB/DCCAWWgAwIBAgI......."
    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom `
     -Authentication Federated -ActiveLogOnUri $ecpUrl -PassiveLogOnUri $url `
     -SigningCertificate $cert -IssuerUri $uri `
     -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

    Note:

    The values for some of these parameters can be found in the OAM Identity Provider metadata.

  3. Create a user in the Federated domain by running the New-MsolUser PowerShell command.
    New-MsolUser -DisplayName <name> -UserPrincipalName <name@domain_name> `
     -UsageLocation <location> -BlockCredential $false -ImmutableId <immutableid>

    Values for UserPrincipalName and ImmutableId are required by Office 365 for Federation. In the SAML assertion, the value of ImmutableId will be stored in the SAML Subject using the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameID format. The UserPrincipalName will be stored in the SAML Attribute using the attribute name IDPEmail. In the OAM User Identity Store, the user entry must use the same attributes to store the values of UserPrincipalName and ImmutableId. Use the following:

    • mail=<name@domain_name (UserPrincipalName)>

    • uid=<immutableid>

    Note:

    If Office 365 was already in use before this integration, you can use an existing user for testing. You must know the values of the UserPrincipalName and ImmutableId attributes for the existing user.

  4. Assign a license to the user to make the applications provided by Office 365 available to the user.

40.9.2 Configuring OAM for Microsoft Office 365 Integration

The following topics describe how to configure OAM for integration with Microsoft Office 365:

See Identity Federation WLST Commands for details on how to use the WLST commands.

40.9.2.1 Configuring for Web and Non-Web Clients

To configure for Web and non-Web clients:

  1. Log in to the Oracle Access Management Console.
  2. Navigate to Available Services and enable the Identity Federation service.
  3. Navigate to Identity Provider Administration.
  4. Create a Service Provider Attribute Profile mapping.

    Table 40-7 Message Attribute Mapping

    Message Attribute Name   Value             Always Send
    ----------------------   ---------------   -----------
    IDPEmail                 $user.attr.mail   true

  5. Create a Service Provider Partner for Office 365 using the attributes and values.

    See Table 40-8 for details.

    Table 40-8 Office 365 Service Provider Attribute Values

    Provider Attribute          Value
    -------------------------   ---------------------------------------------------------------
    Name                        Office365
    Protocol                    SAML 2.0
    Service Details             Load from provider metadata
    Metadata File               Can be downloaded from:
                                https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
                                For customers in China using the China-specific instance of
                                Office 365, download from:
                                https://nexus.partner.microsoftonline-p.cn/federationmetadata/saml20/federationmetadata.xml
    NameID Format               persistent
    NameID Value                User ID Store Attribute + uid
    Attribute Mapping Profile   The attribute profile created in step 4 (Table 40-7)
    User Identity Store         The Identity Store used
    User Search Base DN         The base DN for user search
    SSO Response Binding        HTTP POST

  6. Optionally, set the default Authentication Scheme for the service provider partner using the setSPPartnerDefaultScheme WLST command.

    By default, OAM uses LDAPScheme for user authentication. To use another scheme, run the following command:

    setSPPartnerDefaultScheme(<partner>, <authnScheme>)
    

    See Additional Configurations for Non-Web Clients if you use non-Web clients.
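Tables 40-7 and 40-8 fix the contract between the OAM user entry and the assertion Office 365 receives: the persistent NameID must carry uid (the ImmutableId) and the IDPEmail attribute must carry mail (the UserPrincipalName), with urn:federation:MicrosoftOnline as audience. The following checker, added here as an example and not part of the Oracle documentation or of OAM, runs that contract against an assertion taken from the IdP, which is how to confirm the partner and attribute profile before touching the Office 365 side. The assertion embedded in it is constructed, with placeholder issuer, user values and signature; verifying the XML signature itself is outside what it does and must be done before any of these fields are trusted.

```python
"""Check that a SAML assertion carries what Office 365 requires from the OAM IdP.

Added example, not Oracle or Microsoft code. SAMPLE_ASSERTION is constructed
(placeholder issuer, user values and signature).
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
O365_AUDIENCE = "urn:federation:MicrosoftOnline"   # the providerid used on this page

# Constructed sample for a user entry with mail=alice@test.com, uid=alice-immutable-01.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>https://oam.example.com:14101/oam/fed</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice-immutable-01</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail">
      <saml:AttributeValue>alice@test.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_o365_assertion(assertion_xml, expected_uid, expected_mail):
    """Return a list of problems; empty means the assertion matches the user entry
    (uid -> ImmutableId in the NameID, mail -> UserPrincipalName in IDPEmail)."""
    a = ET.fromstring(assertion_xml)
    problems = []

    # Subject: persistent NameID whose value is the ImmutableId (uid).
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no Subject/NameID")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append(f"NameID format is {name_id.get('Format')!r}, expected persistent")
        if (name_id.text or "").strip() != expected_uid:
            problems.append("NameID does not equal the user's uid (ImmutableId)")

    # Attribute: exactly one IDPEmail value equal to the UserPrincipalName (mail).
    values = [v.text.strip() for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", NS)
        if v.text]
    if values != [expected_mail]:
        problems.append(f"IDPEmail attribute values {values} != [{expected_mail!r}]")

    # Audience: the assertion must be scoped to Office 365.
    audiences = [x.text.strip() for x in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if O365_AUDIENCE not in audiences:
        problems.append(f"audience {O365_AUDIENCE} missing")

    # Signature present, and carrying the certificate (needed once
    # includecertinsignature is set for non-Web clients).
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    elif a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("signature carries no X509Certificate")

    return problems


if __name__ == "__main__":
    print(check_o365_assertion(SAMPLE_ASSERTION, "alice-immutable-01", "alice@test.com"))
```

Feed it the assertion decoded from a SAMLResponse captured during the verification in 40.9.3 together with the uid and mail of the test user; every reported problem maps directly to one row of Table 40-7 or 40-8.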

40.9.2.2 Additional Configurations for Non-Web Clients

Perform these additional configurations if using non-Web clients. These steps will not impact Web-based integration.

  1. Use the setSPPartnerAlternateScheme WLST command to set an alternative Authentication Scheme for the Service Provider partner to handle HTTP Basic authentication. For example:

    setSPPartnerAlternateScheme(<partner>, "true",
      httpHeaderName="X-MS-Client-Application",
      httpHeaderExpression=".*Microsoft.Exchange..*",
      authnScheme="BasicSessionlessScheme")   # or "BasicScheme"

    The values of httpHeaderName and httpHeaderExpression can be determined from the HTTP request that Office 365 sends to OAM. To use other values, connect a rich client to the email account and capture the HTTP request on the OAM server side.

    Note:

    It is recommended to use BasicSessionlessScheme because Office 365 only validates user credentials to get an assertion.

  2. Use the updatePartnerProperty WLST command to update the configuration to send certificates in XML signatures.

    updatePartnerProperty(<partner>,"sp","includecertinsignature","true","boolean")

    With Basic authentication, the client may be asked to re-authenticate even after the request has already been authenticated.
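The alternate scheme in step 1 is selected by matching one request header against a regular expression, so it is worth checking, on captured requests, which clients end up on the Basic scheme and which fall through to the partner's default scheme. The following script, added here as an example and not OAM code, reproduces that selection for constructed requests; it assumes OAM evaluates httpHeaderExpression as a full match of the header value (Java-style regex semantics), which this page does not state, and the request text, host name and header values are constructed.

```python
"""Simulate the header-based alternate scheme selection configured in step 1.

Added example, not OAM code. Assumes the expression is applied as a full match
of the header value; requests below are constructed.
"""
import re

HEADER_NAME = "X-MS-Client-Application"
HEADER_EXPRESSION = r".*Microsoft.Exchange..*"   # expression used on this page
ALTERNATE_SCHEME = "BasicSessionlessScheme"      # the recommended alternate scheme
DEFAULT_SCHEME = "LDAPScheme"                    # OAM's default partner scheme


def parse_headers(raw_request):
    """Return a case-insensitive dict of headers from a raw HTTP/1.1 request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def select_authn_scheme(raw_request, pattern=HEADER_EXPRESSION):
    """Alternate scheme when the header is present and matches, else the default."""
    value = parse_headers(raw_request).get(HEADER_NAME.lower())
    if value is not None and re.fullmatch(pattern, value):
        return ALTERNATE_SCHEME
    return DEFAULT_SCHEME


# Constructed requests: an Exchange rich-client request with Basic credentials
# and a browser-initiated SAML request without the header.
EXCHANGE_REQUEST = ("POST /oamfed/idp/soap HTTP/1.1\r\nHost: oam.example.com\r\n"
                    "X-MS-Client-Application: Microsoft.Exchange.Autodiscover\r\n"
                    "Authorization: Basic REDACTED\r\n\r\n<soap/>")
BROWSER_REQUEST = ("GET /oamfed/idp/samlv20?SAMLRequest=... HTTP/1.1\r\n"
                   "Host: oam.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(select_authn_scheme(EXCHANGE_REQUEST))   # BasicSessionlessScheme
    print(select_authn_scheme(BROWSER_REQUEST))    # LDAPScheme
```

One thing the simulation makes visible: the dots in ".*Microsoft.Exchange..*" are unescaped regex metacharacters, so a header value such as MicrosoftXExchangeXFoo also selects the Basic scheme. If you want the match restricted to the literal product name, use ".*Microsoft\.Exchange\..*" in the WLST call instead; both forms accept the captured Exchange requests.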

40.9.3 Verifying Federation Single Sign-On

The following topics explain how to verify Federation SSO:

40.9.3.1 Verifying SP-Initiated SSO

To verify SP-initiated SSO:

  1. Open one of the following URLs.
    • http://portal.microsoftonline.com: on the login page, enter "xxx@test.com" in the user name field, then click the password field; at this point you should be automatically redirected to the OAM login page.

    • http://www.outlook.com/test.com: you should be automatically redirected to the OAM login page.

  2. Enter a user name and password in the displayed OAM login page and click Login.

    If SSO is successful, you are then logged into the Office 365 Web portal.

40.9.3.2 Verifying IDP-Initiated SSO

To verify IDP-initiated SSO:

  1. Open http://host:port/oamfed/idp/initiatesso?providerid=urn:federation:MicrosoftOnline&returnURL=http://portal.microsoftonline.com in a browser.
  2. Enter a user name and password in the displayed OAM login page and click Login.

    If SSO is successful, you will be logged into the Office 365 Web portal.

40.9.3.3 Verifying Federation with Non Web-based Clients

To verify federation with non Web-based clients:

  1. Add an Email account for an email client.
    • For a desktop email client such as Outlook, see http://help.outlook.com/en-ca/140/cc875899.aspx

    • For the native email app on an Android device, see http://office.microsoft.com/client/15/help/preview?AssetId=HA102823196&lcid=1033&NS=O365ENTADMIN&Version=15&CTT=5&origin=HA103787372

    • For an iOS device, see http://office.microsoft.com/client/15/help/preview?AssetId=HA102818554&lcid=1033&NS=O365ENTADMIN&Version=15&CTT=5&origin=HA102828259

    Note:

    When adding an email account using the Outlook client, after you input Your Name and Email Address in the User Information area, it auto-fills the User Name value in the Logon Information area with the value of Your Name. It is recommended that you change the value of Your Name to reflect the email address.

  2. Check that you can send and receive email successfully.