Integrating Office 365 with OAM and IdP

This is a continuation of the article where we configured OAM (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

Be sure to have read the article about pre-requisites.

The integration covers:

• Browser Federation SSO integration: This is the flow the user exercises when accessing the www.office365.com resources via a browser

• The www.office365.com prompts the user to enter email address

• The server detects that Federation SSO should be used for that domain and starts a Federation SSO flow the IdP

• IdP challenges the user, create a SAML Assertion and redirect the user to www.office365.com

• www.office365.com grants access to the user

• ActiveSync mail integration: In this flow, the user uses a mail application configured for Office 365

• When the mail application is started, it sends the user’s credentials (email address and IdP password) to Office 365. www.office365.com makes a direct connection over SSL to the IdP and uses the SAML 2.0 ECP protocol to send a SAML AuthnRequest and the user’s credentials via HTTP Basic Authentication

• The IdP validates those credentials and return a SAML Assertion via the ECP protocol

• Office 365 grants access to the mail application

It is important to note that integration with Office 365 for non SAML 2.0 components will not work, such as:

• Lync clients

• OWA Mobile Apps

This article is based on:

• The testing performed from Oracle team

• The Microsoft article regarding SAML 2.0 support for Office 365 and more specifically the technical document listing steps required to configure Office 365 (user management and Federation trust establishment)

• Microsoft Blog

• Technical document describing how to configure Office 365

Testing Environment

For this test integration, use the following approach:

• User alice at OAM:

  • Username (uid attribute): alice.appleton

  • Email address (mail attribute): alice.appleton@acme.com

  • First name (givenname attribute): Alice

  • Last name (sn attribute): Appleton

• User alice at Office 365 (see the Microsoft technical document on more information on how to create a user in Azure AD):

  • UserPrincipalName: alice.appleton@acme.com

  • ImmutableId: alice.appleton

  • DisplayName: Alice Appleton

  • FirstName: Alice

  • LastName: Appleton

  • UsageLocation: US

• Federation agreement:

  • SAML 2.0 NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • LDAP attribute used to populate SAML 2.0 NameID value: uid (because the NameID must match the ImmutableId)

• SAML Attribute contained in the SAML Assertion

  • Name: IDPEmail

  • LDAP Attribute used to populate this attribute value: mail (because the attribute value must match the UserPrincipalName)

• Office 365 specifics:

  • The domain name will be acme.com

  • The protocol used will be SAMLP

  • ActiveSync mail application will be supported OAM Configuration

Setting up Office 365 as an SP in IdP consists of:

• Creating an SP Attribute Profile in order to send the IDPEmail attribute containing the mail attribute

• Creating an SP partner for Office 365 and bind it to the new SP Attribute Profile

• Updating the Office 365 SP Partner configuration for

• SHA-1 hashing algorithm in signatures

• Inclusion of OAM’s signing certificate in outgoing SAML messages

• HTTP Basic Auth for ActiveSync mail integration

Office 365 Configuration

Please refer to the following Microsoft information when reading this section:

• Microsoft Blog

• Technical document describing how to configure Office 365

Windows Powershell

Ensure that the Windows Powershell tools are installed on the computer from which you will connect to Office 365 for administration purposes.

Provisioning IdP as a Partner in Office 365

Top create OAM as an IdP partner for the acme.com domain in Office 365, perform the following steps:

• Connect to Office 365 as the administrator for acme.com

• Connect-MsolService

• Set the following environment variables (the data used is the one retrieved from the pre-requisites section; note that the string for $idpSigningCert is on the same line as the $idpSigningCert =, and that it is a single line):

• $domainName = “acme.com”

• $BrandName - “ACME IdP”

• $browserSSOLoginURL = “https://acme.com/oamfed/idp/samlv20

• $ecpSSOURL = “https://acme.com/oamfed/idp/soap”

• $logoutURL = “https://acme.com/oamfed/idp/samlv20

• $issuerProviderID = “https://acme.com/oam/fed”

• $idpSigningCert = “MIIB+DCCAWGgAwIBAgIBCjANB……oInVUbGTBDMfqmW5iZ/wjpzItg==” $ssoProtocol = “SAMLP”

• Execute the following command using the above variables: Set-MsolDomainAuthentication -DomainName $domainName-FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri$browserSSOLoginURL -ActiveLogOnUri $ecpSSOURL -SigningCertificate$idpSigningCert -IssuerUri $issuerProviderID -LogOffUri $logoutURL-PreferredAuthenticationProtocol $ssoProtocol

OAM Configuration

SP Attribute Profile

To create a new SP Attribute Profile that will be set up to send the SAML IDPEmail Attribute containing the user’s UPN value, perform the following operations:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin port/oamconsole.

2. Navigate to Identity Federation, Identity Provider Administration.

3. Click on the Service Provider Attribute Profiles tab.

4. Click on the Create SP Attribute Profile button.

5. Enter a name for the new profile (for example Office365-attr-profile).

6. In the Attribute Mapping section, click Add.

7. Enter the following information:

   1. Message Attribute Name: IDPEmail

   2. Value: enter the LDAP user attribute containing the user’s UPN in the directory used by OAM (in this example: user, attr, mail)

   3. Always send: checked

8. Click OK.



Description of the illustration Attribute_Mapping.jpg

The Attribute Profile will be shown:

9. Click Save.

Description of the illustration Attribute_Profile.jpg

Office 365 SP Partner

To add Office 365 as an SP partner in OAM, perform the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin port/oamconsole

2. Navigate to Identity Federation, Identity Provider Administration

3. Click on the Create Service Provider Partner button

4. In the Create screen:

   1. Enter a name for the partner (for example Office365)

   2. Select SAML 2.0 as the Protocol

   3. Click Load Metadata and upload the SAML 2.0 Metadata =le for the Office 365

   4. Select Persistent as the NameID format

   5. Enter the LDAP user attribute that contains the user’s ImmutableId value (in this example, uid)

   6. Select the SP Attribute Profile that was previously created (in this example Office365-attr-profile)

5. Click Save

Description of the illustration Service_Provider_Partner.jpg

SHA-1 Hash Algorithm for Digital Signature

To configure OAM to use SHA-1 for signatures for the Office 365 SP partner, perform the following steps:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

2. Connect to the WLS Admin server: connect()

3. Navigate to the Domain Runtime branch: domainRuntime()

4. Execute the configureFedDigitalSignature() command:

configureFedDigitalSignature(partner="PARTNER_NAME", partnerType="sp",algorithm="SHA-256/SHA-1")

5. Replace PARTNER_NAME with the name of the added partner

   1. An example is: configureFedDigitalSignature(partner="Office365", partnerType="sp”, algorithm="SHA-1")

6. Exit the WLST environment: exit()

OAM’s Signing Certificate in XML Digital Signature

To configure OAM so that the Federation server includes its X.509 signing certificate in all outgoing signed SAML messages for the Office 365 SP partner, perform the following steps:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

2. Connect to the WLS Admin server: connect()

3. Navigate to the Domain Runtime branch: domainRuntime()

4. Execute the updatePartnerProperty() command: updatePartnerProperty("PARTNER_NAME", "sp", "includecertinsignature", "true""boolean")

5. Replace PARTNER_NAME with the name of the added partner An example is:

updatePartnerProperty("Office365", "sp", "includecertinsignature", "true", "boolean")

6. Exit the WLST environment: exit()

HTTP Basic Auth for ActiveSync Mail Integration

In the SAML 2.0 ECP flow, the Office 365 server makes a direct connection to IdP over SOAP over HTTPS and posts a SAML AuthnRequest message. Alongside the SOAP request, the HTTP request contains the user’s credentials as part of the HTTP Basic Authentication headers.

IdP must be configured to use an OAM HTTP Basic Authentication scheme to validate those credentials. Also this operation must not result in an OAM session to be created, since this is rather a credential validation operation initiated by the Office 365 server, and not the user involved with OAM. For those reasons, IdP must be configured to use a scheme based on:

• BASIC mode

• With the challenge parameters containing the CookieLessMode=true entry

The BasicSessionlessScheme can be used for this flow.

Also, OAM must be configured to send urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as a SAML 2.0 Authentication Method when the client is authenticated via the BasicSessionlessScheme.

To configure OAM to use HTTP Basic Authentication in the SAML 2.0 ECP flow, perform the following steps:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

2. Connect to the WLS Admin server: connect()

3. Navigate to the Domain Runtime branch: domainRuntime()

4. Execute the setSPPartnerAlternateScheme() command to instruct OAM to use BasicSessionlessScheme : setSPPartnerAlternateScheme(PARTNER_NAME, "true", httpHeaderName="X-MSClient-Application", httpHeaderExpression=".\*Microsoft.Exchange..\*" authnScheme="BasicSessionlessScheme")

5. Replace PARTNER_NAME with the name of the added partner

An example is: setSPPartnerAlternateScheme("Office365", "true", httpHeaderName="X-MS-Client-Application", httpHeaderExpression=".\*Microsoft.Exchange..\*" authnScheme="BasicSessionlessScheme")

6. Retrieve the OAM Fed partner profile used by the Office 365 SP partner in OAM:

getFedPartnerProfile(PARTNER_NAME "sp")

7. Replace PARTNER_NAME with the name of the added partner

An example is: getFedPartnerProfile("Office365", "sp") Write down the returned value

8. Execute the addSPPartnerProfileAuthnMethod() command to instruct OAM to send “urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport” as the SAML 2.0 Authentication Method when the client is authenticated via BasicSessionlessScheme: addSPPartnerProfileAuthnMethod(PARTNER_PROFILE,"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","BasicSessionlessScheme")

9. Replace PARTNER_PROFILE with the value retrieved in the earlier step

An example is: addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "BasicSessionlessScheme")

10. Exit the WLST environment: exit()

Testing

Browser SSO

To test the Browser SSO flows:

1. Open a browser

2. Go to http://office365.com

3. Click Sign In

4. Enter the user’s email address



Description of the illustration Signin_Page.jpg

5. Click Next

Office 365 attempts to locate your Office 365 domain based on the suffix of the email address

Once the domain has been located, Office 365 triggers a Federation SSO flow to redirect you to OAM / IdP for authentication



Description of the illustration Account_Found_Page.jpg

[Description of the illustration Account_Found_Page.jpg](files/Account_Found_Page.txt)

6. At IdP enter username/password (depending on the Authentication scheme used to authenticate Federated users, LDAPScheme in this example)

7. Click Login

Description of the illustration Access_Manager_Screen.jpg

IdP validates the credentials, create a SAML 2.0 Assertion and redirects the user back to Office 365 where the user is granted access:

Description of the illustration Office_Screen.jpg

A sample SAML 2.0 Assertion sent by OAM / IdP to Office 365 looks like:

<samlp:Response ... Destination="https://login.microsoftonline.com/login.srf" ID="ideBpq-cnpGfrWXMpBIjxN7QPQKa6WTVtnuZZr0Qe" InResponseTo="_d111d2a7-3475-4bc2-928f-34b83a4a0f64"IssueInstant="2014-01-18T16:58:05Z" Version="2.0"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">https://acme.com/oam/fed</saml:Issuer <samlp:Status><samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>

<saml:Assertion ID="id-nTZcRuTaECKj2X9wzUTn7e-CknyECbGljTSo1T70"

IssueInstant="2014-01-18T16:58:05Z" Version="2.0"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">https://acme.com/oam/fed</saml:Issuer

<dsig:Signature>

<dsig:SignedInfo>

<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-ex c14n#"/>

<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rs sha1"/>

<dsig:Reference URI="#id-nTZcRuTaECKj2X9wzUTn7e-CknyECbGljTSo1T70">

<dsig:Transforms>

<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelope signature"/>

<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</dsig:Transforms>

<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"

<dsig:DigestValue>6iKaxdO74Xi5eRnv0X7nsmN/y10=</dsig:DigestValue>

</dsig:Reference>

</dsig:SignedInfo>

<dsig:SignatureValue>WYCBhIgPLafDeXroMSME80/QM...K/sNsI=

</dsig:SignatureValue>

<dsig:KeyInfo>

<dsig:X509Data>

<dsig:X509Certi=cate>MIIB+DCCAWGgA...plaoMZLcRoInVUbGTBDMfqmW5iZ/wjpzItg==

</dsig:X509Certi=cate>

</dsig:X509Data>

</dsig:KeyInfo>

</dsig:Signature>

<saml:Subject>

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"NameQuali=er="https://acme.com/oam/fed"SPNameQuali=er="urn:federation:MicrosoftOnline">alice.appleton</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml:SubjectConfirmationData InResponseTo="_d111d2a7-3475-4bc2-928f-

34b83a4a0f64" NotOnOrAfter="2014-01-18T17:03:05Z"

Recipient="https://login.microsoftonline.com/login.srf"/></saml:SubjectCon=rmatio

</saml:Subject>

<saml:Conditions NotBefore="2014-01-18T16:58:05Z"

NotOnOrAfter="2014-01-18T17:03:05Z">

<saml:AudienceRestriction>

<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>

</saml:AudienceRestriction>

</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2014-01-18T16:58:05Z" SessionIndex="id-IMSvfoQa8uVVtSmN-lrdOfgEVKFJHF8AhmIDzj-"

SessionNotOnOrAfter="2014-01-18T17:58:05Z">

<saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnCon </saml:AuthnContext>

</saml:AuthnStatement>

<saml:AttributeStatement>

<saml:Attribute Name="IDPEmail"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema xsi:type="xs:string">alice.appleton@acme.com</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

</saml:Assertion>

</samlp:Response>

ActiveSync Mail Application

For this test, add an Exchange email account on an iPhone. During the setup, the iPhone mail application sends the email address and password to Office 365 mail server, which extracts the user identifier from the email address and perform the SAML 2.0 ECP protocol with HTTP Basic Authentication.

Note: A similar flow is exercised if the setup involved an Outlook Desktop application instead of the iPhone mail native application.

Perform the following steps to set up the iPhone with Office 365:

1. Go to Settings

2. Go to Mail

3. Add Account

4. Select Exchange



Description of the illustration Add_Account.jpg

5. Enter the email address (alice.appleton@acme.com in this example)

6. Password at OAM for the user (password for alice.appleton user; remember that the identifier will be used as the HTTP Basic Authentication username, alice.appleton in this example)



Description of the illustration Exchange_Screen.jpg

7. Click Next

The mail application sends the user account information to Office 365 mail server Office 365 mail server interacts with OAM / IdP via the SAML 2.0 ECP protocol to validate the data, with the user identifier and password sent via HTTP Basic Authentication to OAM / IdP



Description of the illustration Verifying_Screen.jpg

Upon successful validation, the iPhone shows:



Description of the illustration iphone_Screen.jpg

8. After showing the successful validation, the iPhone displays a screen allowing the user to select which feature to enable. After selecting the features, save. The account is set up now.

Description of the illustration Account_Setup.jpg

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Integrating Office 365 with OAM and IdP

F60938-01

September 2022

Copyright © 2022, Oracle and/or its affiliates.