VMware Identity Manager and Office 365 Integration


Office 365 Prerequisites

For Office 365 SSO to work with VMware Workspace ONE (VMware Identity Manager) you need a few prerequisites.

  • Microsoft Office 365 Business Premium account
  • Access and credentials for the Microsoft Office 365 Tenant Admin Portal
  • The userPrincipalName and objectGUID attributes enabled in Workspace ONE (Office 365 identifies the federated user by these values)
  • The MSOnline (Azure Active Directory) PowerShell module installed on a Windows server; it depends on the Microsoft Online Services Sign-In Assistant (msoidcli_64.msi)

Change the O365 domain from Managed to Federated:

Connect via PowerShell with Connect-MsolService and enter your O365 admin credentials.
Get-MsolDomain lists the domains in the tenant and shows whether each one is Managed or Federated.

Now build the Set-MsolDomainAuthentication command that changes the O365 domain from managed to federated.

Put all required options on one line and paste it into the PowerShell window that is connected to O365:

Set-MsolDomainAuthentication -DomainName yourDomain -Authentication Federated -IssuerUri "AnyUniqueID" -FederationBrandName "WorkspaceName" -PassiveLogOnUri "https://WorkspaceURL:443/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://WorkspaceURL/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri "https://WorkspaceURL/SAAS/auth/wsfed/services/mex" -SigningCertificate YourWorkspaceCert

The certificate you need is the IdP signing certificate shown on the SAML Metadata page in Workspace ONE (the base64 X509Certificate value, without line breaks).
If you get the message that you cannot change your primary (default) domain, make the onmicrosoft.com domain the default for the time being: the default domain cannot be converted to federated.

To change the default domain:
Set-MsolDomain -Name "yourdomain.onmicrosoft.com" -IsDefault

Issues:
The IssuerUri must be a unique value of its own, not one of the values already used elsewhere in the command (brand name, URLs). Office 365 rejects an IssuerUri that is already in use, so you will get an error if it is not unique.

If all went well, Get-MsolDomain shows the domain as Federated and your SSO to O365 should work.
You do not need to set the federated domain back as the default domain; Office 365 will not let you do that anyway.
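The whole procedure above (connect, check the domain, move the default domain out of the way, federate, verify) as one PowerShell script. This is an added example, not code from the original post or from VMware/Microsoft; the domain name, the Workspace ONE hostname, the IssuerUri value and the Workspace ONE metadata URL it downloads the signing certificate from are assumptions, so adjust them for your tenant. It uses only the MSOnline cmdlets the post uses plus Get-MsolDomainFederationSettings for the final check, and it also prints the thumbprint and expiry of the IdP certificate, because an expired IdP certificate breaks every Office 365 login for the federated domain.

```powershell
# Added example (not from the original post): federate an Office 365 domain with
# VMware Identity Manager / Workspace ONE using the MSOnline module.
# Assumed values: $Domain, $Fallback, $WorkspaceUrl, $IssuerUri and the metadata URL.
param(
    [string]$Domain       = 'yourDomain',                 # domain to federate (assumed)
    [string]$Fallback     = 'yourdomain.onmicrosoft.com', # initial tenant domain (assumed)
    [string]$WorkspaceUrl = 'WorkspaceURL',               # Workspace ONE FQDN (assumed)
    [string]$IssuerUri    = "urn:federation:$Domain",     # must be unique in O365 (assumed value)
    [string]$BrandName    = 'WorkspaceName'
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for the O365 admin credentials

# 1. Look at the domain before changing anything.
$d = Get-MsolDomain -DomainName $Domain -ErrorAction Stop
if ($d.Authentication -eq 'Federated') {
    Write-Host "$Domain is already federated; current settings:"
    Get-MsolDomainFederationSettings -DomainName $Domain
    return
}
if ($d.Status -ne 'Verified') { throw "$Domain is not verified in the tenant; verify it first." }

# 2. The default domain cannot be federated, so make the onmicrosoft.com domain default first.
if ($d.IsDefault) {
    Write-Host "$Domain is the default domain; making $Fallback the default"
    Set-MsolDomain -Name $Fallback -IsDefault
}

# 3. Fetch the IdP signing certificate from the Workspace ONE SAML metadata (assumed URL)
#    instead of pasting the base64 blob by hand. Use the signing KeyDescriptor, not encryption.
$metaUrl = "https://$WorkspaceUrl/SAAS/API/1.0/GET/metadata/idp.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$kd = @($meta.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) |
      Where-Object { $_.use -ne 'encryption' } | Select-Object -First 1
$certB64 = ($kd.KeyInfo.X509Data.X509Certificate -replace '\s', '')

# Check the certificate parses and warn early about expiry.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($certB64))
Write-Host ("IdP signing cert {0}, expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'IdP certificate expires within 30 days' }

# 4. Federate the domain. IssuerUri must not collide with any other federated domain.
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -IssuerUri           $IssuerUri `
    -FederationBrandName $BrandName `
    -PassiveLogOnUri     "https://${WorkspaceUrl}:443/SAAS/API/1.0/POST/sso" `
    -ActiveLogOnUri      "https://$WorkspaceUrl/SAAS/auth/wsfed/active/logon" `
    -LogOffUri           'https://login.microsoftonline.com/logout.srf' `
    -MetadataExchangeUri "https://$WorkspaceUrl/SAAS/auth/wsfed/services/mex" `
    -SigningCertificate  $certB64

# 5. Verify what Office 365 now holds for the domain.
(Get-MsolDomain -DomainName $Domain).Authentication
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
```

Run it from a PowerShell session on the server where the MSOnline module is installed. Note that Microsoft has deprecated the MSOnline module in favour of the Microsoft Graph PowerShell cmdlets; the steps and values are the same, only the cmdlet names differ.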

Troubleshooting tools:

To trace SAML and WS-Federation flows you can use the Chrome add-on "SAML and WS-Federation tracer" by rcFederation.
It shows the requests and responses exchanged with Workspace ONE and Office 365, so you can see where the SAML flow fails.
