VMware Identity Manager and Office 365 Integration


Office 365 Prerequisites

For Office 365 SSO to work with VMware WorkspaceONE you need to have a few prereqs.

  • Microsoft Office 365 Business Premium account
  • Access and credentials for the Microsoft Office 365 Tenant Admin Portal
  • The userPrincipalName and objectGUID attributes enabled in WorkspaceONE
  • PowerShell installed on the Windows server, together with the Azure PowerShell module (msoidcli_64.msi)

Change the O365 from Managed to Federated:

Connect via PowerShell with Connect-MsolService and enter your O365 admin credentials.
With Get-MsolDomain you can check the available domains.

Now you need to build the command that changes the O365 domain from managed to federated.

Assemble all the required options into one string and paste it into the PowerShell window that is connected to O365:

Set-MsolDomainAuthentication -DomainName yourDomain -Authentication Federated -IssuerUri "AnyUniqueID" -FederationBrandName "WorkspaceName" -PassiveLogOnUri "https://WorkspaceURL:443/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://WorkspaceURL/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri "https://WorkspaceURL/SAAS/auth/wsfed/services/mex" -SigningCertificate YourWorkspaceCert

The certificate you need is found in WorkspaceONE on the SAML Metadata page.
If you get the message that you cannot change your primary domain, make the Microsoft domain the default for the time being, and convert it back to your desired state after the domain has been federated.

To change the default domain:
Set-MsolDomain -Name "yourdomain.onmicrosoft.com" -IsDefault

PowerShell Script to Federate

Now that you have seen how it works, you can also use this SetFederation PowerShell script I created.

# This PowerShell script helps you federate Office 365 to VMware Identity Manager.
# Source: http://10.0.1.160/vmware-identity-manager-and-office-365-integration/
# Set the variables below to configure the setup, then run the script.

$DomainName = "bla.com"                          # the O365 domain to federate
$IssuerUri = "Enter unique Name"                 # must be unique within the tenant
$FederationBrandName = "Enter federation Name"
$PassiveLogOnUri = "https://<Your-vIDM-Domain>/SAAS/API/1.0/POST/sso"
$ActiveLogOnUri = "https://<Your-vIDM-Domain>/SAAS/auth/wsfed/active/logon"
$MetadataExchangeUri = "https://<Your-vIDM-Domain>/SAAS/auth/wsfed/services/mex"
# The signing certificate is a long base64 string (it looks like h8gciLuPefFjMdhDJc2...) and can be
# found on the SAML metadata page in VMware Identity Manager or the WS1 portal.
$SigningCertificate = "<PasteYourSigningCertificateHere>"

# Connect-MsolService connects to O365 via PowerShell. Use an O365 admin account to log in.
Connect-MsolService

# Get-MsolDomain shows the current domains and whether they are managed or federated.
Get-MsolDomain

Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated -IssuerUri $IssuerUri -FederationBrandName $FederationBrandName -PassiveLogOnUri $PassiveLogOnUri -ActiveLogOnUri $ActiveLogOnUri -LogOffUri "https://login.microsoftonline.com/logout.srf" -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $SigningCertificate

Issues:
I had issues with the IssuerUri: it has to be unique, and cannot reuse a value that already appears elsewhere in the string. You will get an error if it is not unique!

If all is good you will see that the federation is enabled, and your SSO to O365 should work fine.
You do not need to set the domain back as the default domain; you will not be able to do so anyway.
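The three failure modes above (the domain is still the default, the domain is already federated, or the IssuerUri collides with another federated domain) can all be checked before Set-MsolDomainAuthentication is run, and the result verified afterwards. This is an added example, not the script from this post: it assumes the MSOnline module is loaded and Connect-MsolService has already succeeded, and the function names Test-FederationPrereqs and Confirm-Federation are my own.

```powershell
# Added pre-flight checks for the federation change described above (example code, not the post's script).
# Assumes the MSOnline module is imported and Connect-MsolService has already been run.
function Test-FederationPrereqs {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $IssuerUri,
        [Parameter(Mandatory)] [string] $SigningCertificate   # base64 value from the vIDM SAML metadata page
    )
    $problems = @()

    # 1. The domain must exist and still be Managed; an already federated domain has to be
    #    converted back to Managed before it can be federated again.
    $domain = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
    if (-not $domain) { $problems += "Domain $DomainName was not found in the tenant." }
    elseif ($domain.Authentication -ne 'Managed') { $problems += "Domain is already $($domain.Authentication)." }

    # 2. The default (primary) domain cannot be converted; make the onmicrosoft.com domain default first.
    if ($domain -and $domain.IsDefault) { $problems += "Domain is the default domain; run Set-MsolDomain -Name <tenant>.onmicrosoft.com -IsDefault first." }

    # 3. The IssuerUri must not collide with one already stored for another federated domain.
    foreach ($fedDomain in (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })) {
        $fed = Get-MsolDomainFederationSettings -DomainName $fedDomain.Name
        if ($fed.IssuerUri -eq $IssuerUri) { $problems += "IssuerUri '$IssuerUri' is already used by $($fedDomain.Name)." }
    }

    # 4. The signing certificate must decode to a real X.509 certificate that has not expired.
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($SigningCertificate))
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "Signing certificate expired on $($cert.NotAfter)." }
    } catch { $problems += "SigningCertificate is not a valid base64-encoded X.509 certificate." }

    return $problems
}

# After Set-MsolDomainAuthentication, read back what the tenant actually stored.
function Confirm-Federation {
    param([Parameter(Mandatory)] [string] $DomainName)
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri | Format-List
    return ((Get-MsolDomain -DomainName $DomainName).Authentication -eq 'Federated')
}

# Usage (placeholder values):
# $issues = Test-FederationPrereqs -DomainName 'yourDomain' -IssuerUri 'AnyUniqueID' -SigningCertificate $SigningCertificate
# if ($issues) { $issues } else { <run Set-MsolDomainAuthentication as above>; Confirm-Federation -DomainName 'yourDomain' }
```

Running Test-FederationPrereqs first turns the cryptic errors the post mentions into a readable list, and Confirm-Federation shows whether the URIs the tenant stored match what vIDM expects.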

Troubleshooting tools:

To trace SAML and WS-Federation flows you can use the Chrome add-on rcFederation SAML and WS-Federation tracer.
This tool helps you trace possible SAML failures.

Office 365 Web Apps

To get the Online apps working you need to create web links in the vIDM portal that point to the URLs below. If you use the normal links, you will always be redirected to the Office Portal landing page. Use this O365 Icon Set to add pretty icons to the links. Be sure to change domain.com in the links to your federated domain!

Outlook Web:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid+profile&redirect_uri=https%3a%2f%2foutlook.office365.com&domain_hint=domain.com

Outlook Calendar:
https://outlook.office.com/owa/?realm=domain.com&path=/calendar/view/Month

Excel Online:
https://login.microsoftonline.com/login.srf?wa=wsignin1%2E0&rver=6%2E1%2E6206%2E0&wreply=https%3A%2F%2Foffice.live.com%2Fstart%2FExcel.aspx%3Fauth%3D2&whr=domain.com

Word Online:
https://login.microsoftonline.com/login.srf?wa=wsignin1%2E0&rver=6%2E1%2E6206%2E0&wreply=https%3A%2F%2Foffice.live.com%2Fstart%2FWord.aspx%3Fauth%3D2&whr=domain.com

OneDrive:
https://login.microsoftonline.com/login.srf?wa=wsignin1%2E0&rver=6%2E1%2E6206%2E0&wreply=https%3A%2F%2Fdomain-my.sharepoint.com%2F&whr=domain.com

Teams:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=5e3ce6c0-2b1f-4285-8d4b-75ee78787346&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=44cbeba2-a466-4e3c-9311-6a496edece64&&client-request-id=278ae9b0-0940-4389-abb3-3b5a8afcbb7e&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=142a4077-3679-4307-950b-3621bc350cf0&domain_hint=domain.com

SharePoint Online:
https://login.microsoftonline.com/login.srf?wa=wsignin1%2E0&rver=6%2E1%2E6206%2E0&wreply=https%3A%2F%2Fdomain.sharepoint.com%2F&whr=domain.com

OneNote:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=2d4d3d8e-2be3-4bef-9f87-7875a61c29de&response_mode=form_post&response_type=code+id_token&scope=openid+profile&redirect_uri=https%3a%2f%2fwww.onenote.com%2fnotebooks%3fauth%3d2&domain_hint=domain.com

Apps Access:
https://account.activedirectory.windowsazure.com/r?whr=domain.com#/applications

Planner:
https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post&response_type=id_token+code&scope=openid&nonce=a0243d38-4633-4087-9298-ed6e47d69adb.636615430888811390&state=https%3a%2f%2ftasks.office.com%2f%3fmkt%3den-US&client_id=09abbdfd-ed23-44ee-a2d9-a627aa1c90f3&redirect_uri=https%3a%2f%2ftasks.office.com%2fauth%2fsignin&domain_hint=domain.com

PowerPoint: 
https://login.microsoftonline.com/login.srf?wa=wsignin1%2E0&rver=6%2E1%2E6206%2E0&wreply=https%3A%2F%2Foffice.live.com%2Fstart%2Fpowerpoint.aspx%3Fauth%3D2&whr=domain.com

Dynamics 365:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=bab47555-038a-4434-a931-96cc6091cdd7&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dobkO7wRb5yaIDrOdhoHvtIgqo_78hXu0NBTYoa0qsx6Jx43ASKbAiO8AkCEnBcoDggTF84rFdVGqjV8B7CsE3DJ2o43pCuT-chaDVQ_kud-SxA0oFS1Vf-lGKp7NBsUA&nonce=636615439062512441.YjcxOWNjN2UtNTM3OS00ZmVhLTlkNDAtMzBmOGQwMmUzNzUyNTEyMGY0MTgtNDQ3OC00NWM0LWIzNGQtZDQ5OWZjZjVlYWIx&redirect_uri=https%3a%2f%2fhome.dynamics.com%2f&post_logout_redirect_uri=https%3a%2f%2fhome.dynamics.com&domain_hint=domain.com

Source for these weblinks

2 thoughts on "VMware Identity Manager and Office 365 Integration"

  1. William Alonso

    What happens if the O365 domain is already federated before executing the PS command?

    1. LaurensvanDuijn (post author)

      It will say that it's not possible unless you change back to managed and re-federate it.
