Office 365 Apps
Office 365 lets users use the Single Sign-On functionality to log into their Office 365 account with one set of login credentials. This eliminates the need for user-managed passwords and reduces the risk of phishing. The Office 365 Single Sign-On setup leverages the existing on-premise Active Directory infrastructure and provides seamless integration without the need to manage multiple on-premise and cloud identities.
Prerequisites
- Verify your on-premise UPN Domain in Azure AD/Office 365 Tenant.
- Install, configure & link your Office 365 and on-premise Active Directory user accounts using Azure AD connect.
- Sync the on-premise Active Directory with the Azure Active Directory.
- Requires Global Admin access to the Office 365 Tenant, which can be used to connect using PowerShell.
- The Accops HySecure Gateway with a public DNS name and valid SSL Certificate.
- The Management Console of the HySecure Gateway uses Security Officer level privileges.
- Shell Access to the HySecure Gateway.
Configurations
Configure HySecure as IdP for SAML Application.
Note
This configuration is applicable for HySecure 5427 with the Hotfix 0006 and above.
Configuration Steps
-
Configure HySecure gateway as SAML identity provider.
- Login into the HySecure management console.
- Navigate to Settings > Services Config > SAML Identity Provider.
- Create a new SAML Identity Provider.
- Enter the following details:
- Domain Name: Select the configured HySecure domain that is used to authenticate the user from the authentication server.
- Entity ID: Enter the unique shared data between IdP and SP in the format https://hostname
- Single Sign On Service Endpoint: Enter the IdP URL (HySecure) where SP will connect for SAML SSO.
- Single Logout Service Endpoint: Enter the IdP Logout URL where SP will connect for SAML Logout.
- NameId Format: Select the name identifier for the providers to communicate with each other regarding the user.
- Certificate Signing Options: Select the available SAML Signing Options (The default value is Sign SAML Assertion).
- Certificate signing Algorithm: Select the SAML assertion signing Algorithm (Default value is SHA 1).
- CA Certificate for Signing: Select the CA Certificate used to sign the SAML assertion. Use the certificate that is configured in the SP; if the HySecure certificate is used in the SAML SP, this can be left at the default value.
-
Publish the SAML SSO-based HTTPS application in the HySecure gateway.
- Select the SAML identity provider that is created.
- Select the preconfigured service provider.
- Verify the mapping attributes. Use the following for Office 365:
- Object GUID: NameID
- EmailID: IDPEmail
Important
SAML Certificates are stored at the location: /home/fes/fescommon/certs/saml_certs/{IDP_Name}
Set up HySecure Identity Provider (IdP) for Office 365
-
Log in with a digital certificate to the Accops HySecure Gateway using a Security Officer's credentials.
-
Navigate to Apps > Apps and click Add
-
Create a new application named Office365.
- Type: HTTPS
- Name: Office365
- Description: Office365
- Application Server Address: login.microsoftonline.com
- Application Port: 443
- Protocol: TCP
- Web URL: https://login.microsoftonline.com/
- Use Reverse Proxy: No
- Hidden Application: No
- Hide Access Pop-up : No
- Enable App Tunneling : Yes
- Enable L3 VPN Tunneling : No
- Enable Single Sign-on : Yes
- Authentication Type : SAML Based
- Select Identity Provider: Select the created SAML IdP
- Preconfigured Service Provider : Office365
- Service Provider Login URL: https://login.microsoftonline.com/login.srf?sso_reload=true
- Service Provider Logout URL : https://login.microsoftonline.com/logout.srf
- Audience : urn:federation:MicrosoftOnline
- Issuer : https://gateway.accops.cloud (HySecure Gateway Address)
- Service Provider Relay State: Enter Relay State if the application is configured with any relay state.
- Mapping Attributes: Add the mapping attributes which will be sent in the SAML response to the Application.
-
Add the Office365 app into a New/Existing Application Group.
-
Create/Update an Application Access in the New/Existing Access Controls.
-
Verify the SAML SSO Certificate in the Accops HySecure Gateway.
Ensure the following files are available in the Accops HySecure Gateway:
Certificate Path: /home/fes/fescommon/certs/
-rw-r--r-- 1 apache apache 1024 Aug 20 16:49 CA_Certificate_TestIDP.crt
-rw-r--r-- 1 apache apache 1024 Aug 20 16:49 CA_Decryption_Certificate_TestIDP.crt
-rw-r--r-- 1 apache apache 1674 Aug 20 16:49 Encrypt_Private_Key_TestIDP.pem
-rw-r--r-- 1 apache apache 1674 Aug 20 16:49 Private_Key_TestIDP.pem
Note
The TestIDP.cert is the name of the SAML Identity Provider that was created in the previous step.
-
Navigate to Settings > Services Config > SAML Identity Provider and download the certificate for the identity provider attached to the Google Suite Application.
For any HySecure gateway version 5427 with hotfix below 0006
- Ensure that the following files are available in the Accops HySecure gateway:
-rw-r--r-- 1 apache fes 2029 Mar 11 11:08 SAML_Signing_Certificate
-rw------- 1 apache fes 2498 Mar 11 11:09 SAML_Signing_Private_Key
If the above mentioned files are not present, make sure to create them using the command given below:
```
[root@sso1 ~]# cd /home/fes/fescommon/certs/
openssl x509 -inform PEM -in "sslcert.cer" -out SAML_Signing_Certificate
openssl rsa -in "sslcert.pem" -out SAML_Signing_Private_Key
```
Note
The command should be used after changing the Working Directory to /home/fes/fescommon/certs/.
-
Copy the content of the SAML SSO Certificate SAML_Signing_Certificate from the Accops Gateway.
Warning
This certificate is required when federating the Office 365 domain with the Accops Gateway, so ensure that no new lines are added when copying the content of the SAML SSO Certificate.
cat /home/fes/fescommon/certs/SAML_Signing_Certificate
Set up HySecure in Office 365 (Service Provider)
-
Open PowerShell with Admin Rights. Install the MSOnline Module.
```powershell
PS C:\Windows\system32> Install-Module MSOnline

NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\Admin\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
```
-
Connect with the MsolService using the following command in PowerShell:
PS C:\Windows\system32> Connect-MsolService
-
Log in to the Office 365 Tenant with a Global Administrator Account.
-
Enter appropriate credentials. Click Sign In.
-
Get all domains.
List All Domains in the Office 365 Tenant
```powershell
PS C:\Windows\system32> Get-MsolDomain

Name                        Status   Authentication
----                        ------   --------------
accops.onmicrosoft.com      Verified Managed
accops.cloud                Verified Managed
accops.mail.onmicrosoft.com Verified Managed
```
-
Sign in to the Office 365 portal as a Global Administrator.
- Office 365 SSO can only be enabled for domains that are verified in the Azure AD.
- Office 365 SSO cannot be enabled for "onmicrosoft.com" domains that are created by Microsoft.
- Office 365 SSO cannot be enabled for the default domain (the primary domain in which users are created). It can only be configured for custom domains.
-
Office 365 prohibits SSO configuration for default domains in order to ensure that Administrators can log in to Office 365 regardless of issues with the IdP.
-
If your organization does not have a custom Office 365 domain, you need to purchase one in order to configure the SSO functionality. Federated domains, i.e. domains in which SSO has been enabled, cannot be configured for password synchronization.
To update the default domain in the Office 365 Tenant, go to this link: https://admin.microsoft.com/Adminportal/Home?source=applauncher#/Domains
Before
Select accops.onmicrosoft.com and Mark it as Default Domain.
Accept confirmation prompt
After
-
To configure accops.cloud as the federated domain, the following prerequisites must be met:
Before running this update, the required parameters must be set:
```powershell
$dom="accops.cloud"                                       # Replace with your domain
$brand="ACCOPS"                                           # Replace with your brand name
$LogOnUrl="https://sso.accops.cloud/saml-sso/Office365"   # Replace sso.accops.cloud with your Accops HySecure Gateway FQDN address
$MetadataUri="https://login.microsoftonline.com/"         # No change
$MySigningCert="SAML SSO Certificate"                     # Replace with the SAML SSO Certificate
$uri="urn:accops.cloud"                                   # Replace accops.cloud with your federated domain name
$LogOffUrl="https://sso.accops.cloud/saml-slo/Office365"  # Replace sso.accops.cloud with your Accops HySecure Gateway FQDN address
```
This sample contains the required parameters:
```powershell
$dom="accops.cloud"
$brand="ACCOPS"
$LogOnUrl="https://sso.accops.cloud/saml-sso/Office365"
$MetadataUri="https://login.microsoftonline.com/"
$MySigningCert="<Base64 content of SAML_Signing_Certificate on a single line>"
$uri="urn:accops.cloud"
$LogOffUrl="https://sso.accops.cloud/saml-slo/Office365"
```
-
Run the command given below in PowerShell to enable the SSO functionality in Office 365.
PS C:\Windows\system32> Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $brand -Authentication Federated -ActiveLogOnUri $LogOnUrl -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $MetadataUri -SigningCertificate $MySigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol SAMLP
-
Verify the domain status.
Federated Domain
```powershell
PS C:\Windows\system32> Get-MsolDomain

Name                        Status   Authentication
----                        ------   --------------
accops.onmicrosoft.com      Verified Managed
accops.cloud                Verified Federated
accops.mail.onmicrosoft.com Verified Managed
```
- To verify the federation configuration, use the following command:
Federation Settings
```powershell
PS C:\Windows\system32> Get-MSolDomainFederationSettings -DomainName "accops.cloud" | Format-List *

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri : https://sso.accops.cloud/saml-sso/Office365
DefaultInteractiveAuthenticationMethod :
FederationBrandName : ACCOPS
IssuerUri : urn:accops.cloud
LogOffUri : https://sso.accops.cloud/saml-slo/Office365
MetadataExchangeUri : https://login.microsoftonline.com/
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://sso.accops.cloud/saml-sso/Office365
PasswordChangeUri :
PasswordResetUri :
PreferredAuthenticationProtocol : Samlp
PromptLoginBehavior :
SigningCertificate : <Base64 signing certificate omitted>
SigningCertificateUpdateStatus :
SupportsMfa :
```
- Reconfigure or update the SSO settings.
Warning
If you are already using SSO for Office 365 from another Identity Provider or want to update Accops as an Identity Provider for the SSO settings, you must first disable SSO in Office 365, then follow the steps given within this guide from Step 5 to Step 7.
To disable SSO in Office 365, use the command given below:
```powershell
$dom = "accops.cloud"   # Replace with your domain
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
```
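A check for the federation verification step and for the no-new-lines warning on the certificate, as an added PowerShell example that is not part of the Accops or Microsoft documentation: it reduces the PEM file to the single-line Base64 value used for $MySigningCert, then compares its thumbprint and expiry with the SigningCertificate value the tenant returns. The function names, the 30-day window and the throwaway self-signed certificate are assumptions made for this example, and CertificateRequest needs .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Accops or Microsoft code. Function names and $WarnDays are hypothetical.
function ConvertTo-SingleLineCertificate {
    param([Parameter(Mandatory)][string]$PemText)
    # Strip the BEGIN/END lines and all whitespace so the value is one Base64 line.
    $b64  = ($PemText -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    # Parsing throws if the copy was truncated or otherwise damaged.
    $cert = [X509Certificate2]::new([Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Base64     = $b64
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Algorithm  = $cert.SignatureAlgorithm.FriendlyName
    }
}

function Test-FederationCertificate {
    param(
        [Parameter(Mandatory)]$Gateway,               # output of ConvertTo-SingleLineCertificate
        [Parameter(Mandatory)][string]$TenantBase64,  # SigningCertificate value read from the tenant
        [int]$WarnDays = 30                           # assumed renewal window
    )
    $tenant = ConvertTo-SingleLineCertificate -PemText $TenantBase64
    [pscustomobject]@{
        ThumbprintMatch = $tenant.Thumbprint -eq $Gateway.Thumbprint
        ExpiresSoon     = $Gateway.NotAfter -lt (Get-Date).AddDays($WarnDays)
        NotAfter        = $Gateway.NotAfter
        Algorithm       = $Gateway.Algorithm
    }
}

# Constructed sample input: a throwaway self-signed certificate standing in for the content of
# SAML_Signing_Certificate. It is valid for 20 days, so ExpiresSoon is reported as True.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=constructed-idp.example', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(20))
$pem  = "-----BEGIN CERTIFICATE-----`n" +
        [Convert]::ToBase64String($demo.RawData, [Base64FormattingOptions]::InsertLineBreaks) +
        "`n-----END CERTIFICATE-----`n"

$gw = ConvertTo-SingleLineCertificate -PemText $pem
# Offline run: the "tenant" value is the same certificate. Against a live tenant, pass
#   (Get-MsolDomainFederationSettings -DomainName $dom).SigningCertificate
Test-FederationCertificate -Gateway $gw -TenantBase64 $gw.Base64
```

A ThumbprintMatch of False after federation means the tenant holds a different certificate from the one the gateway signs with, which is the state to look for after a certificate renewal on the gateway.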
Sign in to your Office 365
Using IdP initiated login
-
Go to the Accops Workspace Portal (https://sso.accops.cloud)
Enter the sAMAccountName of the user.
For Example:
Username: xyz.abc Password: xxxxxx Domain: accops.cloud
-
Enter the login credentials. Choose the domain using the dropdown. Click Sign In.
-
Verify through Multi-Factor Authentication using the options available for MFA in the dropdown.
-
Upon successful Authentication and Authorization, the user will be redirected to the Accops Workspace Portal.
-
Click the Office365 icon to launch Single Sign On access to Office 365.
Using SP initiated login
-
Go to the Office 365 portal https://office.com and sign in with the email address.
-
The authentication request will be redirected to the organization's Sign In Page (Accops IDP Login Portal).
-
Enter the Authentication details and click on Sign-In
Enter the sAMAccountName of the user.
For Example:
Username: xyz.abc Password: xxxxxx
-
When the screen displayed below appears, the Accops IDP Server will prompt the user if more Authentication is required. Choose the type of MFA that should be used to verify. Click Sign In.
-
Select the "Stay Signed in?" option.
-
Access to the Office 365 Portal should now be established.