
Office365 Integration

Overview

Prerequisites

  1. Office 365 tenant
  2. Office365 federation metadata, downloaded and stored locally on your machine
  3. LDAP or AD BlockID user directory
  4. Microsoft AzureAD module for Windows PowerShell

Integration Steps

Adding the ImmutableID Attribute to BlockID

To get started we first need to add a new attribute to BlockID:

  1. Navigate to your **BlockID Administration Panel** and log in as a Community Administrator.
  2. Select Settings -> BlockID Attributes
  3. Click "Add New"
  4. Under Name, type immutableid
  5. Click Create
  6. Verify that the immutableid attribute appears under BlockID Attributes

Add ImmutableID Attribute Mapping

Our next step is to map the immutableid BlockID Attribute to Active Directory:

  1. Using the left-hand menu, navigate to Directory -> Directory Integrations
  2. Scroll to your AD or LDAP User Directory and click the edit icon to the right of the directory name
  3. Click on the Attributes mapping tab
  4. Select Add new mapping
  5. Enter a Directory attribute name to map to your Active Directory infrastructure. For this example we are using the postalcode Active Directory attribute. Enter the following details:

     Directory attribute: postalcode

     BlockID attribute: immutableid

  6. Click Create
  7. Confirm that the attribute has appeared in the Attributes mapping section.
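Because Office 365 matches the persistent NameID sent in the assertion against each user's Azure AD ImmutableId, the value stored in the mapped AD attribute (postalcode in this guide) must be identical to that ImmutableId. The following check is an added example, not part of the BlockID documentation; it assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and the UPNs shown are constructed placeholders.

```powershell
# Added example: compare the AD attribute mapped to "immutableid" with the
# user's Azure AD ImmutableId so that a mismatch is found before users try
# to sign in through the federation. Requires ActiveDirectory and MSOnline.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-ImmutableIdMapping {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        # AD attribute mapped to the BlockID "immutableid" attribute (postalCode in this guide)
        [string] $SourceAttribute = 'postalCode'
    )
    foreach ($upn in $UserPrincipalName) {
        $adUser    = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties $SourceAttribute
        $cloudUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        $onPrem = if ($adUser)    { $adUser.$SourceAttribute } else { $null }
        $cloud  = if ($cloudUser) { $cloudUser.ImmutableId }   else { $null }
        [pscustomobject]@{
            UserPrincipalName = $upn
            OnPremValue       = $onPrem
            AzureImmutableId  = $cloud
            # An empty value on either side, or differing values, means the
            # persistent NameID cannot be resolved to this user and sign-in fails.
            Match             = [bool]($onPrem -and $cloud -and ($onPrem -eq $cloud))
        }
    }
}

# Usage with constructed UPNs (replace with accounts from your own directory)
Test-ImmutableIdMapping -UserPrincipalName 'alice@blockiddemo.com', 'bob@blockiddemo.com' |
    Format-Table -AutoSize
```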

Setup Office365 in BlockID

Adding Office365 as a Service Provider

Next we are going to set up Office365 as a service provider in our BlockID Administration Panel:

  1. From the left-hand menu, navigate to Applications -> Add Application
  2. Scroll down to SAML 2.0 Generic and select Add Integration
  3. After reviewing the displayed information, select Add Application

Step 1: Basic Settings

  1. Provide the following details:

     Application Name: Office365 (or any other name of your choosing)

     Instance: Production or Sandbox

     Application access URL: https://login.microsoftonline.com/login.srf

  2. Click Next.

Step 2: SAML Settings

  1. Click Upload and select the Office metadata downloaded during the prerequisites.
  2. Under Assertion Statement (NameID)* select the following attributes from the drop-down menu:

     Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

     Value: immutableid

  3. Under Claims Mapping select Add new and enter the following attributes:

     Attribute: email

     Format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail

  4. Click Create.
  5. Select Next to advance to the next page.

Step 3: Advanced Options

Advanced Options will display several details that have been populated from the uploaded metadata.

  1. Confirm all of the details below:

     Entity ID: urn:federation:MicrosoftOnline

     Assertion Consumer Service:

     Method: POST

     URL: https://login.microsoftonline.com/login.srf

  2. Confirm the following details:

     Assertion and Authentication request switches are activated.

     Signing Certificate and Encryption Certificate boxes are populated.

     Key Size: 128

     Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1

  3. Click Save.

Setup BlockID in Office365

caution

Ensure that the AzureAD module for Windows PowerShell has been installed before continuing.

Our next step is to configure Office365 to work with our BlockID tenant.

  1. Launch Windows PowerShell and connect to the Azure AD domain you wish to federate with the following command:

```powershell
Connect-MsolService
```

  2. The Microsoft login page will launch. Enter the Administrator credentials for the domain.
  3. After successfully signing in, enter the following command to check the status of your domain, entering your domain in place of <domain name>:

```powershell
Get-MsolDomain -DomainName <domain name>
```

  4. Enter the following information:

caution

This example contains information that you will need to replace with details from your own domain.

```powershell
# Your domain name
$domainname = "blockiddemo.com"

# Landing page to direct your users to after they sign out of your application
$logoffuri = "https://1k-dev.1kosmos.net/adminapi/community/default/slo"

# Your identity provider's SAML HTTP-POST endpoint
$passivelogonuri = "https://blockid-trial.1kosmos.net/adminapi/community/default/sso"

# Server certificate from the .pem file, with all spaces and newlines removed (truncated here)
$cert = "MIICujCCAaICCQCNoHT0ux7ydjANBgkqhkiG9w0BAQsFADAfMQsw..."

# Issuer URI set by your Identity Provider
$issueruri = "https://blockid-trial.1kosmos.net/newui/default/idp3"

# Ensures the domain uses SAML SSO
$protocol = "SAMLP"
```

  5. Next, run the following command to set the configuration for your Azure AD domain:

```powershell
Set-MsolDomainAuthentication -DomainName $domainname -FederationBrandName AdminX-1kdev -Authentication Federated -IssuerUri $issueruri -LogOffUri $logoffuri -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert -PreferredAuthenticationProtocol $protocol
```

  6. Run the following command to retrieve the federation settings for your Azure AD domain and validate that the information is correct:

```powershell
Get-MsolDomainFederationSettings -DomainName <domain name> | Format-List
```
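Two parts of this procedure are easy to get wrong by hand: producing the single-line $cert value from the .pem file, and confirming that Azure AD actually stored the endpoints and certificate you intended. The script below is an added example (not BlockID's or Microsoft's code) that does both; it assumes the MSOnline module is loaded, Connect-MsolService has been run, and the file path and URLs are placeholders for your own tenant's values.

```powershell
# Added example: derive $cert from the IdP signing certificate .pem and, after
# Set-MsolDomainAuthentication, check the federation settings Azure AD holds.
function ConvertFrom-PemCertificate {
    param([Parameter(Mandatory)] [string] $Path)
    # Strip the PEM armour plus every space and newline, leaving the bare base64 DER
    $b64 = (Get-Content -Path $Path -Raw) -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
    # Parse it to prove the value is a valid X.509 certificate and surface its expiry
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    if ($x509.NotAfter -lt (Get-Date)) { throw "IdP signing certificate expired on $($x509.NotAfter)" }
    Write-Host "IdP signing cert subject: $($x509.Subject), expires $($x509.NotAfter)"
    return $b64
}

function Test-FederationSettings {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        # Keys are property names of Get-MsolDomainFederationSettings output
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $actual = Get-MsolDomainFederationSettings -DomainName $DomainName
    $ok = $true
    foreach ($key in $Expected.Keys) {
        if ($actual.$key -ne $Expected[$key]) {
            Write-Warning "$key differs: Azure AD has '$($actual.$key)', expected '$($Expected[$key])'"
            $ok = $false
        }
    }
    return $ok
}

# Placeholder path; the URLs are the ones used earlier in this guide
$domainname = "blockiddemo.com"
$cert = ConvertFrom-PemCertificate -Path 'C:\certs\blockid-idp-signing.pem'
$expected = @{
    IssuerUri          = "https://blockid-trial.1kosmos.net/newui/default/idp3"
    PassiveLogOnUri    = "https://blockid-trial.1kosmos.net/adminapi/community/default/sso"
    LogOffUri          = "https://1k-dev.1kosmos.net/adminapi/community/default/slo"
    SigningCertificate = $cert
}
if (Test-FederationSettings -DomainName $domainname -Expected $expected) {
    "Federation settings for $domainname match the BlockID configuration."
}
```

Run it after step 5; a warning for SigningCertificate usually means the .pem still contained whitespace or a different certificate was uploaded to BlockID.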

Testing Office365 Integration

Next, we are going to test our Office365 integration to ensure everything is working.

  1. Open a web browser, navigate to https://www.office.com and select Sign in
  2. You will be redirected to the Microsoft sign-in page. Enter your user email address and click Next
  3. After a quick loading message, users will be redirected to the BlockID Login Page.
  4. Scan the QR code with the BlockID mobile application
  5. After successful authentication through the mobile application, the user is redirected to the Office365 portal. Select Yes when asked if you wish to stay logged in.
  6. That's it! Your user account will now be fully logged in to the Office365 environment.