Exported from Confluence, Fri, 29 Mar 2024.
You can federate your local identity store with the Office 365 environment. The main reason to use federated authentication is so users only fill out their password in trusted environments. This blog highlights what makes a secure login. When using federated authentication, which Microsoft calls 'modern authentication', you can either do this with SURFconext or directly with the Microsoft cloud. Federated authentication is limited by the possibilities of the underlying protocols. Both Microsoft federated login and SURFconext use those protocols. From a functional point of view it makes no difference whether you federate through SURFconext or using Microsoft federated authentication.
Note that even though users will authenticate using the SAML 2.0 protocol, all your Office 365 users need to be created (provisioned) in Azure AD, in order for Office 365 to recognise users that want to log in. The tool that is used to sync your domain users with Azure AD is called AAD Connect.
When deciding whether to use SURFconext for federated login, keep in mind: when you contact Microsoft support to troubleshoot issues, it is likely they don't know SURFconext and SAML, and they might assume your problem is related to SURFconext. You could be told to check with the SURFconext team. Troubleshooting in a complex environment with large companies is sometimes complex enough, so it might help when the complete connection is Microsoft-only.
For institutions opting for federated authentication via SURFconext, the information below helps you configure such a connection.
This step-by-step guide contains several PowerShell scripts and explanations for the following steps:
You can use parts of the scripts or run every step on the servers you want to configure. Be aware that every step has its own variables where you will have to set your own configuration options.
***In case you already have a domain set up, you may skip this step and continue with step 2***
To use the AAD Connect tool and sync your users between your (on-premise) domain and the Azure AD, you need a domain and a domain controller. This PowerShell script installs the ADDS role and DNS.
########################################### INSTALL ADDS ROLE AND DNS ###########################################
$ComputerName = "YOUR COMPUTER NAME"
$DomainName = "YOUR DOMAIN NAME"
$DatabasePath = "C:\Windows\NTDS"
$DomainMode = "Win2012R2"
$DomainNetbiosName = "YOUR DOMAIN NETBIOSNAME"
$ForestMode = "Win2012R2"
$Logpath = "C:\Windows\NTDS"
$SysvolPath = "C:\Windows\SYSVOL"
#### Get Windows features to check if the ADDS role is available ####
Get-WindowsFeature
#### Installing the Active Directory Domain Service ####
Install-WindowsFeature AD-Domain-Services
#### Import the required modules for the ADDS Deployment ####
Import-Module ADDSDeployment
#### Install new Domain Controller in a new Forest (you will be prompted for the Directory Services Restore Mode password) ####
Install-ADDSForest -DomainName $DomainName -NoDnsOnNetwork -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainNetbiosName $DomainNetbiosName -ForestMode $ForestMode -LogPath $Logpath -SysvolPath $SysvolPath -CreateDnsDelegation:$false -InstallDns:$true -NoRebootOnCompletion:$false -Force:$true
#### Install ADDS Tools ####
Import-Module ServerManager
Add-WindowsFeature RSAT-ADDS-Tools
***In case you already have AD FS set up, you may skip this step and continue with step 3***
To be able to federate through ADFS, you need to install the ADFS role. You will also need a service account for ADFS. We used a Group Managed Service Account. Check this blog for more information about Group Managed Service Accounts.
We used a scenario without an ADFS Proxy (WAP), but you could add an ADFS proxy to this setup.
########################################### INSTALL ADFS ROLE ###########################################
$gMSAName = "gMSA-ADFS"
$DNSHostName = "YOUR ADFS DNS HOSTNAME (EG: adfs.yourdomain.com)"
$ServPrincName = "host/YOURADFSDNSHOSTNAME (EG: host/adfs.yourdomain.com)"
$Path = "SERVICE ACCOUNT PATH (EG: CN=Managed Service Accounts,DC=yourdomain,DC=com)"

#### To create a group managed service account, you have to create a KDS Root Key ####
#### Create KDS Root Key (The -10 is only useful in a testing environment and will make the key effective immediately; in production, let the key become effective after the normal replication delay) ####
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
#### Create new Group Managed Service Account ####
New-ADServiceAccount -Name $gMSAName -DNSHostName $DNSHostName -ServicePrincipalNames $ServPrincName -Path $Path
#### Install IIS Role ####
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
#### Install ADFS Role ####
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
You will need to have a working AAD Connect configuration before continuing with the next steps. In case you don't have a working AAD Connect setup, please follow the instructions in the setup guide below.
This guide contains the configuration steps that we used, and it is a working configuration for our reference topology. Of course many other configurations are possible, so please choose the configuration needed for your topology.
You can download the AAD Connect tool here.
You can find more information on supported topologies on this page.
There is also more information to be found about the express or custom installation of AAD Connect.
***In case you already have a SURFconext connection, you may skip this step and continue with step 5***
In this step you will create the (mandatory) claim descriptions for SURFconext.
########################################### Create ADFS Claim Descriptions ###########################################
#### ADD UID CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name urn:mace:dir:attribute-def:uid -ClaimType urn:mace:dir:attribute-def:uid -ShortName uid -IsAccepted $false -IsOffered $false
#### ADD MAIL CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name urn:mace:dir:attribute-def:mail -ClaimType urn:mace:dir:attribute-def:mail -ShortName mail -IsAccepted $false -IsOffered $false
#### ADD DISPLAYNAME CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name urn:mace:dir:attribute-def:displayName -ClaimType urn:mace:dir:attribute-def:displayName -ShortName displayName -IsAccepted $false -IsOffered $false
#### ADD schacHomeOrganization CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name schacHomeOrganization -ClaimType urn:mace:terena.org:attribute-def:schacHomeOrganization -ShortName schacHomeOrganization -IsAccepted $true -IsOffered $true
#### ADD eduPersonAffiliation CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name urn:mace:dir:attribute-def:eduPersonAffiliation -ClaimType urn:mace:dir:attribute-def:eduPersonAffiliation -ShortName eduPersonAffiliation -IsAccepted $true -IsOffered $true
#### ADD eduPersonEntitlement CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name urn:mace:dir:attribute-def:eduPersonEntitlement -ClaimType urn:mace:dir:attribute-def:eduPersonEntitlement -ShortName eduPersonEntitlement -IsAccepted $false -IsOffered $false
#### ADD employeeNumber CLAIM DESCRIPTION ####
Add-ADFSClaimDescription -Name urn:mace:dir:attribute-def:employeeNumber -ClaimType urn:mace:dir:attribute-def:employeeNumber -ShortName employeeNumber -IsAccepted $false -IsOffered $false
***In case you already have a SURFconext connection, you may skip this step and continue with step 6***
In this step you will create the (mandatory) claim rules. There are claim rules that are mandatory for SURFconext, but also claim rules that are mandatory for the use of Azure AD.
One of the attributes that will have to be provided is the ImmutableID. This claim rule is included in the text file below. You can find more information about AD FS claims and Azure AD on this site.
Also needed is an attribute containing the user's mail address. Azure AD expects this attribute to have the name IDPEmail. However, when your Identity Provider already discloses the standard SURFconext attribute urn:mace:dir:attribute-def:mail, its value is automatically mapped to the IDPEmail attribute by SURFconext. When you are using this page for your configuration, you won't have to add a separate claim rule for IDPEmail.
You can download the required claim issuance rules file for the $ClaimIssuanceFile parameter here: ClaimIssuanceRules.txt
#### CREATE SURFCONEXT RELYING PARTY TRUST ####
$RelyingPartyTrustName = "SURFconext"
$MetaDataURL = "https://metadata.surfconext.nl/sp-metadata.xml"
$ClaimIssuanceFile = "THE LOCATION OF YOUR CLAIM ISSUANCE RULE FILE"
$ACPName = "Permit everyone"
Add-ADFSRelyingPartyTrust -Name $RelyingPartyTrustName -MetadataUrl $MetaDataURL -IssuanceTransformRulesFile $ClaimIssuanceFile -AutoUpdateEnabled:$true -MonitoringEnabled:$true -AccessControlPolicyName $ACPName
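Once the claim descriptions and the relying party trust exist, it pays to read the configuration back out of AD FS before you hand your metadata to SURFconext, so that a missing description or an unreferenced claim type is caught on your side rather than in a failed login. The check below is an added example, not part of the original guide and not SURFconext tooling. It assumes the trust is named "SURFconext" as in the script above and takes its list of claim types from the claim-description step; the function name Test-SurfconextTrust and the parameter RequiredClaimTypes are names chosen for this example.

```powershell
Import-Module ADFS

function Test-SurfconextTrust {
    param(
        [string]$RelyingPartyTrustName = "SURFconext",
        # Claim types declared in the "Create ADFS Claim Descriptions" step above.
        [string[]]$RequiredClaimTypes = @(
            "urn:mace:dir:attribute-def:uid",
            "urn:mace:dir:attribute-def:mail",
            "urn:mace:dir:attribute-def:displayName",
            "urn:mace:terena.org:attribute-def:schacHomeOrganization",
            "urn:mace:dir:attribute-def:eduPersonAffiliation",
            "urn:mace:dir:attribute-def:eduPersonEntitlement",
            "urn:mace:dir:attribute-def:employeeNumber"
        )
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $descriptions = Get-AdfsClaimDescription
    $trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyTrustName
    if (-not $trust) {
        throw "Relying party trust '$RelyingPartyTrustName' does not exist"
    }

    foreach ($type in $RequiredClaimTypes) {
        if (-not ($descriptions | Where-Object { $_.ClaimType -eq $type })) {
            $findings.Add("No claim description registered for $type")
        }
        # IssuanceTransformRules holds the claim-rule text that was loaded from $ClaimIssuanceFile.
        if ($trust.IssuanceTransformRules -notmatch [regex]::Escape($type)) {
            $findings.Add("Issuance rules of '$RelyingPartyTrustName' do not reference $type")
        }
    }

    # The ImmutableID rule that the text above calls mandatory for Azure AD.
    if ($trust.IssuanceTransformRules -notmatch "ImmutableID") {
        $findings.Add("Issuance rules of '$RelyingPartyTrustName' contain no ImmutableID rule")
    }

    # Trust hygiene: SP metadata must be fetched over HTTPS and kept current.
    if ("$($trust.MetadataUrl)" -notmatch '^https://') {
        $findings.Add("Metadata URL '$($trust.MetadataUrl)' is not HTTPS")
    }
    if (-not $trust.MonitoringEnabled -or -not $trust.AutoUpdateEnabled) {
        $findings.Add("Metadata monitoring and auto-update are not both enabled")
    }

    foreach ($finding in $findings) { Write-Warning $finding }
    return ($findings.Count -eq 0)
}

if (-not (Test-SurfconextTrust)) {
    Write-Error "SURFconext trust configuration is incomplete; review the warnings above"
}
```

Run it on the AD FS server in an elevated session after the relying party trust has been added. A warning that an attribute is not referenced in the issuance rules is informational when you have deliberately chosen not to release that attribute; a missing claim description or a missing ImmutableID rule should be fixed before federating.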
In this step, you will configure the SURFconext federation for Office 365. You will have to send your metadata URL to SURFconext, so they can configure it. This metadata URL usually looks like this: https://adfs.yourdomain.nl/FederationMetadata/2007-06/FederationMetadata.xml .
You will receive a passive logon URI from SURFconext, which you will have to use for the $sso parameter in the script below. You can find the certificate key that you need for the $crt parameter in the script below on this page. The value embedded in the script is the SURFconext signing certificate as it was at the time of writing; always compare it with the certificate currently published on that page, because a rotated or expired certificate will break signature validation of every login.
########################################### CONFIGURE THE SURFCONEXT FEDERATION ###########################################
$dom = "YOUR DOMAIN NAME"
$slo = "https://engine.surfconext.nl/logout"
$idp = "YOUR FEDERATION SERVICE IDENTIFIER URL"
$crt = "MIID7DCCAtSgAwIBAgIJAIgMqnMYZ+t6MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSYwJAYDVQQDDB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAyMDE4MTIxMzAeFw0xODEyMTMxNTI5MjBaFw0yMzEyMTMxNTI5MjBaMIGFMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSYwJAYDVQQDDB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAyMDE4MTIxMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOGS+fBERfmWiV8aV85z45QsuFw3gkq0HbWR1JGz7cjqhjV6YZHFXyRt4ikG//9BIHS0xc/cW1sOMnSuCjDhY8Oh/dOk01zfgFXUcv+0iNlkEKGMlT/xJpIDIy/N4WjpGvkJO2oJHfrQUY115Du56MSMqd0gPvo1OsDvXroYivqxYpTTHzaf5TYQYPf6n/3rEfsu3u6L3pzE3/q38jnEyxfQ1UoZ9VF2Fy6oe/StlwhPUJhVwHlKDMqQ+T+tljDt26Ok9QL3zzW9JtBo+pnydMT/rg5h7NW8A9HASLnRLK8rFD9nBEdAPkK+elTE6QddRiTh9H84KCs0fQiiT6YFsCAwEAAaNdMFswHQYDVR0OBBYEFAJuZa7u0f0o2kB9uRPoB/ekx04sMB8GA1UdIwQYMBaAFAJuZa7u0f0o2kB9uRPoB/ekx04sMAsGA1UdDwQEAwIHgDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBXh5l8u+ncPXkMyDqDuikNLe/X5j0KNjvqUtQ6QPRSt8MMvjRYWZdVC0gMOtKEAY1/cYnA2y+0yrGqmy9I/zBdLV73BBLnVlV2WYATYOZLWNW36kjBtdSbH0oXBp7HOu/I4lP+Sv69eRN6p2/9CmDyKc5JUpXU3PEftv5Lwsqco8MMqqENhwzYlxRb96LFq08Un2QQoV60HqX4Ks79qUrnjRL5pKtoP4ujLmPqQIieHpTgsvHSqSa+9tZMnyEaJEvl7vpNn1M7v1bWOWwjQvMlYnSq5b0U5gHXgpdBYSfWnCwwpq4h8KHZ7/XVvOVsdYpjHap+907OGhqXGBsIqf9U"
$sso = "THE PASSIVE LOGON URI YOU RECEIVED FROM SURFCONEXT"
#### CONNECT TO OFFICE 365 ####
Connect-MsolService
#### SET THE AUTHENTICATION TO MANAGED FIRST ####
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
#### SET THE AUTHENTICATION TO FEDERATED, INCLUDING THE FEDERATION SETTINGS ####
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $sso -SigningCertificate $crt -IssuerUri $idp -LogOffUri $slo -PreferredAuthenticationProtocol Samlp
Regarding the value for '$idp = "YOUR FEDERATION SERVICE IDENTIFIER URL"':
Regarding the value for '$sso = "THE PASSIVE LOGON URI YOU RECEIVED FROM SURFCONEXT"':
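Because the federation settings are what Azure AD uses to decide whose SAML assertions to accept for your domain, two checks are worth wrapping around the script above: confirm that $crt actually decodes to a valid, unexpired certificate before you apply it, and read the settings back from Azure AD afterwards to confirm they hold the values you intended. The code below is an added example, not part of the original guide. It reuses the variables $dom, $idp, $sso, $slo and $crt exactly as assigned in the script above, so it must run in the same session; the function names Test-SigningCertificate and Compare-FederationSettings are chosen for this example.

```powershell
# Decode the base64 DER certificate in $crt and reject it if it is not currently valid.
function Test-SigningCertificate {
    param([Parameter(Mandatory)][string]$Base64Cert)
    try {
        $raw  = [Convert]::FromBase64String($Base64Cert)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    } catch {
        Write-Warning "Value is not a parseable X.509 certificate: $($_.Exception.Message)"
        return $false
    }
    Write-Host ("Signing certificate {0}, thumbprint {1}, valid {2:u} to {3:u}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter)
    $now = Get-Date
    if ($cert.NotAfter -lt $now) {
        Write-Warning "Certificate expired on $($cert.NotAfter); fetch the current one from SURFconext"
        return $false
    }
    if ($cert.NotBefore -gt $now) {
        Write-Warning "Certificate is not valid before $($cert.NotBefore)"
        return $false
    }
    return $true
}

# Compare what Azure AD now reports for the domain with the values we meant to set.
function Compare-FederationSettings {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    $domain = Get-MsolDomain -DomainName $DomainName
    if ("$($domain.Authentication)" -ne "Federated") {
        Write-Warning "Domain $DomainName is '$($domain.Authentication)', not Federated"
        return $false
    }
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = "$($settings.$name)"
        if ($actual -ne $Expected[$name]) {
            Write-Warning "$name is '$actual', expected '$($Expected[$name])'"
            $ok = $false
        }
    }
    return $ok
}

# Before Set-MsolDomainAuthentication: never federate with a certificate you cannot validate.
if (-not (Test-SigningCertificate -Base64Cert $crt)) {
    throw "Fix the \$crt value before running Set-MsolDomainAuthentication"
}

# After Set-MsolDomainAuthentication: verify the stored settings match the script's variables.
Connect-MsolService
Compare-FederationSettings -DomainName $dom -Expected @{
    IssuerUri                       = $idp
    PassiveLogOnUri                 = $sso
    LogOffUri                       = $slo
    SigningCertificate              = $crt
    PreferredAuthenticationProtocol = "Samlp"
}
```

The certificate test catches the most common silent failure with this script: copying a stale $crt from an old runbook. The settings comparison catches typos in $idp and $sso, which otherwise only surface as users being redirected to the wrong place or as assertions being rejected because the IssuerUri does not match what your AD FS puts in the SAML response.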
When your users are using Microsoft Outlook or other rich clients, you will have to enable modern authentication. This can be done with the script below.
############################ SET MODERN AUTHENTICATION TO BE ABLE TO USE RICH CLIENTS SUCH AS OUTLOOK #################################
#### CREATE EXCHANGE ONLINE SESSION ####
#### $UserCredential was used but never defined in the original script; prompt for it here ####
$UserCredential = Get-Credential
#### Microsoft has since retired Basic-authentication remote PowerShell for Exchange Online; Connect-ExchangeOnline from the ExchangeOnlineManagement module is the current way to open this session ####
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
#### IMPORT EXCHANGE ONLINE SESSION ####
Import-PSSession $Session
#### SET MODERN AUTHENTICATION TO TRUE ####
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
#### REMOVE EXCHANGE ONLINE SESSION ####
Remove-PSSession $Session
To check whether you send the required claims to SURFconext, you can use this debug tool.