
BeanLogin Integration with Office 365

Overview

Office 365 is a line of subscription services offered by Microsoft as part of the Microsoft Office product line. The brand encompasses plans that allow the use of the Microsoft Office software suite over the life of the subscription, as well as cloud-based software-as-a-service products for business environments, such as hosted Exchange Server, Skype for Business Server, and SharePoint, among others. This guide details the steps needed to establish SSO for Office 365 using BeanLogin.

The guide assumes that you already have an existing Office 365 subscription.

 

| Create As Password-Vault App | Create As SAML App | User Provisioning Supported |
| --- | --- | --- |
| Supported | Supported | Supported |

SSO Configuration in BeanLogin

Below are the steps involved in configuration of Office 365 within BeanLogin.

  1. Log in to BeanLogin as an Administrator.
  2. Navigate to Administration >> Access Management >> Corporate Apps.
  3. Click New.
  4. Select Office 365 from the list of apps and click it. You are given the option to add it as a password-vault or SAML app; select the appropriate option and click Add Selected Apps. The app is added under the corporate section with its status set to inactive.
  5. In Corporate Apps, click the Office 365 app. It opens in edit mode.
  6. Enter your domain name and provide your global admin credentials in the authentication section.
  7. If you want to enable SSO on the Office side through BeanLogin, select the Is SSO Enabled ? checkbox.
  8. Submit.

SSO Configuration in Office 365

Pre-requisites

  1. Microsoft requires the use of PowerShell commands to enable SSO for Office 365. That said, any user with a basic understanding of the command prompt on Windows systems should be able to execute the steps detailed in this section.
  2. A Windows machine, preferably Windows 8 or above, or Windows 2012 or above.
  3. Download and install PackageManager for PowerShell from the link below:

https://www.microsoft.com/en-us/download/details.aspx?id=51451

Enable SSO

  1. Open PowerShell as an Administrator.
  2. Install the Microsoft Online module by executing the command below.

    Install-Module -Name MSOnline

  3. Enter the Microsoft O365 Global Administrator credentials. When you run the command below, enter the O365 Global Administrator credentials in the pop-up.

    $cred = Get-Credential

  4. Connect to Microsoft Online Service using the credentials supplied.

    Connect-MsolService -Credential $cred

  5. Enter the domain for which you want to enable SSO.

    $dom = "contoso.com"

  6. Enter the BeanLogin SSO Login endpoint URL. Replace the <guid> with the Entity ID value from Step #4 in the previous section.

    $url = "https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid>"

  7. Enter the BeanLogin Logout endpoint URL.

    $logouturl = "https://portal.beanlogin.com/Federation/SAML2SLO.aspx"

  8. Enter the BeanLogin Issuer URI. Replace the <guid> with the Entity ID value from Step #4 in the previous section.

    $uri = "urn:federation:beanlogin:<guid>"

  9. Enter the BeanLogin token signing cert.

    $cert = "<token signing certificate>"

  10. Run the command below to enable SSO in Office 365. Please note that it may take up to an hour for SSO to be enabled on the Office 365 side.

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

  11. Run the command below to disable SSO in Office 365.

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Managed

Add New Users in Office 365

Provisioning new users in Office 365 involves two steps.

  1. Add the new user.

    New-MsolUser -UserPrincipalName jdoe@contoso.com -ImmutableId jdoe@contoso.com -DisplayName "John Doe" -FirstName John -LastName Doe -AlternateEmailAddresses "john.doe@gmail.com" -UsageLocation US

  2. Assign a license to the newly created user.

    Set-MsolUserLicense -UserPrincipalName jdoe@contoso.com -AddLicenses contoso:O365_BUSINESS_PREMIUM

Federation Worksheet

The table below contains the parameters that you need to keep handy before you configure SSO.

| Parameter | Value | Comments |
| --- | --- | --- |
| $dom | | This is your domain. Ex: contoso.com. Please note that the status of the domain must be "Verified" prior to enabling SSO on the Office 365 side. |
| $url | https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid> | This is the SSO Login endpoint of BeanLogin. Replace the <guid> with the guid assigned to your Organization. |
| $logouturl | https://portal.beanlogin.com/Federation/SAML2SLO.aspx | This is the Logout endpoint of BeanLogin. |
| $uri | urn:federation:beanlogin:<guid> | This is the Issuer URI unique to your Organization. Replace the <guid> with the guid assigned to your Organization. |
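
The federation settings stored on the domain decide which issuer and signing certificate Office 365 trusts for sign-in, so it is worth comparing them against this worksheet after enabling SSO and periodically afterwards. The script below is an added example, not BeanLogin or Microsoft code: Compare-FederationSettings is a hypothetical helper, the $actual object is a constructed sample, and the certificate and <guid> values are placeholders.

```powershell
# Added example: report federation settings that differ from the worksheet values.
function Compare-FederationSettings {
    param(
        [Parameter(Mandatory)] $Actual,                                   # object from Get-MsolDomainFederationSettings
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected # worksheet values keyed by property name
    )
    foreach ($name in $Expected.Keys) {
        $live = [string]$Actual.$name
        $want = [string]$Expected[$name]
        # Case-sensitive comparison: issuer URIs and query strings must match exactly.
        if ($live -cne $want) {
            [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $live }
        }
    }
}

# Worksheet values; <guid> and the certificate are placeholders to fill in.
$expected = [ordered]@{
    PassiveLogOnUri    = 'https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid>'
    LogOffUri          = 'https://portal.beanlogin.com/Federation/SAML2SLO.aspx'
    IssuerUri          = 'urn:federation:beanlogin:<guid>'
    SigningCertificate = '<token signing certificate>'
}

# Constructed sample standing in for the live settings, with one drifted value.
$actual = [pscustomobject]@{
    PassiveLogOnUri    = 'https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid>'
    LogOffUri          = 'https://portal.beanlogin.com/Federation/SAML2SLO.aspx'
    IssuerUri          = 'urn:federation:beanlogin:<unexpected-guid>'
    SigningCertificate = '<token signing certificate>'
}

# Live use, after Connect-MsolService:
#   (Get-MsolDomain -DomainName $dom).Status          # must be Verified before enabling SSO
#   (Get-MsolDomain -DomainName $dom).Authentication  # Federated once SSO is enabled
#   $actual = Get-MsolDomainFederationSettings -DomainName $dom

$drift = @(Compare-FederationSettings -Actual $actual -Expected $expected)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    Write-Warning "Federation settings differ from the worksheet; review before trusting sign-ins."
} else {
    Write-Output "Federation settings match the worksheet."
}
```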

Provisioning Configuration in BeanLogin

You can enable provisioning from two places:

  1. From Corporate App Edit, where the last step is Provisioning.
  2. From the Identity Management -> Endpoint Provisioning section.

For Office 365 you only have to provide your Global admin credentials in the provisioning section.

Based on the specific group selection, the app, and the provisioning status, the user will be created on the Office side.

You can also assign the license from the BeanLogin screen.
