AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Office 365

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Office 365 using SAML.

Prerequisites

You’ll need the following to set up SSO access to Office 365:

Setup instructions

  1. On the Configure page in the IAM Identity Center Console, in the Details section, fill in the Display name, and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  2. From a Windows operating system, install the Azure Active Directory Module and then connect to Azure AD using your Office 365 administrator account.

  3. Now that you are connected to Azure AD using PowerShell, run the command below to view the status of the domain you configured in Office 365. The domain should show a Status of Verified and an Authentication of Managed.

    Get-MsolDomain

Note

If your domain is in an unverified status, ensure you follow the steps correctly to Add the domain to Office 365.

  4. Before federating the domain in Office 365, gather the following information from the IAM Identity Center application metadata: the IssuerUri, the PassiveLogOnUri and the LogOffUri.

  5. Download and copy the content of the IAM Identity Center certificate.

  6. Now that you have gathered the IssuerUri, PassiveLogOnUri, LogOffUri and IAM Identity Center certificate in steps 4 and 5, you can federate the domain by running the Set-MsolDomainAuthentication command below. Replace the IssuerUri, PassiveLogOnUri, LogOffUri and SigningCertificate placeholders with the values gathered in steps 4 and 5. For the federation brand name, enter your company name.

    Set-MsolDomainAuthentication -DomainName "<Your_domain_name>" -FederationBrandName "<Your_company_name>" -IssuerUri "<IssuerUri>" -PassiveLogOnUri "<PassiveLogOnUri>" -LogOffUri "<LogOffUri>" -SigningCertificate "<IAM_Identity_Center_certificate>" -PreferredAuthenticationProtocol SAMLP -Authentication Federated

Note

When you federate the domain all users will be required to authenticate with IAM Identity Center.

  7. After the Set-MsolDomainAuthentication command has completed successfully, use the Get-MsolDomain command to verify that the domain has been federated. The domain's Authentication value changes from Managed to Federated.

    Get-MsolDomain

  8. Go back to the IAM Identity Center console page where you are configuring the application.

  9. Under Application metadata, choose "If you don't have a metadata file, you can manually type your metadata values." to display the application metadata settings.

  10. Insert these values:

    Field                      Value
    Application ACS URL        https://login.microsoftonline.com/login.srf
    Application SAML audience  urn:federation:MicrosoftOnline

  11. Choose Save Changes.
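The following PowerShell is an added example for steps 4 through 7 and is not part of the AWS guide. It extracts the IssuerUri, PassiveLogOnUri, LogOffUri and signing certificate from the IAM Identity Center SAML metadata file, builds the Set-MsolDomainAuthentication parameter set, and reads the domain back afterwards to confirm that the federation settings match. The metadata document, the certificate text, the `<Your_domain_name>` and `<Your_company_name>` placeholders, and the function names `Get-IdpFederationValues`, `Convert-PemToBase64Body` and `Test-DomainFederation` are all constructed for this example; it assumes the MSOnline module is imported and Connect-MsolService has already been run with an Office 365 administrator account.

```powershell
# Added example, not from the AWS guide. Assumes the MSOnline module is imported
# and Connect-MsolService has already been run with an Office 365 administrator.
# The metadata and certificate below are constructed samples, not real values.

# Constructed sample of a SAML 2.0 IdP metadata document. The file downloaded from
# the IAM Identity Center console has the same element structure.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://portal.sso.example-region.amazonaws.com/saml/assertion/EXAMPLEID">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCERTIFICATEbase64EXAMPLE==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://portal.sso.example-region.amazonaws.com/saml/logout/EXAMPLEID"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://portal.sso.example-region.amazonaws.com/saml/assertion/EXAMPLEID"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-IdpFederationValues {
    # Extracts the values Set-MsolDomainAuthentication needs from IdP metadata.
    param([Parameter(Mandatory)][string]$MetadataXml)
    [xml]$doc = $MetadataXml
    $idp = $doc.EntityDescriptor.IDPSSODescriptor
    $sso = @($idp.SingleSignOnService) | Where-Object { $_.Binding -like '*HTTP-POST' } | Select-Object -First 1
    $slo = @($idp.SingleLogoutService) | Select-Object -First 1
    $key = @($idp.KeyDescriptor) | Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
    @{
        IssuerUri          = $doc.EntityDescriptor.entityID
        PassiveLogOnUri    = $sso.Location
        LogOffUri          = $slo.Location
        # -SigningCertificate takes the base64 body only, so strip any whitespace.
        SigningCertificate = ($key.KeyInfo.X509Data.X509Certificate -replace '\s', '')
    }
}

function Convert-PemToBase64Body {
    # For a certificate downloaded as a PEM file: drop the BEGIN/END lines and
    # line breaks so the result matches the X509Certificate element above.
    param([Parameter(Mandatory)][string]$Pem)
    (($Pem -split "`r?`n") | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
}

function Test-DomainFederation {
    # Reads the domain back after federation and compares it with the expected
    # values; a SigningCertificate mismatch is the "Validation of protocol message
    # signature failed" case from the troubleshooting table.
    param([Parameter(Mandatory)][string]$DomainName,
          [Parameter(Mandatory)][hashtable]$Expected)
    $domain   = Get-MsolDomain -DomainName $DomainName
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    $checks = [ordered]@{
        'Status is Verified'                  = $domain.Status -eq 'Verified'
        'Authentication is Federated'         = $domain.Authentication -eq 'Federated'
        'IssuerUri matches metadata'          = $settings.IssuerUri -eq $Expected.IssuerUri
        'PassiveLogOnUri matches metadata'    = $settings.PassiveLogOnUri -eq $Expected.PassiveLogOnUri
        'LogOffUri matches metadata'          = $settings.LogOffUri -eq $Expected.LogOffUri
        'SigningCertificate matches metadata' = $settings.SigningCertificate -eq $Expected.SigningCertificate
    }
    foreach ($check in $checks.GetEnumerator()) {
        '{0,-4} {1}' -f $(if ($check.Value) { 'OK' } else { 'FAIL' }), $check.Key
    }
    return -not ($checks.Values -contains $false)
}

# Build the parameter set from the metadata and review it before federating.
$fed = Get-IdpFederationValues -MetadataXml $sampleMetadata
$params = @{
    DomainName                      = '<Your_domain_name>'    # placeholder
    FederationBrandName             = '<Your_company_name>'   # placeholder
    IssuerUri                       = $fed.IssuerUri
    PassiveLogOnUri                 = $fed.PassiveLogOnUri
    LogOffUri                       = $fed.LogOffUri
    SigningCertificate              = $fed.SigningCertificate
    PreferredAuthenticationProtocol = 'SAMLP'
    Authentication                  = 'Federated'
}
$params.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize

# Uncomment once the placeholders are replaced; every user on the domain then
# authenticates through IAM Identity Center.
# Set-MsolDomainAuthentication @params
# Test-DomainFederation -DomainName $params.DomainName -Expected $fed
```

Run it first against the constructed metadata to see the parameter table; then point `$sampleMetadata` at the real downloaded file (for example `Get-Content -Raw`), replace the placeholders, and uncomment the last two lines. Test-DomainFederation returns $true only when every check passes, so a FAIL on the certificate line points straight at the signature-validation error in the troubleshooting table.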

Provisioning Office 365 Users

Next, provision users in Office 365. The procedure differs by directory type: complete Part A if you are using AWS Microsoft AD and AD Connector, or Part B if you are using the IAM Identity Center Directory.

Part A: AWS Microsoft AD and AD Connector

  1. On a domain-joined Amazon EC2 instance or domain-joined Windows Server, install Azure AD Connect to synchronize your AWS Microsoft AD users to Azure AD. If you are using AWS Microsoft AD, install Azure AD Connect following these instructions: Step 4: Synchronize users from AWS Microsoft AD to Azure AD with Azure AD Connect.

  2. (Optional) If you have an AD trust set up between your AWS Microsoft AD and another Microsoft AD, either on premises or running in the AWS Cloud, you can use the single Azure AD Connect installation and include all trusted domains to synchronize to Azure AD.

  3. Assign Office 365 licenses to the Office 365 users.

  4. Assign a user to the application in IAM Identity Center.

Or

Part B: IAM Identity Center Directory

  1. Connect to Azure AD using PowerShell with an Office 365 Administrator Account.

  2. Generate a new Immutable ID for the new user by running the PowerShell commands below, and take note of the immutableID that is returned (for example, xxxxxxxxxxxxxxx==).

    $valuetoconvert = (New-Guid).Guid; $guid = [GUID]$valuetoconvert; $bytearray = $guid.tobytearray(); $immutableID = [system.convert]::ToBase64String($bytearray); return $immutableID;

  3. Add a user to Azure AD using the command below. Replace EMAILADDRESS with the user's email address, IMMUTABLEID with the Immutable ID generated in the previous step, DISPLAYNAME with the user's display name, FIRSTNAME with the user's first name and LASTNAME with the user's last name.

    New-MsolUser -UserPrincipalName EMAILADDRESS -ImmutableId IMMUTABLEID -DisplayName "DISPLAYNAME" -FirstName FIRSTNAME -LastName LASTNAME -AlternateEmailAddresses "EMAILADDRESS"

  4. Assign Office 365 licenses to the Office 365 users.

  5. Add a user to the IAM Identity Center Directory, and enter the ImmutableID from step 2 in the Office 365 Immutable ID field of that user, which can be found under additional attributes.

  6. Assign a user to the application in IAM Identity Center.
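The PowerShell below is an added example for Part B and is not part of the AWS guide. It wraps the Immutable ID generation and the New-MsolUser call from steps 2 and 3 in functions, round-trips a generated ID back to its GUID to show that the encoding is reversible, and looks up which Office 365 user carries a given Immutable ID, which is the check to run when the "user account ... does not exist" error in the troubleshooting table names an ID. The function names `New-ImmutableId`, `ConvertFrom-ImmutableId`, `New-FederatedO365User` and `Find-UserByImmutableId` and the `jane.doe@<Your_domain_name>` address are constructed for this example; it assumes the MSOnline module is imported and Connect-MsolService has already been run.

```powershell
# Added example, not from the AWS guide. Assumes the MSOnline module is imported
# and Connect-MsolService has already been run with an Office 365 administrator.

function New-ImmutableId {
    # Same construction as the guide: a random GUID's 16 bytes, base64-encoded.
    $guid = [guid]::NewGuid()
    [System.Convert]::ToBase64String($guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse of New-ImmutableId: base64 -> 16 bytes -> GUID. Throws on values
    # that are not 16 bytes of base64, which itself tells you the field holds
    # something other than a GUID-derived ID.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId decodes to $($bytes.Length) bytes, expected 16" }
    [guid]::new($bytes)
}

function New-FederatedO365User {
    # Creates the Office 365 user as in step 3 and returns the ImmutableId so it
    # can be copied into the IAM Identity Center Directory user (step 5).
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [string]$ImmutableId = (New-ImmutableId)
    )
    $params = @{
        UserPrincipalName       = $UserPrincipalName
        ImmutableId             = $ImmutableId
        DisplayName             = "$FirstName $LastName"
        FirstName               = $FirstName
        LastName                = $LastName
        AlternateEmailAddresses = $UserPrincipalName
    }
    New-MsolUser @params | Out-Null
    [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; ImmutableId = $ImmutableId }
}

function Find-UserByImmutableId {
    # Returns the Office 365 user carrying this ImmutableId. No result means the
    # ID stored on the IAM Identity Center Directory user is not attached to any
    # Office 365 user, which is the AADxxxxxxx "does not exist" case.
    param([Parameter(Mandatory)][string]$ImmutableId)
    Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $ImmutableId }
}

# Round-trip check on a freshly generated ID (needs no tenant connection).
$id = New-ImmutableId
$roundTrip = [System.Convert]::ToBase64String((ConvertFrom-ImmutableId $id).ToByteArray())
if ($roundTrip -ne $id) { throw 'ImmutableId round-trip failed' }

# Decode the ID quoted in the troubleshooting table to see the GUID it stands for.
ConvertFrom-ImmutableId 'yhpQIR48hkO/sa9PtLXjDQ=='

# Example calls (replace the placeholder before running; the first creates a real user):
# New-FederatedO365User -UserPrincipalName 'jane.doe@<Your_domain_name>' -FirstName 'Jane' -LastName 'Doe'
# Find-UserByImmutableId -ImmutableId 'yhpQIR48hkO/sa9PtLXjDQ=='
```

Keeping the ID generation and the user creation in one call removes the copy-and-paste step between steps 2 and 3, and the returned object is exactly what step 5 needs. Find-UserByImmutableId is the diagnostic for step 5 going wrong: if it returns nothing for the ID shown in the IAM Identity Center Directory user, the two records were never linked.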

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Note

Users will not be able to log in using SSO unless the user exists in both your directory and Azure AD/Office 365, and the user is assigned to the application.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the Office 365 application.

  2. In the list of applications, choose Office 365 to initiate a login to Office 365.

  3. If login was successful, you will be signed in to the Office 365 application.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Verifying Service Provider Initiated SSO from Office 365

  1. Access Office 365 using the following URL: https://portal.office365.com/.

  2. On the login page, type the email address of the user and choose Next.

  3. In the user portal, log in as a user assigned to the application.

  4. In the list of applications, choose the Office 365 application with the display name you set earlier.

  5. On the Office 365 home page, verify that both Office 365 and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error: Validation of protocol message signature failed (-1)
Issue: The signature value in the SAML assertions sent by IAM Identity Center to initiate single sign-on is incorrect.
Solution: Make sure that Office 365 is configured with the correct IAM Identity Center certificate.

Error: 404 OOPS! We couldn't find the page you're looking for.
Issue: The Application ACS URL specified in the identity provider is incorrect.
Solution: Make sure that the Application ACS URL is specified correctly in the identity provider.

Error: Error validating SAML response (-1)
Issue: The Application SAML audience specified in the identity provider is incorrect.
Solution: Make sure that the Application SAML audience is specified correctly in the identity provider.

Error: AADxxxxxxx: The user account yhpQIR48hkO/sa9PtLXjDQ== does not exist in the xxxxxx-xxxxx-xxxx-xxx directory.
Issue: Experienced when using the IAM Identity Center Directory. This error occurs when the Office 365 Immutable ID assigned to the IAM Identity Center Directory user is not associated with an Office 365 user.
Solution: Make sure you add the Office 365 Immutable ID of the IAM Identity Center Directory user to the Office 365 user.

Error: "Other"
Issue: When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user's email address. By default your directory is configured to send 'windowsUPN' in both fields.
Solution: Your directory may be configured to hold the user's email in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning types you need to be aware of: