To enable Single Sign-On with Office 365, ADFS 3.0 is the service to be configured to implement the federation process with Office 365.
The high availability concept becomes a key point in ADFS because once you are using SSO with Office 365, you rely on your local Active Directory for authentication.
To keep the highest HA factor, ADFS components should be installed in different virtual servers of the virtual infrastructure and in different hosts to prevent loss of service due to hardware failure.
ADFS 3.0 setup UPN suffix for Office 365 SSO – pt. 1
ADFS 3.0 SSL certificate signing request – pt. 2
ADFS 3.0 install ADFS Server – pt. 3
ADFS 3.0 install WAP Server – pt. 4
ADFS 3.0 federating Office 365 – pt. 5
ADFS 3.0 install Directory Sync tool – pt. 6
ADFS 3.0 deploy Office 365 – pt. 7
To run ADFS 3.0 enabling Single Sign-On feature for Office 365, three core components need to be configured:
- ADFS Server
- ADFS WAP Server
- Directory Sync Server
The schema to setup the ADFS environment to enable SSO service is the following:
An improved design should include a load-balanced configuration in order to better distribute the load across the ADFS servers.
Setup UPN suffix
If the used internal LAN domain name doesn’t match the domain to federate with Office 365, a custom UPN suffix must be added in order to match the external name space.
Open Active Directory Domain and Trust snap-in, right click the item Active Directory Domain and Trust and select Properties option.
Type in the Alternative UPN suffixes field the domain name to match the external domain used to federate with Office 365 then click Add.
Click OK to save the configuration and close Active Directory Domain and Trust window.
The new UPN suffix must be assigned to the users in order to perform the authentication with federated domain.
Open Active Directory Users and Computers and select the users to configure. Right click the selection and choose Properties option.
Thick UPN suffix, select the correct domain name and click OK to save the configuration.
Looking at the user’s properties, the User logon name field is now set with the UPN suffix just configured.
The UPN suffix is set and both domains (internal and external) match.
Part 2 will cover the procedure to perform the SSL certificate signing request, one of the ADFS components required by Office 365 SSO.