ADFS 3.0 setup UPN suffix for Office 365 SSO - pt. 1


To enable Single Sign-On with Office 365, ADFS 3.0 must be configured to federate the on-premises Active Directory with Office 365.

High availability becomes a key point for ADFS because, once SSO with Office 365 is in place, every sign-in depends on your local Active Directory and the ADFS infrastructure: if they are unavailable, users cannot authenticate to Office 365.

For the highest availability, the ADFS components should be installed on separate virtual machines placed on different physical hosts, so that a single hardware failure does not cause a loss of service.

 

Blog series

ADFS 3.0 setup UPN suffix for Office 365 SSO - pt. 1
ADFS 3.0 SSL certificate signing request - pt. 2
ADFS 3.0 install ADFS Server - pt. 3
ADFS 3.0 install WAP Server - pt. 4
ADFS 3.0 federating Office 365 - pt. 5
ADFS 3.0 install Directory Sync tool - pt. 6
ADFS 3.0 deploy Office 365 - pt. 7

 

Prerequisites

To run ADFS 3.0 with the Single Sign-On feature for Office 365, three core components need to be configured:

  • ADFS Server
  • ADFS WAP Server
  • Directory Sync Server

 

Schema

The following diagram shows the layout used to set up the ADFS environment for the SSO service:

[Diagram: ADFS environment layout for Office 365 SSO]

An improved design should include a load-balanced configuration in order to better distribute the load across the ADFS servers.

 

Setup UPN suffix

If the internal LAN domain name doesn't match the domain to be federated with Office 365, a custom UPN suffix must be added so that user logon names match the external namespace. Office 365 only accepts UPNs whose suffix is a publicly routable domain verified in the tenant, so a suffix such as .local cannot be used for federated sign-in.

Internal:  nolabnoparty.local
External:  nolabnoparty.com

Open the Active Directory Domains and Trusts snap-in, right-click the Active Directory Domains and Trusts node and select the Properties option.


In the Alternative UPN suffixes field, type the domain name that matches the external domain used to federate with Office 365, then click Add.


Click OK to save the configuration and close the Active Directory Domains and Trusts window.


The new UPN suffix must then be assigned to the users so that they can authenticate with the federated domain.

Open Active Directory Users and Computers and select the users to configure. Right-click the selection and choose the Properties option.


Tick UPN suffix, select the correct domain name and click OK to save the configuration.


Looking at the user's properties, the User logon name field now shows the UPN suffix just configured.


The UPN suffix is set and the internal and external domains now match.

Internal:  nolabnoparty.com
External:  nolabnoparty.com
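The same UPN suffix change can be scripted, which is handy when many users must be updated and you want to verify the result before going live. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is installed, the internal domain is nolabnoparty.local, the external domain is nolabnoparty.com, and the users to update live in the constructed OU path OU=Office365,DC=nolabnoparty,DC=local.

```powershell
# Added example (not part of the original post): the UPN suffix change
# performed with the ActiveDirectory module instead of the GUI.
# Assumptions: internal domain nolabnoparty.local, external (federated)
# domain nolabnoparty.com, users in the constructed OU path below.
Import-Module ActiveDirectory

$oldSuffix = 'nolabnoparty.local'
$newSuffix = 'nolabnoparty.com'
$userOU    = 'OU=Office365,DC=nolabnoparty,DC=local'   # assumed sample OU

# 1. Register the alternative UPN suffix at forest level (equivalent to the
#    "Alternative UPN suffixes" field in Active Directory Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $newSuffix}
}

# 2. Rewrite the UPN of every user in the OU, keeping the logon name prefix
#    and swapping only the suffix. -WhatIf previews the change; remove it
#    once the output looks right.
Get-ADUser -Filter * -SearchBase $userOU |
    Where-Object { $_.UserPrincipalName -like "*@$oldSuffix" } |
    ForEach-Object {
        $prefix = $_.UserPrincipalName.Split('@')[0]
        Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$newSuffix" -WhatIf
    }

# 3. Verification: list enabled users whose UPN still does not end in the
#    federated suffix. These accounts will not map to the federated domain
#    in Office 365 and would fail SSO sign-in.
Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.UserPrincipalName -notlike "*@$newSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run step 3 again after the Directory Sync tool (part 6 of this series) has been installed; any account still listed there will appear in Office 365 with a non-federated suffix.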

Part 2 will cover the procedure to create the SSL certificate signing request, a prerequisite for the ADFS components required by Office 365 SSO.
