

VMware Identity Manager 2.8 – Office 365 User Provisioning and Federation

With VMware Identity Manager 2.8 we introduced support for User Provisioning in Office 365/Azure AD. This blog post will walk you through the process of configuring VMware Identity Manager to provide both Office 365 User Provisioning and Federation.

Prerequisites

  • Office 365 Premium test tenant (never perform test on a production tenant!)
  • VMware Identity Manager version 2.8 or later
  • Domain name activated in O365
  • objectGUID attribute must be mapped and synced

User Attributes

If objectGUID is not yet synced you need to add it under Identity & Access Management – Setup – User Attributes. The userPrincipalName User Attribute should be marked as required as well.

Directory attribute mapping

In your Active Directory sync settings make sure objectGUID is mapped to objectGUID (by default it has no mapping).

Setting up User Provisioning

O365 domain

Verify your domain is registered to your O365 tenant. In the screenshot above my domain myhorizondemo.com has the status “Setup in progress”. This is simply because I did not apply the required DNS changes for my domain. It is still correctly added though.

Later I will configure federation. When activating federation for your domain, make sure your domain is not listed as the default domain in Office 365.

Launch PowerShell.

O365 authN

Run Connect-MsolService and log in using your Office 365 admin account.

PowerShell command

Create a Service Principal.

Run $sp = New-MsolServicePrincipal -DisplayName '<serviceprincipalName>' -Type Password -Value '<strongpassword>'

In my example: UserName: ServPrinc1 with PW: Password1!

PowerShell command

Assign a role to the ServPrinc1 service principal.

Run Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'User Account Administrator' -RoleMemberObjectId $sp.ObjectId

Run echo $sp

Copy the ServicePrincipalNames value without the { }
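The service principal steps above, scripted end to end as an added example; this is not code from the original post. It uses the same MSOnline cmdlets, but generates the client secret from the OS random number generator instead of typing one, reads the Application Client ID straight from the returned object (no braces to trim), and confirms the role assignment afterwards. The display name is the post's own; everything else is standard MSOnline.

```powershell
# Added example (not from the original post): create the service principal that
# VMware Identity Manager uses for O365 provisioning, assign the role the post
# names, and emit the two values the Provisioning page asks for.
# Requires the MSOnline module (Windows PowerShell).
Import-Module MSOnline
Connect-MsolService                       # interactive O365 admin login

$displayName = 'ServPrinc1'               # the post's example name; change to taste

# 32 bytes from the OS CSPRNG, base64-encoded: a 44-character secret that was
# never typed by a human and is not guessable like the post's Password1!.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

$sp = New-MsolServicePrincipal -DisplayName $displayName -Type Password -Value $secret

# The post assigns User Account Administrator; keep it at that and do not
# reach for Company Administrator, which the connector does not need.
Add-MsolRoleMember -RoleName 'User Account Administrator' `
                   -RoleMemberType ServicePrincipal `
                   -RoleMemberObjectId $sp.ObjectId

# Confirm the assignment took effect by listing the role's members.
$role = Get-MsolRole -RoleName 'User Account Administrator'
$member = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }
if (-not $member) { throw "Role assignment for $displayName not found" }

# ServicePrincipalNames is a string array; the console renders it as {guid}.
# Indexing gives you the Application Client ID without the braces.
$clientId = $sp.ServicePrincipalNames[0]

# Show the values once, then store the secret in a vault rather than in a
# script or transcript. This is the only time the secret is visible.
[pscustomobject]@{
    ApplicationClientId     = $clientId
    ApplicationClientSecret = $secret
    AssignedRole            = $role.Name
}
```

Paste ApplicationClientId and ApplicationClientSecret into the Provisioning page described in the "Connect to O365" section below; the secret cannot be retrieved from O365 later, so if it is lost you create a new credential on the service principal rather than recovering the old one.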

Application Catalog

In VMware Identity Manager add a new application. In the Admin console go to Catalog – Add Application – …from the cloud application catalog.

Make sure you add the Office365 with Provisioning application. There are other O365 apps listed in the online catalog, but they do not support provisioning.

Application Parameters

Open the newly added O365 application’s configuration. Scroll down to the bottom where you find the Application Parameters.

1. tenant = your Office365 registered domain
2. issuer = unique identifier. Can be anything if not already used by someone else in O365. Typically, you can use the first part of your VMware Identity Manager’s FQDN, e.g. workspace.myhorizondemo. My FQDN is workspace.myhorizondemo.com, but the trailing .com cannot be a part of the issuer since O365 cannot handle too many dots in the name.

Click Save to store your changes.

Connect to O365

Go to the O365 application – Provisioning

1. Do NOT enable Provisioning
2. Office 365 domain = Your O365 registered domain
3. Application Client ID = The ServicePrincipalNames value you copied previously.
4. Application Client Secret = The password specified when creating the service principal. In my example Password1!.
5. Click Test Connection – Make sure test is successful.

Save

Click Save

(still do not enable provisioning)

Attributes

1. Click User Provisioning tab
2. You must map attributes; click on the pen to edit mappings. The three attributes marked with a red * are required.
3. Mail Nickname and Guid are the only attributes that cannot be changed later.

3.1 Display Name = Attribute of your choice
3.2 Mail Nickname = username
3.3 Guid = objectGUID

Enable Provisioning

Go back to Configuration Tab. Enable Provisioning and Save.

Entitle users

Next, we need to entitle users to Office 365.

1. Click on Entitlement
2. Entitle a user and choose the Automatic deployment method so provisioning will happen immediately
3. Click Done

Refresh the page, you should see Ready to provision.

Provisioned

Wait for provisioning status to change to Provisioned.

O365 user created

Verify in O365 the user has successfully been provisioned.

Today the O365 provisioning in VMware Identity Manager 2.8 does not support license management. So, you must manually add an O365 license to the user.

Setting up federation

The Office 365 app in VMware Identity Manager is already configured to support Federation with the Application Parameter settings we specified in the previous section.

O365 domain

First make sure the domain you want to federate is not the default domain in Office 365. In this example, I will federate the myhorizondemo.com domain.

Metadata

In VMware Identity Manager navigate to Catalog – Settings – SAML Metadata and click on the link “Identity Provider (IdP) metadata”.

Certificate

Make sure you copy the whole X509 Certificate. Simply double-click on the line; it is not necessary to mark everything by hand.
Now you need to create two commands for use in PowerShell later. Make sure no line breaks are in the commands.

Here are my two commands:

Set-MsolDomainAuthentication -DomainName myhorizondemo.com -Authentication federated -IssuerUri workspace.myhorizondemo -LogOffUri https://login.microsoftonline.com/logout.srf -PassiveLogOnUri https://workspace.myhorizondemo.com:443/SAAS/API/1.0/POST/sso -ActiveLogOnUri https://workspace.myhorizondemo.com:443/SAAS/auth/wsfed/active/logon

Set-MsolDomainFederationSettings -DomainName myhorizondemo.com -MetadataExchangeUri https://workspace.myhorizondemo.com:443/SAAS/auth/wsfed/services/mex -SigningCertificate <X509Certificate>

Change the domain name, issuer and VMware Identity Manager host name to match your environment.

Here’s a template of the same thing:

TEMPLATE:
Set-MsolDomainAuthentication -DomainName <O365 registered Domain> -Authentication Federated -IssuerUri "<serviceportal.customer>" -FederationBrandName "<Customer.com>" -PassiveLogOnUri "https://<mycompany.vmwareidentity.com>/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://<mycompany.vmwareidentity.com>/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf"

Set-MsolDomainFederationSettings -DomainName <O365 registered Domain> -MetadataExchangeUri "https://<mycompany.vmwareidentity.com>/SAAS/auth/wsfed/services/mex" -SigningCertificate <X509Certificate>

The -IssuerUri "<serviceportal.customer>" is the unique identifier in O365. You can type whatever you like as long as the same value is used for the issuer in the O365 application parameters in VMware Identity Manager. Typically use the first part of your vIDM FQDN, e.g. workspace.myhorizondemo when my FQDN is workspace.myhorizondemo.com.

Once you’ve built the two commands go back to PowerShell. If you closed the session to O365 after the previous provisioning configuration, you must run Connect-MsolService and authenticate to O365 again.

PowerShell

First launch the first command:

Set-MsolDomainAuthentication -DomainName <O365 registered Domain> -Authentication Federated -IssuerUri "<serviceportal.customer>" -FederationBrandName "<Customer.com>" -PassiveLogOnUri "https://<mycompany.vmwareidentity.com>/SAAS/API/1.0/POST/sso" -ActiveLogOnUri "https://<mycompany.vmwareidentity.com>/SAAS/auth/wsfed/active/logon" -LogOffUri "https://login.microsoftonline.com/logout.srf"

Then run Get-MsolDomainFederationSettings -DomainName <O365 registered Domain>. This command should return nothing. This means the domain is not yet federated, which is good.

PowerShell

Next run:

Set-MsolDomainFederationSettings -DomainName <O365 registered Domain> -MetadataExchangeUri "https://<mycompany.vmwareidentity.com>/SAAS/auth/wsfed/services/mex" -SigningCertificate <X509Certificate>

Run Get-MsolDomainFederationSettings -DomainName <Your O365 registered Domain>. The reply should show the domain is now federated.
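The two federation commands with the before-and-after checks from the steps above, as an added example script that is not from the original post. It reuses the post's values (domain, FQDN, issuer), builds the URIs from one variable so no line break can slip in, and reads the signing certificate out of the IdP metadata XML instead of copy-pasting it. It assumes you saved the metadata downloaded in the Metadata step to the path in $metadata (an assumed path), and that Connect-MsolService has already been run; the ActiveLogOnUri follows the working command shown earlier (/SAAS/auth/wsfed/active/logon).

```powershell
# Added example (not from the original post): federate an O365 domain to
# VMware Identity Manager with the post's two MSOnline commands, plus the
# guard rails and verification the post describes. Assumes an existing
# Connect-MsolService session.
$domain   = 'myhorizondemo.com'            # O365 registered domain to federate
$fqdn     = 'workspace.myhorizondemo.com'  # VMware Identity Manager FQDN
$issuer   = 'workspace.myhorizondemo'      # must equal the O365 app's "issuer" parameter
$metadata = 'C:\temp\idp.xml'              # assumed: IdP metadata saved from Catalog - Settings - SAML Metadata

# 1. Guard rails from the post: the domain must not be the default domain,
#    and it must not already be federated (Get-MsolDomainFederationSettings
#    should return nothing at this point).
$d = Get-MsolDomain -DomainName $domain
if ($d.IsDefault) { throw "$domain is the default domain; set another default first." }
if ($d.Authentication -eq 'Federated') { throw "$domain is already federated; review before overwriting." }

# 2. Pull the signing certificate out of the SAML 2.0 metadata. It lives under
#    KeyDescriptor use="signing"; whitespace is stripped so the value is one
#    line, which is what -SigningCertificate expects.
[xml]$md = Get-Content -Path $metadata -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$node = $md.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if (-not $node) {   # some metadata omits the use attribute; fall back to the first certificate
    $node = $md.SelectSingleNode("//md:IDPSSODescriptor//ds:X509Certificate", $ns)
}
if (-not $node) { throw "No X509Certificate found in $metadata" }
$signingCert = $node.InnerText -replace '\s', ''

# Sanity check: the string must decode to a real certificate. Record the
# expiry; federation stops working when the IdP rolls this certificate.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($signingCert))
"Signing certificate: {0}, expires {1:u}" -f $x509.Subject, $x509.NotAfter

# 3. The post's first command, as a splatted parameter set.
$authentication = @{
    DomainName          = $domain
    Authentication      = 'Federated'
    IssuerUri           = $issuer
    FederationBrandName = $domain
    PassiveLogOnUri     = "https://$fqdn/SAAS/API/1.0/POST/sso"
    ActiveLogOnUri      = "https://$fqdn/SAAS/auth/wsfed/active/logon"
    LogOffUri           = 'https://login.microsoftonline.com/logout.srf'
}
Set-MsolDomainAuthentication @authentication

# 4. The post's second command.
$mex = "https://$fqdn/SAAS/auth/wsfed/services/mex"
Set-MsolDomainFederationSettings -DomainName $domain `
    -MetadataExchangeUri $mex `
    -SigningCertificate $signingCert

# 5. Verify that what O365 stored is what was intended, field by field.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$expected = @{
    IssuerUri           = $issuer
    PassiveLogOnUri     = $authentication.PassiveLogOnUri
    ActiveLogOnUri      = $authentication.ActiveLogOnUri
    MetadataExchangeUri = $mex
    SigningCertificate  = $signingCert
}
foreach ($k in $expected.Keys) {
    if ($fed.$k -ne $expected[$k]) { Write-Warning "$k mismatch: O365 has '$($fed.$k)'" }
}
```

The field-by-field comparison at the end is what you want in a change record: a silently truncated certificate or a stray line break in a URI shows up here as a warning rather than as failed logins for every user in the domain later.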

Now it is time to test:
Let’s start with the IdP-initiated workflow.

VMware Identity Manager AuthN

Start by accessing VMware Identity Manager and authenticate as a provisioned and entitled O365 user.

Portal

Click on the Office365 Application Icon.

Office 365

You should be single signed-on into O365.

Next let’s try the SP-Init workflow.
Make sure you are logged out from O365 and vIDM.

O365 SP-Init

SP-init means you start on O365. Go to https://login.microsoftonline.com
Enter your test user’s email address and hit Tab. This will initiate tenant discovery in O365 and you will be connected to the correct tenant, and thereby the correct IdP.

VMware Identity Manager AuthN

You should get redirected to VMware Identity Manager. Authenticate.

Office 365

You should get redirected back to O365.

This entry was posted in General and Misc by Peter Bjork.

About Peter Bjork

Peter Bjork is a Senior Staff Architect, Technical Marketing at VMware. He specializes in Identity and Access Management. He's widely appreciated as a speaker at events like VMworld, VMUG and vFORUM. He is the author of two books as well as numerous white papers and blog posts. When the work day is over, Peter volunteers as a Scout leader for the local Sea Scout troop outside Stockholm, Sweden. Twitter: @thepeb.