RSA SecurID Access Configuration for Microsoft Office 365 STS (Secure Token Service)

Last Modified: April 17, 2017

RSA SecurID Access offers two methods to integrate with Microsoft Office 365. Both integrate with your organization's Microsoft Azure AD to give your users a consistent sign-in experience. Configuring either the Microsoft Office 365 connector or the Microsoft Office 365 STS connector provides single sign-on (SSO), so that enabled users can use their Active Directory corporate credentials to access both their services in the cloud and their existing on-premises resources. For guidelines on which connector to use for the Office 365 applications in your deployment, see the topic Microsoft Office 365 - RSA SecurID Access Application Connector Overview on RSA Link.

Complete the following procedure to configure the Microsoft Office 365 STS connector.

Before You Begin
1. Acquire an administrator account for both RSA SecurID Access and Office 365 Enterprise.
2. Acquire a publicly trusted SSL certificate for signing the WS-Federation responses. Self-signed SSL certificates are not supported.

Note: Refer to Microsoft's guides:
http://technet.microsoft.com/en-us/library/hh373144.aspx
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/
http://www.microsoft.com/en-us/download/details.aspx?id=39366
http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplusmodern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx
https://support.microsoft.com/en-au/help/2913639/office-applications-periodically-prompt-forcredentials-to-sharepoint-online,-onedrive,-and-lync-online

Enable your tenant for Modern Authentication (ADAL)
1. Use PowerShell to enable modern authentication for your Exchange Online service and for Skype for Business Online, as described in the Microsoft guides linked above. SharePoint Online is already enabled.
2. If a step-up policy is to be enforced, enable modern authentication for any Office 2013 users as well, as described in the Microsoft guides linked above; without it those clients cannot perform the additional authentication.

Overview of steps
1. Configure Office 365 with a federated domain.
2. Set up Active Directory (AD).
3. Set up directory synchronization (components: Microsoft Online Services Sign-In Assistant, Windows Azure Active Directory Module for Windows PowerShell, Azure AD Connect, Skype for Business Online Windows PowerShell Module).
4. Configure the RSA SecurID Access Microsoft Office 365 STS connector.
5. Configure the federation partnership using PowerShell.
6. Download the Microsoft Office rich clients to your desktop.

Copyright 2017 EMC Corporation. All Rights Reserved.
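The guide refers to the Microsoft documentation for the actual tenant-enablement commands. As an added example, not part of the RSA guide, the following PowerShell enables modern authentication on Exchange Online and Skype for Business Online and then reads each setting back, so the state is verified rather than assumed. It uses the cmdlets and remote-session method that were current at the guide's date (a basic-auth remote PowerShell session for Exchange Online and the SkypeOnlineConnector module); the credential variable and both session objects are assumptions about your environment.

```powershell
# Added example, not from the RSA guide: enable modern authentication (ADAL/OAuth2)
# for Exchange Online and Skype for Business Online, then read the settings back.
$cred = Get-Credential   # Office 365 global administrator (assumed)

# --- Exchange Online (2017-era remote PowerShell session, assumed) ---
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking | Out-Null

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
$exoState = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
"Exchange Online modern auth enabled: $exoState"

# --- Skype for Business Online (SkypeOnlineConnector module, assumed installed) ---
Import-Module SkypeOnlineConnector
$sfb = New-CsOnlineSession -Credential $cred
Import-PSSession $sfb | Out-Null

# Allowed = clients may use ADAL; Disallowed = legacy authentication only
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
$sfbState = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
"Skype for Business Online ADAL override: $sfbState"

# A step-up policy cannot be enforced on clients that are still on legacy auth.
if (-not $exoState -or $sfbState -ne 'Allowed') {
    Write-Warning 'Modern authentication is not fully enabled; step-up will not apply to these clients.'
}

Remove-PSSession $exo, $sfb
```

Run this before the Overview of steps: the federation steps later in the guide assume both services already accept ADAL clients, and the read-back lines are what you keep as evidence of the change.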

Configure Office 365 with a federated domain
1. Log in to the Office 365 portal using an enterprise admin account: https://portal.office.com
2. Select the Admin app.
3. From the left-hand menu, select Settings > Domains.
4. Select Add a domain.
Note: Access to your domain registrar (or DNS provider) is required, because Microsoft validates ownership of the domain by checking for a TXT record you add to the domain's public DNS zone.
5. Verify that the required DNS records have been added to your DNS server.
6. Select Verify.

Setup Active Directory
If your AD is already installed, proceed to Configure Active Directory below.

Install Active Directory
1. Open Server Manager from the task bar.
2. From the Server Manager Dashboard, select Add roles and features. This launches the Add Roles and Features Wizard.
3. Select Role-based or feature-based installation on the Installation Type screen and click Next.
4. The current server is selected by default. Click Next to proceed to the Server Roles tab.
5. On the Server Roles page, check the box next to Active Directory Domain Services. A notice appears explaining that additional role services or features are also required to install Domain Services; click Add Features.
6. Review and select any optional features to install during the AD DS installation by checking the box next to each desired feature, then click Next.
7. Review the information on the AD DS screen and click Next.
8. On the Confirmation screen, review the installation and then click Install.

Start Remote Registry Service
Before promoting the server to a domain controller, the Remote Registry service must be started.
1. Click Start > Control Panel > Administrative Tools > Services.
2. Right-click Remote Registry and open Properties.
3. From the Startup type drop-down menu, select Automatic.
4. Under Service status, click Start. The Remote Registry service starts.

Configure Active Directory
Once the AD DS role is installed, the server must be configured for your domain.
1. If you have not done so already, open Server Manager from the task bar.
2. Open the Notifications pane by selecting the Notifications icon at the top of Server Manager. From the notification about configuring AD DS, click Promote this server to a domain controller.
3. On the Deployment Configuration tab, select the Add a new forest radio button.
4. Enter your root domain name in the Root domain name field, then click Next. The domain name should match the domain added to Office 365.
5. Select a Domain and Forest functional level, then enter a password for Directory Services Restore Mode (DSRM) in the provided password fields.
6. Review the warning on the DNS Options tab and select Next.
7. Confirm or enter a NetBIOS name and click Next.
8. Specify the location of the Database, Log files and SYSVOL folders, then click Next.
9. Review the configuration options and click Next.
10. The system checks that all necessary prerequisites are installed before proceeding. If the checks pass, click Install.

Setup Directory Synchronization
1. On a domain-joined server other than your domain controller, install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. You will need to restart the server.
2. Next, install the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell.
3. Click Next and Finish.

4. Install Azure AD Connect (the successor to the DirSync tool): https://www.microsoft.com/en-us/download/details.aspx?id=47594
5. During the install, leave the optional configuration section unchecked, or select what is appropriate for your environment.
6. On the User sign-in screen, select your users' single sign-on method. For a full description of the sign-in methods, see the User sign-in topic in the Azure AD Connect documentation linked above.
7. On the Connect to Azure AD screen, enter a global administrator account and password.
8. On the Connect your directories screen, enter the credentials used to connect to your Active Directory Domain Services. Azure AD Connect needs an account with sufficient permissions. Enter the domain part in either NetBIOS or FQDN format, for example FABRIKAM\syncuser or fabrikam.com\syncuser.
9. Configure the attribute to use for the userPrincipalName.
10. On the Domain/OU Filtering screen, you can choose to sync all OUs to Azure AD, or unselect all and select specific OUs.
11. Uniquely identifying users lets you define how users from your AD DS forests are represented in Azure AD. A user might be represented only once across all forests, or have a combination of enabled and disabled accounts. The user might also be represented as a contact in some forests.
Note: SOURCE ANCHOR. The sourceAnchor attribute is immutable during the lifetime of a user object. It is the primary key linking the on-premises user with the user in Azure AD. Because the attribute cannot be changed later, plan for a good attribute to use. A good candidate is objectGUID, which does not change unless the user account is moved between domains or forests.
12. The filtering on groups feature lets you sync only a small subset of objects for a pilot.
Warning: This feature is only intended to support a pilot deployment. Do not use it in a full production deployment.
13. Select Next on the Optional Features page.
14. Select Next on the Azure AD apps page.
15. Select Next on the Azure AD attributes page.
16. Select samAccountName, userPrincipalName, objectGUID (user), objectGUID (group), mail and displayName to be synced.
17. Select Next.
18. Verify your federation configuration and select Verify.
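The sourceAnchor chosen here is what the connector later sends as the Immutable ID claim, and Azure AD Connect writes it to the cloud user as the Base64 encoding of the objectGUID's raw bytes. If the two disagree for a user, Azure AD cannot match the federated token to an account and that user's sign-in fails after federation is switched on. As an added example, not part of the RSA guide, the following PowerShell checks each synced user's anchor against Azure AD, and also flags the two other conditions the guide's later steps depend on: a UPN suffix outside the federated domain, and a missing mail attribute (needed by the second Identity Source for active-endpoint clients). It assumes the ActiveDirectory and MSOnline modules, a prior Connect-MsolService, that objectGUID was selected as the sourceAnchor, and uses the guide's sample domain singlepoint08.com.

```powershell
# Added example, not from the RSA guide: confirm the on-premises objectGUID used as
# the sourceAnchor matches the ImmutableId Azure AD holds for each synced user.
# Assumes: ActiveDirectory and MSOnline modules, a prior Connect-MsolService, and
# objectGUID chosen as the sourceAnchor in Azure AD Connect.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ImmutableIdFromGuid {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect stores objectGUID as the Base64 encoding of its 16 raw bytes.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-FederatedUserAnchor {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$FederatedDomain
    )
    $result = [ordered]@{ UPN = $UserPrincipalName; Status = 'OK'; Detail = '' }

    $adUser = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties mail
    if (-not $adUser) { $result.Status = 'MissingOnPrem'; return [pscustomobject]$result }

    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloudUser) { $result.Status = 'NotSynced'; return [pscustomobject]$result }

    $expected = Get-ImmutableIdFromGuid $adUser.ObjectGUID
    $suffix   = $UserPrincipalName.Split('@')[1]
    if ($cloudUser.ImmutableId -ne $expected) {
        # A token for this user would carry an Immutable ID Azure AD cannot match.
        $result.Status = 'AnchorMismatch'
        $result.Detail = "AD=$expected AzureAD=$($cloudUser.ImmutableId)"
    }
    elseif ($suffix -ne $FederatedDomain) {
        # Only UPNs in the federated domain are redirected to the STS.
        $result.Status = 'UpnNotFederated'
        $result.Detail = "suffix $suffix"
    }
    elseif (-not $adUser.mail) {
        # Active-endpoint clients (ActiveSync, plain username/password) are looked up
        # through the Identity Source whose User Tag is mail.
        $result.Status = 'NoMailAttribute'
    }
    [pscustomobject]$result
}

# Usage: report every synced user in the domain that would not sign in cleanly.
$domain = 'singlepoint08.com'   # the guide's sample domain
Get-MsolUser -DomainName $domain -All |
    ForEach-Object { Test-FederatedUserAnchor -UserPrincipalName $_.UserPrincipalName -FederatedDomain $domain } |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

Run it after the initial sync completes and again before running Set-MsolDomainAuthentication; an empty table means every user has a matching anchor, a federated UPN suffix and a mail attribute.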

Configure RSA SecurID Access for Microsoft Office 365 STS
Note: Only one instance of the Office 365 STS connector can be configured in your tenant.

Add an Identity Source
Clients that use the active endpoint (for example, mail clients that use the ActiveSync protocol, or any client that simply sends a username and password) require an Identity Source that uses the mail attribute as the User Tag.
1. In the RSA SecurID Access Administration Console, click Users > Identity Sources.
2. Select Add an Identity Source, or select Edit to view an existing Identity Source.
3. On the Identity Source Details page, under Connection Settings, check the value of the User Tag field. If it is set to samaccountname, add a second Identity Source with the same AD connection details but with User Tag set to mail. This step is required if users must log in through the Microsoft Office rich clients.
4. Click Next Step.
5. On the User Attributes page, select the Policies and Apps checkboxes for the attributes objectguid and userprincipalname.
6. Click Next Step.
7. Verify the Additional Authentication settings and click Next Step.
8. Click Save and Finish.

Add the Application
1. From the top tabs, select Applications > Application Catalog.
2. Search the list and select +Add next to Microsoft Office 365 STS.
3. On the Basic Information page, specify the application name and click Next Step.
4. On the Connection Profile screen, take note of the WS-Federation Identity Provider settings; you will need them when configuring the federation partnership with PowerShell.
5. Scroll down to the WS-Federation Response Signature section and upload your private key and public certificate. This must not be a self-signed certificate. This key signs every token Azure AD will accept for the federated domain, so restrict access to the key file and track the certificate's expiry date.
6. Scroll down to the Claims section.
7. Verify that the claim named Immutable ID is mapped to objectguid and that UPN is mapped to userprincipalname. Use the Identity Source pull-down to select the correct AD. If you configured two AD Identity Sources to support both User Tag formats, add the claim mappings for both sources, giving a total of four claims.
8. Click Next Step.
9. On the User Access page, select the desired user policy from the drop-down list.
Note: See Known Issues and Workarounds below for policy details that affect rich clients.
10. Click Next Step.

11. On the Portal Display page, select Display in Portal.
12. Click Save and Finish.
13. Click Publish Changes.

Configure federation partnership using PowerShell
1. Install the latest version of Azure PowerShell on your AD server: https://docs.microsoft.com/en-us/powershell/azureps-cmdlets-docs/
2. Launch the Windows Azure Active Directory Module for Windows PowerShell.
3. Right-click and select Run as administrator.
4. Store your Office 365 global administrator credentials in a variable:
    $cred = Get-Credential
5. Connect to Microsoft Online Services with that credential:
    Connect-MsolService -Credential $cred
6. Convert the standard (managed) domain to a federated domain:
    Convert-MsolDomainToFederated -DomainName singlepoint08.com
   Note: Convert-MsolDomainToFederated reads its federation settings from an AD FS server. If you have no AD FS, skip this step; Set-MsolDomainAuthentication in step 10 performs the conversion for a third-party STS.
7. Use Get-MsolDomainFederationSettings or Get-MsolDomainAuthentication to view the federated attributes.
8. Obtain the certificate file (cert.pem) you used to configure the RSA SecurID Access connector and build $certdata from it in two steps:
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\saml.crt")
    $certdata = [System.Convert]::ToBase64String($cert.RawData)
   where c:\temp\saml.crt is the path to the RSA SecurID Access certificate.
9. Set the federation variables to the values shown on the connector's Connection Profile screen (the WS-Federation Identity Provider settings noted in step 4 of Add the Application). The values below are for the example domain singlepoint08.com:
    $ActiveLogOnUri = "https://portal.singlepoint08.com/trust/10/singlepoint08.com/stsservicetransportut"
    $IssuerUri = "http://portal.singlepoint08.com/"
    $LogOffUri = "https://portal.singlepoint08.com/logoutservlet"
    $PassiveLogOnUri = "https://portal.singlepoint08.com/federation"
    $MetadataExchangeUri = "https://portal.singlepoint08.com/metadata/5z3qvc6m0r3c/federationmetadata/2007-06/federationmetadata.xml"
10. Configure the federation settings:
    Set-MsolDomainAuthentication -DomainName singlepoint08.com -Authentication Federated -ActiveLogOnUri $ActiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $certdata
   or
    Set-MsolDomainFederationSettings -DomainName singlepoint08.com -ActiveLogOnUri $ActiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $certdata
11. Verify your settings:
    Get-MsolDomainFederationSettings -DomainName singlepoint08.com | fl *
Note: To set the domain back to standard (managed) authentication, run:
    Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
   or
    Convert-MsolDomainToStandard -DomainName <domain>
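Step 11 prints the federation settings, but it does not tell you whether the certificate Azure AD now trusts is the one the connector signs with, whether it is self-signed (unsupported here), how long it has left, or whether every endpoint is HTTPS. As an added example, not part of the RSA guide, the following PowerShell decodes the SigningCertificate returned by Get-MsolDomainFederationSettings, compares its thumbprint with the local certificate file from step 8, and warns on the conditions a practitioner would refuse to go live with. It assumes the MSOnline module and a prior Connect-MsolService; the domain name and certificate path are the guide's sample values, and the use of -NextSigningCertificate for rotation is an approach added here, not described in the guide.

```powershell
# Added example, not from the RSA guide: verify what Azure AD trusts for the
# federated domain against the certificate the RSA SecurID Access connector uses.
# Assumes the MSOnline module and a prior Connect-MsolService.
Import-Module MSOnline

function Get-FederationTrustReport {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$LocalCertPath   # same file passed as -SigningCertificate
    )
    $local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LocalCertPath)
    $fed   = Get-MsolDomainFederationSettings -DomainName $DomainName
    if (-not $fed.SigningCertificate) {
        throw "$DomainName has no federation signing certificate; is it still a managed domain?"
    }
    # Azure AD returns the trusted certificate Base64-encoded, as it was uploaded.
    $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cloud = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    # Every URL Azure AD redirects to or fetches from must be HTTPS (IssuerUri is only an identifier).
    $plainHttp = @($fed.ActiveLogOnUri, $fed.PassiveLogOnUri, $fed.LogOffUri, $fed.MetadataExchangeUri) |
        Where-Object { $_ -and $_ -notmatch '^https://' }

    [pscustomobject]@{
        Domain            = $DomainName
        ThumbprintMatches = ($local.Thumbprint -eq $cloud.Thumbprint)
        LocalThumbprint   = $local.Thumbprint
        CloudThumbprint   = $cloud.Thumbprint
        SelfSigned        = ($cloud.Subject -eq $cloud.Issuer)
        DaysUntilExpiry   = [int]($cloud.NotAfter - (Get-Date)).TotalDays
        NextCertStaged    = [bool]$fed.NextSigningCertificate
        PlainHttpEndpoint = @($plainHttp)
        IssuerUri         = $fed.IssuerUri
    }
}

$report = Get-FederationTrustReport -DomainName 'singlepoint08.com' -LocalCertPath 'c:\temp\saml.crt'
$report | Format-List

if (-not $report.ThumbprintMatches) {
    Write-Warning 'Azure AD trusts a different signing certificate than the connector uses; federated sign-in will fail.'
}
if ($report.SelfSigned) {
    Write-Warning 'The trusted signing certificate is self-signed, which this connector does not support.'
}
if ($report.PlainHttpEndpoint.Count -gt 0) {
    Write-Warning "Federation endpoint(s) not using HTTPS: $($report.PlainHttpEndpoint -join ', ')"
}
if ($report.DaysUntilExpiry -lt 30 -and -not $report.NextCertStaged) {
    $msg = "Signing certificate expires in $($report.DaysUntilExpiry) days and no successor is staged; " +
           "stage one with Set-MsolDomainFederationSettings -DomainName $($report.Domain) -NextSigningCertificate <base64>."
    Write-Warning $msg
}
```

A mismatched thumbprint is the most common reason a freshly federated domain rejects every logon: the connector was re-keyed after $certdata was captured, or the wrong file was converted in step 8. Re-run step 8 and step 10 with the certificate currently loaded in the connector and check again.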

Known Issues and Workarounds

Rich Clients and Step-up
Applications such as the iOS and Android mail apps that connect to Microsoft resources using the ActiveSync protocol, and rich clients with ADAL disabled, do not support step-up authentication. End users will be unable to log in from these clients when a policy requires additional authentication.
Resolution: Administrators can configure policies based on the User-Agent header to distinguish requests from rich clients that do not support additional authentication from those that do, and allow or deny access accordingly. Create a new policy under Access > Policies and apply it to the Microsoft O365 STS application.
o If User Agent Contains "MSOIDCRL", specify an action (Allow/Deny). Applies to Word, Excel, PowerPoint, Skype and other non-ActiveSync clients.
o If User Agent is NULL, specify an action. Applies to Outlook and ActiveSync clients.
The User-Agent header is set by the client and can be forged, so a rule keyed on it only exempts clients that cannot perform step-up; it is not itself an authentication control, and an Allow rule for such clients should be paired with the tightest access you can tolerate for them.
Note: Contact RSA Support for additional rich-client header options.

Office 2013 Rich Clients not prompting for credentials
A domain-joined user using a rich client will initially log in, but if the user signs out of the rich client, they are not prompted to sign in again.
Resolution: Add a new DWORD value named NoDomainUser with data 1 under HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity, as documented in the Microsoft article https://support.microsoft.com/en-au/help/2913639/office-applications-periodically-prompt-forcredentials-to-sharepoint-online,-onedrive,-and-lync-online

How to get re-prompted for the Outlook password on a Mac
Remove the keychain entries for your configured e-mail accounts and let Outlook recreate them.
1. Quit Outlook before opening the Keychain.
2. Open the Keychain Access utility (in the Applications > Utilities folder).
3. Select the login keychain.
4. Search for the e-mail service (that is, the server name) of the account configured in Outlook.
5. Select the displayed keychain entry and press the Delete key to remove it.
6. Log out or restart your Mac.