Microsoft Office 365

The runbook describes how to configure a federation partnership to achieve single sign-on between CA Single Sign-On 12.52 SP1, which acts as the Identity Provider (IdP), and Microsoft Office 365, which acts as the Resource Partner (RP).
The runbook is valid for CA Single Sign-On Release 12.52 SP1 and later versions.
Scope
Supported Protocols and Profiles
The following protocol and profiles support the federation partnership between CA Single Sign-On and Microsoft Office 365:
WS-Federation Protocol
  • Passive Profile:
    The WS-Federation Passive Profile enables single sign-on between passive requestors and Microsoft Office 365. Passive requestors are primarily web browsers, or browser-based applications that support HTTP.
    • Office 365 Portal
    • Exchange Online (Outlook)
  • Active Profile:
    Use the WS-Federation Active Profile to support Microsoft Office 365 rich clients. An IdP-side Security Token Service (STS) implementation is required for the WS-Federation Active Profile. This profile enables single sign-on between SOAP-enabled desktop clients and the following Microsoft Office 365 services:
    • Microsoft Office rich client
    • Email rich client (Outlook)
    For Active Requestor Profile clients to work in Passive Requestor Profile mode for single sign-on, enable Modern Authentication (ADAL) on the Microsoft Office tenant and clients. For information, see the Microsoft documentation.
Note:
  • As the passive requestor profile is used when ADAL is configured, STS configuration in CA Access Gateway is not required.
  • CA Single Sign-On does not support the SAML 2.0 protocol.
Target Services
The federation has been tested on the following services of Microsoft Office 365:
  • Exchange Online
  • Skype for Business Online (formerly called Lync)
  • Microsoft SharePoint Online
  • Microsoft Office Online
  • Microsoft Office 365 ProPlus
Supported Clients
Information in this section is applicable to the browser-based portals, rich clients, and mobile clients related to Microsoft Office.
Authentication Schemes
The configuration process in this section uses the following authentication schemes:
  • Basic authentication
  • Forms authentication
  • Windows authentication 
Federation Partnership Process
Perform the following steps to create a federated single sign-on partnership between CA Single Sign-On (IdP) and Microsoft Office 365 (RP):
  1. Verify the prerequisites.
  2. Configure Microsoft Office 365 as the Resource Partner.
    Ensure that the Microsoft Office 365 tenancy is pre-configured. For more information on configuring the tenant, see the Microsoft documentation.
  3. Configure CA Single Sign-On as the Identity Provider.
  4. Test the federated single sign-on.
Prerequisites
Prepare CA Single Sign-On and CA Access Gateway (formerly CA SiteMinder Secure Proxy Server)
  1. Install and configure the CA Single Sign-On suite, including CA Access Gateway 12.52 SP1 or later.
    Use CA Single Sign-On 12.52 SP1 CR4 or later to support IWA authentication for rich clients.
    Note: If you are using the Active Requestor Profile, you must use CA Access Gateway as the agent. If you are using the Passive Requestor Profile, you can use either CA Access Gateway or Web Agent + Web Agent Option Pack as the agent. This runbook uses CA Access Gateway as the agent for both profiles.
  2. Obtain a signed certificate issued by a well-known Certificate Authority such as VeriSign, Entrust, Thawte, or Go Daddy for the Identity Provider digital signature.
    Microsoft Office Online requires verifiable DNS ownership of the tenant domain and a verifiable signing certificate for federated single sign-on. Microsoft does not support self-signed certificates for Outlook and Lync clients.
  3. Protect the Authentication URL to ensure that a user requesting a protected federated resource is authenticated using the configured authentication scheme.
  4. Protect the Identity Provider Authentication URL with a policy by creating the following objects:
    • AuthSchemes
    • Domain Realm
    • Rule
    • Policy
  5. If you want to use SLO, the Authentication URL must be protected with persistent sessions.
  6. Enable the Session Store on the Policy Server for SLO functionality.
  7. Enable SSL on CA Access Gateway.
  8. Test that federation support is enabled on CA Access Gateway. After restarting CA Access Gateway, open the Assertion Retrieval Service URL in a browser and verify that the "Assertion Retrieval Service has been successfully initialized" message is displayed.
Configure Active Profile
To configure the Active Profile, perform the following additional steps:
  1. Protect the CA Access Gateway Administrative UI.
    1. Log in to the CA Single Sign-On Administrative UI.
    2. Navigate to the domain that was registered during the CA Access Gateway configuration. The domain name has the following format:
      DOMAIN-SPSADMINUI-{agentname}
      Example: DOMAIN-SPSADMINUI-spsagent
    3. Add a User Directory and a Policy to the registered domain.
  2. Log in to the CA Access Gateway Administrative UI and create an STS instance. Note down the STS name, because the partnership that you create later must use the same name.
  3. To support the IWA authentication scheme, open the CA Access Gateway Administrative UI, navigate to Web Services, Security Token Service, and configure IWA for your platform:
    Windows
    Configure the Encryption Key parameter in the STS IWA Configuration section and save the changes.
    UNIX
    1. Create a keytab file by performing the following steps:
      1. Log in to the Active Directory domain controller using the domain administrator credentials.
      2. Create a user in Active Directory and set the password.
      3. Run the following command from the command prompt to create a keytab file using the ktpass utility:
        ktpass -out <keytab file path> -princ HTTP/<AccessGateway host name>.<Office 365 domain name>@<Office 365 domain name> -ptype KRB5_NT_PRINCIPAL -mapuser <UPN of user> -pass <password>
        keytab file path: The path where the generated keytab file is saved.
        AccessGateway host name: The fully qualified host name of the CA Access Gateway server.
        Office 365 domain name: The domain name of Microsoft Office 365.
        UPN of user: The UPN of the user created in Step 2.
        password: The password of the user created in Step 2.
      4. Copy the generated keytab file to the CA Access Gateway system and note the path.
    2. Configure the STS IWA settings in the CA Access Gateway Administrative UI:
      1. Open the CA Access Gateway Administrative UI and navigate to Web Services, Security Token Service.
      2. Configure the following fields in the STS IWA Configuration section:
        KDC Address: The fully qualified domain name and port of the KDC.
        Kerberos Realm: The domain name of the KDC machine.
        Keytab: The path to the keytab file that you generated.
        Principal: The Service Principal Name (SPN) that a client uses to uniquely identify the service instance. Example: HTTP/casso-sps.caofficedemos.com, where HTTP is the service name and casso-sps.caofficedemos.com is the fully qualified host name of CA Access Gateway.
      3. Click Save.
      4. Verify that the STS is working by performing one of the following steps:
        • Review the STS log file at the following location:
          secure-proxy_install_dir/proxy-engine/logs/partnership_name.log
        • Access the following URL in the Chrome browser:
          https://{caaccessgateway-domainName}/{CA-Single Sign-On-PartnershipName}/ws-username
          The STS responds with a WS-Trust message.
Restart CA Access Gateway so that the changes made to the partnership after creating the STS take effect.
Prepare Microsoft Office 365
  1. Microsoft Office 365 Enterprise Account
    - Register and obtain a Microsoft Office 365 tenant. You must register for a plan that supports single sign-on.
  2. Domain name
    - Register a domain with your Domain Name Service provider (for example, GoDaddy.com).
  3. Install Active Directory (AD). The registered domain and the Active Directory domain must be the same so that Active Directory users can be synchronized to Microsoft Office 365 with a common identity that lets users log in both in the cloud and on-premises.
  4. Install the Windows Azure Active Directory Module on a system that is part of your on-premises Active Directory domain. For more information, refer to http://aka.ms/aadposh. For information about the Online Services Sign-in Assistant, see http://go.microsoft.com/fwlink/?LinkId=286152.
  5. Download and install the Microsoft Office desktop client application.
Configure Microsoft Office 365 as Resource Partner
Directory Synchronization
Synchronize all user accounts stored in the on-premises Active Directory that need access to Microsoft Office 365 online to the Microsoft Office 365 Azure Active Directory in the cloud. The supported synchronization methods are:
  • Microsoft Azure Active Directory Connect tool:
    Use Microsoft Azure Active Directory (AAD) Sync Services to synchronize the user accounts. This tool requires a host connected to the Active Directory. Download this one-way synchronization tool from the administration portal. Passwords need not be synchronized.
  • Manual synchronization:
    Use the Windows Azure AD Module for Windows PowerShell. This method is adequate for testing single sign-on.
  • CA Identity Manager Connector for Microsoft Office 365:
    CA provides a CA Identity Manager connector for Microsoft Office 365 for user synchronization. This method works well when user accounts are stored in Active Directory, CA Directory, LDAP, or an RDBMS.
Activate Directory Synchronization
Activate the Microsoft Office 365 domain to synchronize the on-premises Active Directory and add users to Microsoft Office 365. Follow these steps:
  1. Log in to the Microsoft portal online using the enterprise admin account.
  2. Select Users, Active users.
  3. Select the Set up link against Active Directory Synchronization.
  4. Select the third option and click Activate.
  5. Confirm the activation.
A message confirms that Active Directory synchronization has been activated.
Synchronize Using Microsoft Azure AD Connect Tool
  1. Download and install the Microsoft Azure AD Connect tool from the Microsoft website. See the Microsoft documentation.
  2. From the Start menu, select Directory Sync Tool and launch Microsoft Azure Active Directory Sync Services.
  3. Provide the Microsoft Office 365 admin login credentials and click Next.
  4. Provide the forest name and the Active Directory admin credentials, and click Add Forest.
  5. Click Next.
  6. Select sAMAccountName as the sourceAnchor attribute and click Next.
    By default, objectGUID is selected as the sourceAnchor attribute. The sourceAnchor attribute is used to establish the ImmutableID for the user between the two directory instances (on-premises Active Directory and Azure AD).
  7. To understand the requirements and the impact of the selected attribute, refer to the Microsoft blogs.
  8. Click Next until you finish the wizard.
    All the users in the Active Directory are synchronized to the Microsoft Office 365 Azure AD in the cloud.
Manual Directory Synchronization
This section describes how to copy an Active Directory user to Microsoft Office 365.
Open the Windows Azure Active Directory Module for Windows PowerShell on the Active Directory machine and run the following commands. Provide your own values for UPN and Location.
Syntax

ImportSystemModules
$cred = Get-Credential
# Enter the admin credentials to connect to Microsoft Office 365
Connect-MsolService -Credential $cred
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
$User = Get-ADUser -Filter { userPrincipalName -eq "[upn]" }
$ImmutableID = $User.sAMAccountName
# If you are using objectGUID as the ImmutableID, run the following command instead:
$ImmutableID = [System.Convert]::ToBase64String($User.objectGUID.ToByteArray())
New-MsolUser -UserPrincipalName $User.userPrincipalName -ImmutableID $ImmutableID -LastName $User.surname `
  -FirstName $User.givenName -DisplayName <string> -UsageLocation [location]
UPN
Login name of the user. For example, [email protected]
Location
Two-letter country code of the user. For example, "US"
Run the following command to get the user information from Microsoft Office 365:
Get-MsolUser -UserPrincipalName [email protected] | fl *
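An added check, not part of the original runbook and not CA or Microsoft code, that follows the manual synchronization above: for each UPN it derives the ImmutableID that CA Single Sign-On will send (sAMAccountName, or the base64 objectGUID when that was chosen as sourceAnchor), compares it with the ImmutableId stored in Office 365, and flags a blank mail attribute. It assumes RSAT-AD-PowerShell and the MSOnline module are installed and that Connect-MsolService has already been run; the function and parameter names are the example's own.

```powershell
# Added example, not part of the original runbook. Verifies that the on-premises value that
# becomes the ImmutableID claim matches what Office 365 holds, and that the mail attribute
# used for the Name ID and the UPN claim is populated.
# Assumption: RSAT-AD-PowerShell and MSOnline are installed and Connect-MsolService has run.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-OnPremImmutableId {
    # Returns the value that will be emitted as the ImmutableID assertion attribute,
    # encoded the same way the runbook encodes it for New-MsolUser -ImmutableID.
    param(
        [Parameter(Mandatory = $true)]$AdUser,
        [Parameter(Mandatory = $true)][ValidateSet('sAMAccountName', 'objectGUID')][string]$SourceAnchor
    )
    if ($SourceAnchor -eq 'objectGUID') {
        return [System.Convert]::ToBase64String($AdUser.ObjectGUID.ToByteArray())
    }
    return $AdUser.SamAccountName
}

function Test-FederatedUser {
    param(
        [Parameter(Mandatory = $true)][string[]]$UserPrincipalName,
        # Must match the sourceAnchor chosen during directory synchronization
        [ValidateSet('sAMAccountName', 'objectGUID')][string]$SourceAnchor = 'sAMAccountName'
    )
    foreach ($upn in $UserPrincipalName) {
        $adUser    = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties mail
        $cloudUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue

        $expected = $null
        if ($adUser) { $expected = Get-OnPremImmutableId -AdUser $adUser -SourceAnchor $SourceAnchor }
        $actual = $null
        if ($cloudUser) { $actual = $cloudUser.ImmutableId }

        # A user missing in Office 365 produces the "not provisioned" sign-in error; a mismatched
        # ImmutableId or a blank mail attribute also prevents the federated sign-in from succeeding.
        if (-not $adUser) {
            $status = 'NotInActiveDirectory'
        } elseif (-not $cloudUser) {
            $status = 'NotProvisionedInOffice365'
        } elseif ($expected -ne $actual) {
            $status = 'ImmutableIdMismatch'
        } elseif ([string]::IsNullOrEmpty($adUser.mail)) {
            $status = 'MailAttributeBlank'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            OnPremImmutableId = $expected
            CloudImmutableId  = $actual
            Mail              = $(if ($adUser) { $adUser.mail } else { $null })
            Status            = $status
        }
    }
}

# Usage: the UPNs below are constructed sample values; replace them with users from your own domain.
Test-FederatedUser -UserPrincipalName 'user1@caofficedemos.com', 'user2@caofficedemos.com' |
    Format-Table -AutoSize
```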
Activate Synchronized User
To activate synchronized users from Active Directory, follow these steps:
  1. Log in to the Microsoft portal online using the enterprise admin account.
  2. Click Users and select Active users.
  3. Select the user and click Activate synced users.
  4. On the Assign License page, select the services for the selected user and click Activate.
    The user can log in only to the selected services.
  5. Provide the email address that should receive the credentials information and click Finish.
Set Up Federation Domain on a Microsoft Office 365 Tenant
  1. Convert the Microsoft Office 365 managed domain to a federated domain for single sign-on and set the Microsoft Office 365 federation parameters. Ensure that the domain is registered in the Microsoft Office 365 tenant.
  2. Launch the Windows Azure Active Directory Module for Windows PowerShell on the Active Directory machine as an Administrator and run the following commands:
    ImportSystemModules
    $cred = Get-Credential
  3. Enter the admin credentials to connect to Microsoft Office 365:
    Connect-MsolService -Credential $cred
  4. Run the following command to set the domain authentication to Federated:
    Set-MsolDomainAuthentication -Authentication Federated -DomainName <domain name> `
      -FederationBrandName <any name> -IssuerUri <Identity Provider URI> `
      -LogOffUri <Identity Provider logoff URI> -PassiveLogOnUri <Identity Provider passive logon URI> `
      -ActiveLogOnUri <Identity Provider active logon URI> `
      -MetadataExchangeUri <Identity Provider metadata exchange URI> `
      -PreferredAuthenticationProtocol <authentication protocol> `
      -SigningCertificate <IdP signing certificate>
    Example:
    Set-MsolDomainAuthentication -Authentication Federated -DomainName caofficedemos.com `
      -FederationBrandName caofficedemos.com -IssuerUri https://casso-sps.caofficedemos.com `
      -LogOffUri https://casso-sps.caofficedemos.com/affwebservices/public/wsfeddispatcher `
      -PassiveLogOnUri https://casso-sps.caofficedemos.com/affwebservices/public/wsfeddispatcher `
      -ActiveLogOnUri https://casso-sps.caofficedemos.com/PartnershipName/ws-username `
      -MetadataExchangeUri https://casso-sps.caofficedemos.com/PartnershipName/mex `
      -PreferredAuthenticationProtocol WsFed `
      -SigningCertificate "MIIEmDCCAoCgAw…..5WifUBkgA=="
  5. Run the following command to update the federated domain parameters after the authentication method is set to Federated:
    Set-MsolDomainFederationSettings -DomainName <domain name> -FederationBrandName <any name> `
      -IssuerUri <Identity Provider URI> `
      -LogOffUri <Identity Provider logoff URI> -ActiveLogOnUri <Identity Provider active logon URI> `
      -PassiveLogOnUri <Identity Provider passive logon URI> -MetadataExchangeUri <Identity Provider metadata exchange URI> `
      -SigningCertificate <IdP signing certificate>
    Example:
    Set-MsolDomainFederationSettings -DomainName caofficedemos.com -FederationBrandName caofficedemos.com `
      -IssuerUri https://casso-sps.caofficedemos.com -LogOffUri https://casso-sps.caofficedemos.com/affwebservices/public/wsfeddispatcher `
      -ActiveLogOnUri https://casso-sps.caofficedemos.com/SamplePartnership-Office365/ws-username `
      -PassiveLogOnUri https://casso-sps.caofficedemos.com/affwebservices/public/wsfeddispatcher `
      -MetadataExchangeUri https://casso-sps.caofficedemos.com/SamplePartnership-Office365/mex -SigningCertificate "MIIEmDCCAoCgAw…..5WifUBkgA=="
  6. Run the following command to display the configured federated domain settings:
    Get-MsolDomainFederationSettings -DomainName caofficedemos.com | Format-List *
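An added verification, not part of the original runbook and not CA or Microsoft code, for the federation settings registered above: it reads the settings Office 365 holds for the domain, compares the endpoints with the CA Access Gateway URLs the runbook passes to Set-MsolDomainAuthentication, and decodes the registered signing certificate to check its expiry and, optionally, its thumbprint. It assumes Connect-MsolService has already been run; the function name is the example's own and the host and partnership names are the runbook's sample values.

```powershell
# Added example, not part of the original runbook. Compares the federation settings Office 365
# holds for a domain with the CA Access Gateway endpoints the runbook registers, and decodes the
# signing certificate so its expiry and thumbprint can be checked against the IdP signing key.
# Assumption: Connect-MsolService has already been run in this session.
Import-Module MSOnline

function Test-CaSsoFederationSettings {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][string]$GatewayHost,      # FWS_FQDN of CA Access Gateway
        [Parameter(Mandatory = $true)][string]$PartnershipName,  # same name as the STS instance
        [string]$ExpectedThumbprint                               # thumbprint of the IdP signing certificate (optional)
    )
    $base = "https://$GatewayHost"
    # Endpoint values exactly as the runbook passes them to Set-MsolDomainAuthentication
    $expected = [ordered]@{
        IssuerUri           = $base
        PassiveLogOnUri     = "$base/affwebservices/public/wsfeddispatcher"
        LogOffUri           = "$base/affwebservices/public/wsfeddispatcher"
        ActiveLogOnUri      = "$base/$PartnershipName/ws-username"
        MetadataExchangeUri = "$base/$PartnershipName/mex"
    }

    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName

    $results = @(foreach ($name in $expected.Keys) {
        $actual = [string]$settings.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])   # string -eq is case-insensitive in PowerShell
        }
    })

    # SigningCertificate is the base64 DER blob that was passed with -SigningCertificate
    $certBytes  = [System.Convert]::FromBase64String($settings.SigningCertificate)
    $cert       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
    $notExpired = $cert.NotAfter -gt (Get-Date)
    $thumbOk    = [string]::IsNullOrEmpty($ExpectedThumbprint) -or ($cert.Thumbprint -eq $ExpectedThumbprint)
    $certExpected = if ([string]::IsNullOrEmpty($ExpectedThumbprint)) { 'unexpired certificate' } else { $ExpectedThumbprint }
    $results += [pscustomobject]@{
        Setting  = 'SigningCertificate'
        Expected = $certExpected
        Actual   = "$($cert.Subject); thumbprint $($cert.Thumbprint); expires $($cert.NotAfter.ToString('u'))"
        Ok       = ($notExpired -and $thumbOk)
    }
    return $results
}

# Usage with the runbook's sample values; replace them with your own domain, gateway host and partnership name.
Test-CaSsoFederationSettings -DomainName 'caofficedemos.com' -GatewayHost 'casso-sps.caofficedemos.com' `
    -PartnershipName 'SamplePartnership-Office365' | Format-Table -AutoSize
```

Any row with Ok set to False points at the exact setting to correct with Set-MsolDomainFederationSettings; the certificate row also catches a signing certificate that has expired since the domain was federated.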
Enable Modern Authentication for Office 2013
By default, modern authentication (ADAL) is enabled for Microsoft Office 2016. To enable modern authentication (ADAL) for Office 2013, perform the following steps:
  1. Add the following registry keys with REG_DWORD as the type:
    HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
    HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version
  2. Set their value to 1.
For more information, see Microsoft Documentation.
Configure CA Single Sign-On as Identity Provider Using WS-Federation 
This section describes the process of setting up the required entities and partnership configuration to establish federated single sign-on between a CA Single Sign-On instance and a Microsoft Office 365 tenant.
Configure Identity Provider and Service Provider Entities
To create entities, log in to the CA Single Sign-On Administrative UI and navigate to Federation. Select Partnership Federation, Entities, and Create Entity.
Create Local Entity
Configure the local Identity Provider entity with the following details and click Finish:
  • Entity Location: Local
  • Entity Type: WSFED Identity Provider
  • SAML Token Type: SAML 1.1
  • Entity ID: Any
    Example: https://casso-sps.caofficedemos.com
  • Entity Name: Any
    Example: SampleEntity-IDP
  • Base URL: https://<FWS_FQDN>
    FWS_FQDN is the fully qualified domain name of the host serving the single sign-on Federation Web Services.
    Example: https://casso-sps.caofficedemos.com
  • Disambiguation ID: Unique identifier for the partnership. For example: samlsso.
    Set this ID only when there are multiple partnerships between the same IdP and RP.
  • Signing Private Key Alias: Select the correct private key alias or import one.
    Example: catech
  • Supported Name ID Format: Unspecified
Create Remote Entity
To configure the remote Service Provider (SP) entity manually, select Create Entity and create the Microsoft Office 365 remote entity with the following details, then click Finish:
  • Entity Location: Remote
  • New Entity Type: WSFED Resource Provider
  • SAML Token Type: SAML 1.1
  • Entity ID: urn:federation:MicrosoftOnline
  • Entity Name: Any
    Example: Microsoft Office365
  • Description: Any
    Example: WSFED RP for Microsoft Office 365
  • Remote Security Token Consumer Service URL: https://login.microsoftonline.com/login.srf
  • Remote Sign-Out URL: https://login.microsoftonline.com/login.srf
  • Supported Name ID Formats: Unspecified
Configure the Partnership 
Configure the federation partnership between CA Single Sign-On and Microsoft Office 365.
Follow these steps:
  1. Navigate to Federation, Partnership Federation, Create Partnership (WSFED IP -> RP).
  2. Configure the Configure Partnership tab.
  3. Configure the Federation Users tab.
  4. Configure the Assertion Configuration tab.
  5. Configure the Single Sign-On and Sign-Out tab.
  6. Configure the Signature tab.
  7. Confirm the defined values.
Configure the Configure Partnership Tab
By default, the partnership creation page displays the Configure Partnership tab. Provide general information about the partnership.
Follow these steps:
  1. Use the following values for the configuration:
    1. Partnership Name: Ensure that the partnership name is the same as the STS service name.
      For example: SamplePartnership-Office365
    2. Local IDP ID: Select the local IdP ID.
      For example: https://casso-sps.caofficedemos.com
    3. Remote SP ID: Select the remote SP ID (urn:federation:MicrosoftOnline).
    4. Base URL: Pre-populated.
    5. Skew Time: 30
    6. User Directories and Search Order: Select the user store from the Available Directories. For example, idpuserdir.
  2. If you are using the passive profile, proceed to the next screen. If you are using the active profile, configure the following parameters:
    1. Enable Metadata Exchange: Creates a federation metadata document that reflects the active profile endpoints and data. The URL must be https://sps_host/affwebservices/public/FederationMetadata/partnership_name
    2. STS for WSFED Active Profile: Select the check box.
    3. Enable IWA: Enables IWA support. This option is displayed only if you have selected the STS for WSFED Active Profile check box.
    4. Lookup DN: The DN query allows the Windows authentication scheme to locate the user in the user directory. This option is displayed only if the Enable IWA check box is selected. For example, (sAMAccountName=%{UID}).
  3. Click Proceed to Next Page.
Configure the Federation Users Tab
Specify the users and groups for which CA Single Sign-On can generate assertions.
Follow these steps:
  1. Configure Federation Users: Select the users to be federated (for example, All Users in Directory).
  2. Click Proceed to Next Page.
Configure the Assertion Configuration Tab
Follow these steps to configure the assertion details:
  1. Use the following values for the configuration:
    Name ID Format
    1. Name ID Format: Unspecified
    2. Name ID Type: User Attribute
    3. Value: mail
    Assertion Attributes
    Assertion Attribute: UPN
    1. Namespace: http://schemas.xmlsoap.org/claims
    2. Type: User Attribute
    3. Value: Attribute containing the UPN (for example, mail)
    Assertion Attribute: ImmutableID
    1. Namespace: http://schemas.microsoft.com/LiveID/Federation/2008/05
    2. Type: User Attribute
    3. Value: sAMAccountName (the user attribute that contains the Immutable ID)
  2. Click Proceed to Next Page.
Configure the Single Sign-On and Sign-Out Tab
Follow these steps to configure the single sign-on and sign-out operations:
  1. Use the following values for the configuration:
    1. Authentication URL: Enter the protected authentication URL.
      Example: http://casso-sps.caofficedemos.com/affwebservices/redirectjsp/redirect.jsp
    2. SSO Binding: Select the SSO binding supported by the Service Provider: HTTP-Post
    3. Audience: urn:federation:MicrosoftOnline
    4. Security Token Consumer Service URL: https://login.microsoftonline.com/login.srf
    5. Enable Sign-Out: Selected
    6. Add Sign-out Confirmation URL: https://casso-sps.caofficedemos.com/affwebservices/public/signoutconfirmurl.jsp
    7. Add Sign-out URL: Sign-out URL of the RP service.
      Example: https://login.microsoftonline.com/login.srf
  2. Click Proceed to Next Page.
Configure the Signature Details
Follow these steps to specify how to sign an assertion and an assertion response to secure the messages:
  1. Signing Private Key Alias: Verify that the correct private key alias is selected.
  2. Click Proceed to Next Page.
  3. Confirm the configured values in the Confirm tab.
Activate the Federation Partnership
Follow these steps to activate the configured federation partnership:
  1. Navigate to Federation, Partnership Federation, Federation Partnership List.
  2. Click Actions against the configured federation partnership and select Activate.
Test the Federation Partnership
Microsoft Office 365 supports both Service Provider-initiated and Identity Provider-initiated login. The partnership has been tested using Microsoft Office 2013 and Office 2016 client applications.
Note: All clients support seamless Windows authentication and authentication with basic credentials, depending on the environment and configuration. The Outlook client in the Active Requestor Profile continues to prompt for the password even though it is configured for seamless authentication. This is the default behavior of the Outlook client until the password is saved.
Portal Testing (Browser-Based Access)
Test Microsoft Office Portal on Desktop Using IWA Authscheme
The following use case is an SP-initiated single sign-on flow between CA Single Sign-On and Microsoft Office 365.
  1. Protect the authentication URL given in the IdP-to-SP partnership with the IWA authentication scheme.
  2. Log in as the domain user (example: [email protected]) to the domain network (example: caofficedemos.com).
  3. Launch Internet Explorer. To support IWA, configure the browser using the following steps:
    1. From the menu bar in Internet Explorer, select Tools, Internet Options.
    2. Click the Security tab, select your Internet zone, and click Custom Level.
    3. In the Security Settings dialog, scroll down to User Authentication, Logon.
    4. Select the Automatic logon with current user name and password option.
    5. Click OK.
  4. Access the URL: portal.microsoftonline.com
  5. Enter the user UPN and click Sign in.
  6. The Microsoft Office 365 home page is displayed.
Test Microsoft Office Portal on Desktop Using Basic Authscheme
  1. Protect the authentication URL given in the IdP-to-SP partnership with the Basic authentication scheme.
  2. Access the URL: portal.microsoftonline.com
  3. Enter the UPN and click Sign in.
  4. Enter the login credentials and click Login.
  5. The Microsoft Office 365 home page opens.
Test Microsoft Office Portal on Mobile (iOS) Using Forms Authscheme
  1. Protect the authentication URL given in the IdP-to-SP partnership with the Forms authentication scheme.
  2. Open Safari and access the URL: portal.microsoftonline.com
  3. Enter the UPN of the user and click Sign in.
  4. Enter the login credentials on the login page and click Login.
  5. The Microsoft Office 365 home page opens.
The scenario has also been tested on the Android mobile OS.
Single Log-out
  1. Navigate to User and select Sign out.
  2. After logout, the user is redirected to the configured SLO Confirm URL page.
Microsoft Office Rich Client Testing
Test Microsoft Word on Desktop Using Active Profile
Domain-joined client machine:
  1. Launch Microsoft Word.
  2. The Microsoft Word client logs you in automatically and seamlessly.
Non-domain-joined client machine:
  1. Launch Microsoft Word and click Sign in.
  2. Enter the UPN of the user and click Next.
  3. Provide the user credentials and click Sign In.
  4. The user successfully signs in to Microsoft Word.
Test Microsoft Word on Mobile (iOS) Using Forms Authscheme (Passive Profile)
  1. On the mobile device, launch Microsoft Word or the Microsoft Office Mobile app and click Sign in.
  2. On the Sign in page, enter the user's UPN and click Next.
  3. Enter the user credentials on the CA SSO login screen and click Login.
  4. The user successfully logs in to Microsoft Office.
This scenario has also been tested on the Android mobile OS.
Skype for Business (Lync) Testing
Ensure that the Domain DNS server has the required entries. See the Microsoft documentation. 
Test Skype for Business on Desktop Using Active Profile
Domain-joined client machine:
  1. Log in with the domain user credentials.
  2. Launch the Skype for Business application.
  3. The Skype for Business application logs you in automatically and seamlessly.
Non-domain-joined client machine:
  1. From the client machine, launch the Skype for Business application.
  2. Enter the password and click Sign In.
  3. The user successfully logs in to Skype for Business.
Test Skype for Business on Mobile (iOS) Using Active Profile
  1. Launch the Lync 2013 app installed on the mobile device.
  2. Provide the username and password and click Sign In.
  3. The user successfully logs in to Lync.
The scenario has also been tested on the Android mobile OS.
Microsoft Outlook 2013
Ensure that the domain DNS server has the required entries. See the Microsoft documentation.
Test Outlook Client on Desktop Using Active Profile
  1. Launch Outlook 2013 installed on the desktop.
  2. Provide a name to create a new profile and click OK.
  3. The user account is auto-detected based on the logged-in user.
  4. Click Next. Provide the user credentials and click OK.
  5. Click Next. The Add Email Account window opens.
  6. Click OK.
  7. The email account is successfully configured and is ready to use.
  8. Click Finish. The user is logged in to Outlook successfully.
Test Outlook Client on Mobile (iOS) Using Forms Authscheme (Passive Profile)
  1. Launch the Outlook app on the mobile device.
  2. Go to Settings and click Add Account.
  3. Select Microsoft Office 365. On the Sign in page, enter the user's UPN and click Sign in.
  4. Enter the user credentials and click Login. The user is successfully logged in to Microsoft Outlook.
This scenario has also been tested on Android mobile.
Test Outlook Client (Exchange) on Mobile (iOS) Using Active Profile
  1. Launch Mail on the mobile device and select Exchange.
  2. Provide the user credentials and click Next.
  3. Select the options to synchronize and click Save.
  4. The user is successfully signed in to the Exchange mailbox.
This scenario has also been tested on the Android OS.
Troubleshooting
This section describes the following error conditions:
The Federation Partnership Is Inactive
If the federation partnership is inactive or not defined, the following error is displayed:
HTTP Status 403 - Bad Request error
Entity ID of Service Provider Is Misconfigured in CA Single Sign-On
Entity ID used: urn:federation:MicrosoftOnline:modified
Result: Authentication fails and an HTTP Status 403 error is displayed.
The following error message is logged in smps.log:
[5472/5988] [Thu Sep 10 2015 21:07:22] [WSFEDResourcePartnerby-IDTunnelService.java] [ERROR] [sm-FedServer-00330] Failed to obtain Resource Partner data by Partner ID.Partner ID: urn:federation:MicrosoftOnline
Entity ID of Identity Provider Is Misconfigured in Microsoft Office 365
Entity ID used: htttps://casso-sps.ca.com
Result: Microsoft Office 365 sign-in fails and a sign-in error is displayed.
Security Token Consumer Service URL of Service Provider Is Misconfigured in CA Single Sign-On
Security Token Consumer Service URL used: https://login.microsoftonline.com/login
Result: After authentication, the browser is redirected to the specified URL and shows a blank page.
Audience Field Is Misconfigured in CA Single Sign-On
Audience used: urn:federation:MicrosoftOnline:modified
Result: Authentication at Microsoft Office 365 fails and a Microsoft Office 365 sign-in error is displayed.
The CA Single Sign-On User Is Not Provisioned in Microsoft Office 365
When a user who is authenticated in CA Single Sign-On, but is not provisioned in Microsoft Office 365, tries to log in to Office 365, an Office 365 login error is displayed.
CA Single Sign-On User Does Not Have the Desired Attributes in the User Store
User ID used: feduser1
If the user's email ID attribute, which is the Name ID value used in the partnership, is blank, an Office 365 login error is displayed.
List of Known Sign-in Error Codes
Refer to the Microsoft error codes for the error message "Sorry, but we're having trouble signing you in" at https://support.microsoft.com/en-us/kb/2615736
Known Issues
The user gets error 800478AA from Microsoft Office 365 when trying to log in to the portal.
Symptom
The user sees the sign-in error message "Sorry, but we're having trouble signing you in" with the error code 800478AA. This issue appears when the posted assertion contains badly formed XML.
The message appears only when you use 12.52 SP1 CR1 with CA Access Gateway (SPS) or WAOP. The message does not appear in 12.52 SP1 or 12.52 SP1 CR2.
Solution
Upgrade CA Access Gateway or WAOP to 12.52 SP1 CR2 or later.
Support Matrix
Microsoft Office Portal (Word, Excel, SharePoint Online) - Passive Profile

CA Single Sign-On Version | Basic Authentication | Integrated Windows Authentication
--------------------------|----------------------|----------------------------------
12.52 SP1                 | Yes                  | Yes
12.51                     | Yes                  | Yes

Rich Clients (Word, Excel, Skype for Business, and Outlook) - Active Profile

CA Single Sign-On Version | Basic Auth in Rich Client | Integrated Windows Authentication
--------------------------|---------------------------|----------------------------------
12.52 SP1                 | Yes                       | Yes (CR4 onwards)
12.51                     | NA                        | NA

  • CA Single Sign-On supports Office 2013 clients, Office 2016 clients, and Active Directory Authentication Libraries (ADAL).
  • If ADAL is enabled on Office 2013 clients and the tenant, rich clients use passive profile authentication.
  • ADAL is enabled by default on Microsoft Office 2016 clients. Rich clients use passive profile authentication when ADAL is enabled on the tenant.