Federating Azure Active Directory using Azure Federation with WSO2 Identity Server
- Dinika Senarath
- Senior Solutions Engineer - WSO2
Introduction
Are you planning on onboard Office 365 to your organization and looking for a user management model? Or are you an existing Office 365 customer who has experienced the challenges and limitations of user management solutions provided by Microsoft?
If so, Office 365 integration with WSO2 Identity Server is the perfect solution for your organization. It enables organizations with existing on premises active directory or any user stores to securely and conveniently extend user identities to Office 365 without the burden of Microsoft provided federation tools such as Active Directory Federation Services (AD FS). This integration provides user authentication to Office 365 seamlessly, provisions users to Azure Active Directory (Azure AD) in real time, and offers additional identity management features such as multi-factor authentication (MFA).
What is Azure AD?
Azure Active Directory (Azure AD) is Microsoft’s cloud based IAM service. Azure AD supports federated users of your organization to sign in and access external resources such as Microsoft 365, SaaS applications, Azure Portal, or internal resources such as applications in your own network.
What is Azure AD Tenant?
Azure Active Directory Tenant represents an organization in Azure AD. It’s a dedicated instance of Azure AD that an organization or an application developer will receive. In the Azure AD tenant, a user can manage their registered applications, configure their access to required data in Microsoft 365 and other third party web APIs, and manage features such as conditional access.
What is Office 365?
Office 365 is a subscription service offered by Microsoft, which allows individuals to use Microsoft’s Office suite and other applications such as Skype for Business, Yammer, SharePoint, and Exchange. Office 365 has become one of the biggest productivity suites in the market, helping organizations increase productivity with its expansive tools. Allowing users to access Office 365 securely and conveniently is a major requirement of any organization that moves towards Office 365.
How does Office 365 Authentication Work?
Office 365 uses two main authentication models — cloud authentication and federated authentication. The first model requires possessing fully cloud-based identities in the Azure Active Directory (Azure AD), Microsoft’s cloud-based user identity and authentication service. For an organization with an existing on-premises active directory or another user store, the entire user base will need to be brought to the cloud if this model is used.
The second model — federated authentication — allows an organization to manage user accounts on-premise and authenticate users of the on-premise user store to Office 365 using a federation server. The federated authentication model is the most advanced and grants more control over how users access Office 365 and other cloud services.
Deploying Office 365 with ADFS
Microsoft provides ADFS and Azure AD Connect for identity federation and single sign-on (SSO). But by using ADFS in your Office 365 deployment you may end up having to manage additional servers and resources on-premise. There is a considerable hidden cost associated with ADFS deployment which includes the cost of additional infrastructure, licensing, management, and maintenance. With the Microsoft provided approach, the organizations have limited user store options to take. And user synchronization with Azure cloud requires other Microsoft provided tools like Azure AD Connect. These limitations force an organization to move towards Microsoft tools. That is where WSO2 Identity Server comes into play.
Deploying Office 365 with Active Directory Federation Services
Microsoft provides Active Directory Federation Services (AD FS) and Azure Active Directory (Azure AD) Connect for identity federation and Single Sign On (SSO). By using AD FS in your Office 365 deployment, you may end up having to manage additional servers and resources on-premise. There is a considerable hidden cost associated with the AD FS server deployment which includes the cost of additional infrastructure, licensing, management, and maintenance. With the Microsoft provided approach, organizations have limited user store options. User synchronization with Azure cloud requires other Microsoft provided tools like Azure AD Connect. These limitations force an organization to move towards Microsoft tools. That is where WSO2 Identity Server comes into play.
Deploying Office 365 with WSO2 Identity Server
WSO2 Identity Server, an identity provider capable of federation with Azure AD, can be used as a better option to alleviate the burden of AD FS, and Azure AD Connect to authenticate on-premise users to Office 365. If you are using AD FS, the user store should be an Active Directory or LDAP directory. But, WSO2 Identity Server supports a wide range of user store types, and you do not need to migrate your existing user store to any AD to deploy Office 365. WSO2 Identity Server enables your organization to securely, and conveniently deploy Office 365 with your existing on-premise user stores without using AD FS or Azure AD Connect. WSO2 Identity Server Office 365 integration supports key capabilities including:
- Single Sign On - seamlessly authenticate users to all Office 365 resources
- Real-time user provisioning to the Azure cloud
- License management
- Multi-factor authentication
Apart from these, an organization that onboards WSO2 Identity Server can benefit much more from the rich set of identity management capabilities that cater to a large variety of use cases.
Learn more about WSO2 Identity Server >
Interoperability Between WSO2 Identity Server and Azure AD
The compatibility of WSO2 Identity Server for the purpose of federation with Azure AD has been validated by following the guidelines provided by Microsoft in the Azure AD federation compatibility list IDP Validation. The purpose of performing these validation tests is to enable customers to adopt Office 365 with minimal friction and to be confident in the interoperation between Office 365 and WSO2 Identity Server.
WSO2 Identity Server supports federation with WS-* (WS-Federation and WS-Trust) and SAML 2.0 authentication protocols. This federation connectivity has been tested using Microsoft Connectivity Analyzer Tool which is a self-service SSO debug tool provided by Microsoft.
WSO2 Identity Server has been tested for supporting different authentication scenarios supported by Office 365 under various test configurations as specified in the Azure federation compatibility list. The different applications with different authentication patterns that are supported by WSO2 are:
- Web client applications like Outlook on the Web/SharePoint Online Portal
- Rich client applications like Skype for Business/Office Subscription/ CRM (Dynamic CRM)
- Email clients like Outlook/ ActiveSync
- Modern applications like Office 2021
The following scenarios are tested for all four application categories mentioned above.
- Authentication of users inside the corporate network on a domain-joined client machine using username/password
- Authentication of users inside the corporate network on a workgroup client using username/password
- Authentication of users outside the corporate network on a domain-joined machine using username/password
- Authentication of users outside the corporate network on a workgroup client using username/password
Federation with WS-* supports both active and passive profiles. Passive profiles are required for supporting web-based clients, and active profiles are required for supporting rich client applications and email clients. Federation with SAML 2.0 supports SSO with web-based clients only.
Below is a summary of tests carried out for WSO2 Identity Server to test the federation compatibility with Azure Active Directory.
Testing Interoperability Scenario Requirements
| Authentication of users INSIDE the Corp. network on a domain joined machine using username/pwd | Authentication of users INSIDE the Corp. network on a workgroup client using username/pwd | Authentication of users OUTSIDE the Corp. network on a domain joined machine using username/pwd | Authentication of users OUTSIDE the Corp. network on a workgroup client using username/pwd | |
|---|---|---|---|---|
| Web Client Applications | ||||
| Office 365 Portal |
 |
|
|
|
| Outlook on the Web |
|
|
|
|
| SharePoint Online |
|
|
|
|
| Rich Client Applications | ||||
| Skype for Business |
|
|
|
|
| Office Subscription |
|
|
|
|
| Email Clients | ||||
| Outlook |
|
|
|
|
| Modern Applications | ||||
| Office 2021 |
|
|
|
|
Testing Validation Requirements
| Scenario | Status |
|---|---|
| Sign-in using federated credentials to the Office 365 administration portal using an administrator account. |
|
| Download Office 365 Pro Plus from the Office 365 portal and sign-in from the Office client. |
|
| Sign-in to the Outlook client from the downloaded Office 365 Pro Plus software using the federated identity. |
|
| Sign-in to the Skype for Business client from the downloaded Office 365 Pro Plus software using the federated identity. |
|
| Sign-out from the Office 365 administration portal. |
|
Conclusion
The above tests specified by Microsoft Azure Active Directory (Azure AD) Federation Compatibility program are passed by WSO2 Identity Server version 5.11 successfully, which supports the claims that WSO2 Identity Server is compatible for the purpose of identity federation of Office 365 users. Therefore, it is ensured that the organizations that onboard WSO2 Identity Server can integrate Office 365 to their organization with ease and confidence.