Federating Azure AD with WSO2 Identity Server
By Dinika Senarath
- 20 Dec, 2018
Are you planning on onboarding Office 365 to your organization and looking for a user management model? Or are you an existing Office 365 customer who has experienced the challenges and limitations of user management solutions provided by Microsoft?
Then Office 365 integration with WSO2 Identity Server is the perfect solution for your organization. It enables organizations with existing on-premise user stores to securely and conveniently extend user identities to Office 365 without the burden of Microsoft provided federation tools such as Active Directory Federation Services (ADFS). It is capable of authenticating users to Office 365 seamlessly, provisioning users to Azure Active Directory (Azure AD) in real time, and providing additional identity management features like multi-factor authentication.
What is Office 365?
Office 365 is a subscription service offered by Microsoft, which allows the use of Microsoft’s Office suite and other productivity applications such as Skype for Business, Yammer, SharePoint, and Exchange. Office 365 has become one of the biggest productivity suites in the market, and organizations use its expansive set of tools to increase productivity. Allowing users to access Office 365 securely and conveniently is a major requirement of any organization that moves towards Office 365.
How does Office 365 Authentication Work?
Office 365 uses two main authentication models — cloud authentication and federated authentication. The first model requires fully cloud-based identities in Azure AD, which is Microsoft’s cloud-based user identity and authentication service. For an organization with an existing on-premise user store, the entire user base would need to be brought to the cloud under this model. The second model — federated authentication — allows an organization to keep user accounts on-premise and authenticate users of the on-premise user store to Office 365 through a federation server. The federated authentication model is the more advanced of the two and gives the organization more control over how users access Office 365 and other cloud services.
Deploying Office 365 with ADFS
Microsoft provides ADFS and Azure AD Connect for identity federation and single sign-on (SSO). But by using ADFS in your Office 365 deployment you may end up having to manage additional servers and resources on-premise. There is a considerable hidden cost associated with an ADFS deployment, which includes the cost of additional infrastructure, licensing, management, and maintenance. With the Microsoft provided approach, organizations have limited user store options. And user synchronization with the Azure cloud requires further Microsoft provided tools such as Azure AD Connect. These limitations force an organization to move towards Microsoft tools. That is where WSO2 Identity Server comes into play.
Deploying Office 365 with WSO2 Identity Server
WSO2 Identity Server, as an Azure AD federation compatible identity provider, can be used as a better option to alleviate the burden of ADFS and Azure AD Connect when authenticating on-premise users to Office 365. If you are using ADFS, the user store has to be an Active Directory or LDAP directory. WSO2 Identity Server, however, supports a wide range of user store types, so you do not need to migrate your existing user store to an AD to deploy Office 365. WSO2 Identity Server enables your organization to securely and conveniently deploy Office 365 with your existing on-premise user stores without using ADFS or Azure AD Connect. The WSO2 Identity Server Office 365 integration supports key capabilities including
- SSO - seamlessly authenticate users to all Office 365 resources
- Real-time user provisioning to the Azure cloud
- License management
- Multi-factor authentication
Apart from these, an organization that onboards WSO2 Identity Server can benefit much more from the rich set of identity management capabilities that cater to a large variety of use cases.
Interoperability between WSO2 Identity Server and Azure AD
The compatibility of WSO2 Identity Server for the purpose of federating with Microsoft Azure AD has been validated by following the guidelines provided by Microsoft in the Azure AD federation compatibility list (IDP Validation). The purpose of performing these validation tests is to enable our valued customers to adopt Office 365 with minimal friction and to be confident in the interoperation between Office 365 and WSO2 Identity Server.
WSO2 Identity Server supports federation with the WS-* (WS-Federation and WS-Trust) and SAML 2.0 authentication protocols. This federation connectivity has been tested using the Microsoft Connectivity Analyzer Tool, which is a self-service SSO debugging tool provided by Microsoft.
WSO2 Identity Server has been tested against the different authentication scenarios supported by Office 365 under the various test configurations specified in the Azure AD federation compatibility program. The applications, each with its own authentication pattern, that are supported by WSO2 Identity Server are
- Web client applications like Outlook on the Web/ SharePoint Online/ Portal
- Rich client applications like Skype for Business/ Office Subscription/ CRM (Dynamic CRM)
- Email clients like Outlook/ ActiveSync
- Modern applications like Office 2016
The following scenarios are tested for all four application categories mentioned above.
- Authentication of users inside the corporate network on a domain-joined client machine using username/password
- Authentication of users inside the corporate network on a workgroup client using username/password
- Authentication of users outside the corporate network on a domain-joined machine using username/password
- Authentication of users outside the corporate network on a workgroup client using username/password
Federation with WS-* supports both the active and the passive profile. The passive profile is required to support web-based clients, and the active profile is required to support rich client applications and email clients. Federation with SAML 2.0 supports SSO for web-based clients only.
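As an added illustration of how the passive and active profiles map onto an Azure AD federated domain (this is not code from the original post or from WSO2's documentation), the MSOnline commands below convert a verified domain to federated authentication and point both profile endpoints at the on-premise IdP, then read the settings back. The domain name, IdP host, endpoint paths, issuer URI and certificate path are placeholders that must be replaced with the values of the actual deployment.

```powershell
# Added example: federate an Azure AD domain with an on-premise IdP using WS-*.
# Web clients use the passive endpoint, rich/email clients use the active
# (WS-Trust) endpoint. All values below are placeholders, not real endpoints.
Import-Module MSOnline
Connect-MsolService                       # prompts for a Global Administrator account

$domain   = "example.com"                 # placeholder: a domain already verified in the tenant
$idpHost  = "idp.example.com"             # placeholder: public hostname of the IdP
$certPath = "C:\certs\idp-signing.cer"    # placeholder: the IdP token-signing certificate (DER)

# Azure AD verifies token signatures against the certificate registered here,
# so the IdP's signing key must be supplied as a Base64 string, not as a file path.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())

Set-MsolDomainAuthentication `
    -DomainName $domain `
    -Authentication Federated `
    -FederationBrandName "Example Corp" `
    -IssuerUri "urn:example:idp" `                                  # placeholder; must equal the issuer value in the IdP's tokens
    -PassiveLogOnUri "https://$idpHost/<passive-ws-federation-endpoint>" `   # placeholder: browser (passive) sign-in
    -ActiveLogOnUri  "https://$idpHost/<ws-trust-endpoint>" `               # placeholder: rich/email clients (active)
    -LogOffUri       "https://$idpHost/<passive-ws-federation-endpoint>" `   # placeholder: sign-out
    -MetadataExchangeUri "https://$idpHost/<mex-endpoint>" `                 # placeholder: WS-Trust MEX for rich clients
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol WsFed   # with Samlp, only the passive (web) profile is available, as noted above

# Read back what Azure AD stored; rich and email clients only work when
# ActiveLogOnUri and MetadataExchangeUri are populated and the certificate matches.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri,
                  PreferredAuthenticationProtocol
```

When the IdP's signing certificate is rotated, the same command (or Set-MsolDomainFederationSettings) must be re-run with the new certificate, otherwise Azure AD rejects every token the IdP issues.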
Below is a summary of tests carried out for WSO2 Identity Server to test the federation compatibility with Azure AD.
Testing interoperability scenario requirements

| Application | Inside the corp network, domain-joined machine, username/pwd | Inside the corp network, workgroup client, username/pwd | Outside the corp network, domain-joined machine, username/pwd | Outside the corp network, workgroup client, username/pwd |
|---|---|---|---|---|
| Web Client Applications: Office 365 Portal | | | | |
| Web Client Applications: Outlook on the Web | | | | |
| Rich Client Applications: Skype for Business | | | | |
Testing validation requirements
- Sign-in using federated credentials to the Office 365 administration portal using an administrator account.
- Download Office 365 Pro Plus from the Office 365 portal and sign-in from the Office client.
- Sign-in to the Outlook client from the downloaded Office 365 Pro Plus software using the federated identity.
- Sign-in to the Skype for Business client from the downloaded Office 365 Pro Plus software using the federated identity.
- Sign-out from the Office 365 administration portal.
The above tests, specified by the Microsoft Azure Active Directory Federation Compatibility program, were passed successfully by WSO2 Identity Server version 5.7.0, which shows that WSO2 Identity Server is compatible for the purpose of identity federation of Office 365 users. Therefore, organizations that onboard WSO2 Identity Server can integrate Office 365 into their organization with minimal friction and greater confidence.