cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Questions about using third party IdP to authenticate to Office 365

ga-admin
Copper Contributor

‎Apr 22 2020 08:03 AM - edited ‎Apr 22 2020 08:19 AM

‎Apr 22 2020 08:03 AM - edited ‎Apr 22 2020 08:19 AM

Questions about using third party IdP to authenticate to Office 365

I am setting up Google as the identity provider, and no issues with the setup, its working fine, but i have a few questions-:


1. I used Global Admin role to setup SSO, but i want to delegate future domains federation without giving global admin role, so i want to know which Office 365 role (instead of Global admin) or permission is allowed to setup federation? 

2. I understand Office 365 users immutableId will be the base64 version of AD objectGUID if we use directorySync, but what if we do not use directory sync (cloud only), what would be the immutableId in that case, will it be user's primary email id?

3. What does Office 365 need from IdP in the nameId of SAML to identify and authenticate the user, is it immutableId or UPN or user's primary email address?

4. I have put logoutUri when setting up federation via Powershell (e.g $LogOffUri = “https://mywebsite.com”) but it does not take user there when logging out, rather logs out at office 365 home page.

 

Thank you so much in advance for sharing your insights.

Labels:
3,365 Views
0 Likes
1 Reply
Reply
1 Reply
Joe Stocker

‎May 10 2020 11:31 PM

‎May 10 2020 11:31 PM

Re: Questions about using third party IdP to authenticate to Office 365

For question #1, it appears Global Admin is required, as I don't see a separate role available for configuring federation according to this article here:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-sso-deployment#required-adm...

For question #2, the UserPrincipalName is the unique identifer when it is a cloud-only account.

For question #3 we recommend using UserPrincipalName for nameid

For question #4, In the Sign-out page URL field in Google Cloud (G Suite) Connector, paste the value of Logout URL which you have copied from Azure portal. There is a video here:
https://azure.microsoft.com/en-us/resources/videos/enable-single-sign-on-to-google-apps-in-2-minutes...

If this post was helpful please mark as best response, thank you.
0 Likes
Reply