
#Office365 Single Sign On Smart Links

November 6, 2014

Consider the following scenario: you have migrated your company intranet to SharePoint Online and wish to deploy the site as the IE homepage for your staff.

You have ADFS to provide a rich single sign-on experience, but you still get the Microsoft organizational sign-in page when you first log in to Office 365.

Using ADFS 2.0 or above, on-prem staff can bypass this login and navigate directly to the SharePoint site by using Smart Links. External staff will bypass the Microsoft sign-in screen and go straight to your ADFS Proxy landing page.

Interested? Let’s begin.


Prerequisites:

Or

  • ADFS 3.0: Disable Extended protection token on ADFS Server to allow Fiddler HTTPS decryption
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
  • IIS 7 or above.

Step 1

Open Fiddler and enable HTTPS traffic decryption.
(It is not necessary to enable Windows 8 Mode for this procedure, even on a Windows 8 client.)

Step 2

Ensure you are logged out of Office 365 and sign in at https://portal.microsoftonline.com, where you should be presented with the Office 365 login page. (This must be done internally.)

Step 3

With Fiddler capturing, log in to Office 365.
You should be taken to your destination without having to enter any credentials, as normal.

(If you get an authentication prompt that will not resolve, you need to disable extended protection in ADFS as per the prerequisites.)

Step 4

Look for an HTTPS 302 redirection from your ADFS server and copy the URL to Notepad.

Step 5

In Notepad, remove the text between ls/? and wa=wsignin (keep both markers), then remove all text after wreply%3D.

This is your Smart URL, and it forms the base part of any links you wish to give out to Office 365.

Step 6

After wreply%3D, append the target Office 365/SharePoint site you wish to direct your users to, URL-encoded twice (the target sits inside the already-encoded wctx parameter, so its own percent-encoding has to be encoded again, as in the examples below).

For example, https://yourcompany.sharepoint.com becomes https%253A%252F%252Fyourcompany%252Esharepoint%252Ecom

Or

https://yourcompany.sharepoint.com/sales becomes https%253A%252F%252Fyourcompany%252Esharepoint%252Ecom%252Fsales

Substitute with your site URL as appropriate. The final link should look like this:

https://adfs.yourcompany.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Fwsilnin3.0%26aeiou%3D9%26fa%4D5275200813%26rves%3D3.2.2202.0%26wi%3DJUI%16wreply%3Dhttps%253A%252F%252Fyourcompany%252Esharepoint%252Ecom

Verify this link works by copying it into an IE InPrivate session that has not been logged into Office 365.

You should be taken straight into Office 365 without having to enter your credentials.
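As an added worked example (not part of the original post), the following Python reproduces Steps 5 and 6 on a constructed sample of a captured ADFS redirect, then decodes the finished link's wctx the way the service will, to confirm which wreply it actually carries before you hand it out; the host names and query values are placeholders. Passing target=None gives the CRM variant described later on this page, where nothing is appended after wreply%3D.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the ADFS 302 redirect captured in Step 4; the
# host and query values are placeholders, not real session data.
SAMPLE_REDIRECT = (
    "https://adfs.yourcompany.com/adfs/ls/?client-request-id=CONSTRUCTED-ID"
    "&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    "&wctx=CONSTRUCTED-CONTEXT%26wreply%3Dhttps%253A%252F%252Fportal%252Eoffice%252Ecom"
)

def percent_encode(value: str) -> str:
    """Percent-encode every byte except ASCII letters and digits. Unlike
    urllib.parse.quote this also encodes '.', matching the %252E in the post."""
    return "".join(
        chr(b) if b < 128 and chr(b).isalnum() else "%%%02X" % b
        for b in value.encode("utf-8")
    )

def double_encode(value: str) -> str:
    """wreply sits inside wctx, which is itself a URL-encoded parameter, so
    the destination must be encoded twice to survive two rounds of decoding."""
    return percent_encode(percent_encode(value))

def build_smart_link(redirect_url: str, target: Optional[str]) -> str:
    """Steps 5 and 6: trim the captured redirect and append the destination.
    target=None is the CRM variant: trim after wreply%3D and append nothing."""
    head, sep, rest = redirect_url.partition("ls/?")
    if not sep:
        raise ValueError("redirect URL does not contain 'ls/?'")
    start = rest.find("wa=wsignin")          # drop text between ls/? and wa=wsignin
    if start < 0:
        raise ValueError("redirect URL does not contain 'wa=wsignin'")
    rest = rest[start:]
    end = rest.lower().find("wreply%3d")     # drop everything after wreply%3D
    if end < 0:
        raise ValueError("redirect URL does not contain 'wreply%3D'")
    base = head + "ls/?" + rest[: end + len("wreply%3D")]
    return base if target is None else base + double_encode(target)

def wreply_target(smart_link: str) -> str:
    """Decode wctx the way the service will, to confirm which wreply a
    finished smart link carries before it is handed out."""
    wctx = parse_qs(urlsplit(smart_link).query)["wctx"][0]  # first decode
    return parse_qs(wctx)["wreply"][0]                       # second decode

if __name__ == "__main__":
    link = build_smart_link(SAMPLE_REDIRECT, "https://yourcompany.sharepoint.com/sales")
    print(link, "\nwreply resolves to:", wreply_target(link))
```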

Step 7

Create internal and external DNS records for your vanity URL to point to your IIS Server.

For example, we want to use http://intranet.yourcompany.com as an easy-to-remember link that passes single sign-on, rather than the full URL we created in Step 6.

Because this is going to be our homepage, set via Group Policy, we need to ensure this URL resolves both internally and externally.

Step 8

Create a new site in IIS for your vanity URL by right-clicking the Sites folder.

Create a new physical path (this will not be used) and enter the DNS name you created in Step 7 as the host name.

Step 9

Select HTTP Redirect and paste your URL from Step 6 into the destination box.

Once these steps have been completed, your users should be able to use easy-to-remember links to connect to Office 365 without needing to enter credentials.

This works for the Office 365 Suite with the exception of CRM.

To get CRM to work, repeat the actions from Step 3 onwards, changing the Office 365 destination you navigate to (yourcompany.sharepoint.com, for example) to your CRM login.

Capture the URL and remove the text between ls/? and wa=wsignin.

DO NOT append anything after wreply%3D, otherwise the link will fail.

Continue the steps as described for the Office 365 smart link.

References

Excellent blog post from David Ross, which forms the foundation of this blog post.
http://blog.kloud.com.au/2012/10/12/office-365-smart-links/

Official Microsoft Post
http://community.office365.com/en-us/w/sso/358.using-smart-links-or-idp-initiated-authentication-with-office-365.aspx