Setting up AD FS and Enabling Single Sign-On to the NEW Office 365

In order to enable Single Sign-on with the NEW Office 365, there are a number of steps that need to happen. This series of posts will cover setting up the AD FS server and completing the federation process with Office 365. Before you try to set up federation, it’s always a good idea to document your solution; this will make it a lot easier to achieve your end goal. This will be the end goal architecture for setting up AD FS, AD FS Proxies and Directory Synchronization.

This is a typical highly available setup into Office 365. Ideally these servers will be installed as virtual machines on multiple Hyper-V hosts. Think about redundancy, not only in the virtual servers, but in the Hyper-V hosts as well. Install one AD FS and one AD FS Proxy on one Hyper-V host and the other AD FS and AD FS Proxy on another Hyper-V host. This prevents loss of service from a hardware failure. Keep in mind that once you are using Single Sign-on with Office 365, you rely on your local Active Directory and AD FS for authentication: if they are unavailable, your users cannot sign in to Office 365. Later on in the Getting to Know the NEW Office 365 series, I will cover how to make these roles highly available. For now we will install single roles to get the service up and running.


Prepare the Base Servers


After reviewing the architecture above, you will notice that I am using Windows Server 2012 for the base OS on all the server roles.

AD FS Server

  1. Base build the AD FS server with Windows Server 2012
  2. Set up a connection to the internal network
  3. Add the server to the local domain
  4. Update the server with all Windows Updates

AD FS Proxy Server

  1. Base build the AD FS Proxy server with Windows Server 2012
  2. Set up a connection to the DMZ network (verify connectivity to the AD FS server on TCP port 443)
  3. DO NOT add the server to the local domain
  4. Update the server with all Windows Updates

Directory Sync Server

  1. Base build the Directory Synchronization server with Windows Server 2012
  2. Set up a connection to the internal network
  3. Add the server to the local domain
  4. Update the server with all Windows Updates
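The three base-build checklists above are easy to get wrong in one detail (a proxy that was accidentally domain-joined, or a DMZ firewall rule that never got opened). The following PowerShell script is an added example, not part of the original post: run it on each server after the base build and it reports whether the OS, domain membership, port 443 reachability (proxy only) and patch state match the role. The server name `adfs01.contoso.local` and the domain `contoso.local` are assumed values; the script avoids `Test-NetConnection` because that cmdlet only arrived with Server 2012 R2.

```powershell
# Added example (not from the original post): pre-flight checks for the AD FS,
# AD FS Proxy and Directory Sync base servers. Run after the base build, as an
# administrator. $AdfsServer and $InternalDomain are assumed names.
param(
    [ValidateSet('ADFS', 'ADFSProxy', 'DirSync')]
    [string]$Role = 'ADFS',
    [string]$AdfsServer = 'adfs01.contoso.local',   # assumed internal FQDN of the AD FS server
    [string]$InternalDomain = 'contoso.local'        # assumed internal AD domain
)

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Base OS: the post uses Windows Server 2012 (kernel version 6.2) for every role.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Windows Server 2012' ($os.Version -like '6.2.*') $os.Caption

# 2/3. Domain membership: AD FS and DirSync must be joined, the DMZ proxy must NOT be.
$cs = Get-WmiObject Win32_ComputerSystem
if ($Role -eq 'ADFSProxy') {
    Add-Check 'Not domain-joined (DMZ proxy)' (-not $cs.PartOfDomain) "Domain/workgroup: $($cs.Domain)"

    # The proxy only needs TCP 443 to the internal AD FS server; open a raw TCP
    # connection instead of Test-NetConnection, which Server 2012 does not have.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($AdfsServer, 443)
        Add-Check "TCP 443 to $AdfsServer" $tcp.Connected 'DMZ -> internal AD FS reachable'
    } catch {
        Add-Check "TCP 443 to $AdfsServer" $false $_.Exception.Message
    } finally {
        $tcp.Close()
    }
} else {
    $joined = $cs.PartOfDomain -and ($cs.Domain -ieq $InternalDomain)
    Add-Check "Joined to $InternalDomain" $joined "Domain: $($cs.Domain)"
}

# 4. Windows Update: last successful hotfix install and whether a reboot is still pending.
$lastUpdate = (Get-HotFix | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$recent = ($lastUpdate -ne $null) -and ($lastUpdate -gt (Get-Date).AddDays(-30))
Add-Check 'Updates installed in last 30 days' $recent "Last hotfix: $lastUpdate"

$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
Add-Check 'No reboot pending' (-not (Test-Path $rebootKey)) 'RebootRequired key absent'

$results | Format-Table -AutoSize
# Non-zero exit so the script can gate an automated build pipeline.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it as `.\Check-BaseServer.ps1 -Role ADFSProxy` on the proxy and with the default role elsewhere; a failed `TCP 443` check on the proxy almost always means the DMZ-to-internal firewall rule is missing, which is the check most often skipped.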


Prepare Active Directory


Add UPN Suffix

If you are using an internal domain name that doesn’t match the domain you want to federate with Office 365, you will have to add a custom UPN suffix that matches that external namespace. If you need to add the UPN suffix, please follow these instructions: http://support.microsoft.com/kb/243629

Example

Internal Domain Name – contoso.local

Desired Federated Domain – contoso.com


Clean up Active Directory

This makes sense for many reasons, but most of all for Directory Sync. We can filter the OUs that we want to sync to Office 365; you can check out this BLOG post on how to do that. I generally make an OU for all the Office 365 services, then create more OUs within that one for the user accounts, service accounts, groups, servers and computers. This will allow us to filter on user accounts and groups when we enable Directory Synchronization with Office 365. The fewer objects you sync with Office 365, the better. If you have thousands of objects replicating that don’t need to be, things will get messy really quickly. Keep it clean and neat. This will prevent mistakes and keep you headache free.
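The two Active Directory steps above (adding the UPN suffix, and building a dedicated OU structure so only the right objects reach Directory Sync) can be done together from PowerShell. The script below is an added example and is not part of the original post: it uses the post’s own `contoso.local` / `contoso.com` example, and the OU name `Office 365` and its child OU names are assumptions. It requires the ActiveDirectory module (RSAT) and Domain Admin rights, and the UPN rewrite runs with `-WhatIf` so you can review the change before applying it.

```powershell
# Added example (not from the original post): create the Office 365 OU structure,
# add the external UPN suffix at forest level, and rewrite the UPN of the users
# that will be synchronized. Run on a domain-joined server as a Domain Admin.
Import-Module ActiveDirectory

$FederatedSuffix = 'contoso.com'                      # desired federated domain (post's example)
$DomainDn        = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=local
$RootOu          = "OU=Office 365,$DomainDn"          # assumed parent OU name
$ChildOus        = 'Users', 'Service Accounts', 'Groups', 'Servers', 'Computers'

function Test-OuExists([string]$Dn) {
    return [bool](Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$Dn'")
}

# 1. Parent OU plus one child OU per object type, all protected from accidental deletion.
#    Later only the Users and Groups OUs need to be in scope for Directory Sync.
if (-not (Test-OuExists $RootOu)) {
    New-ADOrganizationalUnit -Name 'Office 365' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}
foreach ($name in $ChildOus) {
    if (-not (Test-OuExists "OU=$name,$RootOu")) {
        New-ADOrganizationalUnit -Name $name -Path $RootOu -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Register the custom UPN suffix on the forest (the PowerShell equivalent of the
#    KB 243629 steps in AD Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $FederatedSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $FederatedSuffix }
}

# 3. Rewrite the UPN of every enabled user in the Users OU from @contoso.local to
#    @contoso.com. The UPN prefix is kept; accounts without a UPN fall back to
#    their sAMAccountName. -WhatIf only previews; remove it once the output looks right.
$usersOu = "OU=Users,$RootOu"
$users = Get-ADUser -SearchBase $usersOu -Filter { Enabled -eq $true } -Properties UserPrincipalName
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    if (-not $prefix) { $prefix = $u.SamAccountName }
    $newUpn = "$prefix@$FederatedSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
    }
}

# 4. Report what will be in scope for Directory Synchronization after the change.
Get-ADUser -SearchBase $usersOu -Filter * -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, Enabled |
    Format-Table -AutoSize
```

Keeping the UPN rewrite scoped to the `Users` OU is deliberate: service accounts, servers and computers stay on the internal suffix and never need a federated sign-in, so they are also the objects you will exclude when the Directory Sync filter is configured later in the series.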


Complete Series:

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


2 thoughts on “Setting up AD FS and Enabling Single Sign-On to the NEW Office 365”

  1. Gaurav

    We have local ADs at our four office locations with the same local domain names. Could you please guide us on whether we can link all these local ADs, which have the same domain names, to our Office 365?

    In addition, will the SSO work if the user is not connected to the office local LAN?

  2. Pingback: OWA customization and development - Dan's WebDAV 101 - Site Home - MSDN Blogs
