Testing Single Sign-on to the NEW Office 365

Now that we have AD FS set up and Directory Sync up and running, we can test single sign-on to Office 365. Let’s clear up one misconception about single sign-on. Most people think that single sign-on implies that they sign on once and never get prompted for credentials again. This is wrong. What single sign-on allows us to do is use a single account (username and password) to authenticate to multiple services. In our case, our user name and password from local AD will allow us to access services in Office 365.

In order to complete our testing, we need to test single sign-on from the internal network and from the internet. This post assumes that you have already activated and licensed the synchronized user in Office 365. If you haven’t, please use this BLOG post to do that.

Testing from Internal

Before we test single sign-on, we need to take some additional steps.

  1. Make sure that the client computer is domain joined.

  2. Make sure that the user is logging into the computer with domain credentials.

  3. Verify name resolution to the internal AD FS server farm. This can be done by simply pinging the AD FS server farm name. If the name does not resolve, verify that the correct DNS entries have been added to the private DNS servers.

  4. Add the internal AD FS server farm address to the Local Intranet zone. If this is not done, users will be prompted for credentials by the AD FS server. Sites in the Local Intranet zone are allowed to use Integrated Windows Authentication, so IE passes the logged-on user’s domain credentials to the AD FS sign-in page without prompting.
    1. Open Internet Explorer
    2. Open Internet Options
    3. Click Security
    4. Click Local Intranet
    5. Click Sites
    6. Click Advanced
    7. Enter the address of your internal AD FS server farm (https://sts.domain.com)
    8. Click Add
    9. Click Close

Verify AD FS with the Microsoft Office 365 Portal Site

  1. Open Internet Explorer

  2. Navigate to the Office 365 Portal Site

  3. Enter your user account in UPN format (username@domain.com)

  4. As soon as you tab to the password field, Office 365 checks whether your domain is enabled for single sign-on. If it is, you are redirected to your local AD FS farm for authentication. Since we added this site to our Local Intranet zone, the local credentials are passed to the webpage and authentication should be seamless to the user.

  5. Once authentication happens, you are redirected to the Microsoft Office 365 portal site and logged in as the user.

Testing from External

Before we can test the client logon, there is some information that we should verify.

  1. Make sure that the user knows their domain credentials.

  2. Verify name resolution to the external AD FS Proxy server. This can be done by simply pinging the AD FS server farm name. If the name does not resolve, verify that the correct DNS entries have been added to the public DNS servers.
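The pre-flight checks for the internal test (domain membership, domain logon, name resolution, Local Intranet zone) and the external test (name resolution to the proxy) can be scripted so they are repeatable on every client you test from. The following PowerShell is an added example, not part of the original post; it assumes the farm name is the post’s placeholder sts.domain.com, that the same name is published externally for the AD FS proxy servers, and PowerShell 3.0 or later for Invoke-WebRequest. The zone check reads the registry keys that Internet Options and the “Site to Zone Assignment List” policy write to, and the HTTPS check fetches the anonymous federation metadata document that every AD FS farm and proxy publishes, so a certificate name or trust problem is reported before any user sees a sign-in page.

```powershell
# Added example (not from the original post): scripted pre-flight checks for the
# internal and external single sign-on tests.
# Assumptions: the AD FS farm name is sts.domain.com (placeholder from the post)
# and the same name is published externally for the AD FS proxies.
param(
    [string]$FarmName = 'sts.domain.com',
    [ValidateSet('Internal', 'External')]
    [string]$Scope = 'Internal'
)

$results = New-Object System.Collections.ArrayList
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

if ($Scope -eq 'Internal') {
    # Step 1: the client must be domain joined.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    Add-Result 'Computer is domain joined' $cs.PartOfDomain $cs.Domain

    # Step 2: the user must have logged on with domain credentials. For a local
    # account USERDOMAIN is simply the computer name.
    Add-Result 'Logged on with domain credentials' ($env:USERDOMAIN -ne $env:COMPUTERNAME) "$env:USERDOMAIN\$env:USERNAME"

    # Step 4: the farm name must be in the Local Intranet zone (zone 1); otherwise IE
    # will not use Integrated Windows Authentication and the user is prompted.
    # Sites added through Internet Options land under ZoneMap\Domains\<domain>\<host>
    # as a DWORD named after the scheme; sites pushed by the "Site to Zone Assignment
    # List" policy land under Policies\...\ZoneMapKey instead.
    $labels    = $FarmName.Split('.')
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    $zoneMap   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    $zone      = (Get-ItemProperty -Path $zoneMap -Name https -ErrorAction SilentlyContinue).https
    if ($null -eq $zone) {
        foreach ($hive in 'HKCU', 'HKLM') {
            $policyKey = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
            $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
            if ($policy -and $policy.PSObject.Properties["https://$FarmName"]) {
                $zone = [int]$policy."https://$FarmName"
            }
        }
    }
    Add-Result 'Farm name in Local Intranet zone' ($zone -eq 1) "Zone value: $zone (1 = Local Intranet)"
}

# Step 3 (both scopes): the farm name must resolve. Internally it should point at
# the AD FS farm, externally (public DNS) at the AD FS proxy servers.
try {
    $addresses = @([System.Net.Dns]::GetHostAddresses($FarmName) | ForEach-Object { $_.IPAddressToString })
    Add-Result "DNS resolution for $FarmName" ($addresses.Count -gt 0) ($addresses -join ', ')
} catch {
    Add-Result "DNS resolution for $FarmName" $false $_.Exception.Message
}

# Reachability and certificate check: the federation metadata document is served
# anonymously by AD FS farms and proxies, so a TLS name or trust error shows up
# here before a user ever reaches the sign-in page.
$metadataUrl = "https://$FarmName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $response   = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    $isMetadata = ($response.StatusCode -eq 200) -and ($response.Content -match 'EntityDescriptor')
    Add-Result 'Federation metadata reachable over HTTPS' $isMetadata "HTTP $($response.StatusCode) from $metadataUrl"
} catch {
    Add-Result 'Federation metadata reachable over HTTPS' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Save it under any name (Test-SsoPrereqs.ps1 is used here only as an illustration) and run it with `-Scope Internal` from a domain-joined client, then with `-Scope External` from a machine on the internet; each failing row maps back to the numbered step it checks, and a non-zero exit code makes it easy to run from a login script or monitoring job.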

Verify AD FS with the Microsoft Office 365 Portal Site

  1. Open Internet Explorer

  2. Navigate to the Office 365 Portal Site

  3. Enter your user account in UPN format (username@domain.com). As soon as you tab to the password field, Office 365 checks whether your domain is enabled for single sign-on. If it is, you are redirected to your AD FS Proxy Server for authentication.

  4. Enter your User ID in UPN format (userid@domain.com)

  5. Enter your password

  6. Click Sign In

  7. The user is authenticated and then redirected back to the Office 365 Portal Site.

Testing External Connection while Connected to the Internal Network

When testing AD FS, you are usually on the inside of the network and won’t have access to an outside connection. Microsoft has a tool that allows for an external test to be run while providing some more troubleshooting information.

  1. Open Internet Explorer

  2.

  3. Click Office 365 tab

  4. Click Office 365 Single Sign-On Test

  5. Click Next

  6. Enter your user account and password

  7. Check that you understand the acknowledgement

  8. Enter the verification information

  9. Click Perform Test

  10. The test starts

  11. When the test is complete, you will get some detailed information on the process. My test passed, but had some warnings. After viewing the warnings, I can dismiss them.

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP

12 thoughts on “Testing Single Sign-on to the NEW Office 365”

  3. Kevin Sawyer

    So Microsoft has redefined Single Sign On to mean “the same account works a bunch of places, but you get to re-enter your credentials” instead of “because the same account works a bunch of places, you don’t have to re-enter your credentials”…? That’s ridiculous.

    Brand new Windows Server Essentials 2012 R2. Office365 for hosted Exchange. Clients should be able to log into Windows 7/8, fire up Outlook 2013 and NOT HAVE TO ENTER THEIR PASSWORD AGAIN.

    Not cool… Very disappointed.

    Now delete my comment before over 9,000 people agree. :\

    1. Kelsey Epps (Post author)

      Glad that you got that off your chest? You do know that I don’t work for Microsoft, right? Sorry for trying to offer you some free help!

      1. Matt

        Maybe clarify that it’s Microsoft’s misconception about SSO. The article opening makes it sound like ‘we’ are uninformed, rather than MS getting this one wrong.

        1. Kelsey Epps (Post author)

          I guess it’s open to interpretation. We are using their service, so I would lean towards using their version of the story. Not saying that you are wrong or that I don’t agree with you, but I try to align with Microsoft.

    2. Jimi

      I couldn’t agree more Kevin.

      Kelsey, thanks for this detailed post, but as an architect I have to explain to my end users why they can’t enjoy a behaviour they get from all other systems we offer. They are not interested in the shortcomings of Office 365; they will blame it on design. We are even moving Exchange online and that presents the same issues.

      If as an MVP you can suggest this enhancement, I am sure many will thank you profusely. I for one will build a statue in your honour with my bare hands.

    1. Kelsey Epps (Post author)

      Look for things to change in the future. Microsoft has made announcements on how they are looking to change to enable true SSO.

  4. Steve

    Is there a KB from MS that specifies the need to enter in your username before it will log you in? Or any information from MS in regards to changing or enabling “true SSO”?
