ContentsOverview.....................................................................................................................................................2

Setup ADFS Server.......................................................................................................................................3

Join ADFS server to domain.....................................................................................................................3

Create ADFS Service Account..................................................................................................................3

Install ADFS Role......................................................................................................................................3

Generate CSR from ADFS server..............................................................................................................6

Request Cert from your CA......................................................................................................................8

Run ADFS Configuration Wizard..............................................................................................................8

Check SPN of the Service Account.........................................................................................................13

Update Internal DNS record......................................................................................................................13

Verify ADFS URL from Client Machine.......................................................................................................13

O365 Tenant Preparation..........................................................................................................................14

Install Azure AD Connect for Identity Sync............................................................................................14

Configure Azure AD Connect for ADFS..................................................................................................17

Verify Identify sync................................................................................................................................26

Verify SSO from Client Machine................................................................................................................26

Reference..................................................................................................................................................28

Version Date Author Change Description1.0 16 Sep 2016 Shankar Paulraj Initial draft1.1 17 Sep 2016 Shankar Paulraj Certificate CN details & ADFS Service Account

OverviewThe guide cover steps involved in setting up ADFS and Azure AD connect in order to achieve O365 Single Sign-On.

The Azure AD Connect available from the O365 portal makes the whole SSO setup easier, the Azure AD Connect Configuration Wizard helps to verify the ADFS server farm configuration and performs the necessary configuration on the O365 tenant such as setting up tenant for federated identity.

Office 365 Services

ADFSAD + Azure AD

Connect

mylab.local

radiancecommslab.com

User1

User attempts to login to O365

& gets re-directed to ADFS

Auth

The above setup does not include an ADFS proxy server, an ADFS proxy is needed for the above setup if we have client outside the customer network that are trying to access O365 services.

High level Requirements

2 x Windows 2012R2 Standard Edition VM (AD & ADFS)

1 x Windows 10 VM (Client)

1 x Working O365 Tenant

Setup ADFS Server

Join ADFS server to domainCreate ADFS Service AccountCreate a Domain User account “adfs” who’s password does not expire. Later this will be the service account used for running ADFS service.

Install ADFS Role

Generate CSR from ADFS serverRun DigiCert Certificate Utility on the ADSF Server.

CN= <federation service name>

SAN=<federation service name>

Request Cert from your CA. For my lab I used https://www.startssl.com/.

Free SSL certificate can be obtained from https://startssl.com/OTPLogin for LAB environment.

Obtain the public cert and install it on the ADFS server.

Run ADFS Configuration Wizard

Enter the service account adfs@mylab.local created previously.

Check SPN of the Service Account

Update Internal DNS recordAdd STS record.

Verify ADFS URL from Client MachineAccess ADFS URL (https://sts.radiancecommslab.com/adfs/ls/IdpInitiatedSignon.aspx) from client machine.

O365 Tenant PreparationAssumption: O365 Tenant has been setup, including custom domain “radiancecommslab.com” and DNS verification.

Install Azure AD Connect for Identity SyncFor this lab, I will install Azure AD Connect on AD server.

The latest version of the software can be downloaded from the O365 Portal.

Configure Azure AD Connect for ADFS

Verify Identify syncLogin to O365 portal and verify if On-Prem users are synchronized to cloud.

User1 and User2 are Sync from On-Prem to O365.

Verify SSO from Client MachineLogin to client machine as domain user “User1” and try to login to Office 365 portal.

When trying to enter password,

- The user will be automatically re-directed to ADFS server.- The user’s windows login credentials will be automatically used for authentication.- The user will be logged-in to O365 portal.

Referencehttps://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365/