BEFORE PERFORMING THIS PROCESS, PLEASE NOTE: Once Office 365 is federated with Clearlogin, you can no longer use Azure AD as a Clearlogin Identity Source. Doing so creates a circular dependency (as with Google Apps): Office 365 redirects sign-ins for the federated domain to Clearlogin, and Clearlogin would in turn send the user back to Azure AD to authenticate, producing an infinite login loop. This is a Microsoft limitation, not a Clearlogin one.

You will need to use a local Active Directory domain controller as your Identity Source going forward.

Also, once the domain is federated with Office 365, all user management must be done on the local Active Directory domain controller. Synced users and groups become read-only in Azure Active Directory, so changes made there are rejected; make them on-premises and let directory synchronization carry them to the cloud.

If the soft-enforcement redirect is enabled on the tenant, users who have not yet completed their account recovery information, and who were not already signed in to Clearlogin, are sent to the recovery-information prompt after authenticating via the SP instead of being redirected on to Office 365. Only tenants with the soft-enforcement redirect disabled pass such users straight through.

Pre-requisites

A local Active Directory (AD) domain controller (DC) synced to Azure AD.

Modern Authentication enabled in the Office 365 tenant.

Azure PowerShell Cmdlets

  • Requires .NET Framework 4.7.2 or later.
  • Run “Install-Module -Name Az” from PowerShell to install.
    If prompted about the trustworthiness of the repository, allow it; the PowerShell Gallery is a Microsoft-run repository.
  • Install the latest release of Az-Cmdlets (the MSI under “Assets”): https://github.com/Azure/azure-PowerShell/releases

A Clearlogin tenant

  • Standard or greater license.
  • Configured and working Active Directory domain controller Identity Source.
  • The pre-configured Office 365 app connector selected (located in the app catalog as “Office 365 – SAML”; no other configuration is required).
  • Take note of the Clearlogin SSO URL (Login) and Clearlogin Metadata URL. Look for a “-number” suffix in the URL (office365-2 in the example below). You will need to add this to the script later.
  • Save the app connector’s public certificate (a .pem) via the app connector’s display page.

The attached PowerShell script (officefederation.ps1; the attachment itself is named officessofederation.ps1).


Procedure

  1. Open officefederation.ps1 in PowerShell ISE.



  2. As you can see, there are six lines with empty quotation marks. Enter the following between each set of quotation marks:

    Line 3:  Your Azure “onmicrosoft” administrator username that is not associated with the domain being federated (for the sake of this example, mine is adm-syedwab@evolveiptest.onmicrosoft.com). Use a cloud-only account on the .onmicrosoft.com domain: once your own domain is federated, its accounts no longer sign in with Azure AD passwords, and an admin on that domain could lock you out of the tenant if the federation endpoint is misconfigured.
    Line 8:  Your Clearlogin sub-domain name (just the sub-domain, so “blueprintmail” for example)
    Line 9:  Your Microsoft-managed domain name (such as blueprintmail.com)
    Line 10: Your company name (e.g. Blue Print Mail)
    Line 11: Your Clearlogin tenant’s full URL:
    (https://blueprintmail.clearlogin.com, but with your sub-domain instead)
    Line 15: The path on your local desktop to the “office365_public_cert.pem” file that you saved earlier
    Lines 28 and 29: Append the “-number” suffix to the URL (if needed) as noted above from the app connector’s Clearlogin SSO URL (Login) and Clearlogin Metadata URL sections.


  3. Run lines 3 and 4.



    Enter your password.



    If all goes well, you will not receive any error messages or feedback.



  4. Run lines 8 through 11.



    Again, no errors or feedback should be displayed.



  5. Run lines 15 through 17.



    Your terminal should look like the following if the certificate is set correctly.



  6. Run lines 22 - 39.



    Output should look like the following.



  7. Run line 41 to verify that all previous steps were successful.







  8. Test your newly federated domain by logging in to it via your app tile or https://www.office.com. Test from a private browser window with an ordinary user in the federated domain, and keep your .onmicrosoft.com admin session open in another window so you can still reach the tenant if the redirect misbehaves.

    If authenticating via office.com, you will be redirected to Clearlogin.
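The attached script is not reproduced on this page. The following is an added example, not the page's script, showing the same Managed-to-Federated conversion with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement), which has replaced the MSOnline/Az-era cmdlets, together with the checks a practitioner wants before flipping a production domain: it reads the issuer, SSO endpoint and signing certificate from the Clearlogin Metadata URL instead of hand-typing them, confirms the saved .pem matches the certificate in the metadata, and refuses to run unless the signed-in admin is on the .onmicrosoft.com domain and the target domain is verified, not the tenant default, and currently Managed. The domain, brand name, certificate path, metadata URL, the fallback to the SSO URL when no logout endpoint is published, and the FederatedIdpMfaBehavior choice are assumptions for illustration.

```powershell
# Added example (not the attached officefederation.ps1): federate a verified Microsoft 365
# domain with Clearlogin (SAML 2.0) via Microsoft Graph, with pre-flight checks.
# Requires: Install-Module Microsoft.Graph.Identity.DirectoryManagement
# Assumed placeholder values, taken from the page's examples; replace them with your own.
$Domain      = 'blueprintmail.com'                                   # domain to federate
$BrandName   = 'Blue Print Mail'                                     # shown on the sign-in page
$CertPath    = "$env:USERPROFILE\Desktop\office365_public_cert.pem"  # saved from the app connector
$MetadataUrl = 'PASTE-THE-CLEARLOGIN-METADATA-URL-HERE'              # from the app connector page (may carry a "-number")

if ($MetadataUrl -notmatch '^https://') { throw 'Set $MetadataUrl to the Clearlogin Metadata URL from the app connector page.' }

# --- 1. Pull the IdP endpoints and signing certificate from the SAML metadata ---
# Reading them from metadata avoids typos in hand-copied URLs and lets us cross-check the .pem.
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Returns an attribute or the whitespace-stripped text of the first node matching $XPath, or $null.
function Get-MdValue([System.Xml.XmlNode]$Node, [string]$XPath, [string]$Attr) {
    $n = $Node.SelectSingleNode($XPath, $ns)
    if (-not $n) { return $null }
    if ($Attr) { return $n.GetAttribute($Attr) }
    return ($n.InnerText -replace '\s', '')
}

$redirect  = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$entity    = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
$issuer    = Get-MdValue $entity '.' 'entityID'
$ssoUrl    = Get-MdValue $entity "md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']" 'Location'
$sloUrl    = Get-MdValue $entity "md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$redirect']" 'Location'
$mdCertB64 = Get-MdValue $entity "md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
if (-not $issuer -or -not $ssoUrl -or -not $mdCertB64) { throw 'Metadata lacks an entityID, an HTTP-Redirect SSO endpoint, or a signing certificate.' }
if (-not $sloUrl) { $sloUrl = $ssoUrl }   # assumption: fall back to the SSO URL if the IdP publishes no SLO endpoint

# --- 2. Load the .pem saved from the app connector and check it matches the metadata ---
# Entra expects the bare base64 DER body, so strip the PEM armour and all whitespace.
$pemB64  = ((Get-Content -Raw $CertPath) -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
$pemCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($pemB64))
$mdCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($mdCertB64))
if ($pemCert.Thumbprint -ne $mdCert.Thumbprint) {
    throw "Certificate mismatch: .pem $($pemCert.Thumbprint) vs metadata $($mdCert.Thumbprint). Re-download the connector certificate."
}
if ($pemCert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "IdP signing certificate expires $($pemCert.NotAfter); plan a rollover." }

# --- 3. Sign in as a cloud-only admin and stop on unsafe preconditions ---
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome
$account = (Get-MgContext).Account
if ($account -notmatch '\.onmicrosoft\.com$') {
    throw "Signed in as $account. Use an admin on the .onmicrosoft.com domain: accounts in $Domain stop using Entra passwords once it is federated."
}
$dom = Get-MgDomain -DomainId $Domain
if (-not $dom.IsVerified)                  { throw "$Domain is not verified in the tenant." }
if ($dom.IsDefault)                        { throw "$Domain is the tenant default domain, which cannot be federated; change the default first." }
if ($dom.AuthenticationType -ne 'Managed') { throw "$Domain is already $($dom.AuthenticationType); remove the existing federation before re-running." }

# --- 4. Convert the domain to federated, pointing at Clearlogin ---
# rejectMfaByFederatedIdp keeps MFA decisions in Entra; use enforceMfaByFederatedIdp only if Clearlogin is your MFA.
$fed = New-MgDomainFederationConfiguration -DomainId $Domain `
    -DisplayName $BrandName `
    -IssuerUri $issuer `
    -PassiveSignInUri $ssoUrl `
    -ActiveSignInUri $ssoUrl `
    -SignOutUri $sloUrl `
    -SigningCertificate $pemB64 `
    -PreferredAuthenticationProtocol 'saml' `
    -FederatedIdpMfaBehavior 'rejectMfaByFederatedIdp'

# --- 5. Verify: the domain now reports Federated and the stored certificate is the one we loaded ---
$check      = Get-MgDomain -DomainId $Domain
$storedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($fed.SigningCertificate))
[pscustomobject]@{
    Domain             = $Domain
    AuthenticationType = $check.AuthenticationType      # expect 'Federated'
    IssuerUri          = $fed.IssuerUri
    PassiveSignInUri   = $fed.PassiveSignInUri
    CertThumbprint     = $storedCert.Thumbprint
    CertMatchesPem     = ($storedCert.Thumbprint -eq $pemCert.Thumbprint)
}
```

The line numbers in the procedure above refer to the attached script, not to this block. If the sign-in test in step 8 fails, roll back from the still-open .onmicrosoft.com admin session with Remove-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $fed.Id, which returns the domain to Managed so users can sign in with their Azure AD passwords again.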



