The SDO service allows users secure, password-free access to Microsoft 365 portals and services. Users log into the console by authorizing the connection through an app on their phone. This article provides the steps needed to enable the SDO service for Microsoft 365 and to federate the domain that SDO will use for access.
Intermediary Domain Considerations
Accessing the Office 365 environment through SDO requires the federation of a domain with SDO. Once a domain is federated, users logging into any Office 365 account with that domain will automatically be redirected to the SDO platform to authorize their login via the Authenticator App. In most cases, a company will opt to federate its primary domain so that users can log in with the same address where they receive email. However, there are circumstances in which a company may not want to federate its primary domain to SDO, such as:
- The primary domain is already federated, such as to a local or hosted Active Directory for the purpose of local network workstation access.
- The syncing of user credentials between a local network and Office 365 via AD Sync.
- The use of third-party Single Sign-On solutions for other applications or environments.
If a company prefers not to federate their primary domain, they can instead set up SDO through the use of an Intermediary domain. This can be any other custom domain that has been added and verified in the Office 365 tenant. Please note that the domain must be unique in the tenant, and a sub-domain of another domain in the tenant cannot be federated separately from the root domain.
When an intermediary domain is used for SDO, that domain must be assigned as an alias to each user in the tenant that will use SDO Authentication. An extra step is also required by users to log into any Office 365 service. When initially logging into the Office 365 service, users will first enter their intermediary domain address in the Office 365 username prompt. This will redirect them to the SDO Authentication prompt, in which they will then need to enter their primary alias. This will trigger the SDO Authenticator App for authorization as normal.
Enabling SDO for Office 365
1. In the Control Panel, click on My Services from the left-hand menu.
2. Click on the Secret Double Octopus vendor band to expand it.
3. Under the expanded vendor band, click on the Services tab.
4. Click on the Edit button for Microsoft Office 365.
5. Select your primary domain from the Domain drop-down field.
6. Click the Activate Microsoft Office365 button.
7. Click on the Service Metadata tab.
8. The Service Metadata page will show the Login URL, Logout URL, and Issuer URL for your SDO authentication connection. Record each of these URLs, as they will be used to set up Office 365 for SDO access.
9. Copy the contents of the X.509 Certificate text box.
10. Open a text editor such as Notepad and paste the copied X.509 Certificate text.
11. Under the File menu, select Save As, and save the file with a .pem file extension.
12. Save the file to an easily found location on your computer (a drive root will be the easiest to reference).
Setting up the Office 365 tenant for SDO Authentication
Configuring Office 365 for SDO Authentication requires the execution of a number of commands in PowerShell. You must connect to the PowerShell session using Global Administrator credentials. If you have any questions about connecting via PowerShell, or would like our Support team to execute the commands on your behalf, please contact our team.
Important: Before you begin, verify that you have installed the required PowerShell modules (Software Requirements). Please note that the required MSOnline module only supports Windows PowerShell. PowerShell on macOS and Linux is not supported by the module.
1. Open PowerShell as an administrator and run the following commands to ensure the required modules are installed before proceeding.
Install-Module -Name AzureAD
Install-Module -Name MSOnline   # provides the Set-MsolDomainAuthentication and Get-MsolDomainFederationSettings cmdlets used below
2. In the PowerShell window, enter the following command and hit Enter:
3. Log in with your Global Admin credentials.
4. Enter the following command, inserting your intermediary domain, and hit Enter.
$dom = "<additional Office365 Intermediary domain name>"
5. Enter the following command, inserting your Organization Name. This is your company name as recorded in the Office 365 account.
$fedBrandName = "<Organization name>"
6. Enter the following command, inserting the Login URL you copied in step 8 of the previous section.
$url = "<SDO Login URL>"
7. Enter the following command, inserting the Issuer URL you copied in step 8 of the previous section.
$uri = "<SDO Issuer URL>"
8. Enter the following command, inserting the Logout URL you copied in step 8 of the previous section.
$logoutUrl = "<SDO Logout URL>"
9. Enter the following command, inserting the location and name of the .pem file you created in step 13 of the previous section.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ("<C:\cert.pem>")
10. Enter the following command and hit Enter. This converts the certificate's raw DER bytes into the Base64 string that the federation cmdlet expects.
$certData = [System.Convert]::ToBase64String($cert.RawData)
11. Execute the federation of your domain by entering the following command and hitting Enter.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData
12. Verify the new settings with the following command.
Get-MsolDomainFederationSettings -DomainName $dom | fl
13. In the Control Panel, click the My Services menu from the left-hand menu.
14. Click the Secret Double Octopus vendor band to expand it.
15. Click the Services tab.
16. Click the Edit button for the Microsoft Office 365 Service.
17. Under the Configuration tab, enter your Intermediary domain.
18. Click the Save button.
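The following PowerShell script is an added example, not part of the original article and not SDO's own tooling. It carries steps 4 through 12 of the procedure above through in one run and adds the checks an administrator would want around them: that the intermediary domain is verified in the tenant and not already federated elsewhere (the situation the Intermediary Domain Considerations section warns about), that the SDO signing certificate is within its validity period, and that the settings read back from the tenant match what was sent. It assumes the MSOnline module is installed, that `Connect-MsolService` is the sign-in command for step 2, and that the placeholder values are replaced with the URLs and .pem path recorded in the previous section.

```powershell
# Added example; assumes the MSOnline module is installed and that the
# placeholders below are replaced with the values from the SDO Service Metadata tab.
Connect-MsolService   # sign in with Global Administrator credentials (assumed step 2 command)

$dom          = "<additional Office365 Intermediary domain name>"
$fedBrandName = "<Organization name>"
$url          = "<SDO Login URL>"
$uri          = "<SDO Issuer URL>"
$logoutUrl    = "<SDO Logout URL>"
$pemPath      = "<C:\cert.pem>"

# Pre-check 1: the domain must already exist in the tenant and be verified;
# Set-MsolDomainAuthentication cannot federate an unverified domain.
$domainInfo = Get-MsolDomain -DomainName $dom -ErrorAction Stop
if ($domainInfo.Status -ne 'Verified') {
    throw "Domain $dom is not verified in the tenant (status: $($domainInfo.Status))."
}

# Pre-check 2: do not silently overwrite an existing federation. A domain already
# federated to another identity provider should not be reused as the SDO intermediary domain.
if ($domainInfo.Authentication -eq 'Federated') {
    $existing = Get-MsolDomainFederationSettings -DomainName $dom
    throw "Domain $dom is already federated to issuer '$($existing.IssuerUri)'. Choose a different intermediary domain."
}

# Pre-check 3: load the SDO signing certificate from the .pem file and confirm it is
# currently valid, so logins are not set up against an expired or not-yet-valid certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($pemPath)
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Signing certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
$certData = [System.Convert]::ToBase64String($cert.RawData)

# Federate the domain to SDO over SAML-P, as in step 11 of the article.
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri `
    -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $certData

# Post-check: read the settings back (step 12) and compare each field, including the
# certificate thumbprint, to what was sent, so a mistyped URL is caught now rather than
# at the first user's login attempt.
$settings    = Get-MsolDomainFederationSettings -DomainName $dom
$storedBytes = [System.Convert]::FromBase64String($settings.SigningCertificate)
# The unary comma keeps PowerShell from unrolling the byte[] into separate constructor arguments.
$storedCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$storedBytes)

$checks = [ordered]@{
    'IssuerUri'         = ($settings.IssuerUri -eq $uri)
    'PassiveLogOnUri'   = ($settings.PassiveLogOnUri -eq $url)
    'LogOffUri'         = ($settings.LogOffUri -eq $logoutUrl)
    'Protocol is SAMLP' = ($settings.PreferredAuthenticationProtocol -eq 'Samlp')
    'Signing cert'      = ($storedCert.Thumbprint -eq $cert.Thumbprint)
}
foreach ($entry in $checks.GetEnumerator()) {
    "{0,-20} {1}" -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'MISMATCH' })
}
if ($checks.Values -contains $false) {
    Write-Warning "Federation settings do not match the values sent; correct the variables and re-run Set-MsolDomainAuthentication before users try to log in."
}
```

Run the script in Windows PowerShell (the MSOnline module does not load on PowerShell for macOS or Linux). The three pre-checks fail fast with a thrown error so nothing is changed in the tenant when the domain or certificate is not in the expected state; the post-check table is the same information `Get-MsolDomainFederationSettings ... | fl` shows in step 12, reduced to an OK/MISMATCH verdict per field.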
The Office 365 Intermediary Domain is now set up for authentication through SDO. Users can log in through SDO by entering their intermediary email alias in any Office 365 username prompt. This will redirect the login to SDO, at which point the user will enter and submit their primary email address.