Configure WS-Federation for Office 365
There are two sign-on methods for Microsoft Office 365 available in Okta: Secure Web Authentication (SWA) and WS-Federation (WS-Fed), which is the more secure and preferred method.
- SWA relies on a username and a password for security credentials that can be selected by the end user or assigned by the administrator
- WS-Federation is a specification that defines mechanisms to transfer identity information using encrypted SOAP messages. It adds an additional level of security. WS-Federation does not require a separate password for Office 365; consequently, Okta does not need to sync user passwords when WS-Federation is used.
Warning: Okta removes the domain federation in the following cases:
- If you switch from WS-Federation to SWA
- If you delete the app instance
To set up WS-Federation:
- If Microsoft Office 365 is already set up, select Applications from the Administrator Dashboard, locate and select the Microsoft Office 365 app, and then select the Sign On tab. If you are setting up Microsoft Office 365 for the first time, access the Sign On tab by clicking Next from the General Settings tab.
For SIGN ON METHODS, check the WS-Federation radio button.
Click View Setup Instructions, shown below. They provide recommendations to prepare your domain for federated authentication.
Specify whether you want to:
Configure WS-Federation myself using Powershell.
Let Okta configure WS-Federation automatically for me.
If you select to have Okta configure WS-Federation automatically, enter your Microsoft 365 API Admin Username and Password. The Default Relay State is optional. (The default relay state is the page your users will land on after they successfully log in.)