Configure Single Sign on for Office 365

You can enable users to sign into Office 365 using one of the following methods:

  • Secure Web Authentication (SWA)
  • WS-Federation - Automatic
  • WS-Federation - Manual

SWA is a single sign-on method developed by Okta. It stores the end-user credentials using strong encryption combined with a customer-specific private key. When the end user clicks the app, Okta securely signs them in using the encrypted credentials.

WS-Federation defines mechanisms to transfer identity information using encrypted SOAP messages. It does not require a separate password for Office 365.

Procedures

Configure Single Sign on using Secure Web Authentication

You can enable users to sign into Office 365 using either SWA or WS-Federation. When possible, use WS-Federation because it is more secure than SWA.

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select Secure Web Authentication.
  3. Select the appropriate option for username and password setup. See About SWA Apps.
  4. Map the username format as explained in Provisioning users, section 3, Map profile attributes Okta → Office 365.
  5. Click Save.

Configure Single Sign on using WS-Federation

There are two ways of configuring WS-Federation: automatic and manual using PowerShell. You can allow Okta to configure WS-Federation automatically, or you can configure it manually using a customized PowerShell command provided by Okta. The automatic method is recommended because Okta takes care of the back-end procedures.

Configure Single Sign on using WS-Federation - automatic method

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Automatic.
  3. Enter your Office 365 Administrator Username and Password.
  4. Click Fetch and Select. This displays a list of all Office 365 domains available for federation.
  5. Select domains that you want to federate.
  6. Click Save.

Caution

Ensure the administrator credentials you use for Office 365 are NOT in the domain you are federating.

Using an administrator account in the federated domain will lock you out of the Office 365 domain: you won't be able to authenticate to the Microsoft 365 Admin Center, because you would have to authenticate through Okta, where you are treated as a user, not as an admin. Ensure you are using administrator credentials for an account that is on your default Office 365 domain. This domain is by default yourtenant.onmicrosoft.com.

Configure Single Sign on using WS-Federation - PowerShell method

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Manual using PowerShell.
  3. Click View Setup Instructions for the PowerShell command customized for your domain.
  4. Copy this command for use in PowerShell.


In PowerShell,

  1. Type Connect-MsolService.
  2. Enter your Office 365 Global Administrator username and password.
  3. Enter the copied customized PowerShell command.
  4. Ensure the federation is successful by entering this command:

    Get-MsolDomainFederationSettings -DomainName yourdomain.name
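
The following script is an added example, not part of Okta's setup instructions: it wraps the PowerShell steps above with a guard for the caution about admin accounts in the federated domain and a post-federation check on the domain's settings. It assumes the MSOnline module is installed, that the Okta-provided customized command (typically a Set-MsolDomainAuthentication call, which this page does not reproduce) is pasted where indicated, and that the $AdminUpn and $FederatedDomain values are placeholders you replace.

```powershell
# Added example (not from the Okta page). Assumes the MSOnline module is installed.
param(
    [string]$AdminUpn        = 'admin@yourtenant.onmicrosoft.com',  # placeholder
    [string]$FederatedDomain = 'yourdomain.name'                    # placeholder
)

# Guard for the caution above: the admin account must NOT live in the domain being
# federated, otherwise it can only authenticate through Okta and loses admin access.
function Test-AdminOutsideFederatedDomain {
    param([string]$Upn, [string]$Domain)
    $adminDomain = ($Upn -split '@')[-1]
    return ($adminDomain -ne $Domain)
}

# Verify the domain is federated and that Okta wrote the federation endpoints.
function Confirm-DomainFederation {
    param([string]$Domain)
    $d = Get-MsolDomain -DomainName $Domain
    if ($d.Authentication -ne 'Federated') {
        Write-Warning "$Domain is still '$($d.Authentication)'; federation did not apply."
        return $false
    }
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    # Empty values mean the customized command did not write the settings.
    foreach ($p in 'IssuerUri', 'PassiveLogOnUri', 'ActiveLogOnUri') {
        if ([string]::IsNullOrEmpty($fed.$p)) {
            Write-Warning "$p is empty for $Domain."
            return $false
        }
    }
    Write-Host "Federation OK: IssuerUri=$($fed.IssuerUri)"
    return $true
}

if (-not (Test-AdminOutsideFederatedDomain -Upn $AdminUpn -Domain $FederatedDomain)) {
    throw "$AdminUpn is in $FederatedDomain; use an account on the default *.onmicrosoft.com domain."
}
Connect-MsolService   # prompts for the Office 365 Global Administrator credentials
# ... paste the customized command copied from Okta's View Setup Instructions here ...
Confirm-DomainFederation -Domain $FederatedDomain
```

If Confirm-DomainFederation returns $false, fix the reported setting before testing sign-on, since a half-applied federation leaves users unable to authenticate through either Okta or Microsoft.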

Test Single Sign on configuration

  1. Log into Okta as a test user.
  2. Open Office 365 from the end-user dashboard.
  3. Ensure the user is successfully logged in to the Office 365 account.
