Configure Single Sign on for Office 365

You can enable users to sign into Office 365 using Secure Web Authentication (SWA) or WS-Federation.

SWA is a single sign-on method developed by Okta. It stores the end-user credentials using strong encryption combined with a customer-specific private key. When the end-user clicks the app chiclet, Okta securely signs them in using the encrypted credentials.

WS-Federation defines mechanisms to transfer identity information using encrypted SOAP messages. It does not require a separate password for Office 365.



Configure Single Sign on using Secure Web Authentication

You can enable users to sign into Office 365 using either SWA or WS-Federation. When possible, use WS-Federation because it is more secure than SWA.

  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select Secure Web Authentication.
  3. Select the appropriate option for username and password setup. See About SWA Apps.
  4. Map the username format as explained in Provisioning users, section 3. Map profile attributes Okta → Office 365.
  5. Click Save.


Configure Single Sign on using WS-Federation

There are two ways of configuring WS-Federation: automatically, or manually using PowerShell. You can allow Okta to configure WS-Federation automatically, or you can configure it yourself using a customized PowerShell script provided by Okta. Configuring WS-Federation automatically is recommended because Okta takes care of the back-end procedures.


Configure Single Sign on using WS-Federation - automatic method


  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > Let Okta configure WS-Federation automatically for me.
  3. Enter your Office 365 Global Administrator username and password.

    Your Office 365 Global Administrator username and password for WS-Federation are pre-filled if you have provided them while setting up provisioning.

  4. Click Save.




Ensure your administrator credentials for Office 365 are NOT in the domain you are federating.

Using credentials from the federated domain will lock you out of the Office 365 domain. You won’t be able to authenticate yourself in Microsoft 365 Admin Center as you have to authenticate through Okta, where you will be treated as a user, not as an admin. Ensure you are using administrator credentials for an account that is on your default Office 365 domain. This domain is by default


Configure Single Sign on using WS-Federation - PowerShell method


  1. Go to Office 365 > Sign on > Settings > Edit.
  2. In Sign on Methods, select WS-Federation > I want to configure WS-Federation myself using PowerShell.
  3. Open Setup Instructions for the PowerShell command customized for your domain.
  4. Copy this command for use in PowerShell.

In PowerShell,

  1. Type Connect-MsolService.
  2. Enter your Office 365 Global Administrator username and password.
  3. Enter the copied customized PowerShell command.
  4. Ensure the federation is successful by entering this command:

    Get-MsolDomainFederationSettings -DomainName
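
The warning about administrator credentials can be checked before running the customized command. The following is an added example, not Okta's script: it flags administrator sign-in names that sit in the domain being federated. The function name, the `corp.example` and `tenant.example` domains and the sample accounts are constructed for illustration; the commented live query assumes the MSOnline module used in this procedure.

```powershell
# Added example (not Okta's customized command). Classifies administrator
# sign-in names against the domain that is about to be federated.
function Test-FederationAdminLockout {
    param(
        [Parameter(Mandatory)] [string]   $FederatedDomain,
        [Parameter(Mandatory)] [string[]] $AdminUpn
    )
    $target = $FederatedDomain.Trim().TrimEnd('.')
    foreach ($upn in ($AdminUpn | Sort-Object -Unique)) {
        $parts = $upn.Trim() -split '@'
        if ($parts.Count -ne 2 -or -not $parts[1]) {
            # Not a user@domain sign-in name: report it rather than guess.
            [pscustomobject]@{ Upn = $upn; InFederatedDomain = $null; Note = 'not a UPN' }
            continue
        }
        # -ieq is a case-insensitive exact match on the domain suffix.
        $inside = $parts[1].TrimEnd('.') -ieq $target
        $note = 'usable for federation setup'
        if ($inside) { $note = 'sign-in will go through Okta after federation' }
        [pscustomobject]@{ Upn = $upn; InFederatedDomain = $inside; Note = $note }
    }
}

# Constructed sample input; 'corp.example' stands for the domain being federated.
$admins = 'alice@corp.example', 'ops@tenant.example', 'Bob@CORP.example'
$report = Test-FederationAdminLockout -FederatedDomain 'corp.example' -AdminUpn $admins
$report | Format-Table -AutoSize

# Stop if every administrator lives in the domain that is about to be federated.
if (-not ($report | Where-Object { $_.InFederatedDomain -eq $false })) {
    Write-Warning 'No administrator outside the federated domain: do not federate yet.'
}

# Live input after Connect-MsolService (MSOnline module assumed):
#   $role   = Get-MsolRole -RoleName 'Company Administrator'
#   $admins = (Get-MsolRoleMember -RoleObjectId $role.ObjectId).EmailAddress
```

Use an account the report marks as usable for federation setup when entering the Global Administrator credentials.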


Test Single Sign on configuration

  1. Log into Okta as a test user.
  2. Open Office 365 from the end-user dashboard.
  3. Ensure the user is successfully logged in to the Office 365 account.

