Configure WS-Federation for Office 365
There are two sign-on methods for Microsoft Office 365 available in Okta: Secure Web Authentication (SWA) and WS-Federation (WS-Fed), which is the more secure and preferred method.
- SWA relies on a username and a password for security credentials that can be selected by the end user or assigned by the administrator.
- WS-Federation is a specification that defines mechanisms to transfer identity information using encrypted SOAP messages. It adds a level of security. WS-Federation doesn't require a separate password for Office 365. Therefore, Okta doesn't need to sync user passwords when WS-Federation is used.
Okta removes the domain federation in the following cases:
- If you switch from WS-Federation to SWA
- If you delete the app instance
Okta doesn't recommend deleting the app. For manual federation, when the app is removed, the domain won’t be automatically de-federated. Manual de-federation using PowerShell is required. However, with automatic federation, if the app is removed, the domain is de-federated automatically.
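The manual de-federation mentioned above can be scripted so that a domain is never left trusting an identity provider whose app instance is gone. The following is an added example, not Okta's or Microsoft's own script: it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may manage domains, and `example.com` is a placeholder domain name.

```powershell
# Added example. Assumptions: Microsoft Graph PowerShell SDK installed,
# signed-in account can manage domains, 'example.com' is a placeholder.
param(
    [string]$DomainName = 'example.com',
    [switch]$Defederate          # without this switch the script only reports
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' | Out-Null

# 1. Check the current authentication type of the domain.
$domain = Get-MgDomain -DomainId $DomainName
if ($domain.AuthenticationType -ne 'Federated') {
    Write-Output "$DomainName is '$($domain.AuthenticationType)'; no federation trust to remove."
    return
}

# 2. Show which identity provider the domain still trusts, so the
#    operator can confirm it is the trust that belonged to the removed app.
Get-MgDomainFederationConfiguration -DomainId $DomainName |
    Format-List DisplayName, IssuerUri, PassiveSignInUri, ActiveSignInUri

if (-not $Defederate) {
    Write-Warning "$DomainName is still federated. Re-run with -Defederate to convert it to Managed."
    return
}

# 3. Convert the domain to managed (cloud) authentication.
Update-MgDomain -DomainId $DomainName -AuthenticationType 'Managed'

# 4. Verify the change instead of assuming it succeeded.
$after = Get-MgDomain -DomainId $DomainName
if ($after.AuthenticationType -ne 'Managed') {
    throw "De-federation of $DomainName did not take effect (still '$($after.AuthenticationType)')."
}
Write-Output "$DomainName is now Managed."
```

Because WS-Federation users have no separately synced Office 365 password, plan how they will authenticate before converting the domain to Managed.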
To set up WS-Federation, complete the following steps:
- If Microsoft Office 365 is already set up, select Applications from the Administrator Dashboard, locate and select the Microsoft Office 365 app, and then select the Sign On tab. If you're setting up Microsoft Office 365 for the first time, access the Sign On tab by clicking Next from the General Settings tab.
- For SIGN ON METHODS, check the WS-Federation radio button.
- Click View Setup Instructions, shown below. They provide recommendations to prepare your domain for federated authentication.
- Specify whether you want to:
  - Configure WS-Federation myself using PowerShell.
  - Let Okta configure WS-Federation automatically for me.
- If you select to have Okta configure WS-Federation automatically, enter your Microsoft Office 365 API Admin Username and Password. The Default Relay State is optional. The default relay state is the page that your users land on after they successfully sign in.
- Click Save.