Single sign-on roadmap
Published: April 16, 2012
Updated: February 28, 2013
Applies To: Office 365, Windows Intune
| Note |
|---|
| This topic provides online help content that is applicable to multiple Microsoft cloud services, including Windows Intune and Office 365. |
Single sign-on (SSO) allows you and your users to access Microsoft cloud services with your Active Directory corporate credentials. SSO requires both a security token service (STS) infrastructure and Active Directory synchronization. The following diagram illustrates how your on-premises Active Directory and your STS server farm interact with the Windows Azure Active Directory identity platform to provide access to one or more Microsoft cloud services. When you set up single sign-on, you establish a federated trust between your STS and the Windows Azure AD authentication system. Local Active Directory users obtain authentication tokens from your on-premises STS that redirect the users’ requests through the federated trust. This allows your users to seamlessly access the Microsoft cloud services you’ve subscribed to without needing to sign in with different credentials.
You must complete the following steps in order to implement SSO:
- Step 1: Prepare for single sign-on
- Step 2: Set up your on-premises security token service
- Step 3: Set up directory synchronization
- Step 4: Verify single sign-on
Step 1: Prepare for single sign-on
To prepare, you must make sure your environment meets the requirements for SSO and verify that your Active Directory and your Windows Azure Active Directory tenant are set up in a way that is compatible with the single sign-on requirements. For more information, see Prepare for single sign-on.
Step 2: Set up your on-premises security token service
After you have prepared your environment for single sign-on, you will need to set up a new on-premises STS infrastructure to provide your local and remote Active Directory users with single sign-on access to the cloud service. If you currently have an STS in your production environment, you can use it for single sign-on deployment rather than setting up a new infrastructure as long as it is supported by Windows Azure AD.
Currently, Windows Azure AD supports either of the following security token services:
- Active Directory Federation Services (AD FS)
  For more information about how to get started with setting up an AD FS STS, follow the steps provided in Checklist: Use AD FS to implement and manage single sign-on.
- Shibboleth Identity Provider
  For more information about how to get started with setting up a Shibboleth STS, follow the steps provided in Use Shibboleth Identity Provider to implement single sign-on.
- Other third-party identity providers
  For more information about how to get started with setting up third-party identity providers for single sign-on, see Use third-party identity providers to implement single sign-on.
Step 3: Set up directory synchronization
In order for single sign-on to work properly, you must set up Active Directory synchronization as well. This includes preparing for, activating, installing a tool, and verifying directory synchronization. After you have verified directory synchronization, you activate your synced users. Using single sign-on and directory synchronization together ensures that user identities are represented correctly in the cloud service.
For more information about how to get started with setting up directory synchronization, follow the steps provided in Directory synchronization roadmap.
Step 4: Verify single sign-on
After you finish setting up your Active Directory synchronization environment, you now need to verify that your STS is functioning as expected and that single sign-on was set up correctly for your cloud service.
For more information, see either Verify and manage single sign-on with AD FS or Verify single sign-on with Shibboleth, depending on the STS type you are setting up.
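As an added example that is not part of this topic, the following PowerShell function performs the kind of check step 4 calls for on the AD FS path: it confirms that the domain is federated in Windows Azure AD, that the published federation endpoints point at an HTTPS STS, and that the token-signing certificate published for the trust is still valid. It assumes the Microsoft Online Services Module for Windows PowerShell cmdlets (Connect-MsolService, Get-MsolDomain, Get-MsolDomainFederationSettings, Update-MsolFederatedDomain) and that you have already connected as a tenant administrator; the domain name is a placeholder.

```powershell
# Added example (not from this topic): verify the federated trust for one domain.
# Assumes the Microsoft Online Services Module for Windows PowerShell is installed
# and Connect-MsolService has already been run as a tenant administrator.
function Test-FederatedDomain {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    $problems = @()

    # 1. The domain must use federated (not managed) authentication.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        $problems += "Domain '$DomainName' authentication is '$($domain.Authentication)', expected 'Federated'."
    }

    # 2. The federation settings published to Windows Azure AD must point at your STS over HTTPS.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($name in 'IssuerUri', 'PassiveLogOnUri', 'ActiveLogOnUri') {
        if ([string]::IsNullOrEmpty($fed.$name)) { $problems += "Federation setting '$name' is empty." }
    }
    foreach ($name in 'PassiveLogOnUri', 'ActiveLogOnUri') {
        if ($fed.$name -and $fed.$name -notmatch '^https://') { $problems += "$name is not HTTPS: $($fed.$name)" }
    }

    # 3. The token-signing certificate is published as Base64 DER; decode it and check its validity window.
    if ($fed.SigningCertificate) {
        $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $now   = Get-Date
        if ($cert.NotAfter -lt $now) {
            $problems += "Token-signing certificate expired on $($cert.NotAfter); tokens from the STS will be rejected."
        } elseif ($cert.NotAfter -lt $now.AddDays(30) -and -not $fed.NextSigningCertificate) {
            $problems += "Token-signing certificate expires on $($cert.NotAfter) and no next certificate is published; run Update-MsolFederatedDomain after rolling it over in AD FS."
        }
    } else {
        $problems += 'No token-signing certificate is published for this domain.'
    }

    if ($problems.Count -eq 0) {
        Write-Output "Federation for '$DomainName' looks healthy (issuer: $($fed.IssuerUri))."
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage (placeholder domain): Connect-MsolService; Test-FederatedDomain -DomainName 'contoso.com'
```

A clean result here only shows that the trust is configured consistently; a sign-in test with a synced user is still needed to confirm the end-to-end flow.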