Set up a trust between Shibboleth and Windows Azure AD
Published: June 29, 2012
Updated: January 27, 2014
Windows Azure AD domains are federated using the Windows Azure Active Directory Module for Windows PowerShell. You will use this topic to run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on.
Note: Before you can complete the instructions in this topic, you must review and complete the steps in Install Windows PowerShell for single sign-on with Shibboleth.
Each Active Directory domain that you want to federate using Shibboleth must either be added as a single sign-on domain or converted to be a single sign-on domain from a standard domain. Adding or converting a domain sets up a trust between Shibboleth Identity Provider and Windows Azure Active Directory.
The following procedure walks you through how to convert an existing standard domain to a federated domain.
1. Open the Windows Azure Active Directory Module.
2. Run $cred = Get-Credential. When the cmdlet prompts you for credentials, type your cloud service administrator account credentials.
3. Run Connect-MsolService -Credential $cred. This cmdlet connects you to Windows Azure AD. Creating a context that connects you to Windows Azure AD is required before running any of the additional cmdlets installed by the tool.
4. Run the following commands to convert an existing domain (in this example, mail.contoso.com) for single sign-on:

   $dom = "mail.contoso.com"
   $url = "https://idp.contoso.com/idp/profile/SAML2/POST/SSO"
   $ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP"
   $uri = "https://idp.contoso.com/idp/shibboleth"
   $logouturl = "https://idp.contoso.com/logout/"
   $cert = "MIIFYzCCBEugAw...2tLRtyN"
   Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
Note: You must run $ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP" only if you set up the Shibboleth Identity Provider ECP extension. Though an optional step, it is recommended that you install the Shibboleth Identity Provider ECP extension in order for single sign-on to work with a smart phone, Microsoft Outlook or other clients. For more information, see "Optional: Install the Shibboleth ECP Extension" in Configure Shibboleth for use with single sign-on.
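The following check, added here as an example and not part of the original topic, reads back the federation settings that Windows Azure AD stored for the domain, compares them with the values the procedure intended, and decodes the IdP signing certificate so you can see whose token signatures the trust will accept and when that certificate expires. It assumes an open Connect-MsolService session and the same variables ($dom, $url, $ecpUrl, $uri, $logouturl, $cert) as the procedure above.

```powershell
# Added example (not from the original article). Assumes Connect-MsolService has
# already run and that $dom, $url, $ecpUrl, $uri, $logouturl and $cert are set as
# in the conversion procedure above.

# The values Set-MsolDomainAuthentication was meant to store for this domain.
$expected = @{
    PassiveLogOnUri    = $url
    ActiveLogOnUri     = $ecpUrl
    IssuerUri          = $uri
    LogOffUri          = $logouturl
    SigningCertificate = $cert
}

# Confirm the domain is actually federated, then read back the stored settings.
$authType = (Get-MsolDomain -DomainName $dom).Authentication
if ($authType -ne 'Federated') {
    Write-Warning "$dom is '$authType', not Federated; the conversion did not take effect."
}
$settings = Get-MsolDomainFederationSettings -DomainName $dom

# Report every setting that differs from what the procedure intended.
$mismatches = foreach ($name in $expected.Keys) {
    if ($settings.$name -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $settings.$name }
    }
}
if ($mismatches) {
    Write-Warning "Federation settings for $dom differ from the intended Shibboleth values:"
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host "Federation settings for $dom match the intended Shibboleth configuration."
}

# Decode the base64 signing certificate Windows Azure AD will use to validate SAML
# tokens from the Shibboleth IdP. A wrong certificate means tokens from the wrong
# issuer are trusted; an expired one means sign-on stops working.
$bytes = [Convert]::FromBase64String($settings.SigningCertificate)
$x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)
$daysLeft = [int]($x509.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Subject    = $x509.Subject
    Thumbprint = $x509.Thumbprint
    NotBefore  = $x509.NotBefore
    NotAfter   = $x509.NotAfter
    DaysLeft   = $daysLeft
} | Format-List

if ($daysLeft -lt 30) {
    Write-Warning "IdP signing certificate expires in $daysLeft days; update the trust with the new certificate before it lapses."
}
```

Compare the reported Thumbprint with the certificate the Shibboleth IdP administrator actually published before relying on the trust.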