Export (0) Print
Expand All

Set up a trust between Shibboleth and Azure AD

Published: June 29, 2012

Updated: June 16, 2014

Applies To: Azure, Office 365, Windows Intune

Azure AD domains are federated using the Microsoft Azure Active Directory Module for Windows PowerShell. You will use this topic to run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on.

ImportantImportant
Before you can complete the instructions in this topic, you must review and complete the steps in Install Windows PowerShell for single sign-on with Shibboleth.

Each Active Directory domain that you want to federate using Shibboleth must either be added as a single sign-on domain or converted to be a single sign-on domain from a standard domain. Adding or converting a domain sets up a trust between Shibboleth Identity Provider and Azure Active Directory.

The following procedure walks you through how to convert an existing standard domain to a federated domain.

  1. Open the Microsoft Azure Active Directory Module.

  2. Run $cred=Get-Credential. When the cmdlet prompts you for credentials, type your cloud service administrator account credentials.

  3. Run Connect-MsolService –Credential $cred. This cmdlet connects you to Azure AD. Creating a context that connects you to Azure AD is required before running any of the additional cmdlets installed by the tool.

  4. Run the following commands to convert an existing domain (in this example, mail.contoso.com) for single sign on:

    $dom = "mail.contoso.com”
    $url = "https://idp.contoso.com/idp/profile/SAML2/POST/SSO"
    $ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP"
    $uri = "https://idp.contoso.com/idp/shibboleth"
    $logouturl = "https://idp.contoso.com/logout/" 
    $cert = "MIIFYzCCBEugAw...2tLRtyN"
    
    Set-MsolDomainAuthentication –DomainName $dom -FederationBrandName $dom -Authentication Federated  -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
    
    
    noteNote
    You must run $ecpUrl = https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP only if you set up the Shibboleth Identity Provider ECP extension. Though an optional step, it is recommended that you install the Shibboleth Identity Provider ECP extension in order for single sign-on to work with a smart phone, Microsoft Outlook or other clients. For more information, see “Optional: Install the Shibboleth ECP Extension” in Configure Shibboleth for use with single sign-on.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft