Set up a trust between Shibboleth and Azure AD
Published: June 29, 2012
Updated: June 16, 2014
Applies To: Azure, Office 365, Windows Intune
Azure AD domains are federated using the Microsoft Azure Active Directory Module for Windows PowerShell. You will use this topic to run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on.
|Before you can complete the instructions in this topic, you must review and complete the steps in Install Windows PowerShell for single sign-on with Shibboleth.|
Each Active Directory domain that you want to federate using Shibboleth must either be added as a single sign-on domain or converted to be a single sign-on domain from a standard domain. Adding or converting a domain sets up a trust between Shibboleth Identity Provider and Azure Active Directory.
The following procedure walks you through how to convert an existing standard domain to a federated domain.
Open the Microsoft Azure Active Directory Module.
$cred=Get-Credential. When the cmdlet prompts you for credentials, type your cloud service administrator account credentials.
Connect-MsolService –Credential $cred. This cmdlet connects you to Azure AD. Creating a context that connects you to Azure AD is required before running any of the additional cmdlets installed by the tool.
Run the following commands to convert an existing domain (in this example, mail.contoso.com) for single sign on:
$dom = "mail.contoso.com” $url = "https://idp.contoso.com/idp/profile/SAML2/POST/SSO" $ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP" $uri = "https://idp.contoso.com/idp/shibboleth" $logouturl = "https://idp.contoso.com/logout/" $cert = "MIIFYzCCBEugAw...2tLRtyN" Set-MsolDomainAuthentication –DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
Note You must run
$ecpUrl = https://idp.contoso.com/idp/profile/SAML2/SOAP/ECPonly if you set up the Shibboleth Identity Provider ECP extension. Though an optional step, it is recommended that you install the Shibboleth Identity Provider ECP extension in order for single sign-on to work with a smart phone, Microsoft Outlook or other clients. For more information, see “Optional: Install the Shibboleth ECP Extension” in Configure Shibboleth for use with single sign-on.