
Use third-party identity providers to implement single sign-on

Updated: June 16, 2014

Applies To: Azure, Office 365, Windows Intune

This topic contains instructions for administrators of a Microsoft cloud service who want to provide their Active Directory users with a single sign-on experience by using a third-party identity provider as their preferred Security Token Service (STS). Microsoft tested these single sign-on experiences as the integration of a Microsoft cloud service, such as Windows Intune or Office 365, with the following third-party identity providers, each already installed and operational. Testing is performed as part of the Works with Office 365 – Identity program, which is outlined in "The Works with Office 365 – Identity program now streamlined".

Note:
Microsoft tested only the federation functionality of these single sign-on scenarios. Microsoft did not test the other components of these scenarios, such as directory synchronization or two-factor authentication.

Sign-in by Alternate ID (an ID other than the UPN) is also not tested in this program.

Important:
Because these are third-party products, Microsoft does not provide support for deployment, configuration, troubleshooting, best practices, or other issues and questions regarding these identity providers. For support and questions about an identity provider, contact that third party directly.

These third-party identity providers were tested for interoperability with Microsoft cloud services using the WS-Federation (browser, passive) and WS-Trust (rich client, active) protocols only. Testing did not include the SAML protocol; the one entry below that uses SAML, BIG-IP with Access Policy Manager, is therefore listed without rich-client support. In the support matrices that follow, an "Integrated Windows Authentication" exception means the STS was not tested for silent sign-on from domain-joined Windows clients; users of that client type can still sign in, but may be prompted for credentials.
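Whichever STS is chosen, the tenant side of the federation is the same: the verified domain is switched to federated authentication and pointed at the STS endpoints, and Azure AD is given the STS token-signing certificate. The script below is an added example, not part of this page or of any vendor's instructions; it uses the Azure AD PowerShell (MSOnline) module, and the domain name, STS host name, endpoint paths and certificate file path are placeholders. It also shows the setting used for a SAML 2.0 identity provider such as the BIG-IP APM entry at the end of this page.

```powershell
# Added example: configure an Office 365 / Azure AD verified domain to trust a
# third-party WS-Federation/WS-Trust STS, then verify what the tenant now trusts.
# Not part of the original page. Domain, host, paths and file names are assumptions.

Import-Module MSOnline
Connect-MsolService                      # prompts for a Global Administrator credential

$domain  = "contoso.com"                 # assumed: already added and verified in the tenant
$stsHost = "sts.contoso.com"             # assumed: public host name of the third-party STS

# Token-signing certificate exported from the STS (.cer, DER or Base64). Azure AD only
# needs the public key: it uses it to verify the signature on every token the STS issues.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\sts-signing.cer"
$signingCert = [Convert]::ToBase64String($cert.RawData)

# Passive endpoint = WS-Federation (browser clients: OWA, SharePoint Online).
# Active endpoint and MEX = WS-Trust (rich clients: Lync, Outlook, Office activation).
# The paths are vendor-specific placeholders; take the real ones from the STS metadata.
$federation = @{
    DomainName                      = $domain
    Authentication                  = "Federated"
    IssuerUri                       = "urn:federation:$stsHost"  # must equal the Issuer the STS puts in its tokens
    FederationBrandName             = "Contoso STS"
    PassiveLogOnUri                 = "https://$stsHost/wsfed"
    ActiveLogOnUri                  = "https://$stsHost/trust/2005/usernamemixed"
    MetadataExchangeUri             = "https://$stsHost/trust/mex"
    LogOffUri                       = "https://$stsHost/wsfed?wa=wsignout1.0"
    SigningCertificate              = $signingCert
    PreferredAuthenticationProtocol = "WsFed"   # "Samlp" for a SAML 2.0 IdP (BIG-IP APM); the WS-Trust
                                                # endpoints then do not apply and rich clients are not supported
}
Set-MsolDomainAuthentication @federation

# The STS must issue tokens whose UPN claim is in this domain and whose ImmutableID claim
# matches each user's ImmutableId in the tenant (normally set by directory synchronization),
# otherwise sign-in fails even though the federation trust itself is correct.

# Verify: the domain is federated, and the certificate Azure AD will accept signatures from
# is the one intended and is not about to expire (an expired signing cert breaks all sign-in).
$settings = Get-MsolDomainFederationSettings -DomainName $domain
$trusted  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[byte[]][Convert]::FromBase64String($settings.SigningCertificate))

if ((Get-MsolDomain -DomainName $domain).Authentication -ne "Federated") {
    throw "$domain is not federated"
}
if ($trusted.Thumbprint -ne $cert.Thumbprint) {
    throw "Azure AD trusts thumbprint $($trusted.Thumbprint), expected $($cert.Thumbprint)"
}
if ($trusted.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "STS signing certificate expires $($trusted.NotAfter); stage the new one with -NextSigningCertificate before rotating it on the STS"
}
$settings | Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
```

Converting a domain to federated takes effect for every user in that domain at once, so run this against a test domain first; the Get-MsolDomainFederationSettings check at the end is worth repeating whenever the STS signing certificate is rotated, because Azure AD does not fetch the new certificate on its own.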

Optimal IDM Virtual Identity Server Federation Services can authenticate users that reside in customers' on-premises Active Directories.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Supported       Windows integrated authentication
Email-rich clients such as Outlook and ActiveSync                    Supported       For more information about client access policies, see Limiting Access to Office 365 Services Based on the Location of the Client.

For more information about Optimal IDM Virtual Identity Server Federation Services, see http://go.microsoft.com/fwlink/?LinkID=266318.

PingFederate 6.11 implements the widely used WS-Federation identity standard to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Supported       None (earlier versions must upgrade to 6.11)
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about PingFederate 6.11, see http://go.microsoft.com/fwlink/?LinkID=266320. For the PingFederate instructions on how to configure this STS to provide the single sign-on experience to your Active Directory users, see http://go.microsoft.com/fwlink/?LinkID=266321.

PingFederate 7.2 implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Supported       None
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about PingFederate 7.2, see https://www.pingidentity.com/en/products/pingfederate.html. For the PingFederate instructions on how to configure this STS to provide the single sign-on experience to your Active Directory users, see http://documentation.pingidentity.com/display/PF72/PingFederate+7.2.

Centrify provides a federated single sign-on experience for Office 365 without requiring an on-premises federation server.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Supported       None
Email-rich clients such as Outlook and ActiveSync                    Supported       Client Access Control is not supported

For more information about Centrify, see http://www.centrify.com/cloud/apps/single-sign-on-for-office-365.asp.

IBM Tivoli Federated Identity Manager 6.2.2 with IBM Security Access Manager for Microsoft Applications 1.4 implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       Windows integrated authentication is not supported
Rich client applications such as Lync, Office Subscription, CRM      Supported       Windows integrated authentication is not supported
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about IBM Tivoli Federated Identity Manager, see IBM Security Access Manager for Microsoft Applications.

SecureAuth IdP 7.2.0 implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on experience and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Supported       None
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about SecureAuth, see SecureAuth IdP (http://go.microsoft.com/?linkid=9845293).

CA SiteMinder Federation 12.52 implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       Integrated Windows Authentication
Rich client applications such as Lync, Office Subscription, CRM      Supported       Integrated Windows Authentication
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about CA SiteMinder, see CA SiteMinder Federation.

RadiantOne Cloud Federation Service (CFS) 3.0 implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Supported       Integrated Windows Authentication
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about RadiantOne CFS, see RadiantOne CFS.

Okta implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       Integrated Windows Authentication requires setup of an additional web server and Okta application
Rich client applications such as Lync, Office Subscription, CRM      Supported       Integrated Windows Authentication
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about Okta, see Okta.

OneLogin, as tested in May 2014, implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       Integrated Windows Authentication
Rich client applications such as Lync, Office Subscription, CRM      Supported       Integrated Windows Authentication
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about OneLogin, see OneLogin.

NetIQ Access Manager 4.0.1 implements the widely used WS-Federation/WS-Trust identity standards to provide a single sign-on experience and attribute exchange framework.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       Windows integrated authentication is not supported
Rich client applications such as Lync, Office Subscription, CRM      Supported       Windows integrated authentication is not supported
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about NetIQ Access Manager, see NetIQ Access Manager.

BIG-IP with Access Policy Manager (APM), BIG-IP versions 11.3x through 11.5x, implements the widely used SAML identity standard to provide a single sign-on experience and attribute exchange framework. Because it federates with SAML rather than WS-Federation/WS-Trust, rich client applications are not supported.

The following is the scenario support matrix for this single sign-on experience:

Client                                                               Support level   Exceptions
Web-based clients such as Exchange Web Access and SharePoint Online  Supported       None
Rich client applications such as Lync, Office Subscription, CRM      Not supported   Not supported
Email-rich clients such as Outlook and ActiveSync                    Supported       None

For more information about BIG-IP Access Policy Manager, see https://f5.com/products/modules/access-policy-manager. For the BIG-IP Access Policy Manager instructions on how to configure this STS to provide the single sign-on experience to your Active Directory users, see https://devcentral.f5.com/wiki/iapp.BIG-IP-APM-as-SAML-2-0-IdP-for-Microsoft-Office-365.ashx.

© 2014 Microsoft