Single sign-on roadmap
Published: April 16, 2012
Updated: June 25, 2015
Applies To: Azure, Office 365, Power BI, Windows Intune
Single sign-on (SSO) allows you and your users to access Microsoft cloud services with your Active Directory corporate credentials. SSO requires both a security token service (STS) infrastructure and Active Directory synchronization.
You must complete the following steps in order to implement SSO:
Step 1: Prepare for single sign-on
Step 2: Set up your on-premises security token service
Step 3: Set up directory synchronization
Step 4: Verify single sign-on
To prepare, you must make sure your environment meets the requirements for SSO and verify that your Active Directory and Azure Active Directory tenant is set up in a way that is compatible with single sign-on requirements. For more information, see Prepare for single sign-on.
After you have prepared your environment for single sign-on, you will need to set up a new on-premises STS infrastructure to provide your local and remote Active Directory users with single sign-on access to the cloud service. If you currently have an STS in your production environment, you can use it for single sign-on deployment rather than setting up a new infrastructure as long as it is supported by Azure AD.
Currently, Azure AD supports either of the following security token services:
Active Directory Federation Services (AD FS)
For more information about how to get started with setting up an AD FS STS, follow the steps provided in Checklist: Use AD FS to implement and manage single sign-on.
Shibboleth Identity Provider
For more information about how to get started with setting up a Shibboleth STS, follow the steps provided in Use Shibboleth Identity Provider to implement single sign-on.
Other third-party identity providers
For more information about how to get started with setting up third-party identity providers for single sign-on, see Azure Active Directory federation compatibility list: third-party identity providers that can be used to implement single sign-on.
In order for single sign-on to work properly, you must set up Active Directory synchronization as well. This includes preparing for, activating, installing a tool, and verifying directory synchronization. After you have verified directory synchronization, you activate your synced users. Using single sign-on and directory synchronization together ensures that user identities are represented correctly in the cloud service.
For more information about how to get started with setting up directory synchronization, follow the steps provided in Directory synchronization roadmap.
After you finish setting up your Active Directory synchronization environment, you now need to verify that your STS is functioning as expected and that single sign-on was set up correctly for your cloud service.
ConceptsDirSync with Single Sign-On