Sunday, July 3, 2011

Office 365 SSO - Using smart links or IdP initiated authentication with Office 365

There is a good wiki page explaining how to set smart links. I followed the same, and was still getting error after redirecting to Office 365. After debugging, I figured out what was going wrong.

As per the wiki page, we need to remove QS parameter “bk”. However, I had to remove one more QS parameter “ct” similar to “bk”. I tried to access the service through the normal way at two different times and traced the requests and figured out what was different at both times. Both times, I found values for “bk” and “ct” to be different. So this means that we need to remove these from the smart link.

If you are programmatically trying to generate the URL, then you should be able to even set the value of the QS parameters dynamically. I think the value is total seconds since 1/1/1970. I haven’t tried out this myself yet. So please use this with caution. C# code snippet which could help in this situation is given below.

TimeSpan t = (DateTime.UtcNow - new DateTime(1970, 1, 1));
int timestamp = (int) t.TotalSeconds;

Office 365 SSO Error - Your organization could not sign you into the service

While configuring SSO for Office 365, I ran into this issue of “Your organization could not sign you into the service”. I looked at the documentation provided here, however there were issues in those commands. However, the help provided there and some other blogs/forums helped me to resolve the problem.

Run the following command to see if the configuration matches between ‘ADFS Server’ and ‘Microsoft Office 365’.

> Get-MsolFederationProperty –DomainName

Initially, I thought everything matches. However, with close inspection, I figured out some minor mismatches (even things like one string doesn’t end with a ‘/’). We need to get everything to match exactly the same to avoid the issue. As per the suggestion, I tried to run the following command to get this fixed.

> Update-MsolFederatedDomain -DomainName –SupportMultipleDomain

Still, I found the ‘FederationServiceIdentifier’ to be different between ADFS Server and O365.

Then I updated the service identifier on ADFS Server, by going to through ‘AD FS 2.0 Management’ in administrative tools.

  • Open ‘AD FS 2.0 Management’
  • Right click and select ‘Edit Federation Service Properties’ from ‘Service’ node under ‘AD FS 2.0’
  • Change the required properties to match what you need. :)