UserLock Documentation

Configure Office 365 for UserLock Single-Sign On

Procedure

Enable Office 365 in UserLock SSO

In the UserLock console, navigate to Single Sign-On → Configuration.

  1. Select Add configuration, then select Office 365 as the provider to be configured.

NOTE: The SSO service needs to be restarted in order to use this profile.

Install and configure Azure AD Connect

Perform a custom installation of Azure AD Connect.

  1. Download Azure AD Connect
  2. Launch Azure AD Connect
  3. On the Express Settings page, select Customize
  4. In the User Sign-In page, select Do not configure
  5. In the Connect Directories section, select your AD domain (contoso.com) and your Azure AD domain

Once setup has completed, Azure AD Connect will synchronize the local users with Azure AD.

NOTE: In Connect to Azure AD, if your Azure AD is already federated, you may need to restart Azure AD Connect with the /InteractiveAuth flag.

Configure Office 365 for Single Sign-On

Two methods exist to configure Office 365:

Configure SSO with IS Decisions Office 365 tool

  1. Launch the tool

    Search for ‘Office 365 configuration’ in the Start menu and launch the application.


  2. Select the UserLock SSO Server

    From the IS Decisions Office 365 tool, select the UserLock SSO server that will be used to connect to Office 365.


  3. Connect to Microsoft Online

    The tool requires the MSOnline PowerShell module. If it is not installed, the tool will attempt installation. When prompted, please consent and install to continue configuring Office 365 SSO.



    Sign in with Azure AD global administrator credentials.


  4. Set the federation

    Select the domain to federate in the top drop-down list and click the ‘Federate Domain’ button to complete the process.



Configure SSO with PowerShell

Run PowerShell as an administrator.

  1. Connect to Microsoft Online

    Execute the following command and connect with a domain admin Microsoft Online account:

    Connect-MsolService
  2. Ensure Microsoft Online domain is Managed

    Run the following command to find whether your Office 365 domain is set as Federated or Managed:

    Get-MsolDomain -DomainName federated.domain.name | Select-Object "Authentication"

    If it is set as Federated, you will need to disable federation first:

    Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed
  3. Obtain the certificate data
    • Navigate to the C:\ProgramData\ISDecisions\UserLock\SSO folder
    • Open the ulsso.cer file with Notepad
    • Copy only the data between the first and last lines. Do not include these lines.
    • In the PowerShell window, assign the certificate data to the $certData variable

      $certData = 'MIICtTCCAZ2gAw……IBAgIIJ5vEidR23KwwDQYJ=='
  4. Set the federation

    Execute the following command to set the authentication for UserLock SSO. Note that $certData supplies the -SigningCertificate value:

    Set-MsolDomainAuthentication -DomainName contoso.com `
    -Authentication Federated `
    -PassiveLogOnUri https://sso.contoso.com/saml/sso `
    -SigningCertificate $certData `
    -IssuerUri https://sso.contoso.com `
    -PreferredAuthenticationProtocol Samlp `
    -LogOffUri https://sso.contoso.com/connect/endsession

    SSO is now the defined Authentication source of the federated domain.
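The four PowerShell steps above, automated in one script. This is an added example, not a script from IS Decisions or the UserLock product; it assumes the values used on this page (ulsso.cer under C:\ProgramData\ISDecisions\UserLock\SSO, federated domain contoso.com, SSO host sso.contoso.com) and adds two checks the manual steps lack: it validates that the copied certificate data parses as an X.509 certificate before sending it, and it reads the federation settings back from Azure AD afterwards to confirm what was stored.

```powershell
# Added example (not IS Decisions' code). Assumed values from this page:
# federated domain contoso.com, SSO host sso.contoso.com, certificate path below.
#Requires -Modules MSOnline
param(
    [string]$Domain  = 'contoso.com',
    [string]$SsoHost = 'sso.contoso.com',
    [string]$CerPath = 'C:\ProgramData\ISDecisions\UserLock\SSO\ulsso.cer'
)

# Step 3: read ulsso.cer and keep only the Base64 body, dropping the
# "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines.
$certData = (Get-Content -Path $CerPath |
    Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }) -join ''

# Check: the data must decode as a certificate before it is handed to Azure AD.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($certData))
Write-Host "Signing certificate: $($cert.Subject), expires $($cert.NotAfter)"

# Step 1: connect (prompts for Azure AD global administrator credentials).
Connect-MsolService

# Step 2: the domain must be Managed before federation can be set.
if ((Get-MsolDomain -DomainName $Domain).Authentication -eq 'Federated') {
    Write-Warning "$Domain is already Federated; resetting it to Managed first."
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
}

# Step 4: point the domain at the UserLock SSO server (same values as the manual command).
Set-MsolDomainAuthentication -DomainName $Domain `
    -Authentication Federated `
    -PassiveLogOnUri "https://$SsoHost/saml/sso" `
    -SigningCertificate $certData `
    -IssuerUri "https://$SsoHost" `
    -PreferredAuthenticationProtocol Samlp `
    -LogOffUri "https://$SsoHost/connect/endsession"

# Verify what Azure AD actually stored: issuer, sign-in URL and the certificate itself.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$fed | Select-Object IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
if ($fed.SigningCertificate -ne $certData) {
    Write-Warning "Stored signing certificate does not match $CerPath; check the federation."
}
```

Run it from an elevated Windows PowerShell session (the MSOnline module does not load in PowerShell Core).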

How to cancel SSO

To cancel SSO, you can either use the IS Decisions tool or Powershell:

  • Using the IS Decisions tool, cancel the federation on a federated domain.
  • Using PowerShell, execute the following commands:

    Connect-MsolService
    Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed