top of page
Blog article

Blog article

Using the YubiOn Portal SSO to Perform a Single Sign-On to Microsoft 365

On March 16, 2022, single sign-on (SSO) functionality was added to the YubiOn Portal, enabling users to log in to their services without being required to perform authentication; this article will cover the new SSO setting procedures for Microsoft 365.



【Prerequisites】

■ Access to Microsoft 365

A “general administrator” account is required.

In this article, the free trial version was used.


In addition, due to Microsoft 365 specifications, the following domains cannot be set as federated domains.

  • Initial domain (xxx.onmicrosoft.com)

  • Primary domain (the domain that is set as the default)

  • Domain already set as the federated domain

Instead, the initial domain was set in the form of xxx.onmicrosoft.com, and a newly created custom domain was configured as the federation domain.


To do this, a DDNS service known as Dynamic DO!.jp was used.


■ YubiOn Portal

  • YubiKey with Yubico OTP function is required.

  • YubiOn Portal is a web portal that allows you to register your YubiKey to the operator.

  • The SSO function must be available in YubiOn Portal with the SSO initial registration completed.

If the [SSO Initial Registration] button is not displayed on the SSO App Settings screen, it has already been registered.




【Preliminary Preparation】

2. Install PowerShell (Microsoft Azure Active Directory module).

Unlike SSO configuration for general services, SSO configuration for Microsoft 365 is done using PowerShell on your PC.



Launch PowerShell from the Start menu and execute the following:


Install-Module MSOnline

Install the module if prompted to do so by your NuGet provider or PSGallery.


After installation, connect to Azure AD for Microsoft 365 subscriptions.


Connect-MsolService

When the login prompt appears, simply log in with your Microsoft 365 account (@xxx.onmicrosoft.com) that has "overall administrator" privileges.



【Step 1】

Set the ImmutableID.

In Microsoft 365, the ImmutableID attribute is used to uniquely identify a user.

In order to perform SSO with YubiOn Portal and Microsoft 365, an ImmutableID must be set for each user.


Ensure that the ImmutableID is not set for the target user as an ImmutableID may already be set depending on how the user was created.


Next, start PowerShell and execute the following

Get-MsolUser -UserPrincipalName "(mail address)" | select UserPrincipalName,ImmutableId

It should look like this:


If ImmutableID is not set as shown above, set it.

ImmutableID cannot be changed once it is set, so it is not desirable to set information that may change in the future (e.g., last name, job title, etc.).

Set-MsolUser -UserPrincipalName "(mail address)" -ImmutableId (arbitrary ImmutableID)

In this example, a dummy email address has been used. However, for operation in company settings, it is advised to choose an ImmutableID carefully by picking something that will not be changed.


Now, run the confirmation command again to make sure it is set correctly.



【Step 2】

Set YubiOn Portal as the Identity Provider (IdP).


In this example, the dummy email address that was set as the ImmutableID will be passed to Microsoft 365 by registering it as a member property.


However, if the employee ID (member ID) or email address registered in YubiOn Portal is set as ImmutableID, proceed to Step 3.


Log in to YubiOn Portal as an administrator and open the "SSO Property Settings" screen.


Open the Property Registration screen from [Property registration] in the upper right corner and register the information to pass ImmutableID from YubiOn Portal to Microsoft 365.

Property key: ms_immutable_id (example)

Remarks: ImmutableID for Microsoft (example)



Next, open the Member Management screen to set ImmutableID for the user performing SSO.


Click on the member performing the SSO to open the Advanced Settings screen and edit the property key created just now.


Register the ImmutableID set in step 1 in the SSO property value.



【Step 3】

Continuing with YubiOn Portal (IdP) settings.


Open the SSO App Settings screen.


Open the Application Registration screen from "Select the App and add" and select "Microsoft 365".

Then "Microsoft 365" will appear in the App list, click on it to enter the settings screen.



Click "Edit settings" under App Settings.


Set the following information on the Edit App settings screen.

 SP login URL: https://login.microsoftonline.com/login.srf

 User ID value: 

 Setting method: Property

Value: ms_immutable_id (member property key registered in step 2)

 Default relay state: (Empty) ※Can be edited by clicking the "Detailed settings" link.



On the other hand, if an employee ID or an e-mail address registered in YubiOn Portal as a member ID is set, the following property information can be used for the user ID value setting.

User ID Value Setting

Setting method: Member information

Setup value: Member ID or e-mail address

Multiple other setting options can be used which are not covered in this article. A domainA domain


Finally, assign SSO options to the required members.


Select a member to perform SSO and click the Register button.



【Step 4】

Configure Microsoft 365 as a Service Provider (SP).


Start PowerShell and execute the following:


Set-MsolDomainAuthentication
-DomainName 
-PassiveLogOnUri 
-IssuerUri 
-SigningCertificate 
-LogOffUri https://es.yubion.com/mypage/ssoAppLogin.html
-PreferredAuthenticationProtocol SAMLP
-Authentication Federated
-SupportsMfa $false
-FederationBrandName YubiOnPortal

In reality, each parameter (-XXX) is preceded by a space.

Domain Name

Domain name created in the above procedure (Preparation 1)

IdP Login URL

​Open the SSO App Settings > Microsoft 365 Settings page of YubiOn Portal and copy


Copy "IdP Login URL" (①).

IdP Entity ID

Open YubiOn Portal's SSO App Settings > Microsoft 365 Settings screen and copy

Copy "IdP Entity ID" (②).

Certificate Contents

Open YubiOn Portal's SSO App Settings > Microsoft 365 Settings screen and download the certificate (③).


Download the certificate (③).


Open the certificate with a text editor and copy the contents.

  •  Exclude "BEGIN CERTIFICATE" and "END CERTIFICATE".

  •  Cut off newlines and make it a one-line string.

  •  If there is an "=" at the end, exclude it (because it is in base64 format with no padding).



Reference



This completes the configuration.


 

【Logging In】

■IdP-Initiated

Login to Microsoft 365 using SSO from the YubiOn Portal


Open the SSO App login screen and click "Microsoft 365".


Microsoft 365 login is a success!



■SP-Initiated

Now, log in using SSO from the Microsoft 365 side.


Click the Sign In button.


This will redirect to the YubiOn Portal login screen, where one can log in through the SSO account.


Microsoft 365 login is a success!



Conclusion

This article introduced YubiOn Portal settings for SSO login to Microsoft 365.


◆Reference sites



Comments


bottom of page