On March 16, 2022, single sign-on (SSO) functionality was added to the YubiOn Portal, allowing users to log in to their services without having to authenticate separately at each service; this article covers the new SSO setting procedure for Microsoft 365.
【Prerequisites】
■ Access to Microsoft 365
An account with the "Global Administrator" role is required.
In this article, the free trial version was used.
In addition, due to Microsoft 365 specifications, the following domains cannot be set as federated domains.
Initial domain (xxx.onmicrosoft.com)
Primary domain (the domain that is set as the default)
Domain already set as the federated domain
For this article, therefore, the initial domain (xxx.onmicrosoft.com) was left as the default domain, and a newly created custom domain was configured as the federated domain.
To do this, a DDNS service known as Dynamic DO!.jp was used.
■ YubiOn Portal
YubiKey with Yubico OTP function is required.
YubiOn Portal is a web portal through which an operator registers and manages its users' YubiKeys.
The SSO function must be available in YubiOn Portal with the SSO initial registration completed.
If the [SSO Initial Registration] button is not displayed on the SSO App Settings screen, it has already been registered.
【Preliminary Preparation】
1. Add the domain to Microsoft 365.
2. Install the Microsoft Azure Active Directory PowerShell module (MSOnline).
Unlike SSO configuration for general services, SSO configuration for Microsoft 365 is done using PowerShell on your PC.
Launch PowerShell from the Start menu and execute the following:
Install-Module MSOnline
If PowerShell asks to install the NuGet provider or to trust the PSGallery repository, accept so that the module can be installed.
After installation, connect to Azure AD for Microsoft 365 subscriptions.
Connect-MsolService
When the login prompt appears, log in with the Microsoft 365 account (@xxx.onmicrosoft.com) that has the "Global Administrator" role.
【Step 1】
Set the ImmutableID.
In Microsoft 365, the ImmutableID attribute is used to uniquely identify a user.
In order to perform SSO with YubiOn Portal and Microsoft 365, an ImmutableID must be set for each user.
First check whether an ImmutableID is already set for the target user; depending on how the user was created, one may already exist.
To check, start PowerShell and execute the following:
Get-MsolUser -UserPrincipalName "(mail address)" | select UserPrincipalName,ImmutableId
It should look like this:
If ImmutableID is not set as shown above, set it.
ImmutableID cannot be changed once it is set, so it is not desirable to set information that may change in the future (e.g., last name, job title, etc.).
Set-MsolUser -UserPrincipalName "(mail address)" -ImmutableId "(arbitrary ImmutableID)"
In this example, a dummy email address has been used. However, for operation in company settings, it is advised to choose an ImmutableID carefully by picking something that will not be changed.
Now, run the confirmation command again to make sure it is set correctly.
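The check-then-set sequence of Step 1 as one script, added here as an example rather than taken from the original article. It only writes an ImmutableID when the user has none, and, following the article's advice to avoid values that may change, uses a Base64-encoded GUID instead of an e-mail address. It assumes Connect-MsolService has already been run as a Global Administrator; the UPN is a constructed placeholder.

```powershell
# Added example (not from the original article): set an ImmutableId only when
# the user has none, using a stable opaque value rather than a changeable
# attribute such as a name, job title or e-mail address.
# Assumes Connect-MsolService has already been run with a Global Administrator
# account. The UPN below is a constructed placeholder.

$upn = 'user@example-federated-domain.example'   # constructed placeholder

function New-StableImmutableId {
    # A new GUID encoded as Base64 is a common convention for ImmutableId:
    # it is opaque, not derived from any user attribute, and never changes.
    [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())
}

$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

if ([string]::IsNullOrEmpty($user.ImmutableId)) {
    $newId = New-StableImmutableId
    Set-MsolUser -UserPrincipalName $upn -ImmutableId $newId
    # Record the value: it is also what YubiOn Portal must send as the user ID
    # (Step 2 registers it as the member property).
    Write-Output "Set ImmutableId for $upn to $newId"
}
else {
    # The article treats ImmutableId as fixed once set; stop rather than overwrite.
    Write-Warning "ImmutableId already set for $upn ($($user.ImmutableId)); leaving it unchanged."
}

# Re-read the user and show the result, as the article's confirmation step does.
Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, ImmutableId
```

Keep the printed UPN-to-ImmutableID mapping somewhere durable: the same string has to be entered in YubiOn Portal in Step 2, and a mismatch between the two is the usual reason an SSO login is rejected.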
【Step 2】
Set YubiOn Portal as the Identity Provider (IdP).
In this example, the dummy email address that was set as the ImmutableID will be passed to Microsoft 365 by registering it as a member property.
However, if the employee ID (member ID) or email address registered in YubiOn Portal is set as ImmutableID, proceed to Step 3.
Log in to YubiOn Portal as an administrator and open the "SSO Property Settings" screen.
Open the Property Registration screen from [Property registration] in the upper right corner and register the information to pass ImmutableID from YubiOn Portal to Microsoft 365.
Property key: ms_immutable_id (example)
Remarks: ImmutableID for Microsoft (example)
Next, open the Member Management screen to set ImmutableID for the user performing SSO.
Click on the member performing the SSO to open the Advanced Settings screen and edit the property key created just now.
Register the ImmutableID set in step 1 in the SSO property value.
【Step 3】
Continuing with YubiOn Portal (IdP) settings.
Open the SSO App Settings screen.
Open the Application Registration screen from "Select the App and add" and select "Microsoft 365".
Then "Microsoft 365" will appear in the App list, click on it to enter the settings screen.
Click "Edit settings" under App Settings.
Set the following information on the Edit App settings screen.
SP login URL: https://login.microsoftonline.com/login.srf
User ID value:
Setting method: Property
Value: ms_immutable_id (member property key registered in step 2)
Default relay state: (Empty) ※Can be edited by clicking the "Detailed settings" link.
If the ImmutableID is instead the employee ID (member ID) or the e-mail address registered in YubiOn Portal, the user ID value can be taken directly from member information:
User ID Value Setting
Setting method: Member information
Setup value: Member ID or e-mail address
Several other setting options exist which are not covered in this article.
Finally, assign SSO options to the required members.
Select a member to perform SSO and click the Register button.
【Step 4】
Configure Microsoft 365 as a Service Provider (SP).
Start PowerShell and execute the following:
Set-MsolDomainAuthentication `
    -DomainName "(domain name)" `
    -PassiveLogOnUri "(IdP login URL)" `
    -IssuerUri "(IdP entity ID)" `
    -SigningCertificate "(certificate contents)" `
    -LogOffUri https://es.yubion.com/mypage/ssoAppLogin.html `
    -PreferredAuthenticationProtocol SAMLP `
    -Authentication Federated `
    -SupportsMfa $false `
    -FederationBrandName YubiOnPortal
※The backtick at the end of each line continues the command on the next line. The command can equally be entered on a single line, with a space before each parameter (-XXX). The values in parentheses are taken from the table below.
Value | Where to obtain it | Reference
Domain name (-DomainName) | The domain created in the above procedure (Preparation 1). |
IdP Login URL (-PassiveLogOnUri) | Open SSO App Settings > Microsoft 365 Settings in YubiOn Portal and copy "IdP Login URL". | ①
IdP Entity ID (-IssuerUri) | Open SSO App Settings > Microsoft 365 Settings in YubiOn Portal and copy "IdP Entity ID". | ②
Certificate contents (-SigningCertificate) | Open SSO App Settings > Microsoft 365 Settings in YubiOn Portal and download the certificate. Open the certificate with a text editor and copy the contents. | ③
This completes the configuration.
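Before testing a login, it is worth confirming what Step 4 actually wrote to the tenant. The script below is an added example, not part of the original article or of YubiOn Portal: it checks that the domain reports Federated, compares the stored signing certificate with the file downloaded from YubiOn Portal, reports the certificate's expiry date, and keeps the rollback command at hand. It assumes Connect-MsolService has already been run; the domain name and certificate path are constructed placeholders, and the helper that strips PEM headers reflects the fact that -SigningCertificate takes the Base64 body only.

```powershell
# Added example (not from the original article): verify the federation settings
# from Step 4 and the IdP signing certificate, and keep a way to revert the
# domain to managed authentication.
# Assumes Connect-MsolService has already been run. The domain name and the
# certificate path are constructed placeholders.

$domain   = 'sso.example-federated-domain.example'   # constructed placeholder
$certPath = 'C:\certs\yubion-idp.cer'                # constructed placeholder

function Get-Base64FromPem {
    param([string]$Path)
    # -SigningCertificate takes the raw Base64 body, so drop the PEM
    # header/footer and any line breaks copied from the text editor.
    $text = Get-Content -Path $Path -Raw
    ($text -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
}

function Test-IdpSigningCertificate {
    param([string]$Base64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
    $now      = Get-Date
    $daysLeft = ($cert.NotAfter - $now).Days
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Valid      = ($cert.NotBefore -le $now) -and ($daysLeft -gt 0)
    }
}

# 1. The domain must now report Federated, not Managed.
$auth = (Get-MsolDomain -DomainName $domain).Authentication
if ($auth -ne 'Federated') { throw "Domain $domain is '$auth', expected 'Federated'." }

# 2. Compare what Microsoft 365 stored with the certificate file from YubiOn Portal.
$fed      = Get-MsolDomainFederationSettings -DomainName $domain
$expected = Get-Base64FromPem -Path $certPath
if ($fed.SigningCertificate -ne $expected) {
    Write-Warning 'Stored SigningCertificate differs from the downloaded IdP certificate.'
}
$fed | Select-Object IssuerUri, PassiveLogOnUri, LogOffUri, FederationBrandName

# 3. An expired IdP certificate breaks every SSO login for the domain; watch the date.
Test-IdpSigningCertificate -Base64 $fed.SigningCertificate

# Rollback if SSO does not work and users of the federated domain are locked out:
#   Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
# Keep a Global Administrator account on the initial xxx.onmicrosoft.com domain,
# which cannot be federated, so that this command can always be run.
```

Run this from the same session used for Step 4. The rollback line is the reason the article's prerequisite of signing in with an @xxx.onmicrosoft.com administrator matters: once the custom domain is federated, every login for it depends on YubiOn Portal, so an administrator outside that domain is the only path back if the IdP settings are wrong.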
【Logging In】
■IdP-Initiated
Login to Microsoft 365 using SSO from the YubiOn Portal
Open the SSO App login screen and click "Microsoft 365".
Microsoft 365 login is a success!
■SP-Initiated
Now, log in using SSO from the Microsoft 365 side.
Click the Sign In button.
This redirects to the YubiOn Portal login screen, where you log in with the SSO member account.
Microsoft 365 login is a success!
Conclusion
This article introduced YubiOn Portal settings for SSO login to Microsoft 365.