Microsoft Office 365 Integration
The following sections describe how to deploy and configure DigitalPersona STS with a Microsoft Office 365 federated domain, and how to connect it to an on-premises DigitalPersona LDS Server.
Microsoft Active Directory (AD) users will be synchronized to Azure AD via Azure AD Connect, and users will gain access to the enterprise's SaaS applications.
Public domain name - This must be the same domain name registered with Office 365 tenant.
SSL certificate - Either a wildcard certificate for the public domain name, or one for the specific host name that will be used for STS.
Office 365 Tenant - An Office 365 subscription with at least the Pro Plus plan.
Administrator Account - An Office 365 Global Administrator account is required in order to change the domain from Managed mode to Federated mode.
Azure Active Directory Sync tool - The AAD Sync tool must be configured to map the on-premises UPN attribute to the Azure AD username, and the source anchor must be objectGUID.
DigitalPersona Server - A DigitalPersona LDS Server must be installed and licensed.
Users - Users need to be enrolled with the DigitalPersona Server.
STS - Pre-configured DigitalPersona STS and all required components for STS. Ensure that you can open the STS Metadata page by navigating to the following URL:
https://<External_Host_Name>/dppassivests/wsfed/metadata
Configure Federation for the Office 365 Tenant
-
On the system which has AAD Sync installed, install the Azure AD PowerShell Module.
You can download the Azure Active Directory Module for Windows PowerShell (64-bit) from http://go.microsoft.com/fwlink/p/?linkid=236297, and click Run to launch the installer package.
-
Start a Windows PowerShell session.
-
Import the MSOnline module by entering the following cmdlet:
Import-Module MSOnline
-
Connect to the online service by executing the following cmdlet:
Connect-MSolService
-
Enter the Office 365 administrator username and password.
-
Verify that the domain name is listed by executing the following cmdlet:
Get-MsolDomain -DomainName <domainname>
-
Convert the domain to a federated domain by executing the Set-MsolDomainAuthentication command.
To simplify the process and avoid configuration errors you should use the provided PowerShell script, which contains all the required values for the Set-MsolDomainAuthentication command. The script is located at:
C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\Integration\Azure Federation - Setup.ps1
For example:
PS> Connect-MsolService
PS> & 'C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\Integration\Azure Federation - Setup.ps1' -AzureDomainName 'managed-domain.com'
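The vendor script above already carries the values the Set-MsolDomainAuthentication call needs. The following added example (it is not the DigitalPersona script and not part of the original page) shows where those values come from: it reads the STS WS-Federation metadata document, extracts the signing certificate and passive endpoint from it, refuses to touch a domain that is not currently Managed, and then federates the domain. The host name, domain name and FederationBrandName are placeholders, and the IssuerUri is assumed to be the metadata entityID; the exact values the vendor script uses are not given on this page.

```powershell
# Added example, not the DigitalPersona "Azure Federation - Setup.ps1" script.
# Assumptions: $StsHostName and $AzureDomainName are placeholders; IssuerUri is taken
# from the metadata entityID; FederationBrandName is an arbitrary label.
param(
    [Parameter(Mandatory)] [string] $AzureDomainName,   # e.g. 'managed-domain.com'
    [Parameter(Mandatory)] [string] $StsHostName,       # e.g. 'sts.managed-domain.com'
    [switch] $DryRun                                    # show the parameters instead of applying them
)

Import-Module MSOnline

$metadataUrl = "https://$StsHostName/dppassivests/wsfed/metadata"

# 1. Fetch the metadata over TLS. A TLS error here means the IIS binding or certificate
#    is wrong; federating now would lock users out of Office 365.
$xml = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Namespace-agnostic XPath: WS-Fed metadata mixes md:, fed:, wsa: and ds: prefixes.
$entityId = $xml.DocumentElement.GetAttribute('entityID')
$certNode = $xml.SelectSingleNode("//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")
$passive  = $xml.SelectSingleNode("//*[local-name()='PassiveRequestorEndpoint']//*[local-name()='Address']")
if (-not $entityId -or -not $certNode -or -not $passive) {
    throw "Metadata at $metadataUrl is missing entityID, signing certificate or passive endpoint"
}

$signingCert = $certNode.InnerText -replace '\s', ''   # Base64 DER with line breaks removed
$passiveUri  = $passive.InnerText.Trim()

# Show the certificate so the operator can compare the thumbprint with the STS certificate in IIS.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($signingCert))
Write-Host "STS signing certificate: $($x509.Subject) thumbprint $($x509.Thumbprint) expires $($x509.NotAfter)"
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Signing certificate expires within 30 days' }

# 2. Only convert a Managed domain. Re-federating an already federated domain with different
#    values breaks existing sign-ins; certificate changes belong in the update script instead.
$domain = Get-MsolDomain -DomainName $AzureDomainName
if ($domain.Authentication -ne 'Managed') {
    throw "$AzureDomainName is '$($domain.Authentication)', not Managed; aborting"
}

$params = @{
    DomainName                      = $AzureDomainName
    Authentication                  = 'Federated'
    IssuerUri                       = $entityId
    FederationBrandName             = 'DigitalPersona STS'   # placeholder label
    PassiveLogOnUri                 = $passiveUri
    LogOffUri                       = $passiveUri
    SigningCertificate              = $signingCert
    PreferredAuthenticationProtocol = 'WsFed'
}

if ($DryRun) { $params | Format-Table -AutoSize; return }

# 3. Federate, then read the domain back to confirm the change took effect.
Set-MsolDomainAuthentication @params
Get-MsolDomain -DomainName $AzureDomainName | Select-Object Name, Authentication, Status
```

Run it once with -DryRun and compare the printed thumbprint against the certificate selected on the STS HTTPS binding before applying; the read-back at the end should show Authentication set to Federated.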
Update the Signing Certificate
After updating the DigitalPersona STS signing certificate, you also need to update it in the Azure Federation setting.
This can be done by executing the Set-MsolDomainFederationSettings command.
The DigitalPersona WMC package contains a PowerShell script which provides all the required values. The script is located at:
C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\Integration\Azure Federation - Update Certificate.ps1
For example:
PS> Connect-MsolService
PS> & 'C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\Integration\Azure Federation - Update Certificate.ps1' -AzureDomainName 'managed-domain.com'
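The following added example (not the DigitalPersona "Update Certificate" script and not part of the original page) shows the shape of the rotation behind that script: it reads the certificate Azure AD currently trusts for the domain, exports the public part of the new certificate from the local machine store on the STS host, and publishes it with Set-MsolDomainFederationSettings, either as the active signing certificate or staged as the next one. It assumes it runs on the STS server and that the new certificate's thumbprint is supplied by the operator.

```powershell
# Added example, not the DigitalPersona "Azure Federation - Update Certificate.ps1" script.
# Assumptions: run on the STS host; the new certificate is in Cert:\LocalMachine\My;
# $NewThumbprint is its thumbprint.
param(
    [Parameter(Mandatory)] [string] $AzureDomainName,
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [switch] $Stage   # publish as NextSigningCertificate instead of replacing the active one
)

Import-Module MSOnline

function ConvertTo-Cert([string] $Base64) {
    # Federation settings carry certificates as Base64 DER strings; $null when unset.
    if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

# 1. What Azure AD currently trusts for this domain.
$settings = Get-MsolDomainFederationSettings -DomainName $AzureDomainName
$current  = ConvertTo-Cert $settings.SigningCertificate
if ($current) { Write-Host "Azure AD trusts: $($current.Thumbprint) (expires $($current.NotAfter))" }

# 2. The new certificate on the STS. Only the public certificate is exported;
#    the private key stays in the machine store.
$new = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
if (-not $new)               { throw "No certificate with thumbprint $NewThumbprint in LocalMachine\My" }
if (-not $new.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key; the STS cannot sign with it" }
if ($new.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint has already expired" }

if ($current -and $current.Thumbprint -eq $new.Thumbprint) {
    Write-Host 'Azure AD already trusts this certificate; nothing to do'
    return
}

$contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$newBase64   = [Convert]::ToBase64String($new.Export($contentType))

if ($Stage) {
    # Publish the new certificate ahead of time so Azure AD already holds it
    # before the STS is switched over to signing with it.
    Set-MsolDomainFederationSettings -DomainName $AzureDomainName -NextSigningCertificate $newBase64
} else {
    Set-MsolDomainFederationSettings -DomainName $AzureDomainName -SigningCertificate $newBase64
}

# 3. Read back and show both slots so the operator can confirm the result.
$after = Get-MsolDomainFederationSettings -DomainName $AzureDomainName
[pscustomobject]@{
    Signing     = (ConvertTo-Cert $after.SigningCertificate).Thumbprint
    NextSigning = (ConvertTo-Cert $after.NextSigningCertificate).Thumbprint
}
```

Use -Stage first, switch the STS to the new certificate, then run without -Stage; the read-back at the end should show the new thumbprint in the Signing slot. Until the federation setting matches the certificate the STS signs with, Azure AD rejects every token, so do this in a maintenance window.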
Disable Federation
If at some point it becomes necessary to turn off federation and switch back to a Managed domain, run the following cmdlet with the Managed option:
Set-MsolDomainAuthentication -DomainName <domainname> -Authentication Managed
Troubleshooting
Identity Provider login page doesn't display
-
If the Identity Provider (STS) login page displays on the server hosting STS but not externally, check the HTTPS bindings in IIS to make sure they use the correct certificate. The STS certificate needs to be selected on the binding.
-
For troubleshooting any application connectivity issues after federation, you can use the Remote Connectivity Analyzer at https://testconnectivity.microsoft.com.
-
You should clear out any previous tokens or sessions and start fresh after Federation. For example, sign out of any MS-Office applications and delete user sign-in information from Skype.
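For the binding problem in the first item above, the following added example (not part of the original page) checks it from both sides: it lists the certificate each HTTPS binding of the STS site is configured with in IIS, and then performs a plain TLS handshake against the external host name to show which certificate clients actually receive. The site name, host name and expected thumbprint are placeholders.

```powershell
# Added example, not part of the original page. Assumptions: $SiteName is the IIS site
# hosting dppassivests, $ExternalHostName is the public STS name, $ExpectedThumbprint
# is the thumbprint of the STS certificate.
param(
    [string] $SiteName         = 'Default Web Site',
    [string] $ExternalHostName = 'sts.managed-domain.com',
    [string] $ExpectedThumbprint
)

Import-Module WebAdministration

# 1. What IIS is configured to serve on each https binding.
$bindings = Get-WebBinding -Name $SiteName -Protocol https
if (-not $bindings) { throw "Site '$SiteName' has no https binding; the STS will only answer over http" }
foreach ($b in $bindings) {
    $hash = $b.certificateHash
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    Write-Host "binding $($b.bindingInformation): $hash $($cert.Subject)"
    if (-not $cert) { Write-Warning "binding $($b.bindingInformation) references a certificate not in LocalMachine\My" }
    if ($ExpectedThumbprint -and $hash -ne $ExpectedThumbprint) {
        Write-Warning "binding $($b.bindingInformation) uses $hash, not the STS certificate $ExpectedThumbprint"
    }
}

# 2. What a client actually receives. A raw handshake with SNI set to the external name,
#    so the result does not depend on browser trust settings or cached sessions.
function Get-ServedCertificate([string] $HostName, [int] $Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here; we want to see the certificate, not fail on it.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$served = Get-ServedCertificate -HostName $ExternalHostName
Write-Host "served to clients: $($served.Thumbprint) $($served.Subject)"
if ($ExpectedThumbprint -and $served.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning 'Clients receive a different certificate than IIS is meant to serve; check a reverse proxy or stale binding'
}
# $true when the chain validates on this machine; $false means external users will see a certificate warning.
$served.Verify()
```

Run step 1 on the STS host and step 2 from a machine outside the network; a mismatch between the two is the usual cause of "works locally, fails externally". The served certificate's subject or subject alternative names must also cover the external host name, which the wildcard or host-specific certificate from the prerequisites provides.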
Uninstall the Web Management Components
The DigitalPersona Web Management Components can be uninstalled using the Windows Control Panel.
During uninstallation, a dialog displays that allows you to remove any certificates that were created automatically by the DigitalPersona Configuration wizard:
-
If you choose to remove the certificates created by DigitalPersona, then when upgrading the Web Management Components new certificates will have to be created (either automatically or manually), and you will need to update the federation settings in Azure with the new signing certificate.
-
If you choose to keep the certificates created by DigitalPersona, when upgrading, the saved certificates will be used, and no changes will need to be made.