Figure 1
To enable SSO you need the following items:
- A properly configured Active Directory Federation Services (AD FS) environment
- An Office 365 tenant with a verified public domain, e.g. domain.edu
- The verified domain converted to federated sign-in and pointed at your AD FS farm; follow instructions from a blog like this to enable SSO
Once these steps are complete, you can verify the AD FS setup by visiting https://adfs.domain.com/adfs/ls/IdpInitiatedSignon.aspx from a variety of places, using both internal and external clients. Note that on AD FS for Windows Server 2016 and later the IdP-initiated sign-on page is disabled by default; if you want to use it for testing, enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true.
To test Single Sign-On for Office 365, go to https://portal.microsoftonline.com and try to log in as username@domain.com. The portal should take you to a page similar to Figure 1. When you click the "Sign in at domain.com" link, it should redirect to your AD FS environment and either log you in automatically or prompt for credentials, depending on the AD FS configuration, the credentials of the currently logged-on user, and the browser.
If you enter your credentials and receive the error "Your organization could not sign you into this service" as shown in the image, the cause is most likely the UPN currently configured in Active Directory. AD FS identifies the user to Office 365 by the UPN it reads from AD, so that UPN must match the user's UPN in Office 365 and its suffix must be a verified, federated domain. This is typically a problem when your on-premises forest uses a private, non-routable domain name such as domain.local: a UPN like user@domain.local can never match the public domain that Office 365 is federated with.
Solution
First add the public UPN suffix to the forest if it does not already exist, then assign it to the user.
- Open Active Directory Domains and Trusts.
- Right-click the top item, Active Directory Domains and Trusts, and choose Properties.
- On the UPN Suffixes tab, add your alternate public UPN suffix, e.g. domain.com, and click OK.
- In Active Directory Users and Computers, open the properties of the user you are testing.
- Go to the Account tab.
- Under "User logon name:", change the drop-down from the private suffix to the new @domain.com suffix and click OK.
WARNING: Changing a user's UPN changes the name that user signs in with anywhere the user@domain.local form is used, so if people use the private UPN to log in elsewhere, test on a few accounts before changing everyone. The new UPN also has to reach Office 365 through directory synchronization before the federated sign-in will succeed, so allow a sync cycle to run after the change.
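The same change, done with PowerShell so it can be previewed and then applied to a whole OU rather than one user at a time. This is an added example and not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that the private suffix is domain.local, that the verified public suffix is domain.com, and that the users to fix live under the OU in $SearchBase; all three values are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Placeholders: domain.local,
# domain.com and the OU in $SearchBase. Run from a domain-joined session
# with rights to modify the forest and the target user objects.
Import-Module ActiveDirectory

$OldSuffix  = 'domain.local'                   # private, non-routable suffix (placeholder)
$NewSuffix  = 'domain.com'                     # verified public domain in Office 365 (placeholder)
$SearchBase = 'OU=Staff,DC=domain,DC=local'    # scope of the change (placeholder)
$Commit     = $false                           # $false = preview only; set $true to apply

# 1. Register the public suffix at the forest level. This is the same step as
#    Active Directory Domains and Trusts > Properties > UPN Suffixes.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $NewSuffix}
    Write-Host "Added UPN suffix $NewSuffix to forest $($forest.Name)"
} else {
    Write-Host "UPN suffix $NewSuffix already registered in forest $($forest.Name)"
}

# 2. Find users in scope that still carry the private suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName

# 3. Rewrite only the suffix. The part before '@' and the sAMAccountName are
#    left alone, so DOMAIN\user logons keep working; only user@domain.local
#    style logons are affected, which is the warning above.
foreach ($u in $users) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $NewSuffix
    if ($Commit) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        Write-Host "Changed $($u.UserPrincipalName) -> $newUpn"
    } else {
        Write-Host "Would change $($u.UserPrincipalName) -> $newUpn"
    }
}

# 4. Verify: after a committed run nothing in scope should still use the
#    private suffix. (In preview mode this count is unchanged.)
$remaining = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase)
Write-Host "$($remaining.Count) user(s) under $SearchBase still have @$OldSuffix"
```

Run it once with $Commit left at $false and read the "Would change" lines before applying. After a committed run the new UPNs still have to be synchronized to Office 365; with Azure AD Connect that is Start-ADSyncSyncCycle -PolicyType Delta on the sync server, and the federated sign-in will not succeed until that sync has completed.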