SecSign ID Plugin: Office 365

2017-01-21 5 minutes to read

Two-Factor Authentication for Windows Office 365

Active Directory Federation Services (AD FS) lets companies use their local user management (for example Active Directory or LDAP) to authenticate users to web and cloud services such as Office 365. But with added convenience comes an increase in security threats: a single insufficiently secured user account is enough to give attackers access to an immense amount of sensitive company data.

So how do you protect cloud access while keeping the authentication simple and compliance high?

Use your local Active Directory for authentication at cloud services and secure access with our SecSign ID on-premise Two-Factor Authentication server.

Authentication is redirected via the Active Directory and secured with the on-premise SecSign ID server; the authentication itself takes place on the local SecSign ID server.
That way all users can be managed and controlled locally in the Active Directory, and no sensitive data is ever transmitted to the cloud service.
Try the login with AD FS in our test environment.

Office 365 2FA Integration Tutorial

This article gives an overview of securing your Office 365 Login with two-factor authentication. For a detailed tutorial on how to integrate two-factor authentication with your Office 365 Login, have a look at the plugin tutorial.

Overview

Overview and Integration

Introducing SecSign ID for Office 365 logins.


Protect access with our simple touch authentication and intuitive authentication rules, defined by you.
Compliance can easily be enforced and attacks on your company logins are rendered impossible.
The following video gives an overview on the authentication process. The complex process can easily be integrated in a few simple steps.

Try the secure Two-Factor Authentication for the Office 365 login. You can experience the functionalities in our test environment with your SecSign ID.

Authentication

Authentication procedure

With the SecSign ID Two-Factor Authentication the user can log in to Office 365 in just one convenient and quick step, without inconvenient and complex codes.
To log in, the user simply provides their credentials as usual and selects the displayed symbol in the mobile app. That's it: next-level security with minimal complexity.

If required, you can offer mobile or e-mail OTP (one-time passwords) as an alternative authentication option.

Enrollment

Enrolling your users for 2FA

With SecSign, enrollment of your users is quick and convenient for both the user and the administrator.

You have several options to enroll your users for 2FA with SecSign. Most commonly, the 2FA ID should be identical to the Windows user name (for example sAMAccountName or userPrincipalName), and only users who have already authenticated successfully (user name and password) should be able to create a 2FA account.
SecSign offers several options to activate 2FA by default and link the 2FA ID with the AD user. The two most popular are described below:

with a Schema Extension, which adds a 2FA attribute to the user in the Active Directory, or without a Schema Extension, with read-only access from the SecSign ID Server.

For both options the enrollment procedure can either proceed via the Custom ID App or a custom landing page for the users to enroll.

Enrolling your users for 2FA with a custom app
Enrolling your users for 2FA with a custom landing page

An overview of how the Active Directory can be integrated with your 2FA setup is available here.

Installation

Installation of the 2FA Plugin

All Windows Plugins are available as an MSI for a convenient and quick install.

Common steps for the integration with Microsoft Office 365 are explained here:

1 On the Windows Server run the Server Manager, Add Roles and Features. Please check the following options in addition to those already selected by default:

  1. Server roles:
    • Active Directory Domain Services
    • Active Directory Federation Services
    • Web Server (IIS)
  2. Features:
    • .NET Framework 4.5 (4.6 on Windows Server 2016) Features
      • ASP.NET 4.5
  3. Role services for Web Server (IIS)
    • Application Development
      • ASP.NET 4.5 (4.6 on Windows Server 2016)

2 Promote the server to a domain controller if not done already.

3 Install a recent Oracle Java runtime environment from: https://java.com/

4 Add the SecSign ID user attribute to the Active Directory: https://www.secsign.com/two-factor-authentication-in-active-directory/

5 Import a certificate for HTTPS on the Windows Server.

  • Copy your private key and https certificate bundled in a p12 file (pfx) to the server and double-click it.
  • Select “Local Machine” as store location.
  • Confirm the suggested options and confirm to install the certificate.

6 Install the imported certificate for HTTPS at the Web Server (IIS).

  • Click the Windows start menu and then click “Windows Administrative Tools”.
  • Double-click the Internet Information Services (IIS) Manager.
  • Right-click the web site in the list on the left side.
  • Select Edit Bindings.
  • Add “https” and select the TLS (SSL) certificate.

7 Sign up for a free trial (or a paid subscription) of Microsoft Office 365 at: https://products.office.com/en-us/business/office-365-business-premium

  • Go to the Office 365 Admin center at: https://portal.office.com/adminportal/home#/homepage
  • Add a Domain.
  • Software installation (like Microsoft Word) and e-mail address migration are not required to set up the SecSign ID federation.
  • Select “I’ll manage my own DNS records.”
  • None of the DNS entries suggested by Microsoft are required just to set up the SecSign ID federation. Select “Exit and continue later”.

8 Install “Microsoft Azure Active Directory Connect” from: http://www.microsoft.com/en-us/download/details.aspx?id=47594

  • Use customized settings.
  • Do not check anything at “Install required components”.
  • In “User sign-in” select: “Federation with AD FS”.
  • In “Connect to Azure AD” enter your credentials from the Office 365 sign-up.
  • In “Connect your directories” select your forest and enter your Windows administrator credentials.
  • In “Azure AD sign-in configuration” select “userPrincipalName”.
  • In “Domain and OU filtering” select “Sync all domains and OUs”.
  • In “Uniquely identifying your users” select that “Users are represented only once across all directories” and select objectGUID as source anchor.
  • In “Filter users and devices” select “Synchronize all users and devices”.
  • Do not select any optional features.
  • In “AD FS Farm” load your private key and certificate from a p12 file (pfx) and select a subject name. This must be a host name in the public DNS pointing to this server.
  • In “AD FS Servers” select your Windows Server.
  • Skip the installation of a Web application proxy server.
  • Enter your Domain administrator credentials in the next dialog.
  • Enter the same credentials again in “AD FS service account”.
  • Select your Azure AD domain.
  • Select to start the synchronization process, do not select staging and click “Install”.
  • Create the necessary DNS entries or just exit and do it later as needed.

9 Install “Active Directory module for Windows PowerShell”. (On a domain controller this is installed already.)

  • Run the Server Manager and open the “Add Roles and Features Wizard”.
  • In the “Features” dialog unfold: Remote Server Administration Tools, Role Administration Tools, and select: Active Directory module for Windows PowerShell.

10 Install “Azure Active Directory Connection” from: http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185 and download & install AdministrationConfig-V1.1.166.0-GA.msi

11 Install SecSign ID Federation SAML generator.

  • Run SecSign-ID-Federation-SAML-Generator-Setup.exe.
  • Copy the pfx or p12 file containing your SAML response signing key to the folder FederatedSecSignID
  • Run regedit.exe and open the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\SecSign\ADFS
  • Edit the value of SamlResponseSigningKeyPassword and type the password of your SAML response signing key.
  • Edit the value of SamlResponseSigningKeyFile to the path and file name of your SAML response signing key.
  • Edit the values of SecSignIDServerHostName and SecSignIDServerPort to match your SecSign ID Server.
  • Edit the values of FallbackSecSignIDServerHostName and FallbackSecSignIDServerPort to match your fallback SecSign ID Server.
    If you do not have a fallback server then please leave ‘-‘ as the value of FallbackSecSignIDServerHostName.
  • Edit the value of ServiceNameForSecSignApp. This description of the service will be displayed in the SecSign App during the log-in.

12 Configure the federation properties by running these commands in a PowerShell window:

  • Extract your SAML signing certificate from a p12 file (pfx):
    Get-PfxCertificate -FilePath .p12 | Export-Certificate -FilePath secsign.cer
  • Base64 encode the certificate by running this command in a PowerShell window:
    $SECSIGNSAMLSIGNCERT = [Convert]::ToBase64String((Get-Content secsign.cer -Encoding Byte))
  • Enter your credentials for the Microsoft Office 365 admin web site: Connect-MsolService
  • Turn off federation temporarily to make sure that the following command will actually upload your SAML signing certificate:
    Set-MsolDomainAuthentication -DomainName -Authentication Managed
  • Set the federation settings of your domain in Microsoft Azure:

    $Domain = "
    $ActiveLogOnUri = "https:///adfs/services/trust/2005/usernamemixed"
    $FederationBrandName = "SecSign"
    $IssuerUri = "https:///FederatedSecSignID/SecSignIDLogin.aspx"
    $LogOffUri = "https:///adfs/ls/"
    $MetadataExchangeUri = "https:///adfs/services/trust/mex"
    $PassiveLogOnUri = "https:///FederatedSecSignID/SecSignIDLogin.aspx"

    Set-MsolDomainAuthentication -DomainName $Domain -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -ActiveLogOnUri $ActiveLogOnUri -FederationBrandName $FederationBrandName -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $SECSIGNSAMLSIGNCERT -Authentication Federated

  • Should you ever need to remove users of an already removed test domain from Azure and the Office 365 admin panel doesn’t allow you to do so, you may use:

    Remove-MsolUser -UserPrincipalName

    More details here:
    https://support.microsoft.com/en-us/kb/2709902
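Step 12 as one parameterised script, added here as an example (it is not part of the SecSign tutorial): it exports only the public certificate, switches the domain to Managed and back to Federated with the same endpoints the tutorial lists, and then reads the settings back with Get-MsolDomainFederationSettings to check that the tenant really trusts the local signing key and the expected HTTPS endpoints. $DomainName, $FederationHost and $PfxPath are placeholders you replace with your own values; the script requires the MSOnline module.

```powershell
# Added example, not from the SecSign tutorial. Placeholders: $DomainName,
# $FederationHost (public DNS name of the AD FS host) and $PfxPath.
param(
    [string]$DomainName     = "example.com",         # placeholder: federated domain
    [string]$FederationHost = "adfs.example.com",    # placeholder: AD FS host name
    [string]$PfxPath        = ".\secsign-saml.p12",  # placeholder: SAML response signing key
    [string]$CerPath        = ".\secsign.cer"
)
$ErrorActionPreference = "Stop"
Import-Module MSOnline

# 1. Export the public certificate only; the private key never leaves this server.
$cert = Get-PfxCertificate -FilePath $PfxPath
$null = Export-Certificate -Cert $cert -FilePath $CerPath
$signingCert = [Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path $CerPath)))

# 2. All federation endpoints must be HTTPS on the host you control.
$uris = @{
    IssuerUri           = "https://$FederationHost/FederatedSecSignID/SecSignIDLogin.aspx"
    PassiveLogOnUri     = "https://$FederationHost/FederatedSecSignID/SecSignIDLogin.aspx"
    ActiveLogOnUri      = "https://$FederationHost/adfs/services/trust/2005/usernamemixed"
    LogOffUri           = "https://$FederationHost/adfs/ls/"
    MetadataExchangeUri = "https://$FederationHost/adfs/services/trust/mex"
}

Connect-MsolService
# 3. Switch to Managed first so the new signing certificate is really uploaded
#    (federated sign-in is interrupted until the next command completes).
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -FederationBrandName "SecSign" -SigningCertificate $signingCert @uris

# 4. Verify: the tenant must now trust exactly the certificate exported above,
#    and every endpoint must match what was configured.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
$remote = [Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($settings.SigningCertificate))
if ($remote.Thumbprint -ne $cert.Thumbprint) {
    throw "Azure AD trusts $($remote.Thumbprint), local key is $($cert.Thumbprint)"
}
foreach ($name in $uris.Keys) {
    if ($settings.$name -ne $uris[$name]) { throw "$name differs: $($settings.$name)" }
}
"Federation for $DomainName verified: issuer $($settings.IssuerUri), " +
"signing cert $($remote.Thumbprint) valid until $($remote.NotAfter)"
```

The final line is worth keeping in change records: the certificate's NotAfter date is the deadline for rotating the SAML signing key before federated logins start failing.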


Your own ID-Server

On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.

