HYPR Office 365 with AD FS Configuration


Configure HYPR as a Security Assertion Markup Language (SAML) Identity Provider (IdP) for an Office 365 tenant that is federated with Active Directory (AD) Federation Services (FS). HYPR enables True Passwordless authentication for Office 365.


You must have the following items deployed and available for the configuration of HYPR with AD FS for Office 365:

  1. Have a licensed Office 365 tenant.

  2. Have an AD domain synchronized with Office 365. Instructions for deploying directory sync can be found at:
    Set up directory synchronization for Office 365 | Microsoft Docs.

  3. Have AD FS 3.0+ deployed.

  4. Have Office 365 configured to be federated with AD FS. Deployment steps for this integration can be found at:
    Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365.

  5. Have a hosted or on-premises deployment of HYPR. The HYPR team will provide a SAML metadata file for your deployment.

AD FS Configuration

  1. Navigate to the AD FS management console.
  1. In the tree in the left pane, navigate to AD FS > Trust Relationships > Claims Provider Trusts.

  2. Once in the Claim Provider Trust menu, select Add Claims Provider Trust... from the right pane.

  1. The Add Claims Provider Trust Wizard will launch, which will allow you to setup HYPR as a Claim Provider for AD FS. On the left is your progress listed in steps. No configuration is required in the Welcome step. Click Next at the bottom.

  2. During the Select Data Source step you must upload the HYPR IdP SAML metadata provided by the HYPR team. Select the Browse... option and navigate to the metadata file. Click Next.

  1. During the Specify Display Name step you must input a name for the HYPR SAML Claim Provider in AD FS. This and the Notes field will allow your team to identify that this configuration was created for HYPR.
  1. During the Ready to Add Trust step there is no configuration required. Click Next.

  2. During the Finish step, confirm that the Open Claim Rules checkbox is checked. Click Close.

  1. The Edit Claim Rules window will open once the Claim Provider Wizard is finished. This will be empty to start. Click Add Rule... to begin the process of adding a rule.
  1. During the Choose Rule Type step, use the drop-down selection to choose Transform an Incoming Claim. Click Next.
  1. During the Configure Claim Rule step, fill the fields using the values provided here:
  • Claim rule name: A name to easily identify the purpose of the rule.
  • Incoming claim type: Name ID
  • Incoming name ID format: Unspecified
  • Outgoing claim type: UPN
  1. Click Finish to add the new Claim Rule.

Office 365 Configuration

  1. In the tree at left, navigate to AD FS > Trust Relationships > Reyling Party Trusts.

  2. You will see a relying party with the display name Microsoft Office 365 Identity Platform. Right-click this relying party and select Edit Claim Rules....

  1. The Edit Claim Rules dialog will open for the Relying Party Settings of Office 365. Click Add Rule... to begin the process of adding the rule required for HYPR.
  1. During the Choose Rule Type step, select Send Claims Using a Custom Rule from the drop-down menu. Click *Next.
  1. During the Configure Claim Rule step, name the claim rule. The example shows "HYPR - O365 Claim" as the name to easily identify the purpose of the rule.

  2. Copy the following into the Custom Rule: section:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "userPrincipalName={0};userPrincipalName,objectGUID;DOMAIN.COM\Username", param = c.Value);
  1. Modify the following values from the DOMAIN.COM\Username portion of the copied custom rule:
  • Replace DOMAIN.COM with the domain of your Active Directory / Office 365 Tenant
  • Replace Username with the service account utilized by ADFS

8 Click Finish.

  1. Click OK.