Secure Your WorkforceSecure Your CustomersAPI ReferenceEnd User GuideSupport

Office 365 with AD FS

Overview

This guide covers the configuration of a HYPR for Office 365 tenant that is federated with Active Directory Federation Services (AD FS). HYPR enables true passwordless authentication for Office 365.

Pre-Requisites

You must have the following items deployed and available for the configuration of HYPR with AD FS for Office 365 for your users:

  1. Have a licensed Office 365 tenant.

  2. Have an Active Directory domain synchronized with Office 365. Instructions for deploying directory sync can be found at:
    Set up directory synchronization for Office 365 | Microsoft Docs

  3. Have AD FS version 3.0+ deployed.

  4. Have Office 365 configured to be federated with AD FS. Deployment steps for this integration can be found at:
    Step-by-Step: Setting up AD FS and Enabling Single Sign-On to Office 365

  5. Have a hosted or on-premises deployment of HYPR. The HYPR team will provide a SAML metadata file for your deployment.

Configuration Steps

Start by navigating to your AD FS Management Console.

1680

HYPR Configuration

  1. Within the left-hand column navigate to 'AD FS / Trust Relationships / Claims Provider Trusts'

  2. Once in the Claim Provider Trust menu, select 'Add Claims Provider Trust...' from the right-hand column.

1680

  1. The 'Add Claims Provider Trust Wizard' will launch, which will allow you to setup HYPR as a Claim Provider for AD FS. On the left of the Wizard you will see which step you are on. No configuration is required in the Welcome' step. Select 'Next' at the bottom.

  2. During the 'Select Data Source' step you will need to upload the HYPR IdP SAML metadata, which was provided by the HYPR team. Select the 'Browse...' option and navigate to the metadata file. Once selected, select 'Next' at the bottom.

730
  1. During the 'Specify Display Name' step you will need to input a name for the HYPR SAML Claim Provider in AD FS. This and the notes will allow your team to identify that this configuration was created for HYPR.
730

  1. During the 'Ready to Add Trust' step there is no configuration required. Select 'Next' at the bottom.

  2. During the 'Finish' step, confirm that the 'Open Claim Rules' checkbox is checked. Click 'Close' at the bottom to continue.

730
  1. The 'Edit Claim Rules' window will open once the Claim Provider Wizard is finished. This will be empty to start. Select 'Add Rule...' to begin the process of adding a rule.
510
  1. During the 'Choose Rule Type' step, use the drop-down selection to choose 'Transform an Incoming Claim'. Select 'Next' to continue.
730
  1. During the 'Configure Claim Rule' step, start by naming the claim rule. The example shows Name ID to UPN as the name to easily identify the purpose of the rule.
  • In the 'Incoming claim type:' field select 'Name ID'
  • In the 'Incoming name ID format:' leave the selection as 'Unspecified'
  • In the 'Outgoing claim type:' select 'UPN'

Select 'Finish' to add the new Claim Rule.

730

Office 365 Configuration

  1. Within the left-hand column, navigate to 'AD FS / Trust Relationships / Reyling Party Trusts'

  2. You will see a relying party with the display name 'Microsoft Office 365 Identity Platform'. Right-click this relying party and select 'Edit Claim Rules...'.

1680
  1. The Edit Claim Rules window will open for the Relying Party Settings of Office 365. Select 'Add Rule...' to begin the process of adding the rule required for HYPR.
510
  1. During the 'Choose Rule Type' step of the Claim Rule Wizard, select 'Send Claims Using a Custom Rule' from the drop-down menu. Select 'Next' to continue.
730
  1. During the 'Configure Claim Rule' step, start by naming the claim rule. The example shows HYPR - O365 Claim as the name to easily identify the purpose of the rule.

Copy the following into the 'Custom Rule:' section:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "userPrincipalName={0};userPrincipalName,objectGUID;DOMAIN.COM\Username", param = c.Value);

Ensure that you modify the following values from the 'DOMAIN.COM\Username' portion of the copied custom rule:

  • Replace 'DOMAIN.COM' with the domain of your Active Directory / Office 365 Tenant
  • Replace 'Username' with the service account utilized by AD FS

Select 'Finish' when you are ready to proceed.

730
  1. To finish this process select 'OK'.
510

Updated 12 months ago