Sign up for Office 365
Learn more about Office 365
I have deployed Office 365 Single Sign-on with Active Directory Federation Services 2.0 in conjunction with directory synchronization. The helpful reference I have used here: http://www.microsoft.com/en-us/download/details.aspx?id=28971. In this document, Microsoft states : Work computer on a corporate network: When users are at work and signed in to the corporate network, single sign-on enables them to access the services in Office 365 without signing in again. However, after doing some tasks, I still can achieve objective as the statement.
My environment has two servers: Federation server and Synchronization server. SSL self-signed certificate is used in Federation server. These severs have already joined to domain.
I have found out some tips on the Internet and done the following:
However, at the first time I open my Office 365 team site, I get directed to https://login.microsoftonline.com/. The username email@example.com is available. I just need to "Sign in at fed.thesoldier.net", and then I get redirected to the Certification Error: Navigation Blocked page, here I have to click Continue to this website (not recommended) and then the Windows credential prompts. Here I type my credential and get directed to Office 365.
The key things I want:
Your recommendations are greatly appreciated.
I understand you have two problems about deploying SSO.
For your first question, you can set up a corporate CA and use Group Policy to make every client trust the certificate.
For you second question, you need to enter the user name. Then Office 365 will redirect to on-premise to authenticate the user without password.
I know that. So that's why I have such a question. What 's wrong with my configuration described above. What do I have to make sure to achieve the goal: "I don't have to type password any time when I already logged to my computer joined to domain."
You add the AD FS service url to the client browser’s Local intranet site list. Then the user only need to type the user name and login page will redirect to the AD FS site to authenticate.
Is there any problem if I add AD FS to Trusted site zone instead of Local intranet zone? I even did add SSL self-signed certificate to root trust authorities group.
The default setting of IE is ‘Automatic logon only in Intranet zone’, so the AD FS site need to be added into the intranet zone list.
How are things going?
If you have any other questions or concerns, please do not hesitate to contact us. It is always our pleasure to be of assistance.