Microsoft 365


Setting up SAML authentication in Microsoft 365 requires use of Azure Active Directory.

Azure Active Directory Set Up

  1. Go to the Microsoft 365 Admin console and log in with an admin account.
  2. Click on 'Show all' in the sidebar, and then on 'Azure Active Directory'.
    Microsoft 365 - Azure Active Directory
  3. The Azure Active Directory admin center will show. Click on your company name in the dashboard.
    Microsoft 365 - Azure Active Directory
  4. Click on 'Enterprise applications' in the sidebar.
    Microsoft 365 - Enterprise Applications
  5. Click 'New application', type 'SAML toolkit' in the search, and select 'Azure AD SAML Toolkit'.
    Microsoft 365 - New Application
    Microsoft 365 - Azure AD SAML Toolkit
  6. Set the name to 'SupportPro SAML' and click 'Create'. Wait until the page reloads and the application has been created.
    Microsoft 365 - Azure AD SAML Toolkit
  7. Click on 'Set up single sign on' and choose the 'SAML' option.
    Microsoft 365 - Set Up Single Sign On
    Microsoft 365 - SAML
  8. Click 'Edit' in the Basic SAML Configuration area. Set the text boxes as shown and set the relevant options as default, replacing the start of the URL with your help desk URL. To use this on the frontend (for users), replace 'operator' with 'frontend'. Click 'Save' once all the fields have been set.
    Microsoft 365 - Basic SAML Configuration
  9. Next, click 'Edit' in the User Attributes & Claims area. Delete the existing claims and create new claims as shown. The 'role' claim can be ignored if using on the frontend, and additional claims can be configured as per our documentation.
    Microsoft 365 - User Attributes & Claims
  10. Once all that is done, your configuration should look like this:
    Microsoft 365 - SAML Configuration
  11. Finally, click 'Users and groups' in the sidebar, then click 'Add user/group'. Select all users that you would like to be able to log in using SAML, leaving the role as 'Default Access', and click 'Assign'.
    Microsoft 365 - Users and Groups
    Microsoft 365 - Users

SupportPro Configuration

  1. Create the file /config/production/saml.php in your SupportPro installation as below. If you wish to use it on the frontend, you can change the file as per our documentation.
  2. Update the 'idp' configuration in config/production/saml.php using the details from the 'Set up Azure AD SAML Toolkit' section:
    Microsoft 365 - SAML Configuration
    • For the entityID value, use the Azure AD Identifier value.
    • For the singleSignOnService value, use the Login URL value.
    • For the singleLogoutService value, use the Logout URL value.
    Microsoft 365 - SAML Signing Certificate
    For the x509cert value, download the Federation Metadata XML and copy the value of the X509Certificate from this file.
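  3. Create a signing certificate for SupportPro using openssl. The -nodes option writes samlcert.key unencrypted, so keep that file readable only by the account that needs it: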
    openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout samlcert.key -out samlcert.pem
  4. Update config/production/saml.php:
    • Replace X_PASTE_SUPPORTPro_SIGNING_CERT_HERE with the contents of samlcert.pem
    • Replace X_PASTE_SUPPORTPro_SIGNING_CERT_PKEY_HERE with the contents of samlcert.key
  5. The configuration is complete - verify by logging in with the 'Microsoft 365' button as a user that you assigned earlier to the application.
  6. To force use of SAML over the normal login, change the dualLogin value to false.
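
Added example (not part of the SupportPro documentation): one way to pull the values for step 2 of the SupportPro configuration out of the downloaded Federation Metadata XML instead of copying them by hand. It assumes the file follows the standard SAML 2.0 metadata schema; the function name idp_settings, the sample document, the tenant ID and the certificate bytes are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
URL = f"https://login.microsoftonline.com/{TENANT}/saml2"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-"

# Constructed sample metadata; the certificate is dummy base64, not a real cert.
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>Q09OU1RS
        VUNURUQ=</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{BIND}Redirect" Location="{URL}"/>
    <SingleSignOnService Binding="{BIND}Redirect" Location="{URL}"/>
    <SingleSignOnService Binding="{BIND}POST" Location="{URL}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _single(values, what):
    # Refuse to guess: zero values or several distinct ones is an error.
    distinct = sorted(set(values))
    if len(distinct) != 1:
        raise ValueError(f"expected exactly one {what}, found {len(distinct)}")
    return distinct[0]

def idp_settings(metadata_xml):
    # Parse only a metadata file you downloaded from your own tenant.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    # Scope the lookup to the IdP signing key; metadata can repeat certificates.
    certs = ["".join((c.text or "").split()) for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    cert = _single(certs, "signing certificate")
    if not base64.b64decode(cert, validate=True):  # raises on a mangled paste
        raise ValueError("signing certificate is empty")
    out = {"entityID": root.get("entityID"), "x509cert": cert}
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        urls = [e.get("Location", "") for e in idp.findall("md:" + tag, NS)]
        url = _single(urls, tag + " Location")
        if not url.startswith("https://"):
            raise ValueError(f"{tag} Location is not https: {url!r}")
        out[tag[0].lower() + tag[1:]] = url
    return out
```

Call idp_settings() with the text of the downloaded file; the returned keys match the entityID, singleSignOnService, singleLogoutService and x509cert values named in step 2.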


Article Number: 247
Author: Jul 22, 2024
Last Updated: Jul 22, 2024

Online URL: https://docs.supportpro.vn/article/microsoft-365-247.html