Updated: June 25, 2015
Applies To: Azure, Office 365, Power BI, Windows Intune
Azure AD domains are federated using the Microsoft Azure Active Directory Module for Windows PowerShell. You will use this topic to run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on.
Important
Before you can complete the instructions in this topic, you must review and complete the steps in Install Windows PowerShell for single sign-on with Shibboleth.
Each Active Directory ___domain that you want to federate using Shibboleth must either be added as a single sign-on ___domain or converted to be a single sign-on ___domain from a standard ___domain. Adding or converting a ___domain sets up a trust between Shibboleth Identity Provider and Azure Active Directory.
The following procedure walks you through how to convert an existing standard ___domain to a federated ___domain.
1. Open the Microsoft Azure Active Directory Module.
2. Run
$cred = Get-Credential
When the cmdlet prompts you for credentials, type your cloud service administrator account credentials.
3. Run
Connect-MsolService -Credential $cred
This cmdlet connects you to Azure AD. Creating a context that connects you to Azure AD is required before running any of the additional cmdlets installed by the tool.
4. Run the following commands to convert an existing ___domain (in this example, mail.contoso.com) for single sign-on:
$dom = "mail.contoso.com"
$url = "https://idp.contoso.com/idp/profile/SAML2/POST/SSO"
$ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP"
$uri = "https://idp.contoso.com/idp/shibboleth"
$logouturl = "https://idp.contoso.com/logout/"
$cert = "MIIFYzCCBEugAw...2tLRtyN"
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
Note
You must run
$ecpUrl = "https://idp.contoso.com/idp/profile/SAML2/SOAP/ECP"
only if you set up the Shibboleth Identity Provider ECP extension. Though an optional step, it is recommended that you install the Shibboleth Identity Provider ECP extension in order for single sign-on to work with a smart phone, Microsoft Outlook or other clients. For more information, see “Optional: Install the Shibboleth ECP Extension” in Configure Shibboleth for use with single sign-on.
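The conversion above, wrapped with the checks an administrator would want before and after it, as an added example that is not part of this topic: it rejects a signing certificate that does not parse or has expired (this certificate is what Azure AD trusts when validating Shibboleth assertions), refuses to touch a ___domain that is not currently Managed, sends ActiveLogOnUri only when the ECP extension is in use, and reads the stored federation settings back for comparison. It assumes the MSOnline module is loaded, Connect-MsolService has already been run, and the hypothetical -UseEcp switch and parameter names are this example's own.

```powershell
# Added example, not from the original topic. Assumes Connect-MsolService has run.
param(
    [string]$DomainName = "mail.contoso.com",
    [string]$IdpHost    = "idp.contoso.com",
    [string]$CertBase64 = "MIIFYzCCBEugAw...2tLRtyN",   # placeholder; paste the real IdP signing cert
    [switch]$UseEcp                                      # hypothetical: set only if the ECP extension is installed
)

# 1. The signing certificate is what Azure AD trusts to validate SAML assertions,
#    so refuse a value that is not a parsable X.509 certificate or has expired.
try {
    $bytes = [Convert]::FromBase64String($CertBase64)
    $x509  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
} catch { throw "SigningCertificate is not a valid base64 X.509 certificate: $_" }
if ($x509.NotAfter -lt (Get-Date)) {
    throw "Signing certificate $($x509.Thumbprint) expired on $($x509.NotAfter)"
}

# 2. Only convert a ___domain that is currently a standard (Managed) ___domain.
$current = Get-MsolDomain -DomainName $DomainName
if ($current.Authentication -ne 'Managed') {
    throw "$DomainName is already '$($current.Authentication)'; nothing to convert"
}

# 3. Build the parameter set; all endpoints are HTTPS URLs on the IdP host.
$params = @{
    DomainName                      = $DomainName
    FederationBrandName             = $DomainName
    Authentication                  = 'Federated'
    PassiveLogOnUri                 = "https://$IdpHost/idp/profile/SAML2/POST/SSO"
    IssuerUri                       = "https://$IdpHost/idp/shibboleth"
    LogOffUri                       = "https://$IdpHost/logout/"
    SigningCertificate              = $CertBase64
    PreferredAuthenticationProtocol = 'SAMLP'
}
# ActiveLogOnUri is only meaningful when the Shibboleth ECP extension is installed.
if ($UseEcp) { $params.ActiveLogOnUri = "https://$IdpHost/idp/profile/SAML2/SOAP/ECP" }

Set-MsolDomainAuthentication @params

# 4. Read the federation settings back and flag anything that differs from what was sent.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
foreach ($key in 'PassiveLogOnUri','IssuerUri','LogOffUri','ActiveLogOnUri') {
    if ($params.ContainsKey($key) -and $settings.$key -ne $params[$key]) {
        Write-Warning "$key mismatch: sent '$($params[$key])', stored '$($settings.$key)'"
    }
}
$settings | Format-List
```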
See Also
Concepts
Install Windows PowerShell for single sign-on with Shibboleth
Use Shibboleth Identity Provider to implement single sign-on