Using Single Sign On with Office 365

Single Sign On in Office 365 is provided by Active Directory Federation Services (AD FS). AD FS is synchronized with the Office 365 environment through the Directory Synchronization process so that Users can log on to Office 365 seamlessly. Microsoft's Directory Synchronization Server is used to sync corporate User accounts with the Office 365 environment. This automatically duplicates the corporate Active Directory's Users and Accounts into the Active Directory that Microsoft hosts on its own servers. As a result, a corporate User can log into the Office 365 account using the same credentials.

AD FS version 2.0 is required to use Single Sign On with Office 365. The AD FS servers must always run in a fail-safe configuration. This is essential because, without these servers, Users cannot use Office 365 services at all. Standalone AD FS servers are not an option when a large number of Users regularly use Office 365. An AD FS Farm with Primary and Secondary AD FS Servers is necessary so that login requests can be processed continuously. AD FS also requires Digital Certificates, so a certificate infrastructure must be set up to support it.

A User logging into Office 365 is asked to present a service token to gain access to the requested services. At this point the User is directed to Microsoft's Federation Gateway, which redirects the User to the corporate AD FS server. Since the User has already been authenticated by the corporate Active Directory, the cached credentials on the User's computer are sufficient to validate the User with the AD FS Server.

The AD FS Server then retrieves the User's User Principal Name (UPN). This is embedded into an Encrypted Login Token that can only be decrypted by Microsoft's Federation Gateway Server. The Gateway Server in turn issues a Signed Service Token for the User's request, which the Online Servers accept. The User is then granted access to the services named within the token.
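The three-party exchange just described (corporate AD FS, Federation Gateway, Online Servers) as an added, simplified model, not code from the original article or from Microsoft. It uses HMAC-protected JSON tokens from the Python standard library in place of the real WS-Federation/SAML formats, and the key names, issuer strings, UPN and service name are all constructed for illustration. It shows the checks a relying service should apply before trusting a service token: integrity, intended audience and expiry.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys (assumption): one trust between AD FS and the gateway,
# one trust between the gateway and the online services it issues tokens for.
GATEWAY_LOGIN_KEY = b"constructed-adfs-to-gateway-key"
GATEWAY_SIGNING_KEY = b"constructed-gateway-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _seal(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag (stand-in for signing/encryption)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def _open(token: str, key: bytes) -> dict:
    """Verify the tag in constant time and return the claims; raise on any mismatch."""
    body_b64, tag_b64 = token.split(".", 1)
    body = _unb64(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag_b64)):
        raise ValueError("token integrity check failed")
    return json.loads(body)


def adfs_issue_login_token(upn: str, now: int) -> str:
    """Corporate AD FS: the user is already authenticated by AD, so only the UPN is embedded."""
    claims = {"upn": upn, "iss": "adfs.corp.example", "iat": now, "exp": now + 300}
    return _seal(claims, GATEWAY_LOGIN_KEY)


def gateway_issue_service_token(login_token: str, service: str, now: int) -> str:
    """Federation Gateway: open the login token, then issue a service token bound to one service."""
    login = _open(login_token, GATEWAY_LOGIN_KEY)
    if login["iss"] != "adfs.corp.example" or login["exp"] < now:
        raise ValueError("login token not acceptable")
    claims = {"upn": login["upn"], "aud": service, "iss": "federation-gateway",
              "iat": now, "exp": now + 3600}
    return _seal(claims, GATEWAY_SIGNING_KEY)


def service_accepts(service_token: str, service: str, now: int) -> Optional[str]:
    """Online service: return the UPN to grant access to, or None if the token must be rejected."""
    try:
        claims = _open(service_token, GATEWAY_SIGNING_KEY)
    except ValueError:
        return None  # tampered or not issued by the gateway
    if claims.get("iss") != "federation-gateway":
        return None
    if claims.get("aud") != service:
        return None  # token was issued for a different service
    if claims.get("exp", 0) < now:
        return None  # expired
    return claims["upn"]


def sso_flow(upn: str, service: str, now: int) -> Optional[str]:
    """Run the whole redirect chain and report which UPN the service ends up trusting."""
    login_token = adfs_issue_login_token(upn, now)
    service_token = gateway_issue_service_token(login_token, service, now)
    return service_accepts(service_token, service, now)


def swap_upn_keep_tag(service_token: str, new_upn: str) -> str:
    """Helper for the demonstration: rewrite the UPN claim without recomputing the tag."""
    body_b64, tag_b64 = service_token.split(".", 1)
    claims = json.loads(_unb64(body_b64))
    claims["upn"] = new_upn
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_b64


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    print(sso_flow("alice@corp.example", "exchange-online", now))
```

The point for a defender is in `service_accepts`: the UPN is only trusted because the tag verifies under the gateway's key, the audience matches the service being accessed, and the token has not expired; any one failing check is enough to deny access.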

The Office 365 User Single Sign On process is lengthy and complicated, involves several steps, and requires dedicated servers running all the time. It also means setting up complex hardware to support logins. However, smaller organizations that cannot afford to set up dedicated AD FS Servers can use the DirSync tool to sync the corporate Active Directory Users to the Azure Active Directory. This removes the need for dedicated AD FS Servers.