Configuring Microsoft 365 WS-Federation application in IBM Verify
Configure IBM® Verify as the Identity Provider after you configure Azure Active Directory as a Service Provider.
Before you begin
- You must have administrative permission to complete this task.
- Log in to the IBM Verify administration console.
Procedure
- Select Applications > Applications.
- Select Add application.
- Select Microsoft 365 and select Add application.
- Select the Sign-on tab and specify the following information:
  Note: Click the checkbox to disable sign-on.

  | Settings | Description |
  |---|---|
  | Sign-on method | Specifies the sign-on method. Select SAML2.0 as the Sign-on method. |
  | Provider ID* | Specifies a unique identifier that identifies the provider to its partner provider. |
  | Assertion consumer service URL (HTTP-POST) | The security token is sent to this service provider endpoint. Leave as default. |
  | Federate multiple domains for Microsoft 365 | Select this checkbox to federate multiple domains for Microsoft™ 365 and configure multiple Service principal names. |
  | IssuerUri suffix | Only applicable when Federate multiple domains for Microsoft 365 is checked. Select an attribute source; its value is appended to the IssuerUri of the token. When (Default) is selected, the user's UPN or email domain is appended to the IssuerUri of the token. |
- Use digital signatures to establish trust between IBM Security® Verify and the service provider.
  | Settings | Description |
  |---|---|
  | Sign Assertion | Select this checkbox to specify whether IBM Verify signs the security token that is sent to Azure Active Directory. |
  | Signature algorithm | Specifies the signing algorithm, chosen from the two supported algorithms. Leave as default. |
  | Signature Certificate | Specifies the certificate that IBM Verify uses to sign the security token. Leave as default. |
- Configure the SAML subject in the SAML assertion to identify the authenticated user.
  | Settings | Description |
  |---|---|
  | Name identifier | Configures the SAML subject in the SAML assertion to identify the authenticated user. Leave as default. |
- Map the known user attributes or other attributes that are to be included in the SAML assertion.
  | Settings | Description |
  |---|---|
  | Attribute Name - UPN | Specifies the UserPrincipalName attribute. Select from the Attribute source menu to specify the UserPrincipalName attribute. For more information on the UserPrincipalName attribute, see User Naming Attributes. |
  | Attribute Name - ImmutableID | Specifies the ImmutableID attribute. Select from the Attribute source menu to specify the ImmutableID attribute. |
- Upload the keytab file for Kerberos authentication.

  | Settings | Description |
  |---|---|
  | Upload keytab file | This configuration is only applicable for hybrid Azure Active Directory join. For more information on uploading a keytab file, see Configuring Service principal name (SPN) and Keytab file for Kerberos Authentication. |
- Configure the service principal names (SPNs) for Kerberos authentication.

  | Settings | Description |
  |---|---|
  | Service principal names | This configuration is only applicable for hybrid Azure Active Directory join. For more information on service principal names, see Configuring Service principal name (SPN) and Keytab file for Kerberos Authentication. |
- Configure the active requestor profile settings.

  | Settings | Description |
  |---|---|
  | Default identity provider | Specifies the default identity provider as the Cloud Directory. |
  | Request rule | You can specify a custom rule to transform the username for the active requestor profile flows. |
- Optional: Test your request rule to make sure it works as intended.
- Select an access policy to perform second factor authentication and, optionally, adaptive access authorization.

  | Settings | Description |
  |---|---|
  | Access policies - Settings | Specifies the access policy for second factor authentication. The adaptive access authorization is optional. By default, the Use default Policy checkbox is selected. |
- Click Save.
- Select the Entitlements tab and configure the Access type.
  Note: For more information on Entitlements, see Managing application entitlements (by administrator or application owner).
- Click Save.
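Once the application is saved, a practical check is to capture the assertion IBM Verify issues for a test user and confirm it carries the parts the steps above configure: an Issuer (Provider ID), a signed assertion (Sign Assertion), a Subject NameID, and the UPN and ImmutableID attributes. The script below is an added example, not IBM's code; the attribute Name values "UPN" and "ImmutableID" mirror the page's labels and are assumptions, as is the constructed sample assertion.

```python
# Added example (not IBM's code): structural check of a SAML 2.0 assertion
# against the Microsoft 365 sign-on settings described on this page.
import xml.etree.ElementTree as ET  # prefer defusedxml in production (XXE / entity expansion)

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed attribute names; match them to what the Attribute Name fields actually emit.
REQUIRED_ATTRS = ("UPN", "ImmutableID")


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion has every expected part."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("saml:Issuer", NS) is None:
        problems.append("missing Issuer (Provider ID)")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (enable Sign Assertion)")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("missing Subject NameID (Name identifier)")
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            problems.append(f"missing attribute {name}")
    return problems


# Constructed sample with all expected parts; the signature contents are a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml20</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UPN"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ImmutableID"><saml:AttributeValue>YWJjMTIz</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the signature stripped, as seen when Sign Assertion is left unchecked.
UNSIGNED_SAMPLE = SAMPLE.replace(
    "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>", "")

if __name__ == "__main__":
    print(check_assertion(SAMPLE))           # []
    print(check_assertion(UNSIGNED_SAMPLE))  # ['assertion is not signed (enable Sign Assertion)']
```

This only checks structure; whether the signature itself verifies against the Signature Certificate is a separate step done with an XML-DSig library.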