Office 365 Federated Authentication with WSO2 Identity Server using OpenID Connect

Laslo Pastor
WSO2 Solution Architecture Team Blog
7 min read · May 2, 2019

In this scenario we log in to a third-party application using Office 365 credentials, with WSO2 Identity Server acting as the Identity Provider for that application.

A big thank you goes to Dinali Rosemin Dabarera for the help and patience while this article was written.

Use case

We need to secure a web application and provide single sign-on while the users are kept in a federated user store; in our case they are in Azure Active Directory.

The idea is to use an authentication hub that can provide federated authentication, such as WSO2 Identity Access Manager (IAM).

For Office 365 federated authentication we need an Office 365 application. Follow the steps below to create one.

Azure Setup

Go to the Azure portal and click on Azure Active Directory in the left menu.

This brings up the Default Directory Overview section, where you can register a new application by clicking on New registration.

New registration setup

In the Register an application form, fill in the following:

  1. Name: newApp
  2. Supported account types: select the option you need (the third option covers accounts in any organizational directory and any personal Microsoft accounts)
  3. Redirect URI: https://localhost:9443/commonauth

Finally, click on Register.

Once registered, you are redirected to the Overview page of the new application, where you find the client_id needed to create Office 365 as the IdP in WSO2 Identity Server.

To obtain the secret, select Certificates & secrets and click on New client secret.

In the Add a client secret pop-up select the preferred duration and click Add.

NOTE: In the Client secrets section you will see the newly created secret with the description you provided.

NOTE: Once you leave this section the secret value is hidden and cannot be retrieved again, so save it immediately.

API permission

By default Microsoft Graph's User.Read permission is selected. Other permissions can be added by clicking on Add a permission, which brings up a section to choose a specific API.

Once you select an API you can choose Delegated permissions or Application permissions, each of which offers a different set of permissions.

For the purpose of federated authentication we can leave the default.

Grant consent

In Grant consent click on Grant admin consent to grant all the permissions.

Configure Manifest setup of the Application

In the manifest edit groupMembershipClaims; the possible values are All, SecurityGroup or none. To receive group information in claims you need to choose All (all groups) or SecurityGroup (security groups only).

NOTE: if you leave the default value for groupMembershipClaims (which is "", a blank string), no group information is propagated in the claim!

With these configurations the Office 365 side is done. Now we move to the WSO2 Identity Server side.

WSO2 setup

Configure Office365 as an Identity Provider

In the WSO2 Identity Server console, in the left menu choose Identity Providers > Add to bring up the Add New Identity Provider section.

  1. Basic Information section

In the Basic Information section only the name is mandatory, so give it a unique name:

Identity Provider Name: office365OpenID

  2. Federated Authenticators section

In the Federated Authenticators section choose OAuth2/OpenID Connect Configuration.

Populate it with the client ID and client secret obtained from the Azure application registration.

Claim mapping

In the Claim Configuration section set userprincipal as the User ID Claim URI.

Role mapping

In the Role Configuration section set up the role mapping you want applied to the federated user during provisioning into the user store.

User groups coming from AD have no names in the claims, only GUIDs. That is all you have to do to create Office 365 as an IdP.
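As an added example, not code from the article or from WSO2, the following Python sketch shows what the pickup-manager application (or a test script) could do with the JWT it receives after federated login: check the basic claims and map the GUID-only groups claim to local roles, mirroring the role mapping above. The issuer URL, client id and GUIDs are assumed placeholders, and verifying the RS256 signature against the Identity Server's JWKS is assumed to happen before this step.

```python
import base64
import json
# Assumed placeholders, not values from the article: the WSO2 IS token issuer
# and the client id of the pickup-manager service provider.
EXPECTED_ISSUER = "https://localhost:9443/oauth2/token"
CLIENT_ID = "<pickup-manager-client-id>"

# Azure AD group object id -> local role (constructed GUIDs), as in the IdP role mapping.
GROUP_ROLE_MAP = {
    "1a2b3c4d-0000-0000-0000-000000000001": "pickup-admin",
    "1a2b3c4d-0000-0000-0000-000000000002": "pickup-user",
}

def unverified_claims(token):
    """Payload of a compact JWT; the RS256 signature must already have been
    checked against the issuer's JWKS (not shown here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(claims, now):
    """Reject tokens for another issuer or audience, or past expiry."""
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return True

def roles_for(claims):
    """Map the GUID-only groups claim to roles; unknown GUIDs grant nothing."""
    roles, unmapped = set(), []
    for gid in claims.get("groups", []):
        if gid in GROUP_ROLE_MAP:
            roles.add(GROUP_ROLE_MAP[gid])
        else:
            unmapped.append(gid)
    return sorted(roles), unmapped

def sample_token():
    """Constructed token with a placeholder signature, for testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    payload = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": 4102444800,
               "upn": "jane@example.onmicrosoft.com",  # user id claim in IS
               "groups": ["1a2b3c4d-0000-0000-0000-000000000001",
                          "deadbeef-0000-0000-0000-000000000099"]}
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".sig"
```

Unmapped GUIDs are returned separately so they can be logged; they never grant a role.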

Configure your Third-party application as a Service Provider and link Office365 as the Federated IDP

To set up this section you need the application deployed and reachable.
You can follow the Quick Start Guide to set up a sample application (https://docs.wso2.com/display/IS570/Quick+Start+Guide); choose Scenario 2.

In the WSO2 Identity Server console, in the left menu choose Service Providers > Add to bring up the Add New Service Provider section.

  1. Provide a unique name and click on Register.

  2. Inbound Authentication Configuration section

Choose OAuth/OpenID Connect Configuration and click on Configure.

Populate the callback URL and choose JWT as the token issuer; leave the rest at the default values.

Callback Url: http://localhost.com:8080/pickup-manager/oauth2client

And for Token Issuer choose: JWT

Click on Update.

  3. Claim configuration: to get user details into the third-party application, configure all the claims you need as requested claims. You can also mark some as mandatory, but make sure those are actually sent from the Office 365 side.

  4. Local & Outbound Authentication Configuration

For the simple federated option choose Federated Authentication and select office365OpenID.

Now the setup is complete and we can test the flow.

Test workflow

Here I chose a third-party app called pickup-manager from the WSO2 Identity Server samples. You can follow this blog to set up such a sample.

In the browser open the location of the deployed sample application secured by IS (in our case it is the OpenID manager application).

When you click on LOGIN the application redirects you to provide your Office 365 credentials.

Once you log in successfully you are redirected back to the application.

Multi-step authentication, if needed

For multi-step authentication, edit the Local & Outbound Authentication Configuration section of the service provider setup and choose Advanced Configuration, where you can define the different steps as in the picture.

After configuring this, try the same flow again: you should now see the Identity Server login page first, and once you log in there you are redirected to Office 365 to log in again with your Office 365 credentials.

Hope you enjoy my first blog!
