Office 365 Federation - The Multiple Domain Problem

Office 365 Federation can be a real pain to implement for any organization. Microsoft’s own TechNet website refers to the process as “[seeming] like more trouble than it’s worth”. Office 365 integration becomes even more difficult to manage when multiple domain federation is required. Historically, Microsoft has required that each domain be federated using its own specific ‘issuer’ value. With regards to true Single Sign-On, this is far from an ideal solution.

Fortunately, all hope is not lost!

Why Use Multiple Office 365 Domains?

This is a valid question. Most people don’t even realize that multiple domains might be a necessary consideration for Office 365 federation. However, when this scenario rears its head, the necessity can lead to high levels of frustration and sacrifices to usability for the sake of functionality. All of these result in a marked decrease in productivity and user adoption for any environment.

The most obvious scenario where Office 365 federation to multiple domains would be useful is for higher education institutions. Office 365 domains are most often differentiated based on individual user groups. For example: students have a single Office 365 domain while faculty, staff, and administrators have another. The multiple domain problem arises when an institution wants to provide access to these domains from a single point.

Natively, Microsoft does not provide the functionality for multiple domain federation in Office 365. As a result, it is not uncommon to see a website with a unique login portal for each individual domain. While functional, this solution is by no means ideal.

Benefits of Office 365 Federation for Multiple Domains

The primary benefit of solving the Office 365 federation issue with multiple domains lies in usability and consistency. End-users become far less frustrated when the process of logging in to Office 365 is streamlined and not particularly annoying to manage.

Additionally, using Office 365 federation for multiple domains provides additional opportunities to streamline things on the IT administration side. Typical solutions to this problem will involve a dedicated Identity Provider (IdP), which improves and simplifies control over various web applications – Office 365 included.

Not only do administrators reap the benefits of improved productivity and a happier user-base, but they are also able to redirect their time and efforts to more necessary and pertinent issues. The use of a properly configured Single Sign-On IdP takes the stress out of problems such as Office 365 federation and simplified authentication and replaces it with freedom and peace of mind.

Solving the Problem and Looking Ahead

Recently, Microsoft adjusted the protocols for Office 365 federation. Office 365 now checks the ‘issuer value’ presented in SAML responses for federated SSO against the issuer registered for the user’s federated domain. While this change further interrupted many SSO solutions for multiple domains in Office 365, IdPs such as PortalGuard are now configurable to optionally override the ‘issuer value’ for each SSO Relying Party. With such a configuration in place, organizations from any vertical can integrate multiple domains with Office 365 federation – all without sacrificing the usability inherent in true SSO.
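To make the issuer check concrete, here is an added example (not PortalGuard’s code, nor anything from Microsoft) that models both sides of the exchange described above: an IdP that selects the issuer value per relying party based on the user’s domain, and a relying-party check, in the spirit of what Office 365 is described as doing, that rejects a SAML response whose Issuer does not match the one registered for that domain. The domain names, issuer URIs and the XML are constructed; the subject is carried as a plain UPN in the NameID purely to keep the example short.

```python
import xml.etree.ElementTree as ET

SAML_NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical federation configuration: each federated domain was registered
# with its own issuer value (constructed values, not real tenants or IdPs).
FEDERATED_DOMAINS = {
    "students.example.edu": "urn:federation:example-idp:students",
    "staff.example.edu": "urn:federation:example-idp:staff",
}


def domain_of(upn):
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def issuer_for_relying_party(upn):
    """IdP side: pick the issuer to present based on the user's federated domain.
    Returns None when the domain has not been federated."""
    return FEDERATED_DOMAINS.get(domain_of(upn))


def build_response(upn, issuer=None):
    """IdP side: build a minimal (unsigned, constructed) SAML Response.
    With issuer=None the per-domain issuer is used; passing a fixed issuer
    reproduces the old single-issuer setup that the text says now fails."""
    if issuer is None:
        issuer = issuer_for_relying_party(upn)
    if issuer is None:
        raise ValueError(f"domain of {upn!r} is not federated")
    return (
        f'<saml2p:Response xmlns:saml2p="{SAML_NS["saml2p"]}" '
        f'xmlns:saml2="{SAML_NS["saml2"]}">'
        f"<saml2:Issuer>{issuer}</saml2:Issuer>"
        "<saml2:Assertion>"
        f"<saml2:Issuer>{issuer}</saml2:Issuer>"
        f"<saml2:Subject><saml2:NameID>{upn}</saml2:NameID></saml2:Subject>"
        "</saml2:Assertion>"
        "</saml2p:Response>"
    )


def check_issuer(response_xml):
    """Relying-party side: both the Response and Assertion Issuer elements must
    equal the issuer registered for the asserted user's domain.
    Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    response_issuer = root.findtext("saml2:Issuer", namespaces=SAML_NS)
    assertion = root.find("saml2:Assertion", SAML_NS)
    if assertion is None:
        return False, "no assertion"
    assertion_issuer = assertion.findtext("saml2:Issuer", namespaces=SAML_NS)
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=SAML_NS)
    if not name_id or "@" not in name_id:
        return False, "no usable subject"
    expected = FEDERATED_DOMAINS.get(domain_of(name_id))
    if expected is None:
        return False, f"domain {domain_of(name_id)} is not federated"
    if response_issuer != expected or assertion_issuer != expected:
        return False, f"issuer mismatch: got {response_issuer!r}, expected {expected!r}"
    return True, "ok"


if __name__ == "__main__":
    # Per-relying-party issuer: accepted for both domains.
    for upn in ("alice@students.example.edu", "bob@staff.example.edu"):
        print(upn, check_issuer(build_response(upn)))
    # Single issuer for every domain: the staff user is rejected.
    print(check_issuer(build_response("bob@staff.example.edu",
                                      issuer="urn:federation:example-idp:students")))
```

The mismatch branch is exactly the failure the text describes: an IdP that presents one issuer for all domains will be accepted for the domain that issuer was registered against and rejected for every other one, which is why a per-relying-party override is needed rather than a second login portal per domain.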


Tags: Azure, IT Security, PortalGuard, Dynamic Analysis, office 365, SAML, Single Sign-On (SSO), SSO 101