Open michzimny opened 6 years ago
We have yet to look at the authentication protocol they use.
@foobarable, would you be able to provide, by next week, a description of a few sentences explaining what could be done on this matter? We're preparing a report on improvement suggestions from users and we need to address this issue anyhow.
Currently reading about it. It looks like we would need an AD for doing so.
And AD stands for...? :)
Active Directory. But I've found some documentation about Azure Directory as OpenIDC provider. Let me check it.
It's not possible for me to register with my work email at Microsoft to do this:
https://docs.microsoft.com/de-de/azure/active-directory/develop/v1-protocols-openid-connect-code
It says only private mail addresses are allowed.
So shall we create a private email account to be used just for the purposes of AD? And have the password for this account shared with someone else just to not lose the access?
I created an account but I'm not sure if it will help us. I now have my own Azure AD.
I think it's rather usual in such cases that a service administrator (you as the admin of the SSO) creates such an account at the IdP to enable the service (our SSO) to work with that IdP...
Yes, but using an empty AD doesn't help us at all. Looks like I need to do some reading.
Okay, I think we would have to integrate each Office 365 instance for them to be able to authenticate. They would need to create the AD OpenIDC application in their portal. It's one thing to integrate those authentication sources technically, but it will not be so easy from a UI perspective.
Each instance? My understanding is that there is only one Office365 service (SaaS) available. My colleagues are saying that they have once done such Microsoft-based authentication, and everyone with an Office365 user account was able to authenticate.
Are you able to provide any references on this instances issue?
My colleagues have also given me the following link. Maybe it helps a bit. https://stackoverflow.com/questions/40088260/create-application-with-authenticates-against-o365-azure-ad-with-openidconnect
If the up2u infrastructure could provide one aggregated ADFS metadata repository we could include that. It's not a good idea to add each AD manually to the SSO.
I was told that MS Office 365 accounts can be self-hosted somehow (via the AD?) or used in the SaaS model. In the former case, admins also have an option to export local user accounts to the central instance (https://docs.microsoft.com/en-us/office365/enterprise/office-365-integration).
So, I think we can ignore local AD, and just enable authentication against central Office 365. Then, if local admins permit, any Office 365 user will be able to authenticate this way to Up2U.
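The "one central Office 365 endpoint, any tenant may log in" approach proposed above is what Azure AD calls a multi-tenant application, and it changes the ID token checks an SSO has to do. The example below is added here as an illustration and is not code from the Up2U project or from Microsoft. It assumes the v2.0 endpoints, where the multi-tenant (`common`) discovery document publishes the issuer with a literal `{tenantid}` placeholder that has to be filled in from the token's `tid` claim before comparison, and it assumes the JWT signature has already been verified against the keys from that discovery document; the tenant and application ids are constructed sample values. The per-tenant allowlist is the SSO-side knob that corresponds to "if local admins permit": with it empty, every Office 365 tenant is accepted.

```python
"""Claim checks for an Azure AD / Office 365 ID token in the multi-tenant case.

Added example (not Up2U or Microsoft code). Signature verification is assumed
to have happened already; only the checks that differ from a single-tenant
setup are shown. Azure AD v2.0 endpoints are assumed throughout.
"""
import time

# Issuer as published by the multi-tenant ("common") v2.0 discovery document.
# The placeholder is literal, so a strict string compare against a token's
# iss claim would always fail; it must be filled in from the token's tid.
COMMON_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"


def expected_issuer(template: str, tid: str) -> str:
    """Substitute the tenant id taken from the token into the discovery template."""
    return template.replace("{tenantid}", tid)


def validate_claims(claims: dict, client_id: str, allowed_tenants=None,
                    now=None, template: str = COMMON_ISSUER_TEMPLATE):
    """Return (ok, reason) for the decoded claims of an ID token.

    allowed_tenants=None means any tenant is accepted (the "any Office 365
    user" policy); a set restricts logins to those tenant ids.
    """
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid"
    # Signing keys are shared across tenants, so the signature alone does not
    # say which tenant minted the token; iss and tid must agree with each other.
    if claims.get("iss") != expected_issuer(template, tid):
        return False, "issuer does not match tenant"
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, "tenant not permitted"
    return True, "ok"


# Constructed sample values; none of these are real tenant or application ids.
CLIENT_ID = "00000000-aaaa-bbbb-cccc-dddddddddddd"
OUR_TENANT = "11111111-2222-3333-4444-555555555555"
OTHER_TENANT = "99999999-8888-7777-6666-555555555555"
NOW = 1_700_000_000

GOOD_CLAIMS = {
    "iss": "https://login.microsoftonline.com/" + OUR_TENANT + "/v2.0",
    "aud": CLIENT_ID,
    "tid": OUR_TENANT,
    "exp": NOW + 600,
    "preferred_username": "alice@example.org",
}
# Same shape, minted by a different tenant: valid under the shared keys,
# accepted only if the allowlist (if any) contains that tenant.
FOREIGN_CLAIMS = dict(GOOD_CLAIMS,
                      iss="https://login.microsoftonline.com/" + OTHER_TENANT + "/v2.0",
                      tid=OTHER_TENANT)
# tid rewritten to our tenant while iss still names the other one.
MISMATCH_CLAIMS = dict(GOOD_CLAIMS,
                       iss="https://login.microsoftonline.com/" + OTHER_TENANT + "/v2.0")

if __name__ == "__main__":
    for name, claims, policy in [
        ("own tenant, open policy", GOOD_CLAIMS, None),
        ("other tenant, open policy", FOREIGN_CLAIMS, None),
        ("other tenant, allowlist", FOREIGN_CLAIMS, {OUR_TENANT}),
        ("iss/tid mismatch", MISMATCH_CLAIMS, None),
    ]:
        print(name, "->", validate_claims(claims, CLIENT_ID, policy, now=NOW))
```

In a real deployment the template string comes from the `issuer` field of the `common` discovery document rather than a constant, and the signature check that precedes these claim checks uses the `jwks_uri` from the same document.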
@foobarable, would you be able to investigate feasibility of that approach mentioned in my last comment?
This is an improvement suggestion collected from external users. Do you have any idea how problematic it could be, and how realistic it is to have it?