Microsoft Education in the Cloud

Read all about the wonderful world of the Microsoft cloud stack and how it applies to education. Your feedback and comments are always welcome. Enjoy!

Update the Live@edu SSO Toolkit to maintain single sign-on access on Office 365 Education

Update the Live@edu SSO Toolkit to maintain single sign-on access on Office 365 Education

  • Comments 3
  • Likes

The Live@edu SSO Toolkit 4.5 Update is supported as an interim solution in Office 365 Education until December 31, 2014 to give you more time to implement federation after the upgrade.

This new update enables the Live@edu SSO Toolkit to continue working before, during, and after the upgrade from Live@edu to Office 365 Education.

Important: It is recommended to install the Live@edu SSO Toolkit 4.5 Update before the Live@edu Upgrade and verify users can still sign in to Live@edu via your web portal.

If you have not applied the Live@edu SSO Toolkit 4.5 Update, the SSO Toolkit will stop working partway through the Live@edu Upgrade .

What is the Live@edu SSO Toolkit

The Live@edu SSO Toolkit allows users to access SkyDrive or Outlook Live from an on-premises web portal without a secondary credential challenge from the Live@edu authentication platform.

A pre-installed security certificate (provided to the school by Microsoft) establishes a trust between the on-premises web portal and the Live@edu authentication platform. This trust relationship delegates user authentication to the on-premises web portal and eliminates the need for the user to provide a password for authentication to Live@edu.


Basic overview of Single Sign-On with Live@edu

  • A user browses to a school’s on-premises web portal, e.g., and provides her/his on-premise username and password.

  • The web portal presents to the user an HTML page containing a “My Mailbox” link.

  • When the authenticated user clicks the "My Mailbox" link, the web portal looks up the user's Microsoft account ID in the on-premises directory service.

  • The on-premises web portal server passes the Microsoft account ID and the pre-installed security certificate to a Microsoft SOAP (Simple Object Access Protocol) service, and a Short-Lived Token (SLT) from Microsoft is received by the on-premises web portal server over SSL.

  • Skip ahead a few steps...Single Sign-On happens.

  • The user transfers seamlessly to her/his SkyDrive or Outlook Live mailbox without being prompted for credentials a second time.

What about PCNS (Live@edu Password Synchronization)?

The Live@edu SSO Toolkit is a Single Sign-On solution for browser clients.

If you are using Live@edu Password Synchronization in combination with the Live@edu SSO Toolkit to allow email rich-clients, smart phones, and other devices to connect to Live@edu, then you may want to investigate password synchronization on Office 365.

For additional information, please see the following resources:

Is Office 365 Password Synchronization a requirement for your Live@edu Upgrade?

Ask for Password Synchronization! Submit feedback to





Thanks for joining us today!

Zion Brewer


  • Followed the instructions to modify the 4.4 version SSO kit to 4.5, and noticed that GetSLT now checks for UseEduSso app setting. It defaults to GetSltFromSsoProxy, and the proxy throws error saying it did not like the certificate. This is the same certificate which is being used on the same machine, for a working 4.4 version kit. When I change app setting UseEduSso to false, the GetSLT method goes to GetSltFromWLID, and user signs in ok, but debugger shows that the SLT returned by GetSLT does not contain the WLID: or O365: prefix, which according to documentation means 4.5 was not successfully installed. Help!!!

  • Great idea, thanks Microsoft for telling us about this when you tell us our Live @ Edu is about to be upgraded to Office 365. If we knew about this then maybe we would have kept the Live@Edu tenant instead of doing the migration ourselves into our own Office 365 tenant.

  • Will the SSO Toolkit 4.5 update function after the domain has been converted to federation? (Convert-MsolDomainToFederated) Just trying in our test environment and looks like if domain has already been converted the SSO Toolkit won't function. So common sense tells me that the domain needs to be Standard authentication in order to function. (Convert-MsolDomainToStandard)?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment