** Update October 8, 2014 **
Please check the Office 365 Message Center for the most recent information on support for the Live@edu SSO Toolkit 4.5 Update in Office 365.
The Message Center, inside the Office 365 admin center, is the best way to stay informed about updates to your Office 365 service. The Message Center provides information tailored to your specific configuration, including alerts about actions you need to take to keep your service running smoothly. Learn more.
** end update **
The Live@edu SSO Toolkit 4.5 Update is an interim solution in Office 365 Education to give you more time to implement federation after the upgrade.
This update enables the Live@edu SSO Toolkit to continue working before, during, and after the upgrade from Live@edu to Office 365 Education.
Important: It is recommended to install the Live@edu SSO Toolkit 4.5 Update before the Live@edu Upgrade and verify users can still sign in to Live@edu via your web portal.
If you have not applied the Live@edu SSO Toolkit 4.5 Update, the SSO Toolkit will stop working partway through the Live@edu Upgrade .
The Live@edu SSO Toolkit allows users to access SkyDrive or Outlook Live from an on-premises web portal without a secondary credential challenge from the Live@edu authentication platform.
A pre-installed security certificate (provided to the school by Microsoft) establishes a trust between the on-premises web portal and the Live@edu authentication platform. This trust relationship delegates user authentication to the on-premises web portal and eliminates the need for the user to provide a password for authentication to Live@edu.
A user browses to a school’s on-premises web portal, e.g. https://portal.contoso.edu, and provides her/his on-premise username and password.
The web portal presents to the user an HTML page containing a “My Mailbox” link.
When the authenticated user clicks the "My Mailbox" link, the web portal looks up the user's Microsoft account ID in the on-premises directory service.
The on-premises web portal server passes the Microsoft account ID and the pre-installed security certificate to a Microsoft SOAP (Simple Object Access Protocol) service, and a Short-Lived Token (SLT) from Microsoft is received by the on-premises web portal server over SSL.
Skip ahead a few steps...Single Sign-On happens.
The user transfers seamlessly to her/his SkyDrive or Outlook Live mailbox without being prompted for credentials a second time.
The Live@edu SSO Toolkit is a Single Sign-On solution for browser clients.
If you are using Live@edu Password Synchronization in combination with the Live@edu SSO Toolkit to allow email rich-clients, smart phones, and other devices to connect to Live@edu, then you may want to investigate password synchronization on Office 365.
For additional information, please see the following resources:
Thanks for joining us today!
Followed the instructions to modify the 4.4 version SSO kit to 4.5, and noticed that GetSLT now checks for UseEduSso app setting. It defaults to GetSltFromSsoProxy, and the proxy throws error saying it did not like the certificate. This is the same certificate which is being used on the same machine, for a working 4.4 version kit. When I change app setting UseEduSso to false, the GetSLT method goes to GetSltFromWLID, and user signs in ok, but debugger shows that the SLT returned by GetSLT does not contain the WLID: or O365: prefix, which according to documentation means 4.5 was not successfully installed. Help!!!
Great idea, thanks Microsoft for telling us about this when you tell us our Live @ Edu is about to be upgraded to Office 365. If we knew about this then maybe we would have kept the Live@Edu tenant instead of doing the migration ourselves into our own Office 365 tenant.
Will the SSO Toolkit 4.5 update function after the domain has been converted to federation? (Convert-MsolDomainToFederated) Just trying in our test environment and looks like if domain has already been converted the SSO Toolkit won't function. So common sense tells me that the domain needs to be Standard authentication in order to function. (Convert-MsolDomainToStandard)?
Is it still planned to withdraw support for this in December 2014? I know some people who haven't yet made alternative arrangements :-(
Apologies for the company plug, but we are a Microsoft Gold partner running our service on Microsoft Azure, so hopefully that makes it OK. :-) IAM Cloud has a product called Trusted Source SSO that addresses the ability to authenticate to Office 365 via
a web portal. We have customers using this feature to solve the "OK now what do we do?" problem.
Here's more info:
Good one thank you!