Single Sign On RoadMap

If you are unsure about approaching this issue, please call our helpdesk, as you can irreversibly damage your PC if you are not careful.


Single sign-on (SSO) allows you and your users to access Microsoft cloud services with your Active Directory corporate credentials. SSO requires both a security token service (STS) infrastructure and Active Directory synchronization. The following diagram illustrates how your on-premises Active Directory and your STS server farm interact with the Windows Azure Active Directory identity platform to provide access to one or more Microsoft cloud services. When you set up single sign-on, you establish a federated trust between your STS and the Windows Azure AD authentication system. Local Active Directory users obtain authentication tokens from your on-premises STS that redirect the users’ requests through the federated trust. This allows your users to seamlessly access the Microsoft cloud services you’ve subscribed to without needing to sign in with different credentials.


Step 1: Prepare for single sign-on

To prepare, you must make sure your environment meets the requirements for SSO and verify that your Active Directory and your Windows Azure Active Directory tenant are set up in a way that is compatible with single sign-on requirements. For more information, see Prepare for single sign-on.


Step 2: Set up your on-premises security token service

After you have prepared your environment for single sign-on, you will need to set up a new on-premises STS infrastructure to provide your local and remote Active Directory users with single sign-on access to the cloud service. If you currently have an STS in your production environment, you can use it for single sign-on deployment rather than setting up a new infrastructure as long as it is supported by Windows Azure AD.

Currently, Windows Azure AD supports either of the following security token services:


Step 3: Set up directory synchronization

In order for single sign-on to work properly, you must set up Active Directory synchronization as well. This includes preparing for, activating, installing a tool, and verifying directory synchronization. After you have verified directory synchronization, you activate your synced users. Using single sign-on and directory synchronization together ensures that user identities are represented correctly in the cloud service.

For more information about how to get started with setting up directory synchronization, follow the steps provided in Directory synchronization roadmap.


Step 4: Verify single sign-on

After you finish setting up your Active Directory synchronization environment, you now need to verify that your STS is functioning as expected and that single sign-on was set up correctly for your cloud service.

For more information, see either Verify and manage single sign-on with AD FS or Verify single sign-on with Shibboleth, depending on the STS type you are setting up.

