You can now federate multiple parent domains with a single Access Manager cluster. This means that if the enterprise has users in multiple domains, a single Access Manager cluster can handle the single sign-on requests for all the users for Office 365 services.
For example, if users are across two domains: user1@namtest.com and user2@namnetiq.in. When user1@namtest.com and user2@namnetiq.in access Office 365 services, the same Access Manager identity provider automatically forms the response with the corresponding Issuer URI and sends it to corresponding domains configured in the Office 365 service.
Ensure that you meet Prerequisite for creating a domain.
Create a new Office 365 domain and verify it. See Adding and Verifying a Domain for Office 365.
NOTE: Office 365 does not support creating a child domain if federation for the parent domain has already been established by using PowerShell. Ensure that you add all child domains from the Office 365 admin center before establishing federation for the parent domain.
For more information about establishing federation when there are multiple domains and a child domain, see Configuring Federation for Multiple Domains.
According to the example used in section Enabling Federation Settings in Office 365 Domain, we have an existing domain named namtest.com.
To create a new domain named namnetiq.in, run the following commands in PowerShell, substituting your own domain name and URLs as appropriate for your setup.
Run $cred = Get-Credential and enter your cloud service administrator account credentials.
Run Connect-MsolService -Credential $cred
For example, if the name of the domain is namnetiq.in and the Base URL of Identity Server is https://namnetiq.in/nidp/, run the following commands in PowerShell:
NOTE: In the following example, no port is specified because the default port 443 is used. If you are using port 8443, include the port in the Base URL, for example https://namnetiq.in:8443/nidp/
When you add additional domains to Office 365 using PowerShell commands, the variables $certData, $url, $ecpUrl, $logouturl, and $mex must contain the details already provided for the existing domain. When you configure a new domain, change only the values of $dom and $uri.
$dom = "namnetiq.in"                                                   # the new domain being federated
$url = "https://namtest.com/nidp/wsfed/ep"                             # passive sign-on endpoint of the existing domain
$ecpUrl = "https://namtest.com/nidp/wstrust/sts/active12"              # active (ECP) endpoint of the existing domain
$uri = "https://namnetiq.in/nidp/wsfed/"                               # Issuer URI, specific to the new domain
$logouturl = "https://namtest.com/nidp/jsp/o365wsfedlogout.jsp"        # sign-out endpoint of the existing domain
$mex = "https://namtest.com/nidp/wstrust/sts/mex"                      # metadata exchange endpoint of the existing domain
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("name and path of the certificate")
NOTE: If the certificate has a .crt extension, convert it to .cer first. When executing this command, specify the path to the certificate within double quotes, for example "C:\local\netiq-off365-sign.cer"
$certData = [System.Convert]::ToBase64String($cert.RawData)
Use the following cmdlet to update the settings of the single sign-on domain:
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -MetadataExchangeUri $mex
To configure more domains, follow the same steps. Ensure that the Issuer URI includes the UPN suffix of the domain. For example, if you are configuring a domain named support.in, the Issuer URI is https://support.in/nidp/wsfed/.
Go to Devices > Identity Servers > Edit > Options and ensure that the value for STS OFFICE365 MULTI DOMAIN SUPPORT AUTO is configured as true. This property enables users to access Office 365 services using the Issuer URI specific to the domain they belong to.
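The following PowerShell script is an added example, not part of the Access Manager documentation or the product. It federates several parent domains against one Access Manager cluster in a loop, reusing the shared endpoints of the existing domain (namtest.com) and building a per-domain Issuer URI, then reads back what Office 365 stored to confirm the Issuer URI and signing certificate. The certificate path, the domain list and the use of the domain name as -FederationBrandName are assumptions; Get-MsolDomainFederationSettings is a standard MSOnline cmdlet used here as the verification step.

```powershell
# Added example: federate additional parent domains and verify each one.
$cred = Get-Credential
Connect-MsolService -Credential $cred

$base      = "https://namtest.com/nidp"                 # Base URL of the already federated domain
$url       = "$base/wsfed/ep"                           # passive sign-on endpoint (shared by all domains)
$ecpUrl    = "$base/wstrust/sts/active12"               # active (ECP) endpoint (shared)
$logouturl = "$base/jsp/o365wsfedlogout.jsp"            # sign-out endpoint (shared)
$mex       = "$base/wstrust/sts/mex"                    # metadata exchange endpoint (shared)
$certPath  = "C:\local\netiq-off365-sign.cer"           # assumed path; must be .cer, not .crt
$cert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$certData  = [System.Convert]::ToBase64String($cert.RawData)

# Assumed list of additional parent domains; each gets an Issuer URI carrying its own UPN suffix.
$domains = @("namnetiq.in", "support.in")
foreach ($dom in $domains) {
    $uri = "https://$dom/nidp/wsfed/"
    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated `
        -PassiveLogOnUri $url -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -MetadataExchangeUri $mex `
        -IssuerUri $uri -SigningCertificate $certData

    # Read back the stored settings: the Issuer URI must match the domain's UPN suffix and the
    # signing certificate must be the one Access Manager signs tokens with.
    $fs = Get-MsolDomainFederationSettings -DomainName $dom
    if ($fs.IssuerUri -ne $uri) {
        Write-Warning "${dom}: IssuerUri is '$($fs.IssuerUri)', expected '$uri'"
    }
    $storedBytes = [System.Convert]::FromBase64String($fs.SigningCertificate)
    $stored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$storedBytes)
    if ($stored.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "${dom}: stored signing certificate thumbprint $($stored.Thumbprint) differs from $($cert.Thumbprint)"
    } else {
        Write-Host "${dom}: federated with IssuerUri=$($fs.IssuerUri), signing certificate $($stored.Thumbprint)"
    }
}
```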
Consider a scenario where you already have users in namtest.com and namnetiq.in, and you now need to create a child domain support.namnetiq.in under namnetiq.in. In this case, no federation settings exist in Office 365 for the child domain; the federation settings of the parent domain are used. It is therefore important that the Issuer URI is not automatically derived from the User Principal Name of the user; it must be set to the parent domain Issuer URI. For the child domain support.namnetiq.in, the Issuer URI is https://namnetiq.in/nidp/wsfed/.
Click Devices > Identity Servers > Edit > Options > New.
Property Type | Property Value
---|---
STS CHANGE ISSUER | Specify the value in this format: SPentityID:UPNDomain -> new IssuerID. The values of SPentityID:UPNDomain are case-sensitive. For example: urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/. If there are multiple child domains, add an entry for the parent domain and for each child domain, separated by commas. For example, if namnetiq.in is the parent domain and support.namnetiq.in and engineering.namnetiq.in are the child domains, specify the following entries: urn:federation:MicrosoftOnline:namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:engineering.namnetiq.in -> https://namnetiq.in/nidp/wsfed/
STS OFFICE365 MULTI DOMAIN SUPPORT AUTO | Select false. This ensures that the Issuer URI is formed based on the UPN of the parent domain.
Click OK > Apply.
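The following PowerShell functions are an added example, not Access Manager code: one builds the STS CHANGE ISSUER value for a parent domain and its child domains in the format described above, and the other resolves a sample UPN against that value with an exact, case-sensitive match, which is how the property's keys are described. How Access Manager itself parses the property is not shown on this page; the resolver only illustrates the case-sensitivity caveat and returns $null when no entry matches.

```powershell
# Added example: build and check an STS CHANGE ISSUER value (illustration, not product code).
function New-StsChangeIssuerValue {
    param([string]$ParentDomain, [string[]]$ChildDomains)
    $issuer = "https://$ParentDomain/nidp/wsfed/"      # every entry maps to the parent Issuer URI
    $entries = @($ParentDomain) + $ChildDomains | ForEach-Object {
        "urn:federation:MicrosoftOnline:$_ -> $issuer"
    }
    return ($entries -join ", ")
}

function Resolve-IssuerUri {
    param([string]$PropertyValue, [string]$Upn)
    $upnDomain = $Upn.Split("@")[1]
    $key = "urn:federation:MicrosoftOnline:$upnDomain"
    foreach ($entry in $PropertyValue.Split(",")) {
        $lhs, $rhs = $entry.Trim() -split ' -> ', 2
        # Ordinal comparison: the SPentityID:UPNDomain part is case-sensitive, so a UPN whose
        # domain differs only in case from the configured entry does not match.
        if ([string]::Equals($lhs, $key, [System.StringComparison]::Ordinal)) { return $rhs }
    }
    return $null                                         # no configured mapping for this UPN domain
}

$value = New-StsChangeIssuerValue -ParentDomain "namnetiq.in" `
    -ChildDomains @("support.namnetiq.in", "engineering.namnetiq.in")
Write-Host "Property value: $value"
Resolve-IssuerUri $value "alice@support.namnetiq.in"     # https://namnetiq.in/nidp/wsfed/
Resolve-IssuerUri $value "bob@Support.namnetiq.in"       # $null: case differs from the configured entry
```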