Office 365 configuration sso

@troeder thanks for the reply… isn't it the UCS wizard that marks the domain as federated? Since the primary domain is primary, I can't run the wizard against that domain, so I cannot make it federated…

No, that is something that must be done in the Azure Portal. See linked articles.

@troeder sorry for asking again… but Azure AD Connect is a Windows Server app…

Does this app need to run only once to federate the domain and then be uninstalled, or must it always be running?

I don't have any Windows Server in production…

No application is needed. The configuration change to make a domain federated can be done in the web browser. Please read the linked documentation.

@troeder thanks for the help.

I have already read all the links and only see references to Azure AD Connect (which is a Windows app); in the Azure web portal, in the domain that I want to move to federated, I have a link that downloads the same app.


@troeder is there any way (a variable, for instance) to change the SMTP address for the user? I don't have the mail module in UCS

I removed the second domain

So in Azure I have domain.com and onmicrosoft.com, made this one the primary,
ran the wizard using domain.com,
the wizard went ok and domain.com was federated.
I cannot make domain.com the primary…

More feedback

Using domain.com as federated and using the Microsoft domain as primary I can't log in directly via the SMTP server (for instance printers' copy-to-mail returns an authentication error, because the user is something@domain.com).
When logging in to portal.office.com with something@domain.com I get forwarded to the UCS local page to log in again.

So, I guess to solve my situation I need to federate externaldomain.com, plus some magic so that when I create the user in UCS the mail address can be @domain.com; otherwise I must go to the Office portal and change the SMTP address for each created user… As it is, after creating the user, even if I set "Primary e-mail address" in the UCS advanced create mode, the user is created in Office 365 with externaldomain.com

Another problem with this is that old users (created in Office 365) don't sync with the UCS directory; instead, new users are created…

Can anyone tell me which script creates the user in the Office portal after the user is created in the AD?

For instance, can we create a variable for the other verified domains that exist in Office 365 and choose one of those domains for the user creation?

The reason is that no password is ever synchronized from UCS to Azure. If you need to log in to an Office 365/Azure account with username+password you'll have to set the password in the Azure portal.

UCS does not know about existing Office 365/Azure users. It is a bit of a complicated process to connect those to UCS users.

Yes - that is a single sign-on (SSO) feature using SAML. All authentication is done by the UCS server; your UCS password never reaches Microsoft's servers. Your client must be able to resolve ucs-sso.domain.com to your UCS server's IP address.

The problem here is that my printers have old O365 users configured (for instance noreply@domain.com) so users could scan to mail directly from the printer; using domain.com as federated the printer cannot authenticate (even though the printer can resolve ucs-sso).

I think I'm able to manage that by setting the immutableId in Azure (tricky… but I tested with one user and it succeeded, maybe lucky… don't know).

Yep, the problem is with the old users that already exist in O365 and the matching (because in my case those users already exist in UCS too, but the connector doesn't match them; instead it creates new ones).

About this… what I have done, and it is working, is to edit the azure_handler.py file

nano /usr/share/pyshared/univention/office365/azure_handler.py
Search for def create_user and I put

attributes["userPrincipalName"] = attributes["userPrincipalName"].replace('@FEDERATEDDOMAIN','@WANTEDDOMAIN')

With that I'm able to create the Office user with the desired domain instead of the federated one.

Use at your own risk… I've been using it for the past 6 months and everything is ok. If you make this change, keep in mind to check whether the script changed when the O365 connector is updated; normally it will.
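Added example, not code from the thread or from the Univention Office 365 connector: the same UPN domain rewrite as the one-line patch above, but matching the whole domain part case-insensitively and refusing to move a user into a domain that is not verified in the tenant. The function names, the FEDERATED_DOMAIN/WANTED_DOMAIN values, the VERIFIED_DOMAINS set and the shape of the attribute dict are assumptions.

```python
# Added example (assumed names/values), not the connector's own code.
FEDERATED_DOMAIN = "federated.example"   # assumed, stands in for FEDERATEDDOMAIN
WANTED_DOMAIN = "wanted.example"         # assumed, stands in for WANTEDDOMAIN
# Only domains verified in the Azure tenant may be used for a UPN; a user
# created in an unverified domain is rejected or ends up where you did not
# intend. Constructed sample set, not a real tenant.
VERIFIED_DOMAINS = {"federated.example", "wanted.example",
                    "tenant.onmicrosoft.com"}


def rewrite_upn(upn, from_domain=FEDERATED_DOMAIN, to_domain=WANTED_DOMAIN,
                verified=VERIFIED_DOMAINS):
    """Return upn with its domain part swapped from from_domain to to_domain.

    Unlike a plain str.replace() this matches the whole domain part only,
    compares case-insensitively (so 'User@Federated.Example' is not silently
    left in the federated domain), and checks the target is verified.
    """
    if to_domain.lower() not in set(d.lower() for d in verified):
        raise ValueError("target domain %r is not a verified domain" % to_domain)
    local, sep, domain = upn.rpartition("@")
    if not sep or not local:
        raise ValueError("not a user principal name: %r" % upn)
    if domain.lower() != from_domain.lower():
        return upn  # UPNs in other domains are left untouched
    return "%s@%s" % (local, to_domain)


def rewrite_user_attributes(attributes):
    """Apply the rewrite to a create_user()-style attribute dict (shape
    assumed); this is the hook point the thread's one-line patch uses."""
    attrs = dict(attributes)  # do not mutate the caller's dict
    if "userPrincipalName" in attrs:
        attrs["userPrincipalName"] = rewrite_upn(attrs["userPrincipalName"])
    return attrs


if __name__ == "__main__":
    # Constructed sample attributes, as create_user() might receive them.
    sample = {"displayName": "Scan User",
              "userPrincipalName": "Scan.User@Federated.Example"}
    print(rewrite_user_attributes(sample)["userPrincipalName"])
    # -> Scan.User@wanted.example
```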
