How to configure Office 365 and Microsoft AD FS with CloudGuard SaaS Authentication Service
Solution

This article describes how to configure CloudGuard SaaS to work with Microsoft AD FS as an Identity Provider and Microsoft Office 365. After you complete the configuration, all login requests to Office 365 will go through CloudGuard SaaS Authentication Service.

Table of Contents:

  • Important Notes
  • Prerequisites
  • Procedure
    • Add and Configure AD FS as an Identity Provider
    • Configure Office 365 to use CloudGuard SaaS Authentication Service as an Identity Provider
  • Troubleshooting Connectivity Issues
  • How to revert Office 365 Identity Federation to AD FS

Important Notes

  • This procedure will impact all Office 365 users in your domain; it cannot be done only for specific user groups.
  • The change of Identity Provider for Office 365 might take up to 2 hours to propagate to all Microsoft data centers. Plan the change window, and any rollback, with this delay in mind.
  • If you are using the Check Point MFA Adapter plugin on AD FS (see sk123143), the procedure will indicate when it is necessary to deactivate the plugin. 
  • Besides the configuration described in this article, you need to associate Microsoft Office 365 to CloudGuard SaaS in order to synchronize your users. This is done under Identity Protection\Configuration\SaaS Applications. Please consult the Identity Protection Admin Guide, section Getting Started - Initial Configuration, for more details.

Prerequisites

  1. Machine with PowerShell running on one of the following 64-bit versions of Windows: Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1.
  2. Microsoft Azure Active Directory Module for Windows PowerShell: The presence of the module is verified automatically by the script run during the Office 365 configuration below. If the module is missing, the script will provide instructions for its installation.
  3. Administrator access to AD FS and Office 365
  4. Modern Authentication: Modern Authentication is Microsoft's OAuth2-based authentication. It is required by Microsoft in order to use features like Multi-Factor Authentication (MFA) or a SAML-based third-party Identity Provider.

    The CloudGuard SaaS Authentication Service acts as a third-party SAML-based Identity Provider with regards to the cloud application; therefore, Microsoft applications need to support Modern Authentication and have it enabled to be compatible with the system. Please note that some email clients do not support Modern Authentication and therefore will not work after the deployment of the CloudGuard SaaS Authentication Service. Microsoft publishes a statement about Modern Authentication support in its email clients. Some known clients that do not support Modern Authentication are the Samsung native email app (Samsung Email) and the macOS Mail app.

    In order to check whether this authentication is enabled for your Office 365 account, connect to Exchange Online using PowerShell (see Connect to Exchange Online PowerShell instructions) and check that the Modern Authentication flag (the OAuth2ClientProfileEnabled organization setting) is enabled. If it is not enabled, follow the instructions to enable it (see Enable or disable modern authentication in Exchange Online instructions). Additionally, for Outlook 2013 clients running on Windows devices, specific registry keys need to be set as described in the Microsoft documentation.

    In addition, Microsoft instructs users to synchronize the state of Modern Authentication in Exchange Online with Skype for Business Online to prevent multiple login prompts in Skype for Business clients. See Skype for Business Online: Enable your tenant for modern authentication.

    Please note that a workaround may be possible using App passwords. See Manage app passwords for two-step verification related Microsoft documentation.
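As an added example that is not part of the original article, the following PowerShell performs the Modern Authentication checks described in the prerequisites: it reads and, if needed, enables the Exchange Online organization flag, and sets the Outlook 2013 registry values on a Windows client. It assumes the ExchangeOnlineManagement module is installed; the tenant admin account name is a placeholder. The Skype for Business Online synchronization step is not shown.

```powershell
# Added example (not from the Check Point article): verify and enable Modern Authentication
# in Exchange Online, then set the Outlook 2013 registry keys on a Windows client.
# Assumes: Install-Module ExchangeOnlineManagement has been run; admin UPN is a placeholder.

function Test-ModernAuthEnabled {
    # Returns $true when OAuth2 (Modern Authentication) is enabled for the tenant.
    $cfg = Get-OrganizationConfig
    return [bool]$cfg.OAuth2ClientProfileEnabled
}

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder tenant

if (-not (Test-ModernAuthEnabled)) {
    Write-Warning 'Modern Authentication is disabled; enabling it (applies to new client sessions).'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
# Re-read the setting after the change so the final state is visible in the transcript.
Get-OrganizationConfig | Select-Object -ExpandProperty OAuth2ClientProfileEnabled

# Outlook 2013 (Office 15.0) on Windows only uses Modern Authentication (ADAL) when these
# per-user values exist. Run in the context of each affected user.
$key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'EnableADAL' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $key -Name 'Version'    -Value 1 -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $key | Select-Object EnableADAL, Version
```

Run the Exchange Online part once per tenant with an account that holds the Organization Management role; the registry part must be applied on every Windows machine running Outlook 2013, for example through Group Policy Preferences.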

Procedure

Add and Configure AD FS as an Identity Provider

  1. Log into the CloudGuard SaaS portal and go to Configuration under the Identity Protection module. Under the Identity Providers tab, click on Add Identity Provider.


  2. In the wizard that opens, select Microsoft Active Directory Federation Services and click Next.


  3. Enter your domain name and make sure the integration method chosen is Authentication service. Click Next.


  4. Copy the Entity ID and the Reply URL to a text file and save them for later. Click Next.


  5. Upload your AD FS metadata xml file. The federation service usually publishes it at a static URL similar to: https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml
  6. Click Next.

  7. Open the AD FS Management Tool of your primary AD FS server and add CloudGuard SaaS as a Relying Party Trust. 

    Refer to sk123142 for step-by-step instructions on how to add a Relying Party Trust in AD FS with the following modifications:

    • For Windows Server 2012 R2
      • In step # 6, use the name: CGS Authentication Service for the Relying Party Trust.
      • In step # 9, select the Enable support for the SAML 2.0 WebSSO protocol checkbox. Enter the Reply URL copied from the CloudGuard SaaS portal in the Service URL field.
      • In step # 10, for Relying party trust identifier enter the Entity ID copied from the CloudGuard SaaS portal.
      • After step # 17, add an additional claim. Choose Custom rule for Claim rule template. Give a name to the rule, for example Check Point Custom Rule. In the free text zone, copy and paste the following:

        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    • For Windows Server 2016
      • In step # 6, use the name CGS Authentication Service for the Relying Party Trust.
      • In step # 8, select the Enable support for the SAML 2.0 WebSSO protocol checkbox. Enter the Reply URL copied from CloudGuard SaaS portal in the Service URL field.
      • In step # 9, for Relying party trust identifier enter the Entity ID copied from the CloudGuard SaaS portal.
      • After step # 16, add an additional claim. Choose Custom rule for Claim rule template. Give a name to the rule, for example Check Point Custom Rule. In the free text zone, copy and paste the following:

        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

  8. Back in the CloudGuard SaaS wizard, click the CONNECT button. This opens an AD FS login form in which you will be prompted to enter your email address and password. After validation, you should see a Login Success message.
  9. Troubleshooting:

    If an error is displayed before the credential validation stage, check the AD FS logs under Event Viewer\Applications and Services Logs\AD FS\Admin.

    If an error is displayed after the credential validation stage, the screen should indicate the nature of the error. If there are no such details, contact Check Point Support after verifying that the previous configuration steps were followed accurately.

  10. Click Finish to save your Identity Provider configuration and close the wizard.
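The Relying Party Trust from step 7 can also be created from PowerShell on the primary AD FS server. The block below is an added example, not code from the article or from sk123142: it registers the trust with the Entity ID as identifier, the Reply URL as the SAML 2.0 assertion consumer endpoint, the ImmutableID custom rule quoted above, and the wizard's default "permit all users" authorization rule, then reads the trust back to verify it. The $entityId and $replyUrl values are placeholders for the values copied in step 4; any other claim rules required by sk123142 are not shown and must still be added.

```powershell
# Added example (not from the article or sk123142): create the "CGS Authentication Service"
# Relying Party Trust from PowerShell. Requires the ADFS module (Windows Server 2012 R2 or later)
# and must run on the primary AD FS server as an AD FS administrator.
Import-Module ADFS

$entityId = 'https://example.invalid/entity-id'   # placeholder: Entity ID from the CloudGuard SaaS portal
$replyUrl = 'https://example.invalid/reply-url'   # placeholder: Reply URL from the CloudGuard SaaS portal
$rpName   = 'CGS Authentication Service'

# Issuance transform rules: the ImmutableID custom rule from step 7, verbatim.
# Single-quoted here-string so PowerShell leaves ${user} and the backslashes untouched.
$transformRules = @'
@RuleName = "Check Point Custom Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
'@

# Issuance authorization rule: equivalent of the wizard's "Permit all users" choice.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 WebSSO: the Reply URL is the assertion consumer service (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $replyUrl -Index 0

if (Get-AdfsRelyingPartyTrust -Name $rpName) {
    throw "A relying party trust named '$rpName' already exists; edit or remove it first."
}

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $entityId -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Verify what AD FS actually stored: identifier, SAML endpoint and the ImmutableID rule.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.Identifier
$rp.SamlEndpoints | Format-List
if ($rp.IssuanceTransformRules -notmatch 'ImmutableID') { throw 'ImmutableID claim rule is missing' }
```

The objectGUID returned by this rule is binary and is emitted base64-encoded, which is the form Office 365 stores as the user's ImmutableID; if the CONNECT test in the wizard fails after credential validation, compare the value in the SAML assertion with the ImmutableID of the same user in Azure AD.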

Configure Office 365 to use CloudGuard SaaS Authentication Service as an Identity Provider

  1. In the CloudGuard SaaS portal, navigate to Configuration under Identity Protection. In the box corresponding to the AD FS Identity Provider you just configured, click on Click to add SaaS.

  2. In the wizard that opens, select Office 365 and click Next.


  3. Entity ID and Reply URL are pre-filled. Do not edit them. Click Next.
  4. Download the certificate and click Finish to save and close the wizard.


  5. Download the script zip file linked from this article.
  6. Extract the zip file to a folder. In that same folder, paste the certificate downloaded from the portal in the previous step.

  7. Open Windows PowerShell, run as administrator, and navigate to the path of the extracted folder.
  8. Execute the following command in order to bypass the script execution policy for the current PowerShell session only:

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  9. IMPORTANT! If you have the Check Point MFA Adapter plugin installed and enabled on your AD FS, refer to sk123143, section "Uninstall," to deactivate the plugin before continuing this procedure.
  10. Before continuing to the next step, make sure that you are familiar with the commands to revert the changes if necessary (i.e., configure Office 365 to directly use Microsoft AD FS as an Identity Provider). See the section "How to revert Office 365 Identity Federation to AD FS" below, or the Microsoft documentation section "Configure Federation Trust with Office 365".

  11. Run the PowerShell script you downloaded in step # 5:

    .\office365_auth_service_sso.ps1 -domain <domain_name> -entity <entity_id>

    You will be prompted to log into Office 365 with global administrator credentials.

    <domain_name> is the domain entered in step # 3 of the section "Add and Configure AD FS as an Identity Provider". <entity_id> is the Entity ID URL copied in step # 4 of that section; you can also find it by clicking Edit on your Identity Provider in the CloudGuard SaaS portal.

    After executing this script, Office 365 will be configured to use CloudGuard SaaS Authentication Service as an Identity Provider for all users.

  12. You have completed the configuration. All login requests to Office 365 will now go through CloudGuard SaaS Authentication Service. Login events will be shown in the CloudGuard SaaS portal under Identity Protection\Events.
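Because the change applies to every user in the domain and can take up to 2 hours to propagate, it is worth recording the current federation settings before office365_auth_service_sso.ps1 runs and confirming the result afterwards. The following PowerShell is an added example, not the article's script: it exports the existing AD FS federation settings for rollback, then checks that the domain is federated and that its IssuerUri matches the Entity ID. It assumes the MSOnline module, global administrator credentials, and that the script sets the federation IssuerUri to the value passed with -entity; the domain and Entity ID are placeholders.

```powershell
# Added example (not the article's script): snapshot federation settings before the change,
# then verify that the domain now federates to the CloudGuard SaaS Authentication Service.
# Assumes: Install-Module MSOnline; a global administrator account; the script sets IssuerUri
# to the Entity ID passed via -entity (assumption, not stated by the article).
Import-Module MSOnline
Connect-MsolService

$domain   = 'contoso.com'                         # placeholder
$entityId = 'https://example.invalid/entity-id'   # placeholder: Entity ID from the portal

# 1. Before running office365_auth_service_sso.ps1: keep the AD FS settings needed for a revert.
$snapshot = ".\federation-$domain-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"
Get-MsolDomainFederationSettings -DomainName $domain | Export-Clixml -Path $snapshot
Write-Host "Saved current federation settings to $snapshot"

# 2. After the script has finished: check what Office 365 now believes about the domain.
function Test-CloudGuardFederation {
    param([string]$DomainName, [string]$ExpectedIssuer)
    $d = Get-MsolDomain -DomainName $DomainName
    if ($d.Authentication -ne 'Federated') { return $false }
    $fs = Get-MsolDomainFederationSettings -DomainName $DomainName
    return ($fs.IssuerUri -eq $ExpectedIssuer)
}

if (Test-CloudGuardFederation -DomainName $domain -ExpectedIssuer $entityId) {
    "OK: $domain is federated to issuer $entityId"
} else {
    Get-MsolDomainFederationSettings -DomainName $domain |
        Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, PreferredAuthenticationProtocol
    throw "$domain is not federated to the expected issuer; review the output above before users are affected"
}
```

Keep the exported .xml with the change record: it holds the AD FS signing certificate and endpoint URIs, so it both documents the pre-change state and lets you confirm that a later revert restored exactly those values.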

 

Troubleshooting Connectivity Issues

  1. ADFS event viewer admin logs:
    1. Open the Event Viewer.
    2. Expand Applications and Services Logs.
    3. Expand AD FS.
    4. Click on Admin.
    5. Choose all events from the moment you enabled CloudGuard SaaS Authentication until the moment you did a rollback of the configuration (if you did any).
    6. Click on Save Selected Events… from the right pane and save to file.
    7. Attach the event file to your support ticket.


  2. For as many users as possible who have connectivity issues, indicate the following:
    1. Device type (mobile/tablet/desktop)
    2. For mobile/tablet: Device Model (e.g. Samsung Galaxy S9, iPhone X,etc.)
    3. OS version (e.g., Windows 7 32 bit, iOS 12, Android 8.0.0, etc.)
    4. Are you using native mail client or the Microsoft Outlook application? If Outlook, provide the version, as well (Outlook 2010/2013/2016)
    5. What is the user experience (e.g., error message content/endless retries/etc.)?
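The AD FS Admin log for the relevant window can be collected without clicking through Event Viewer. The block below is an added example, not part of the article: it exports the events between the time CloudGuard SaaS Authentication was enabled and the time of the rollback (or now) to an .evtx file that can be attached to the support ticket, and prints a quick error/warning summary so you can see whether the window actually contains failures. Run it in an elevated PowerShell on the AD FS server; the two timestamps and the output path are placeholders.

```powershell
# Added example (not from the article): export the AD FS Admin log for a time window as .evtx
# and summarize it. Run elevated on the AD FS server. Times and output path are placeholders.
$start = Get-Date '2019-01-15 09:00'   # when CloudGuard SaaS Authentication was enabled
$end   = Get-Date '2019-01-15 11:30'   # when the configuration was rolled back (or Get-Date if no rollback)
$out   = "$env:USERPROFILE\Desktop\adfs-admin-$($start.ToString('yyyyMMdd-HHmm')).evtx"

# Event log timestamps are stored in UTC, so the XPath filter must use UTC as well.
$fmt   = 'yyyy-MM-ddTHH:mm:ss.000Z'
$from  = $start.ToUniversalTime().ToString($fmt)
$to    = $end.ToUniversalTime().ToString($fmt)
$query = "*[System[TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']]]"

# wevtutil epl keeps the native .evtx format, which support can open directly in Event Viewer.
wevtutil epl 'AD FS/Admin' $out "/q:$query" /ow:true
Write-Host "Exported AD FS/Admin events from $from to $to into $out"

# Quick look before sending: counts and the most frequent event IDs in the window.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue)
$errors   = @($events | Where-Object { $_.Level -eq 2 })   # Level 2 = Error
$warnings = @($events | Where-Object { $_.Level -eq 3 })   # Level 3 = Warning
"{0} events, {1} errors, {2} warnings" -f $events.Count, $errors.Count, $warnings.Count
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

If the AD FS farm has several servers, repeat the export on each one (or on the server behind the failing request, if the load balancer logs identify it), since each server keeps its own Admin log.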

How to revert Office 365 Identity Federation to AD FS

  1. Open PowerShell on your local AD FS machine with admin privileges (choose Run As Administrator).

  2. Enter the following command: Connect-MsolService. If you get an error that the command is not found, enter Install-Module -Name MSOnline and follow the instructions provided.

  3. You will be prompted to log into Office 365 with global administrator credentials (username should end with @<domain>.onmicrosoft.com).

  4. Enter: Get-MsolFederationProperty -DomainName <domain>.

  5. Make sure you see an output which contains your AD FS server name (e.g., adfs.<domain>.com)

  6. Enter: Set-MsolDomainAuthentication -DomainName <domain> -Authentication managed

  7. Enter: Convert-MsolDomainToFederated -DomainName <domain>

  8. Enter: Get-MsolDomainFederationSettings -DomainName <domain>

  9. Verify that the ActiveLogOnUri attribute is now pointing to your AD FS server name.

  10. After executing these commands, Office 365 will be configured to use AD FS as an Identity Provider for all users.
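The revert above ends with a manual check of ActiveLogOnUri. The following PowerShell is an added example, not part of the article: it runs the same two cmdlets and then fails loudly unless both the active and passive logon URIs point at your AD FS host, which is the condition step 9 asks you to verify by eye. It assumes the MSOnline module and that it runs on the AD FS server (Convert-MsolDomainToFederated talks to the local federation service by default; from another machine, run Set-MsolADFSContext -Computer <adfs host> first). The domain and AD FS host name are placeholders.

```powershell
# Added example (not from the article): revert the domain to AD FS federation and verify it.
# Assumes: Install-Module MSOnline; running elevated on the AD FS server (otherwise run
# Set-MsolADFSContext -Computer <adfs host> before Convert-MsolDomainToFederated).
Import-Module MSOnline
Connect-MsolService

$domain   = 'contoso.com'         # placeholder
$adfsHost = 'adfs.contoso.com'    # placeholder: federation service name of your AD FS farm

# Step 6 and step 7 of the revert procedure.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
Convert-MsolDomainToFederated -DomainName $domain

function Test-AdfsFederation {
    param([string]$DomainName, [string]$AdfsHost)
    $fs = Get-MsolDomainFederationSettings -DomainName $DomainName
    # After a successful revert both endpoints live on the AD FS host, e.g.
    # https://adfs.contoso.com/adfs/services/trust/2005/usernamemixed and https://adfs.contoso.com/adfs/ls/
    $active  = [Uri]$fs.ActiveLogOnUri
    $passive = [Uri]$fs.PassiveLogOnUri
    return (($active.Host -ieq $AdfsHost) -and ($passive.Host -ieq $AdfsHost))
}

if (-not (Test-AdfsFederation -DomainName $domain -AdfsHost $adfsHost)) {
    Get-MsolDomainFederationSettings -DomainName $domain | Format-List ActiveLogOnUri, PassiveLogOnUri, IssuerUri
    throw "Federation settings for $domain do not point at $adfsHost"
}
"OK: $domain federates to AD FS at $adfsHost again (allow up to 2 hours for propagation)"
```

Test an actual sign-in from a client after the check passes; the cmdlet output reflects what the Office 365 configuration service holds, while user logins may still hit data centers that have not received the change.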

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
