Single Sign On for SharePoint Online 365

  • Question

  • Hello,

    Currently, when our users sign in to their computers and click on Internet Explorer, it opens a SharePoint website. They do not have to login to the site. We are getting ready to migrate to the 2013 and want to move to 365 vs On Premise. We want the user to have this same experience, where they log into their machine, open the browser and the Website opens. I have researched Azure Active Directory and synching, but all of the examples show the user going to an Azure portal where they can login and access all apps. Can anyone tell me if it is possible to authenticate the SharePoint Online 365 site without logging into a portal?

    Thanks.


    LoEnglish

    Monday, March 7, 2016 5:53 PM

All replies

  • You would need to set up Azure Active Directory Connect to sync your Active Directory users to Office 365 (Azure AD).  Then you must configure your Office 365 domain as a trusted ADFS domain by installing and configuring ADFS.  This will allow you to set up single sign-on for on-premises users.

    An example to set it up is http://blogs.technet.com/b/canitpro/archive/2013/06/13/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365.aspx

    http://blogs.technet.com/b/danielkenyon-smith/archive/2011/05/11/adding-and-verifying-a-federated-domain.aspx


    Jerry Yasir - Office Server & Services MVP/MCT Hewlett Packard Enterprise - If this reply helped you resolve your issue, please propose as answer. It may help other community members. Thanks!

    Monday, March 7, 2016 6:11 PM
  • Thank you Jerry for your quick response. These links take me about 80% there. The part that I need to know is if I can bypass the Office 365 login page altogether. For example, the default home page for our browsers is set to our SharePoint site, i.e. under Internet Options the home page is set to ourshareport.net

    So when I open the browser it goes there. I don't want it to have to go to the Office Online login. I see where I add the site to the Intranet Trusted Sites, but I still need to enter the login without the password.

    Thanks again.


    LoEnglish

    Monday, March 7, 2016 6:51 PM
  • As far as I know, the end user has to do it once.  Office 365 is a multi-customer environment, so you must type the login name for Office 365/ADFS to resolve and create the token. The same token will be used for all subsequent requests.  We have this configuration for all the O365 customers we have.

    Jerry Yasir - Office Server & Services MVP/MCT Hewlett Packard Enterprise - If this reply helped you resolve your issue, please propose as answer. It may help other community members. Thanks!

    Monday, March 7, 2016 8:41 PM
  • Thanks for your response. I am just trying to grasp this.

    Once or once every time they open the browser (SharePoint site)?


    LoEnglish

    Monday, March 7, 2016 8:43 PM
  • Once only. 

    After the computer reboots or logs off, the account will be saved in the Microsoft Online accounts list. Next time they can simply click on the account name and SSO will happen automatically.


    Jerry Yasir - Office Server & Services MVP/MCT Hewlett Packard Enterprise - If this reply helped you resolve your issue, please propose as answer. It may help other community members. Thanks!

    • Marked as answer by LoEnglish Monday, March 7, 2016 8:49 PM
    • Unmarked as answer by LoEnglish Wednesday, March 9, 2016 1:29 PM
    Monday, March 7, 2016 8:48 PM
  • Ok. Thank you!


    LoEnglish

    • Marked as answer by LoEnglish Monday, March 7, 2016 8:49 PM
    • Unmarked as answer by LoEnglish Monday, March 7, 2016 8:49 PM
    Monday, March 7, 2016 8:49 PM
  • As of today, to the best of my knowledge, there is no way to bypass login.microsoftonline.com if you open IE and go directly to mydomain.sharepoint.com. On the other hand, you can configure a vanity URL, let's say sharepoint.mydomain.com, and have your IIS do an HTTP redirect (302) to Smart Links; it will work and go straight to your SharePoint root. BUT there is still an issue with the Outlook thick client, as follows: assume SSO has been configured in your organization, and a user with the Outlook client receives an email with a shared document or a URL to your SharePoint Online like http://mydomain.sharepoint.com/bla/bla/bla. If this user has never logged in or authenticated to Office 365, then when the user clicks on the link, he/she will be redirected to login.microsoftonline.com again, which then redirects to your ADFS. At this point, if SSO is enabled, the user will be logged in without being prompted for a password. I spent hours with Office 365 Support and also opened a case with Premier, but they don't know what I am talking about! I have an intranet site with many links pointing to docs in SharePoint Online; without having authenticated once and having the STS/cookies generated, the user will be presented with a pointless login page as mentioned above. Hope there is a solution to this soon - or MS can redirect directly to our ADFS server from the link mydomain.sharepoint.com
    • Marked as answer by LoEnglish Wednesday, March 9, 2016 1:28 PM
    Wednesday, March 9, 2016 8:48 AM
  • Once you have AD FS configured, you can then use a "Smart Link" to bypass the Office 365 login page. The smart link will effectively direct your users to AD FS first where they get an authentication token, and then redirect them to your SharePoint Online portal where they will be authenticated automatically.

    From the user's perspective this is transparent; they just open the browser and after a second or two end up on your SharePoint page fully authenticated. Tech-savvy users will see the URLs in the address bar change as they are redirected, but that's about it.

    A good set of instructions for setting up the smart link are here: https://community.office365.com/en-us/w/sso/358-using-smart-links-or-idp-initiated-authentication-with-office-365.

    One suggestion I'd make though is that this only bypasses authentication when the smart link is used. If users bookmark or email each other links to specific SharePoint pages, they could still hit the Office 365 login page, so you do still need to provide instruction on how to log in to your users.

    • Marked as answer by LoEnglish Wednesday, March 9, 2016 1:28 PM
    Wednesday, March 9, 2016 9:23 AM
  • Thanks for the follow up answers. I will do some research on Smart Link.

    LoEnglish

    Wednesday, March 9, 2016 1:28 PM
  • Not sure why http://outlook.com/mydomain.com can bypass the pointless page login.microsoftonline.com but not from http://mydomain.sharepoint.com.

    Perhaps when the user clicks on the link, it doesn't know whether the user is coming from internal or external.  I looked at the PowerShell for "Set-SPOTenant -SignInAccelerationDomain", but somehow the parameter is not available for my tenant, and I am waiting for the back end to upgrade my tenant PowerShell so I can test it out.

    Anyway, you're not alone in having this issue, and I am sure many organizations out there have it too - but why doesn't Microsoft have a fix, or just tell us that it is not possible to implement it, so that we don't have to look around and bang our heads against a brick wall.

    Saturday, March 12, 2016 3:57 AM
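
The `Set-SPOTenant -SignInAccelerationDomain` setting mentioned in the post above, as an added example that is not part of the original thread: it checks that the installed SharePoint Online module exposes the parameter, applies it, and reads the result back. The admin URL `https://mydomain-admin.sharepoint.com` and the domain `mydomain.com` are assumptions built from the thread's placeholder names.

```powershell
# Added example, not from the thread. Both values below are assumptions
# derived from the placeholder names used in the posts.
$AdminUrl        = 'https://mydomain-admin.sharepoint.com'  # tenant admin site
$FederatedDomain = 'mydomain.com'                           # domain federated with AD FS

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

# Confirm the installed module's Set-SPOTenant has the parameter before
# connecting, so a missing parameter is reported clearly.
$cmd = Get-Command Set-SPOTenant -ErrorAction Stop
if (-not $cmd.Parameters.ContainsKey('SignInAccelerationDomain')) {
    $ver = (Get-Module Microsoft.Online.SharePoint.PowerShell).Version
    throw "Set-SPOTenant (module $ver) has no -SignInAccelerationDomain parameter."
}

# Prompts for a SharePoint Online administrator credential.
Connect-SPOService -Url $AdminUrl

# Record the current value so the change can be reviewed or reverted.
$before = (Get-SPOTenant).SignInAccelerationDomain
Write-Host "SignInAccelerationDomain before change: '$before'"

# Send unauthenticated requests for the tenant straight to this domain's
# identity provider instead of the Office 365 account-picker page.
Set-SPOTenant -SignInAccelerationDomain $FederatedDomain

# Read the setting back, together with the guest-acceleration flag that
# controls whether externally shared sites are accelerated as well.
$after = Get-SPOTenant |
    Select-Object SignInAccelerationDomain, EnableGuestSignInAcceleration
$after | Format-List

if ($after.SignInAccelerationDomain -ne $FederatedDomain) {
    Write-Warning 'Setting did not apply; check tenant permissions.'
}
```

With acceleration set, every unauthenticated visitor to an accelerated site is sent to that one domain's identity provider, so leave `EnableGuestSignInAcceleration` off unless the identity provider can authenticate guest users, and test an externally shared link after the change.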
  • Same problem here..

    Friday, February 23, 2018 4:45 PM