Configure WS Trust for Office 365


Bitium: All account levels; must be an Admin to set up

Office 365: Business account; must be an Admin to set up

Before you can configure WS Trust for Single Sign On, please make sure you have enabled provisioning for Office 365.

Primary Authentication Scenario: Public facing Active Directory, LDAP, and Jumpcloud support WS Trust for all Office 365 apps. Please contact if you have other primary authentication scenarios.

Before you start:

  1. Please note that the following steps will need to be performed from a Windows host for which you are an Administrator
  2. Also make sure you’ve installed the required software to connect to Office 365 from powershell. Details can be found here:
  3. You cannot federate the default domain in Office 365. You will need change the default domain in Office 365 if this is the domain for which you’d like to turn on federation (N.B. this should not affect your current users).

In Bitium:

  1. Go to “Manage Apps.”

  2. Select “Office 365” from the list of installed apps.

  3. Select the “Single Sign-On” tab.

  4. From the dropdown, select “WS Trust.”

    Select Single Sign-On Provider

  5. Enter Office 365 Federated domain value. This is usually your domain which is same as the domain you use in Bitium.

  6. Copy the Entity ID, Passive Login URL, Active Login URL, Metadata Exchange URL, Logout URL, and download the X.509 certificate from Bitium.

    WS Trust Configuration

  7. Click “save changes.”

    Leave your Bitium window open and continue in a new tab.

In Windows:

  1. Run powershell as administrator

  2. Connect to Office 365 from powershell using the following command: Connect-MsolService

  3. You will be shown a login prompt asking for credentials, enter your Office 365 Admin credentials (e.g.,

    WS Trust Configuration

  4. Set the following variables from powershell:

    $dom = ""                # your domain
    $uri = "Entity_ID"                  # paste the “Entity ID” copied in step 5
    $passiveurl = "Passive_Login_URL"   # paste the “Passive Login URL” copied in step 5
    $activeurl = "Active_Login_URL"     # paste the “Active Login URL” copied in step 5
    $mex = "Metadata_Exchange_URL"      # paste the “Metadata Exchange URL” copied in step 5
    $signOutUrl = "Logout_URL"          # paste the “Logout URL” copied in step 5
    $certfile = "C:\path\to\cert"       # path to downloaded to cert file
    $certificate = [IO.File]::ReadAllText($certFile)
    $certificate = $certificate.replace("-----BEGIN CERTIFICATE-----","")
    $certificate = $certificate.replace("-----END CERTIFICATE-----","")
    $certificate = $certificate.replace("`r","")
    $certificate = $certificate.replace("`n","")
  5. First thing to check is whether the domain is federated by another provider

    Get-MsolDomainFederationSettings -domainname $dom | Format-List *

    If it is, refer to the section below to remove WS Trust SSO, othwerwise proceed with the next step.

  6. Execute the following command to enable the domain to enable Single Sign-on

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $passiveurl -ActiveLogOnUri $activeurl -SigningCertificate $certificate -IssuerUri $uri -LogOffUri $signOutUrl -MetadataExchangeUri $mex
  7. Run the command below to verify, whether values for FederationBrandName, PassiveLogonUri, IssuerUri, and the SigningCertificate have been set correctly. The PreferredAuthenticationProtocol must be set to “WsFed.”

    Get-MsolDomainFederationSettings -domainname $dom | Format-List *

To remove WS Trust SSO

In Bitium:

  1. Navigate to the “Single Sign-On tab.
  2. Change the Single Sign-On Provider to “Credential Sign-In.”
  3. Click “Save Changes.”

In Windows:

  1. Run powershell as administrator

  2. Execute the following commands in powershell

    $dom = # your domain
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed