If your Office 365 account uses Microsoft SharePoint websites, you can achieve smart linking (also known as deep linking) into them through OneLogin.
Begin by creating the Smart Link URL. This involves using an HTTP tracer to capture the web traffic during a sign in to a specific SharePoint site and then removing certain parameters from the URL to make it "generic" for all users in an organization.
Once you understand how to construct a smart link for the target Office 365 service, you can deploy a 302 redirection service on your on-premise web servers. This assumes that you have already set up Single Sign-On (Identity Federation) for Office 365 and have verified that it is working correctly.
Creating a Smart Link
The simplest way to create a smart link is to turn on an HTTP tracing tool and authenticate to the service you want. In the future, Office 365 may provide a service for administrators that automatically constructs the smart link. Until that time, please follow the manual instructions below.
- Open your browser and start your HTTP tracing tool.
- Perform a federated authentication to the service that you want a smart link for by going to the service (like https://portal.microsoftonline.com/) and signing in.
- From the HTTP trace tool, find the last line of data that has your OneLogin address (in the form of https://app.onelogin.com/trust/wsfed2007-06/passive/sso/123456) in the list of URLs.
- Copy and paste the line into your text editor of choice. You should see something similar to the following (using OneLogin and the Office 365 portal as examples):
- Edit the above URL by removing the bolded items: everything up to the "wa" query-string parameter, the last query-string parameter "bk", and the "ct" parameter up to the "ver" parameter. They will appear as shown in your traced URL, and removing them will give you the resulting URL.
- Create a vanity URL for users to reach the Office 365 portal in the most seamless single-sign-on fashion, by following the steps in "Deploying a smart link".
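The editing described in the steps above, as an added Python example that is not part of the original article or of OneLogin's tooling. The traced URL is constructed, and it assumes that "ct" and "bk" sit inside a percent-encoded "wctx" value and that the parameter following "ct" is kept; the second function checks that no user- or session-specific parameter survives in the link you are about to publish.

```python
from urllib.parse import urlsplit, urlunsplit, quote, unquote

# Per-sign-in parameters named in the steps above ("ct" and "bk").
VOLATILE = {"ct", "bk"}


def _drop(pairs, keys):
    """Remove raw 'key=value' pairs whose key is in `keys`."""
    return [p for p in pairs if p.split("=", 1)[0] not in keys]


def make_smart_link(traced_url):
    """Turn a traced WS-Federation sign-in URL into a generic smart link."""
    parts = urlsplit(traced_url)
    pairs = parts.query.split("&")
    keys = [p.split("=", 1)[0] for p in pairs]
    if "wa" not in keys:
        raise ValueError("no 'wa' parameter: not a WS-Federation sign-in URL")
    # Discard everything before "wa" (user name, locale and similar).
    pairs = _drop(pairs[keys.index("wa"):], VOLATILE)
    out = []
    for pair in pairs:
        key, _, value = pair.partition("=")
        if key == "wctx":
            # Assumption: wctx carries a percent-encoded nested query string
            # and that is where "ct" and "bk" sit in the trace.
            inner = _drop(unquote(value).split("&"), VOLATILE)
            value = quote("&".join(inner), safe=":")
        out.append(f"{key}={value}")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(out), ""))


def leftover_user_data(link):
    """Return names of user- or session-specific parameters still present."""
    query = unquote(urlsplit(link).query)
    names = {p.split("=", 1)[0] for p in query.split("&")}
    return sorted(names & (VOLATILE | {"username"}))


# Constructed trace line: account, realm and timestamps are made up.
SAMPLE = (
    "https://app.onelogin.com/trust/wsfed2007-06/passive/sso/123456"
    "?cbcxt=&vv=&username=jane%40acmecorp.com&mkt=&lc=1033"
    "&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    "&wctx=MEST%3D0%26wa%3Dwsignin1.0%26ct%3D1299115248%26rver%3D6.1.6206.0"
    "%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252FDefault.aspx"
    "%26lc%3D1033%26bk%3D1299115248"
)
```

Run `make_smart_link` on your own trace line and confirm `leftover_user_data` returns an empty list before pasting the result into the redirect.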
Deploying a Smart Link
Once you've created your smart link, you'll need to deploy it by creating a vanity URL for your organization's users to use. In the example above we created a smart link for the Office 365 portal (https://portal.microsoftonline.com/). Now we'll create a vanity URL that will redirect to the smart link above.
The vanity URL uses a 301 redirect and the customer's registered or desired domain name, which requires setting up a Windows IIS server.
- Create a new record in your domain registrar (like portal.acmecorp.com) and point this to the IP address of your IIS server that will host your redirection service.
- Create a new web site (portal.acmecorp.com) on your IIS server.
- Create a 302 redirection service and paste the smart link into the target address.
- Test that portal.acmecorp.com resolves to the correct IP address inside and outside your corporate network.
- Open IE and type http://portal.acmecorp.com/ and you should get seamless single sign-on directly to the Office 365 portal.
While OneLogin can recommend steps for configuring a vanity URL, it can't configure one for you because it doesn't administer remote name servers.