OneLogin's integration with Office 365 lets your employees use OneLogin to sign in once to access all of their Office 365 applications. If you use Active Directory, OneLogin Desktop SSO uses Integrated Windows Authentication to give your users immediate access to Office 365 and their other OneLogin-managed applications whenever they are logged into their PC or Mac using their Active Directory domain credentials.
Whether or not you use Active Directory, OneLogin provides real-time sync between your directory service and Office 365, and automatically provisions Office 365 licenses so that you do not have to update each user manually. Use OneLogin to automatically provision license options for Yammer, SharePoint, Microsoft Communications, Exchange, and more.
OneLogin for Office 365 also connects seamlessly into Lync, Outlook, and mobile mail clients for Windows Mobile, iPhone, Android, and BlackBerry.
Suggested architecture and configurations
In a OneLogin integration with Office 365, OneLogin provides the single sign-on (SSO) federation service that would otherwise typically be provided by Active Directory Federation Services (ADFS), and the user provisioning functionality that would otherwise be provided by Azure Active Directory Sync Service (DirSync).
OneLogin provides many advantages over ADFS, including:
- Real-time provisioning of user attributes from Active Directory (or other directory service, including OneLogin itself) to Office 365.
- Entitlement mapping that enables you to assign correct license types automatically to new users when they are created in Office 365.
However, your Office 365 implementation may use attributes that OneLogin currently cannot provision from Active Directory to Office 365. If you store attributes that you need to pass to Office 365 but that OneLogin cannot provision, OneLogin supports DirSync as your provisioning engine. See Provisioning User Attributes to Office 365 for a list of all Office 365 user attributes supported by OneLogin.
You can also remove Active Directory entirely from your configuration, using OneLogin or an alternative third-party directory (such as an OpenLDAP server) as your directory service. Office 365 might seem to require Active Directory integration because it uses the AD attribute immutableID. OneLogin gets around this requirement: if you use OneLogin as your directory service, it generates a unique user identifier that replaces the immutableID.
To sum up, OneLogin supports the following federation and provisioning configurations for Office 365:
- Active Directory with OneLogin for SSO and OneLogin for provisioning.
- Active Directory with OneLogin for SSO and DirSync for provisioning.
- OneLogin or LDAP directory, OneLogin for SSO, and OneLogin for provisioning.
Note. You can use DirSync with a non-AD LDAP directory service, but you must configure that LDAP service to use the immutableID attribute.