I was asked several times how PAM can be integrated with O365, and some asked if I could write something up for reference.
Before we go further, here is the documentation.
Before going into the details, I need to give an overview of the prerequisites and a few things that are good to know.
When you start setting up O365, the common case is that you already have an Active Directory domain and AD users.
You want those AD users to access O365 with their AD domain credentials.
There are several options for logging the user in.
Federation (using a SAML token) is one of them.
To set up O365 this way, you need a web service called a Security Token Service (STS) hosted locally within your enterprise.
Active Directory Federation Services (ADFS) can provide this service.
Other third-party, federation-capable Web Access Management products (such as CA Single Sign-On) can provide the STS too.
You need to set up ADFS and host the STS service, and it must be accessible from the internet.
The STS service must be hosted over HTTPS.
The server certificate for HTTPS must be issued by a publicly trusted Certificate Authority (such as Verisign or Comodo).
The STS service also needs a registered internet domain name that is resolvable from public DNS.
Let's say you have registered the internet domain "dummy.com" and, at the registrar's website, configured DNS to be forwarded to your enterprise DNS server, so that your web services and their Fully Qualified Host Names (FQHN) are resolvable from public DNS.
In this sample, https://dummy.com is the server hosting the STS.
So you already have ADFS deployed with the STS service, and it is accessible from the internet at https://dummy.com.
To configure O365, you need O365 licenses for the users.
If you have MSDN, you need the premium one or above to get one user license, and then you can configure O365.
I won't cover how O365 itself is configured here, as the Microsoft documentation should have sufficient information.
For those wondering how it is managed: you install some software (PowerShell for Azure) on the machine running AD, and you use the PowerShell command line to log on to O365 and administer it.
That is where you can import certificates, switch the login mechanism to Federation, and so on.
At that point you can access https://portal.microsoftonline.com, and when you enter your email address you get redirected to your company login page.
Once you submit the correct credentials, you get redirected to https://login.microsoftonline.com/login.srf and get access to the Office applications.
The customer must already be at this stage before they can talk about PAM integration!!!
Now you can refer to the PAM documentation.
Ok, so here is my version.
You will need some level of understanding of what those fields are; then things will be easier.
Security Token Service (STS) Endpoint URL
Federation is an agreement between two parties (aka entities).
The two parties are
1) Identity Partner (aka IP)
2) Resource Partner (aka RP)
As the name suggests, the IP is the party that has the usernames and passwords.
The RP is where the services (like O365) are.
STS and PAM are on the IP side.
When you deploy ADFS and the STS, that IIS web server will have the federation applications deployed on it.
https://<FQHN>/adfs/services/trust/2005/usernamemixed is one of the applications already deployed on ADFS (without involving PAM), and this is where O365 exchanges information with ADFS/STS.
If your STS is hosted on https://dummy.com, then you should enter https://dummy.com/adfs/services/trust/2005/usernamemixed as the "Security Token Service (STS) Endpoint URL".
The path is hardcoded; you just need to replace <FQHN> with whatever hostname you are using for the STS.
Security Token Service (STS) Endpoint Reference URI
This would have been clearer if it just said "Enter the O365 EntityID".
An EntityID is a unique name for a particular party (which can be either the IP or the RP); it is the name the federation parties use to identify each other.
Microsoft named O365 "urn:federation:MicrosoftOnline", so you just need to enter this value.
All customers federating to O365 (regardless of what product they use for federation) need to enter this EntityID for O365.
It is case sensitive, so enter it exactly as above.
Microsoft Online Portal URL
When you try to log on to O365, you are redirected to a login page so you can identify yourself (authenticate).
Microsoft has decided to use https://login.microsoftonline.com/login.srf as the login page.
This page also accepts the SAML token.
All customers federating to O365 (regardless of what product they use for federation) need to enter this URL.
Microsoft Online Portal Context Data
This is the tricky part where people get confused.
The documentation has certainly improved, but you may need more information.
If you are familiar with capturing an HTTP header trace, that is an advantage.
If you know how to use Fiddler (from Telerik), this will be easy. You can use any HTTP analyser type of tool.
You first have to use a normal browser (PAM is not involved yet) and perform a normal login to O365.
[Fiddler Sample#1 - GET request to https://login.microsoftonline.com/login.srf?xxxxyyyyzzzz ]
[Fiddler Sample#2 - POST request to https://login.microsoftonline.com/login.srf ]
In the request, the query parameters include "wctx".
Its value is what you enter as "Microsoft Online Portal Context Data".
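As an added example (not CA PAM's or Microsoft's code, and not part of the original post), the helpers below put the four settings discussed above into code: building the STS endpoint URL from the FQHN, checking a configured endpoint against the HTTPS/path/hostname prerequisites, comparing the EntityID case-sensitively, and pulling the wctx value out of a captured login.srf request the way you would read it off the Fiddler trace. The two captured requests are constructed samples standing in for the Fiddler screenshots; the wa and wtrealm parameters in them are standard WS-Federation names and are not something the post itself shows.

```python
"""Helpers for the four PAM-to-O365 settings discussed above.

Added example; not CA PAM's or Microsoft's code. The fixed values are the
ones the post gives; the captured requests below are constructed samples,
not real Fiddler traces.
"""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Values stated on the page: the path is fixed, the EntityID is case sensitive.
O365_ENTITY_ID = "urn:federation:MicrosoftOnline"
O365_PORTAL_URL = "https://login.microsoftonline.com/login.srf"
STS_PATH = "/adfs/services/trust/2005/usernamemixed"


def sts_endpoint_url(fqhn: str) -> str:
    """Build the STS endpoint URL; only the hostname (FQHN) is variable."""
    host = fqhn.strip().lower()
    if not host or "/" in host or ":" in host:
        raise ValueError(f"expected a bare hostname, got {fqhn!r}")
    return f"https://{host}{STS_PATH}"


def check_sts_endpoint_url(url: str) -> List[str]:
    """Return the problems with a configured STS endpoint URL (empty list = OK).

    Checks the prerequisites the post lists that can be checked offline:
    HTTPS, the exact usernamemixed path, and a hostname that looks fully
    qualified. Public DNS resolution and the certificate's issuing CA need
    network access and are not checked here.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("STS endpoint must be served over HTTPS")
    if parts.path != STS_PATH:
        problems.append(f"path must be exactly {STS_PATH}")
    host = parts.hostname or ""
    if "." not in host:
        problems.append("hostname must be a fully qualified, publicly resolvable name")
    return problems


def check_entity_id(value: str) -> bool:
    """The O365 EntityID must match exactly; a case difference is a mismatch."""
    return value == O365_ENTITY_ID


def extract_wctx(raw_request: str) -> Optional[str]:
    """Pull the wctx value out of a captured request to login.srf.

    Takes the raw request text as an HTTP trace tool shows it (request line,
    headers, blank line, optional body). Looks in the query string first
    (GET), then in a form-encoded body (POST). Returns None if absent.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    sources = [urlsplit(target).query]
    if method == "POST":
        sources.append(body)
    for source in sources:
        values = parse_qs(source).get("wctx")
        if values:
            return values[0]
    return None


# Constructed sample captures (stand-ins for the two Fiddler screenshots).
SAMPLE_GET = (
    "GET /login.srf?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    "&wctx=CONSTRUCTED_CONTEXT_VALUE HTTP/1.1\r\n"
    "Host: login.microsoftonline.com\r\n\r\n"
)
SAMPLE_POST = (
    "POST /login.srf HTTP/1.1\r\n"
    "Host: login.microsoftonline.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "wa=wsignin1.0&wresult=%3Ct%3ARequestSecurityTokenResponse%2F%3E"
    "&wctx=CONSTRUCTED_CONTEXT_VALUE"
)

if __name__ == "__main__":
    print("STS endpoint:", sts_endpoint_url("dummy.com"))
    print("problems:    ", check_sts_endpoint_url("http://adfs/adfs/ls"))
    print("wctx (GET):  ", extract_wctx(SAMPLE_GET))
    print("wctx (POST): ", extract_wctx(SAMPLE_POST))
```

Running the module prints the dummy.com endpoint, the three prerequisite failures for an internal http://adfs/adfs/ls URL, and the same wctx value from both the GET and the POST capture. Paste the text of your own captured request into extract_wctx to get the value to enter for "Microsoft Online Portal Context Data"; parse_qs URL-decodes it, so compare against the raw trace if the value contains escaped characters.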
Hopefully this information will make things easier.