Office 365 – Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is ease in accessibility to all of the Office365 resources.  As pointed out on many of the Microsoft forums, SharePoint, CRM, Skydrive, etc. do not automatically complete a single-sign on request when browsing the website.

Problem: When a user browses https://mydomain.sharepoint.com for example, the user is prompted to enter in their email address.  What a user expects is that they should automatically be logged in and see sharepoint when navigating to https://mydomain.sharepoint.com  Additionally, for whatever reason, users cannot remember the website address to https://mydomain.sharepoint.com  Instead, they want to do something like http://sharepoint.mydomain.com

Solution: Create name branded “fancy URLs” that will complete an idp claim to give the user a true SSO experience.

  • http://owa.mydomain.com
  • http://sharepoint.mydomain.com
  • http://skydrive.mydomain.com
  • http://crm.mydomain.com

Solution:

  1. Open up Internet Explorer
  2. Navigate to https://mydomain.sharepoint.com
    Sign into Office 365
  3. Press F12 to open up the developer tools console (I am running IE 11, the console looks way different than previous versions of IE)
    Sign into Office 365 - Developer Console
  4. Scroll down and select the icon that looks like a little WiFi antenna
    Sign into Office 365 - Developer Console - Network
  5. Click the green play button
    Sign into Office 365 - Developer Console - Network - Start Capture
  6. Type in your email address as you would to login to sharepoint ([email protected])
  7. You should be redirected to your ADFS server and inside the network console, you should see a link like https://sts.mydomain.com/adfs/ls/?………………  Copy this link into notepad.
    Office 365 - Federated URL
  8. Remove the extra stuff from the debug console
    Before
    Office 365 - Federated URL - Notepad

    After
    Office 365 - Federated URL - Cleaned - Notepad
  9. Remove everything from cbcxt=….. to wa=wsignin1.0
    Office 365 - Federated URL - cbcxt removed
  10. Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters
    Office 365 - Federated URL - ct and bk removed
  11. Next, open up another new notepad document named index.html and paste the following text into it
    1. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
      <title>CRM</title>
      <meta http-equiv=”refresh” content=”0; url=https://sts.mydomain.com link goes here” /></head>

      <body>

      </body>
      </html>
      Redirect to URL template

  12. Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
    Redirect to federated URL
  13. Upload the index.html file to one of your your webservers
  14. Create a new A record called sharepoint.mydomain.com pointing to your webserver
  15. Now when a user browses http://sharepoint.mydomain.com, the user will automatically be redirected to your secure ADFS Proxy and authenticate automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses.  The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.

NOTES:

Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

12 thoughts on “Office 365 – Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

  1. Angela

    Thanks for the instructions, especially the screen caputres. I have successfully set up a smart link to SharePoint Online. I am struggling to set up a smart link to SkyDrive/OneDrive. Any tips you can provide would be helpful. I don’t see an adfs link to copy and edit from the IE developer tools.

    Reply
    1. Jack Post author

      Hey Angela,

      It is possible to setup a vanity URL for SkyDrive/OneDrive. Unfortunately, I won’t be able to do much help unless I can see what URLs are showing up inside of the IE Developer Tools. Please feel free to contact me and I can try to help troubleshoot.

      Jack

      Reply
  2. AK

    Thanks for all the details. I am stuck at the last two steps. My whole SharePoint 2013/Office 365 environment is in cloud. I don’t have access to IIS or any web server
    What exactly do I need to address these two steps:
    1) Upload the index.html file to one of your your webservers
    2) Create a new A record called sharepoint.mydomain.com pointing to your webserver

    Any help will be greatly appreciated.

    Thanks

    Reply
    1. Jack Post author

      Hi AK,

      For step 1, you will need to put this page on a server that is exposed to the internet. Creating a web server to host the page itself is not covered in the scope of this tutorial.
      For step 2, you would create an A record on your DNS server(s). These could be hosted by your organization or the organization hosting your domain name (Name, GoDaddy, etc.).

      Hope this helps,
      Jack

      Reply
  3. Pingback: O365 and OnSite Active Directory - Should I merge? - Page 3

    1. Jack Post author

      Hey Philip,

      This is possible, but you will have to write a lot of custom redirection rules for each link on the end using the approach I have here. There might be a way to get it to dynamically work; if you are free after hours, I can give you a shout after hours and we can try to write something custom if you would like.

      Jack

      Reply
  4. Philip Thompson

    Hi Jack,
    That would be great if you could!
    My email address is Philip dot Thompson at version1 dot com (I assume this won’t get posted by the moderator, but just in case!)
    Can you please email me your details (email/phone number/Skype) and a suitable time to contact you?

    Thanks,
    Philip

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *