xefrog

Reputation: 21

Office 365 Single Sign On

I've been attempting to do SSO for Office365 and have federated my AD with Office365. When I reach portal.microsoftonline.com and enter a username from my domain, e.g. [email protected], the page gets redirected to my ADFS for authentication, and thereafter the user keys in his/her credentials.

Is there a way to do an active authentication for Office365, if I used the term correctly, where a user logs into my site, which already actively authenticates the user using an HttpBinding to my ADFS, and then also gets authenticated for Office365?

The high-level flow is as follows:

  1. User signs into my website which is authenticated against the ADFS via active authentication
  2. User proceeds to Office365 and should not need to log in again.

Upvotes: 1

Views: 935

Answers (2)

Jos

Reputation: 140

Programmatically, using IE and PowerShell, you could do it with a COM object like below. The full code for an automatic login (+drivemap, which the code is from) is here: http://www.lieben.nu/numb3rs/?page_id=129

# Values this excerpt relies on. The full script on the linked page defines them;
# the placeholder assignments here are assumed so that the excerpt parses and runs.
$debugmode        = $false                        # $true makes the IE window visible
$logfile          = "$env:TEMP\o365-autologin.log"
$O365CustomerName = "<tenant>"                    # as in <tenant>-my.sharepoint.com
$userURL          = "<user_site_segment>"         # path segment of the user's personal site
$userUPN          = "<user@domain>"
$password         = "<password>"                  # used only by the non-ADFS branch
$useADFS          = $true
$ADFSWaitTime     = 5                             # seconds to allow for the ADFS redirect

#start invisible IE instance
try{
    $ie = New-Object -ComObject InternetExplorer.Application
    $ie.Visible = $debugmode
}catch{
    Add-Content $logfile "failed to start Internet Explorer COM Object, check user permissions`n"
    Add-Content $logfile $error[0]
    Exit
}
#navigate to the Microsoft Online logout page first so no stale session interferes (https here; the original used http)
$ie.Navigate("https://login.microsoftonline.com/logout.srf")
do {Start-Sleep 1} until (-not ($ie.Busy))
$ie.Quit()
[System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie) > $null
Remove-Variable ie

#start invisible IE instance
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $debugmode

#login process
do{
    #open the user's OneDrive personal site; an unauthenticated request is redirected to the sign-in page
    $ie.Navigate("https://" + $O365CustomerName + "-my.sharepoint.com/personal/" + $userURL)
    do {Start-Sleep 1} until (-not ($ie.Busy))

    #click to open up the login menu
    do {Start-Sleep 1} until (-not ($ie.Busy))
    try {
        $ie.Document.GetElementById("_link").click()
        do {Start-Sleep 1} until (-not ($ie.Busy))
    } catch {$null}

    #attempt automated login using ADFS / non ADFS methods
    if($useADFS){
        Add-Content $logfile "useADFS set to true`n"
        Add-Content $logfile "attempting ADFS single sign-on`n"
        #trigger redirect: entering a federated UPN sends the browser to ADFS, which completes sign-in (e.g. with Windows authentication)
        try{
            $ie.Document.GetElementById("cred_keep_me_signed_in_checkbox").click()
            $ie.Document.GetElementById("cred_userid_inputtext").value = $userUPN
            do {Start-Sleep 1} until (-not ($ie.Busy))
            $ie.Document.GetElementById("cred_sign_in_button").click()
            do {Start-Sleep 1} until (-not ($ie.Busy))
        }catch{
            Add-Content $logfile "Failed to find the correct controls at $($ie.LocationURL) to log in by script, check your browser and proxy settings or check for an update of this script`n"
        }
        #ADFS redirect can take a while
        do {Start-Sleep 1} until (-not ($ie.Busy))
        Start-Sleep -Seconds 1
        do {Start-Sleep 1} until (-not ($ie.Busy))
        Start-Sleep -Seconds $ADFSWaitTime
        do {Start-Sleep 1} until (-not ($ie.Busy))
    }else{
        #non-federated (managed) account: the sign-in page itself takes the password
        try{
            $ie.Document.GetElementById("cred_userid_inputtext").value = $userUPN
            $ie.Document.GetElementById("cred_password_inputtext").value = $password
            $ie.Document.GetElementById("cred_keep_me_signed_in_checkbox").click()
            do {Start-Sleep 1} until (-not ($ie.Busy))
            $ie.Document.GetElementById("cred_sign_in_button").click()
            do {Start-Sleep 1} until (-not ($ie.Busy))
        }catch{
            Add-Content $logfile "Failed to find the correct controls at $($ie.LocationURL) to log in by script, check your browser and proxy settings or check for an update of this script`n"
        }
        Start-Sleep -Seconds 1
        do {Start-Sleep 1} until (-not ($ie.Busy))
    }
} until ($true)   # the retry condition is not part of this excerpt; the full script supplies it

Upvotes: 0

woloski

Reputation: 2873

No. For SSO to work, a cookie must be set in the domain where ADFS is running. And the only way to achieve this is authenticating with the browser. When you do active auth the browser is not involved (it is a server-to-server call).

Upvotes: 2
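The passive/active split behind this answer is visible in the realm-discovery record that Office 365 sign-in uses to decide where to send a federated user: one URL is the ADFS passive endpoint the browser is redirected to (that redirect is where the ADFS-domain cookie gets set), the other is the WS-Trust endpoint a server calls directly. The following is an added example, not code from either answer or from the linked script; it assumes the public getuserrealm.srf endpoint and its XML field names as they exist today, and the sample record below is constructed with the placeholder host adfs.example.com.

```powershell
# Added example: separate the browser-facing (passive) ADFS endpoint from the
# server-to-server (active) one in a user-realm discovery record.

function Get-FederationEndpoints {
    # Parses a RealmInfo XML record and returns the two endpoints side by side.
    param(
        [Parameter(Mandatory)] [string] $RealmXml
    )
    [xml] $realm = $RealmXml
    $info = $realm.RealmInfo
    [pscustomobject]@{
        Domain        = $info.DomainName
        NameSpaceType = $info.NameSpaceType                  # 'Federated' or 'Managed'
        IsFederated   = ($info.NameSpaceType -eq 'Federated')
        PassiveUrl    = $info.AuthURL      # browser is redirected here (wa=wsignin1.0); the ADFS cookie is set in this flow
        ActiveUrl     = $info.STSAuthURL   # WS-Trust endpoint for a server-to-server call; no browser, no cookie
    }
}

function Get-RealmInfoOnline {
    # Live lookup for a sign-in name (assumed public endpoint; not needed for the offline sample below).
    param([Parameter(Mandatory)] [string] $Login)
    $uri = 'https://login.microsoftonline.com/getuserrealm.srf?login=' +
           [uri]::EscapeDataString($Login) + '&xml=1'
    (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
}

# Constructed sample of a federated realm record (placeholder values, not a real tenant).
$sample = @'
<RealmInfo Success="true">
  <NameSpaceType>Federated</NameSpaceType>
  <DomainName>example.com</DomainName>
  <AuthURL>https://adfs.example.com/adfs/ls/?username=user%40example.com&amp;wa=wsignin1.0&amp;wtrealm=urn:federation:MicrosoftOnline&amp;wctx=</AuthURL>
  <IsFederatedNS>true</IsFederatedNS>
  <STSAuthURL>https://adfs.example.com/adfs/services/trust/2005/usernamemixed</STSAuthURL>
  <MEXURL>https://adfs.example.com/adfs/services/trust/mex</MEXURL>
</RealmInfo>
'@

$endpoints = Get-FederationEndpoints -RealmXml $sample
$endpoints | Format-List

# To inspect your own federated domain instead of the constructed sample:
#   Get-FederationEndpoints -RealmXml (Get-RealmInfoOnline -Login 'someone@yourdomain')
```

Run against the sample, PassiveUrl is the /adfs/ls/ sign-in page and ActiveUrl the /adfs/services/trust/... WS-Trust endpoint. The question's website authenticates against the second; Office 365 SSO depends on the browser having visited the first, which is why a token obtained by the web server cannot stand in for the browser session.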
