How to: Change an ACS Configuration to Support Single Sign-On with Office 365 and SharePoint
You can change your Access Control Service (ACS) configuration in Microsoft Dynamics NAV if you want to combine access to the Microsoft Dynamics NAV Web client with your Office 365 account. In a default deployment of Microsoft Dynamics NAV, users must sign in to Office 365 and Microsoft Dynamics NAV separately. By changing the configuration, users will sign in to Office 365 and then be automatically signed in to Microsoft Dynamics NAV, or the other way around. Users in the Microsoft Dynamics NAV Windows client also benefit from this single sign-on (SSO), but only if they choose the Keep me signed in field in the sign-in dialog box.
Important
Follow the steps in this section if you want to achieve single sign-on with Office 365 and Microsoft Dynamics NAV through ACS. Alternatively, use Windows Azure Active Directory. For more information, see Authenticate Users with Windows Azure Active Directory.
To change a deployment to use Office 365 and ACS has the following prerequisites:
Your Microsoft Dynamics NAV deployment already uses ACS through one of the predefined identity providers, such as Windows Live ID. For more information, see How to: Configure a Deployment for ACS.
You have an Office 365 account that you sign in to with a username such as MyUser@MyDomain.onmicrosoft.com. For more information, see Select an Office 365 plan for business online.
Changing a configuration to support single sign-on between Office 365 and Microsoft Dynamics NAV requires the following main steps:
Configure a WS-Federation identity provider
Reconfigure your existing relying party application to use only the new identity provider
Reconfigure your rule group to handle tokens from your Office 365 account
Configure the Office 365 account to accept authentication from Microsoft Dynamics NAV
To configure a WS-Federation identity provider
Open the Access Control Service portal for your existing ACS namespace. For more information, see How to: Configure a Deployment for ACS.
Add a new identity provider based on the WS-Federation identity provider template. For more information, see How to configure AD FS 2.0 as an Identity Provider in the MSDN Library.
In the Add WS-Federation Identity Provider page, fill in the fields as described in the following table.
Field Description Display name
Specify a name, such as the name of the Office 365 account. For example, MyDomain.onmicrosoft.com.
WS_Federation metadata URL
Specify the federation metadata location for your Office 365 account, such as https://login.windows.net/MyDomain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml, where MyDomain is your Office 365 account name.
Login link text
Specify a descriptive name, such as Office 365 MyDomain.onmicrosoft.com, where MyDomain is your Office 365 account name.
This value is only used if you configure your relying party to support multiple identity providers.
Relying party applications
Make sure your existing relying party is selected.
Choose the Save button.
Next, you must reconfigure your existing relying party application.
To reconfigure your existing relying party application
In the left pane of the Access Control Service section of the Azure Management portal, choose Relying Party Applications, and then choose your existing relying application.
This opens the configuration in edit mode.
In the Authentication Settings section, under Identity providers, make sure that only the new identify provider is selected.
Choose the Save button.
Next, you must reconfigure the rule group that your existing ACS namespace uses.
To reconfigure your rule group to handle Office 365 tokens
In the left pane of the Access Control Service portal, choose Rule groups, and then choose your existing rule group.
Select all existing rule groups, and then choose Delete.
Choose Generate. In the Generate Rules page, choose the relevant identity provider, and then choose the Generate button.
In the Edit Rule Group page, delete all rules except the rule where the output claim is name.
The name claim handles the email addresses that you must specify in the Authentication Email field in the User Card for each user in Microsoft Dynamics NAV.
Choose Add. This opens the Add Claim Rule page.
In the Input claim issuer group, in the Identity Provider field, make sure your new identity provider is selected.
In the Input claim type group, in the Enter type field, enter https://schemas.microsoft.com/identity/claims/objectidentifier.
The https://schemas.microsoft.com/identity/claims/objectidentifier claim handles the unique IDs of the users.
In the Output claim type group, in the Enter type field, enter https://schemas.microsoft.com/identity/claims/objectidentifier.
Choose the Save button.
You have changed the configuration of your ACS namespace so that users can be authenticated against the specified Office 365 account. Next, you must configure the Office 365 account to accept authentication from Microsoft Dynamics NAV.
To configure the Office 365 account to accept authentication from Microsoft Dynamics NAV
Download and install the Windows Azure Active Directory Module for Windows PowerShell. For more information, see Manage Windows Azure Active Directory by using Windows PowerShell on TechNet.
To start a Windows PowerShell session, run PowerShell.exe at a command prompt.
Run the following Windows PowerShell commands:
Import-Module MSOnline Connect-MsolService MyUser@MyDomain.onmicrosoft.com $acsUrl = New-MsolServicePrincipalAddresses -Address "https://MyACSNamespace.accesscontrol.windows.net/" New-MsolServicePrincipal -ServicePrincipalNames "https://MyACSNamespace.accesscontrol.windows.net/" -DisplayName "Microsoft Dynamics NAV via ACS" -Addresses $acsUrl
You have now configured your ACS namespace and your Office 365 account to enable single sign-on between Office 365 and Microsoft Dynamics NAV.
See Also
Tasks
How to: Configure a Deployment for ACS