How to: Change an ACS Configuration to Support Single Sign-On with Office 365 and SharePoint

You can change your Access Control Service (ACS) configuration in Microsoft Dynamics NAV if you want to combine access to the Microsoft Dynamics NAV Web client with your Office 365 account. In a default deployment of Microsoft Dynamics NAV, users must sign in to Office 365 and Microsoft Dynamics NAV separately. By changing the configuration, users will sign in to Office 365 and then be automatically signed in to Microsoft Dynamics NAV, or the other way around. Users in the Microsoft Dynamics NAV Windows client also benefit from this single sign-on (SSO), but only if they choose the Keep me signed in field in the sign-in dialog box.

Important

Follow the steps in this section if you want to achieve single sign-on with Office 365 and Microsoft Dynamics NAV through ACS. Alternatively, use Windows Azure Active Directory. For more information, see Authenticate Users with Windows Azure Active Directory.

To change a deployment to use Office 365 and ACS has the following prerequisites:

Changing a configuration to support single sign-on between Office 365 and Microsoft Dynamics NAV requires the following main steps:

  • Configure a WS-Federation identity provider

  • Reconfigure your existing relying party application to use only the new identity provider

  • Reconfigure your rule group to handle tokens from your Office 365 account

  • Configure the Office 365 account to accept authentication from Microsoft Dynamics NAV

To configure a WS-Federation identity provider

  1. Open the Access Control Service portal for your existing ACS namespace. For more information, see How to: Configure a Deployment for ACS.

  2. Add a new identity provider based on the WS-Federation identity provider template. For more information, see How to configure AD FS 2.0 as an Identity Provider in the MSDN Library.

    1. In the Add WS-Federation Identity Provider page, fill in the fields as described in the following table.

      Field Description

      Display name

      Specify a name, such as the name of the Office 365 account. For example, MyDomain.onmicrosoft.com.

      WS_Federation metadata URL

      Specify the federation metadata location for your Office 365 account, such as https://login.windows.net/MyDomain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml, where MyDomain is your Office 365 account name.

      Login link text

      Specify a descriptive name, such as Office 365 MyDomain.onmicrosoft.com, where MyDomain is your Office 365 account name.

      This value is only used if you configure your relying party to support multiple identity providers.

      Relying party applications

      Make sure your existing relying party is selected.

    2. Choose the Save button.

Next, you must reconfigure your existing relying party application.

To reconfigure your existing relying party application

  1. In the left pane of the Access Control Service section of the Azure Management portal, choose Relying Party Applications, and then choose your existing relying application.

    This opens the configuration in edit mode.

  2. In the Authentication Settings section, under Identity providers, make sure that only the new identify provider is selected.

  3. Choose the Save button.

Next, you must reconfigure the rule group that your existing ACS namespace uses.

To reconfigure your rule group to handle Office 365 tokens

  1. In the left pane of the Access Control Service portal, choose Rule groups, and then choose your existing rule group.

  2. Select all existing rule groups, and then choose Delete.

  3. Choose Generate. In the Generate Rules page, choose the relevant identity provider, and then choose the Generate button.

  4. In the Edit Rule Group page, delete all rules except the rule where the output claim is name.

    The name claim handles the email addresses that you must specify in the Authentication Email field in the User Card for each user in Microsoft Dynamics NAV.

  5. Choose Add. This opens the Add Claim Rule page.

  6. In the Input claim issuer group, in the Identity Provider field, make sure your new identity provider is selected.

  7. In the Input claim type group, in the Enter type field, enter https://schemas.microsoft.com/identity/claims/objectidentifier.

    The https://schemas.microsoft.com/identity/claims/objectidentifier claim handles the unique IDs of the users.

  8. In the Output claim type group, in the Enter type field, enter https://schemas.microsoft.com/identity/claims/objectidentifier.

  9. Choose the Save button.

You have changed the configuration of your ACS namespace so that users can be authenticated against the specified Office 365 account. Next, you must configure the Office 365 account to accept authentication from Microsoft Dynamics NAV.

To configure the Office 365 account to accept authentication from Microsoft Dynamics NAV

  1. Download and install the Windows Azure Active Directory Module for Windows PowerShell. For more information, see Manage Windows Azure Active Directory by using Windows PowerShell on TechNet.

  2. To start a Windows PowerShell session, run PowerShell.exe at a command prompt.

  3. Run the following Windows PowerShell commands:

    Import-Module MSOnline
    Connect-MsolService MyUser@MyDomain.onmicrosoft.com
    $acsUrl = New-MsolServicePrincipalAddresses -Address "https://MyACSNamespace.accesscontrol.windows.net/"
    New-MsolServicePrincipal -ServicePrincipalNames "https://MyACSNamespace.accesscontrol.windows.net/" -DisplayName "Microsoft Dynamics NAV via ACS" -Addresses $acsUrl
    

You have now configured your ACS namespace and your Office 365 account to enable single sign-on between Office 365 and Microsoft Dynamics NAV.

See Also

Tasks

How to: Configure a Deployment for ACS

Other Resources

Select an Office 365 plan for business