Last week I tried to integrate Workspace ONE Access with Microsoft Office 365. Everything went well following the excellent blog of Steve The Identity Guy:
Integrating Workspace ONE Access with Microsoft Office 365 – Steve The Identity Guy. But when I was finished and tried to log in to Office 365 from Workspace ONE Access, Microsoft showed me the following page. Well, thank you Microsoft for the extensive error page.
Let’s troubleshoot a bit. I started with the Activity Details (Activity Details: Sign-ins – Microsoft Azure) page within my Azure tenant and spotted the following:
Interestingly, the failure reason of my sign-in try says: Unable to verify token signature. Signing key identifier is missing.
Let’s fire up PowerShell to check which signing certificate of my federated domain in Office 365 is used.
Hm, Signing Certificate is indeed empty.
I tried to configure the settings again with Set-MsolDomainAuthentication and made sure the certificate part was included.
Still Empty?
It seems that you cannot update the Signing Certificate when the domain is already federated in Office 365. A workaround is to set the domain back to Managed and then make the domain Federated again, this time with the correct certificate included.
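The whole procedure (inspect the federation settings, flip the domain to Managed, re-federate with the certificate, verify) as one added PowerShell script. This is example code written for this post, not the author's own commands nor anything from Steve's blog; the domain name, the Workspace ONE Access tenant URL, the endpoint paths and the certificate file path are placeholders that must be replaced with the values from your own tenant's IdP metadata.

```powershell
# Added example: re-federate an Office 365 domain with Workspace ONE Access so that
# the IdP signing certificate is actually stored. Requires the MSOnline module.
Import-Module MSOnline
Connect-MsolService

$domain   = "contoso.com"                            # placeholder federated domain
$idpBase  = "https://tenant.vmwareidentity.com"      # placeholder Workspace ONE Access tenant
$certPath = "C:\temp\workspaceone-idp-signing.cer"   # placeholder: IdP signing cert exported from Workspace ONE Access

# 1. What does Office 365 currently trust for this domain? (SigningCertificate was empty for the author.)
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, SigningCertificate

# 2. Load the IdP signing certificate and encode it as a plain Base64 string
#    (no PEM headers), which is what the -SigningCertificate parameter expects.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$signingCert = [System.Convert]::ToBase64String($cert.GetRawCertData())

# 3. Updating the certificate on an already-federated domain did not stick,
#    so set the domain back to Managed first.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

# 4. Federate again, this time with the certificate included.
#    The URIs below are placeholders; take the real ones from the IdP metadata
#    of your Workspace ONE Access tenant.
Set-MsolDomainAuthentication -DomainName $domain `
    -Authentication Federated `
    -FederationBrandName "Workspace ONE Access" `
    -IssuerUri "$idpBase/SAAS/API/1.0/GET/metadata/idp.xml" `
    -PassiveLogOnUri "$idpBase/SAAS/auth/federation/sso" `
    -ActiveLogOnUri "$idpBase/SAAS/auth/wsfed/active/logon" `
    -LogOffUri "$idpBase/SAAS/auth/federation/sso" `
    -MetadataExchangeUri "$idpBase/SAAS/auth/wsfed/services/mex" `
    -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $signingCert

# 5. Verify that the certificate is now present and matches the one we loaded.
$settings = Get-MsolDomainFederationSettings -DomainName $domain
if ([string]::IsNullOrEmpty($settings.SigningCertificate)) {
    Write-Warning "SigningCertificate is still empty for $domain"
} elseif ($settings.SigningCertificate -ne $signingCert) {
    Write-Warning "SigningCertificate for $domain does not match $certPath"
} else {
    Write-Host "SigningCertificate for $domain set (thumbprint $($cert.Thumbprint))"
}
```

Between step 3 and step 4 the domain is Managed, so users of that domain cannot sign in through Workspace ONE Access during that window; plan the switch accordingly. The final check compares the stored value against the certificate you loaded, which is the quickest way to confirm the "Signing key identifier is missing" cause is gone before testing the login again.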
After this, everything is working as expected, I get an SSO experience logging into Office 365 from Workspace ONE Access!
Thank you for the post