Workspace ONE Access with Office 365 – Sorry, that didn’t work?

Last week I tried to integrate Workspace ONE Access with Microsoft Office 365. Everything went well following the excellent blog post by Steve The Identity Guy, Integrating Workspace ONE Access with Microsoft Office 365. Except that when I was finished and tried to log in to Office 365 from Workspace ONE Access, Microsoft showed me the following page. Well, thank you Microsoft for the extensive error page.

[Screenshot: Microsoft sign-in error page, "Sorry, that didn't work"]

Let’s troubleshoot a bit. I started with the Activity Details (Activity Details: Sign-ins – Microsoft Azure) page within my Azure tenant and spotted the following:

[Screenshot: Azure AD sign-in Activity Details]

Interestingly, the failure reason of my sign-in attempt says: Unable to verify token signature. Signing key identifier is missing.

Let’s fire up PowerShell to check which signing certificate is configured for my federated domain in Office 365.

[Screenshot: PowerShell output of the domain federation settings, SigningCertificate empty]

Hm, the Signing Certificate is indeed empty.

I tried to configure the settings again with Set-MsolDomainAuthentication and made sure the certificate part was included.

[Screenshot: PowerShell output after re-running Set-MsolDomainAuthentication, SigningCertificate still empty]

Still empty?

It seems that you cannot update the Signing Certificate while the domain is already federated in Office 365. The workaround is to set the domain back to Managed and then make the domain Federated again, this time with the correct certificate included.

[Screenshot: PowerShell output, domain set to Managed and federated again with the signing certificate present]
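The check-and-re-federate procedure above, written out as an added PowerShell example (not code from the original post). It assumes the MSOnline module is installed, Connect-MsolService has already been run, and the IdP signing certificate has been exported from Workspace ONE Access as a PEM file; every domain name, path and URI below is a placeholder to be replaced with the values from your own IdP metadata.

```powershell
# Added example: confirm the federated domain has no signing certificate,
# then switch it to Managed and back to Federated with the certificate set.
# Placeholders (replace with your own values, taken from the IdP metadata):
$DomainName       = 'example.com'                         # federated domain
$CertPath         = 'C:\temp\wsone-signing.pem'           # exported IdP signing cert
$IssuerUri        = 'https://access.example.com/<entityID-from-idp-metadata>'
$PassiveLogOnUri  = 'https://access.example.com/<saml-sso-endpoint>'
$ActiveLogOnUri   = 'https://access.example.com/<saml-ecp-endpoint>'
$LogOffUri        = 'https://access.example.com/<saml-logout-endpoint>'

# Returns $true when Office 365 actually holds a signing certificate for the domain.
function Test-FederationSigningCert {
    param([string]$Domain)
    $settings = Get-MsolDomainFederationSettings -DomainName $Domain
    return -not [string]::IsNullOrEmpty($settings.SigningCertificate)
}

# -SigningCertificate expects the base64 body only, so strip the PEM header/footer.
$SigningCertificate = ((Get-Content $CertPath) -notmatch '^-----') -join ''

if (-not (Test-FederationSigningCert -Domain $DomainName)) {
    Write-Host "SigningCertificate for $DomainName is empty, re-federating..."

    # Step 1: the certificate cannot be changed in place, so go back to Managed first.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

    # Step 2: federate again, this time with the certificate included.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
        -IssuerUri $IssuerUri -PassiveLogOnUri $PassiveLogOnUri `
        -ActiveLogOnUri $ActiveLogOnUri -LogOffUri $LogOffUri `
        -SigningCertificate $SigningCertificate `
        -PreferredAuthenticationProtocol SAMLP
}

# Verify: the thumbprint Office 365 now holds must match the local certificate.
$local  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
              [Convert]::FromBase64String($SigningCertificate))
$remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
              [Convert]::FromBase64String(
                  (Get-MsolDomainFederationSettings -DomainName $DomainName).SigningCertificate))
if ($local.Thumbprint -eq $remote.Thumbprint) {
    Write-Host "OK: federation signing cert thumbprint $($remote.Thumbprint) matches."
} else {
    Write-Warning "Mismatch: local $($local.Thumbprint) vs tenant $($remote.Thumbprint)."
}
```

While the domain is Managed, users in that domain authenticate against the cloud directory rather than the IdP, so run this in a maintenance window.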

After this, everything works as expected: I get an SSO experience logging into Office 365 from Workspace ONE Access!
