The Office 365 integration replaces password login with biometric authentication via SAML 2.0 using the 1Kosmos mobile app.
Integration type: API
Overview
1Kosmos integrates with Microsoft Office 365 as a SAML 2.0 identity provider, replacing password-based login with biometric authentication via the 1Kosmos mobile app. Users access Office 365 by entering their email address, are redirected to the 1Kosmos login page, and authenticate using Touch ID, Face ID, or liveness-checked LiveID. No password is entered at any point in the flow.
This integration is configured through a combination of the 1Kosmos AdminX portal and Windows PowerShell. On the AdminX side, Office 365 metadata is imported to create the SAML application and a custom immutableid attribute is mapped to Active Directory to serve as the SAML NameID. On the Microsoft side, PowerShell commands federate the Azure AD domain to use 1Kosmos as the external identity provider.
A connected AD or LDAP user directory in AdminX is required for this integration. Users must exist in the federated domain and have the 1Kosmos mobile app installed and biometrics enrolled before the first login.
Prerequisites
Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if your tenant is not yet provisioned.
Office 365 tenant: An active Microsoft 365 subscription with an associated custom domain.
AD or LDAP user directory connected in AdminX: Required for immutableid attribute mapping. Configure this under Directory → Directory Integrations before beginning.
Office 365 federation metadata file: Download and save locally from:
https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
Microsoft AzureAD PowerShell module: Must be installed before running federation commands. Install via the PowerShell Gallery:
Install-Module AzureAD
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from AdminX (IdP) for the PowerShell federation step:

| Setting | Value |
|---|---|
| IdP SSO URL (PassiveLogOnUri) | https://your-tenant.1kosmos.net/adminapi/community/default/sso |
| IdP Logout URL (LogOffUri) | https://your-tenant.1kosmos.net/adminapi/community/default/slo |
| Issuer URI | https://your-tenant.1kosmos.net/newui/default/idp3 |
| Signing Certificate | PEM value (remove all spaces and newlines before use) |
Fixed values for AdminX SAML application configuration:

| Setting | Value |
|---|---|
| Application Access URL | https://login.microsoftonline.com/login.srf |
| Entity ID | urn:federation:MicrosoftOnline |
| ACS URL | https://login.microsoftonline.com/login.srf |
| NameID Format | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
| NameID Value | immutableid |
Integration steps
Step 1: Add the immutableid attribute in AdminX
Log in to the AdminX portal as a community administrator.
Navigate to Settings → 1Kosmos Attributes and click Add New.
Enter immutableid as the attribute name and click Create. Verify the attribute appears in the list.
Step 2: Map immutableid to your Active Directory attribute
Navigate to Directory → Directory Integrations.
Click the edit icon next to your AD or LDAP directory.
Open the Attributes mapping tab and select Add new mapping.
Set the Directory attribute to the AD field that stores the user's ImmutableID value (commonly postalcode if no dedicated field exists, or the actual immutableid field if your schema includes one). Set the 1Kosmos attribute to immutableid. Click Create and confirm the mapping appears.
Step 3: Add Office 365 as a SAML application in AdminX
Navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add Integration.
Click Add Application to proceed.
Basic settings: enter "Office365" as the Application Name, select Production, and enter https://login.microsoftonline.com/login.srf as the Application Access URL. Click Next.
SAML settings: click Upload and select the Office 365 federation metadata file downloaded during prerequisites. Set the NameID Format to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and the NameID Value to immutableid. Under Claims Mapping, add the following:
| Attribute | Format (Claim URI) |
|---|---|
| | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail |
Click Next.
On Advanced Options, verify the Entity ID is urn:federation:MicrosoftOnline and the ACS URL is https://login.microsoftonline.com/login.srf. Confirm Assertion and Authentication request signing are enabled.
Confirm the Signing and Encryption Certificate fields are populated. Click Save.
Step 4: Federate your Azure AD domain via PowerShell
Launch Windows PowerShell and run Connect-MsolService. Sign in with your Microsoft 365 Global Administrator credentials. Verify your domain status with:
Then set the federation configuration by defining the following variables with your own tenant values and running the federation command:
Validate the configuration was applied with:
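The federation step above, as an added example that is not code from the 1Kosmos guide: it assembles the IdP values from the Configuration values table, reduces the signing certificate PEM to its base64 body (the "remove all spaces and newlines" requirement), checks that the domain is verified before touching it, federates it with the SAML protocol, and reads the settings back with Get-MsolDomainFederationSettings as the Integration notes advise. The domain name, tenant host, PEM file path and the reuse of the SSO URL as ActiveLogOnUri are assumptions. Connect-MsolService, Get-MsolDomain, Set-MsolDomainAuthentication and Get-MsolDomainFederationSettings come from the MSOnline module (Install-Module MSOnline), not the AzureAD module listed in the prerequisites; both are deprecated by Microsoft in favour of Microsoft Graph PowerShell, so confirm the module still works in your tenant.

```powershell
# Added example, not code from the 1Kosmos guide. Placeholders: $domain, $tenant, $pemPath.
# Requires the MSOnline module (Install-Module MSOnline); sign in as a Global Administrator.
Import-Module MSOnline
Connect-MsolService                      # interactive sign-in prompt

$domain  = "example.com"                 # placeholder: the custom domain to federate
$tenant  = "your-tenant.1kosmos.net"     # placeholder: AdminX tenant host
$pemPath = ".\1kosmos-signing.pem"       # placeholder: IdP signing certificate exported from AdminX

# IdP endpoints, built from the Configuration values table.
$issuerUri       = "https://$tenant/newui/default/idp3"
$passiveLogOnUri = "https://$tenant/adminapi/community/default/sso"
$logOffUri       = "https://$tenant/adminapi/community/default/slo"

# Reduce the PEM to its base64 body: drop the BEGIN/END armour, then every whitespace character.
$pem         = Get-Content -Path $pemPath -Raw
$signingCert = ($pem -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''

# Make sure what is left parses as an X.509 certificate and is not already expired,
# so a mangled or stale certificate is caught here rather than at the first user login.
$certBytes = [Convert]::FromBase64String($signingCert)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
if ($cert.NotAfter -lt (Get-Date)) { throw "IdP signing certificate expired on $($cert.NotAfter)" }
Write-Host "Signing certificate: $($cert.Subject), valid until $($cert.NotAfter)"

# The domain must be verified in the tenant; warn if it is already federated, because the
# call below overwrites whatever federation settings are currently in place.
$dom = Get-MsolDomain -DomainName $domain
if ($dom.Status -ne 'Verified') { throw "Domain $domain is not verified (status: $($dom.Status))" }
if ($dom.Authentication -eq 'Federated') {
    Write-Warning "Domain $domain is already federated; its settings will be replaced."
}

# Federate the domain. ActiveLogOnUri is mandatory for a Federated domain; the guide lists no
# separate active endpoint, so the passive SSO URL is reused here (assumption).
Set-MsolDomainAuthentication -DomainName $domain `
    -Authentication Federated `
    -FederationBrandName "1Kosmos" `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $passiveLogOnUri `
    -ActiveLogOnUri $passiveLogOnUri `
    -LogOffUri $logOffUri `
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol SAMLP

# Read the settings back and compare each one with what was sent.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$expected = @{
    IssuerUri                       = $issuerUri
    PassiveLogOnUri                 = $passiveLogOnUri
    LogOffUri                       = $logOffUri
    SigningCertificate              = $signingCert
    PreferredAuthenticationProtocol = 'Samlp'
}
$mismatches = foreach ($name in $expected.Keys) {
    if ([string]$fed.$name -ne [string]$expected[$name]) { "${name}: got '$($fed.$name)'" }
}
if ($mismatches) { throw "Federation settings do not match what was sent:`n" + ($mismatches -join "`n") }
Write-Host "Domain $domain is federated to 1Kosmos; test with a single user before rolling out."

# To revert to Microsoft-managed authentication (see Integration notes):
# Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
```

The read-back comparison is the part worth keeping even if you type the federation command by hand: a domain whose IssuerUri or SigningCertificate differs from the AdminX values will fail every login with a signature or issuer error, and comparing the returned object field by field finds that before Step 5 does.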
Step 5: Test the integration
Navigate to office.com and click Sign in. Enter a federated domain user's email address and click Next. You will be redirected to the 1Kosmos login page. Open the 1Kosmos mobile app, tap Scan QR, scan the code, and complete biometric authentication. Confirm you are redirected to the Office 365 portal after successful authentication. Test with a single user before enabling for the full organization.
Attribute mappings
| Source (1Kosmos) | Target (Office 365) | Description |
|---|---|---|
| immutableid | NameID (persistent) | Primary SSO identifier |
| | claims/mail | User email address |
Integration notes
The immutableid attribute must be populated in your AD directory for every user who will authenticate through 1Kosmos. If the attribute is missing or mismatched, the SAML assertion will fail.
Run Get-MsolDomainFederationSettings after the PowerShell step to confirm all federation values are applied correctly before testing.
To revert to standard Microsoft authentication, run Set-MsolDomainAuthentication -DomainName -Authentication Managed.