
This article describes how to configure Nexus Hybrid Access Gateway to be used as SAML identity provider with Office 365 as service provider.

For more information about how to use a SAML 2.0 identity provider with Office 365, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

For more information about SAML, see https://wiki.oasis-open.org/security.


Prerequisites


In Hybrid Access Gateway:

In Office 365:

Step-by-step instructions

 Log in to Hybrid Access Gateway administration interface
  1. Log in to the Hybrid Access Gateway administration interface with your admin user.
 Add SAML response signing certificate
  1. Add the SAML response signing certificate in the Hybrid Access Gateway IDP as a server certificate. See Add certificates.

    Here is an example of how to create a signing certificate using OpenSSL. You can also use Nexus Certificate Manager.

    Example: Create a signing certificate using OpenSSL

    To create a self-signed signing certificate valid for ten years, use this command. OpenSSL prompts for a passphrase that protects the private key; the same passphrase is needed for the conversion in the next step:

    openssl req -x509 -days 3650 -sha256 -subj '/C=se/O=mycompany/CN=idp-signer' -newkey rsa:4096 -keyout my-idp-signer-key.pem -out my-idp-signer-cert.pem

    To convert the private key to PKCS8 format, use this command:

    openssl pkcs8 -topk8 -in my-idp-signer-key.pem -out my-idp-signer.pk8
 Download and prepare SAML metadata

The SAML metadata file from Microsoft that describes how to interact with Office 365 must be updated.

  1. Download the SAML metadata file from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
  2. Edit the file and remove the signature block (the ds:Signature element directly under EntityDescriptor). Microsoft does not provide the public key of the certificate used to sign the metadata, and Hybrid Access Gateway validates the signature if one is included, so the import would fail with the signature left in place.

    Example: Remove the signature block
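As an added example (not from the original page, Nexus or Microsoft), the following Python script removes the ds:Signature element from a downloaded federationmetadata.xml and reports what Hybrid Access Gateway will import from the result: entity ID, assertion consumer endpoints and the number of SP certificates kept. The embedded metadata is constructed to show the shape of the file, not the real download; the entity ID and login.srf endpoint are the values I expect in the real file, PLACEHOLDER-CERT stands in for the encryption certificate, and the signature values are dummies.

```python
#!/usr/bin/env python3
"""Remove the enveloped ds:Signature from Office 365 SAML metadata.

Added example, not code from Nexus or Microsoft. Usage:
    python3 strip_md_signature.py federationmetadata.xml > federationmetadata-unsigned.xml
"""
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes when serialising

# Constructed sample with the shape of federationmetadata.xml (not the real file).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:federation:MicrosoftOnline">
  <ds:Signature>
    <ds:SignedInfo/><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/login.srf" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def strip_signature(xml_text):
    """Return (unsigned_xml, number_of_signatures_removed).

    Only ds:Signature children of the EntityDescriptor are removed. The ds:KeyInfo
    inside md:KeyDescriptor is left alone: that is the SP certificate Hybrid
    Access Gateway needs, and it is not part of the signature block."""
    root = ET.fromstring(xml_text)
    signatures = root.findall("ds:Signature", NS)  # matched by namespace, not prefix
    for sig in signatures:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode"), len(signatures)


def summarize_sp(xml_text):
    """Entity ID, assertion consumer endpoints and certificate count, i.e. what the import uses."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [(a.get("Binding").rsplit(":", 1)[-1], a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    certs = len(sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    return {"entityID": root.get("entityID"), "acs": acs, "certificates": certs}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    unsigned, removed = strip_signature(text)
    print(unsigned)
    print("# removed %d signature(s); SP summary: %s" % (removed, summarize_sp(unsigned)), file=sys.stderr)
```

The element is matched by its XML namespace, so it does not matter whether the downloaded file writes it as ds:Signature or as a default-namespace Signature. After running it on the real file, check that the summary still reports at least one certificate and exactly one removed signature; a count of zero means the file was already unsigned or has a layout this script does not expect.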

 Add and configure SAML federation in Hybrid Access Gateway
  1. In the Hybrid Access Gateway administration interface, go to Manage Resource Access.
  2. Click SAML Federation > Add SAML Federation...
  3. Enter a Display Name, for example Office 365.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically.
  6. Enter values in the form, click the ?-sign for help.
  7. Select the Export tab.
  8. Enter a unique Entity ID, for example https://<myFederationDomainName>/cloudidp.
  9. Select the Signing Certificate to be used to sign the SAML responses, that is, the certificate added as a server certificate in Add SAML response signing certificate.
  10. Select the Role Identity Provider tab.
  11. Click Add Service Provider...
  12. Go to Upload SAML 2.0 metadata and choose the SAML metadata file federationmetadata.xml.
  13. Click Next and Finish.
  14. Click the newly added service provider to edit it.
  15. Click the Assertion Settings tab.
  16. Under heading Subject, select User storage attributes and enter objectGUID (typical value) in the input field.

    Subject settings

    Select source of subject: User storage attributes

    User storage attributes: objectGUID

  17. Click Add Attribute Statement...

  18. In SAML 2.0 Attribute enter IDPEmail .

  19. In User Attribute, enter the Active Directory attribute that holds the Office 365 logon name (typically userPrincipalName).
    For more information about the required attributes, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp#required-attributes

  20. Go to the Access Rules tab and click Add to select an access rule. For more information, see the Prerequisites.
  21. Click Save, Save and Save.
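As an added example (not from the page or from Nexus), the following Python script checks an assertion produced with the settings above against what Office 365 requires from a SAML identity provider, as described on the Microsoft page linked in step 19: a persistent NameID carrying the user's ImmutableID, an IDPEmail attribute holding the logon name, and the Office 365 audience. Capture a real assertion (for instance with a browser SAML tracer) after the federation is configured and run the script on it before switching the domain to federated. The sample assertions are constructed; the script assumes that ImmutableID is the Base64 encoding of the AD objectGUID bytes, which is how Azure AD Connect fills it for synchronised users, and it does not validate the XML signature.

```python
#!/usr/bin/env python3
"""Pre-flight checks on a SAML 2.0 assertion destined for Office 365.

Added example, not Nexus or Microsoft code. Signature validation is out of scope;
the point is the subject, audience and attribute content configured above.
Usage: python3 check_o365_assertion.py assertion.xml  (no argument: built-in sample)
"""
import base64
import sys
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
O365_AUDIENCE = "urn:federation:MicrosoftOnline"
PERSISTENT = "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"


def immutable_id_from_object_guid(guid_text):
    """Base64 of the objectGUID's 16 raw bytes in .NET Guid.ToByteArray() order
    (uuid.bytes_le in Python); assumed to be how Azure AD Connect fills ImmutableID."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def check_o365_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion looks usable."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if O365_AUDIENCE not in audiences:
        problems.append("Audience must be %s, got %s" % (O365_AUDIENCE, audiences))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format must be " + PERSISTENT)
        try:
            raw = base64.b64decode(name_id.text or "", validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 16:
            problems.append("NameID is not a 16-byte ImmutableID (Base64 objectGUID); "
                            "a UPN or e-mail address here is a common misconfiguration")
    emails = [v.text for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == "IDPEmail" for v in a.findall("saml:AttributeValue", NS)]
    if not emails or not emails[0] or "@" not in emails[0]:
        problems.append("IDPEmail attribute missing or not a UPN")
    return problems


def sample_assertion(name_id, audience, email):
    """Constructed, unsigned assertion containing only the fields the checks look at."""
    return """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/cloudidp</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">{nid}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="IDPEmail">
    <saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>""".format(fmt=PERSISTENT, nid=name_id, aud=audience, mail=email)


GOOD = sample_assertion(immutable_id_from_object_guid("01020304-0506-0708-090a-0b0c0d0e0f10"),
                        O365_AUDIENCE, "alice@example.com")
# Typical mistakes: UPN in the NameID, wrong audience, bare user name as IDPEmail.
BAD = sample_assertion("alice@example.com", "https://login.microsoftonline.com", "alice")

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else GOOD
    for line in check_o365_assertion(text) or ["OK"]:
        print(line)
```

A passing check only shows that the assertion has the shape Office 365 expects; the NameID value must also equal the ImmutableID of the same user in the tenant, which you can compare with immutable_id_from_object_guid applied to the user's objectGUID from Active Directory.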

 Configure Hybrid Access Gateway as a trusted identity provider in Office 365

To configure Hybrid Access Gateway as a trusted identity provider, use PowerShell commands against Office 365.

  1. Use the PowerShell module MSOnline. Create a script file for the configuration and import MSOnline in the Windows PowerShell ISE console with the command:

     Import-Module MSOnline

  2. Copy the text from this example to your configuration file, and replace the placeholders in angle brackets with the values for your environment.

PowerShell example

$cred = Get-Credential  # When asked for credentials, enter your O365 admin account
Connect-MsolService -Credential $cred

$domainName = "<myFederationDomainName>"  ## Name of the federated domain in O365
$brandName = "Nexus IDP"  ## Brand name of the federation, no function but must be set
$browserSSOLoginURL = "https://<myFederationDomainName>/wa/auth/saml/"  ## Logon URL used by browser clients
$issuerURI = "https://<myFederationDomainName>/cloudidp"  ## Your Entity ID, the same as specified in Hybrid Access Gateway
$logoutURL = "https://<myFederationDomainName>/office365logout.html"  ## Your logout page
$SigningCertificate = "xxx"  ## The signing certificate used by your Hybrid Access Gateway Identity Provider (SAML 2.0 IDP): the Base64 body of the PEM certificate only, without the BEGIN/END CERTIFICATE lines or line breaks
$ssoProtocol = "SAMLP"  ## Use SAML 2.0 as SSO protocol

Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $brandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $SigningCertificate -IssuerUri $issuerURI -LogOffUri $logoutURL -PreferredAuthenticationProtocol $ssoProtocol

Get-MsolDomainFederationSettings -DomainName $domainName  # Verify the federation settings of the domain in O365
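As an added example (not from the page or from Nexus), the following Python script produces the $SigningCertificate string from the PEM certificate file (for instance my-idp-signer-cert.pem from the OpenSSL step) and refuses input that is not one complete DER certificate, which catches a truncated paste or a private key file passed by mistake. It also prints the SHA-1 thumbprint of the certificate so the value can be matched against the certificate selected in Hybrid Access Gateway. The embedded PEM wraps a constructed 5-byte DER structure, not a real certificate, so the script runs offline.

```python
#!/usr/bin/env python3
"""Prepare the -SigningCertificate value for Set-MsolDomainAuthentication.

Added example, not Nexus or Microsoft code. The cmdlet wants the certificate's
Base64 DER body as one string: no BEGIN/END lines, no line breaks, and never the
private key. The PEM below wraps a constructed 5-byte DER SEQUENCE rather than a
real certificate so the script runs offline.
Usage: python3 msol_signing_cert.py my-idp-signer-cert.pem
"""
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_is_complete(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long-form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_msol_signing_certificate(pem_text):
    """Return (base64_body, sha1_thumbprint) or raise ValueError.

    The thumbprint is SHA-1 over the DER bytes in upper-case hex, the usual
    certificate thumbprint form, for comparison with the certificate in HAG."""
    m = PEM_CERT.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found (was the private key passed?)")
    body = re.sub(r"\s+", "", m.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:               # binascii.Error subclasses ValueError
        raise ValueError("certificate body is not valid Base64: %s" % exc)
    if not der_is_complete(der):
        raise ValueError("Base64 decodes, but not to one complete DER certificate (truncated paste?)")
    return body, hashlib.sha1(der).hexdigest().upper()


def is_usable_signing_certificate(pem_text):
    """Boolean wrapper around pem_to_msol_signing_certificate."""
    try:
        pem_to_msol_signing_certificate(pem_text)
        return True
    except ValueError:
        return False


CONSTRUCTED_DER = b"\x30\x03\x02\x01\x01"    # SEQUENCE { INTEGER 1 }, stands in for a cert
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")
TRUNCATED_PEM = CONSTRUCTED_PEM.replace("MAMCAQE=", "MAMC")   # bytes missing from the paste
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else CONSTRUCTED_PEM
    body, thumbprint = pem_to_msol_signing_certificate(text)
    print('$SigningCertificate = "%s"' % body)
    print("# thumbprint %s" % thumbprint, file=sys.stderr)
```

After Set-MsolDomainAuthentication has run, the SigningCertificate field returned by Get-MsolDomainFederationSettings should be the same string the script printed; a mismatch means Office 365 will reject every assertion from the gateway.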

 Add login and logout pages

These steps are done so that the end user does not need to enter their userPrincipalName on the Office 365 logon page after clicking the portal item in the Hybrid Access Gateway portal: the login page passes the federated domain name to Office 365 in the whr parameter (home realm discovery), which sends the browser straight to the Hybrid Access Gateway logon URL.

  1. In the Hybrid Access Gateway administration interface, go to Browse.
  2. Go to access-point/custom-files/wwwroot.
  3. Create a file named office365.html and add the text below. Replace the placeholder in angle brackets with your federated domain name.

    Example: Login page

    <html>
      <head>
        <script type="text/JavaScript">
          location.href = "https://login.microsoftonline.com/login.srf?whr=<myFederationDomainName>";
        </script>
      </head>
      <body>
      </body>
    </html>

  4. Optional: Add a logout page that is shown when a user logs out from Office 365 (the page configured as the logout URL in the PowerShell example above).
  5. Go to access-point/custom-files/wwwroot.
  6. Create a file named office365logout.html and add the text below.
    Example: Logout page

    <html>
      <head>
        <script>
          // End the Hybrid Access Gateway session in the background, then send
          // the browser on to the Office 365 login page.
          var xmlhttp;
          if (window.XMLHttpRequest) {
            // IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp = new XMLHttpRequest();
          } else {
            // IE6, IE5
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
          }
          xmlhttp.open("GET", "/wa/logout", true);
          xmlhttp.send();
          setTimeout(function () { location.href = "https://login.microsoftonline.com"; }, 2000);
        </script>
      </head>
      <body>
      </body>
    </html>

 Create portal item for users

Create a portal item for the users to click on to be automatically logged on to Office 365. The portal item shall be protected with the same access rule as selected for the service provider. For more information, see the Prerequisites.

  1. In the Hybrid Access Gateway administration interface, go to  Manage Resource Access.
  2. Click Web Resources.
  3. Select Access Point and click Add Resource Path...
  4. Check Enable resource and enter the path.
  5. Check Make resource available in the portal.
  6. Select icon and enter link text, for example Office 365.
  7. Click Save and Publish.