

This article describes how to configure the Smart ID Digital Access component as a SAML 2.0 identity provider (IdP) with Office 365 as the service provider (SP).

For more information about how to use a SAML 2.0 identity provider with Office 365, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

For more information about SAML, see https://wiki.oasis-open.org/security.


Prerequisites

In Digital Access:

In Office 365:

Step-by-step instructions

  1. Log in to Digital Access Admin with an administrator account.
  2. Add the SAML response signing certificate in the Digital Access IDP as a server certificate. See Add certificates in Digital Access.

    Here is an example of how to create a signing certificate using OpenSSL. You can also use Smart ID Certificate Manager.

    Example: Create a signing certificate using OpenSSL

    To create a self-signed signing certificate (RSA 4096, SHA-256, valid for ten years), use this command:

    openssl req -x509 -days 3650 -sha256 -subj '/C=se/O=mycompany/CN=idp-signer' -newkey rsa:4096 -keyout my-idp-signer-key.pem -out my-idp-signer-cert.pem

    To convert the private key to PKCS#8 format, use this command:

    openssl pkcs8 -topk8 -in my-idp-signer-key.pem -out my-idp-signer.pk8

    Both commands prompt for a passphrase and write the private key encrypted. Only the certificate file (my-idp-signer-cert.pem) is later given to Office 365; the private key stays on the Digital Access node. Whoever holds that key can issue assertions for any user in the federated domain, so protect it accordingly. Because the certificate is self-signed, Office 365 must be updated with the new certificate when it is renewed (Set-MsolDomainFederationSettings -NextSigningCertificate can stage the replacement ahead of time).

The SAML metadata file from Microsoft, which describes how to interact with Office 365, must be edited before it can be imported into Digital Access.

  1. Download the SAML metadata file from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml (over HTTPS; after the next step, the TLS connection is the only integrity protection the file has).
  2. Edit the file and remove the signature block: the <Signature> element in the XML Signature namespace (http://www.w3.org/2000/09/xmldsig#) that is the first child of the root <EntityDescriptor> element. The reason is that Microsoft does not provide the public key of the signing certificate, and Digital Access requires validating the signature if one is included. Before importing the edited file, check that the AssertionConsumerService Location values in it still point at login.microsoftonline.com, since those are the endpoints the IdP will post signed responses to.
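As an added example (Python, standard library only; not part of the Nexus documentation or of Digital Access), the following script performs the edit described above: it removes every ds:Signature element from a SAML metadata document and then lists the AssertionConsumerService endpoints so they can be checked before import. SAMPLE_METADATA is a constructed, trimmed-down stand-in for federationmetadata.xml with the same shape (a single EntityDescriptor whose first child is the Signature); to use the script on the real download, pass the file contents instead.

```python
"""Strip the XML Signature from SAML metadata and sanity-check the SP endpoints."""
import io
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample input (not Microsoft's real metadata): the same shape, a
# <Signature> as first child of the root <EntityDescriptor>, but only a few elements.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_sample" entityID="urn:federation:MicrosoftOnline">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </SignedInfo>
    <SignatureValue>c2FtcGxl</SignatureValue>
  </Signature>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/login.srf" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _register_prefixes(xml_bytes):
    """Keep the document's own namespace prefixes when re-serialising.

    ElementTree otherwise renames them to ns0, ns1, ... (still valid XML, but
    harder to diff against the original). The first prefix seen for a URI wins
    and a prefix is never bound twice, so the output never repeats an xmlns.
    """
    seen = set()
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",)):
        if prefix not in seen:
            seen.add(prefix)
            ET.register_namespace(prefix, uri)


def strip_signature(xml_text):
    """Remove every ds:Signature element. Returns (cleaned XML text, count removed)."""
    xml_bytes = xml_text.encode("utf-8")
    _register_prefixes(xml_bytes)
    root = ET.fromstring(xml_bytes)
    sig_tag = "{%s}Signature" % DS_NS
    # Collect first, then remove: mutating the tree while iterating it skips nodes.
    found = [(parent, child) for parent in root.iter()
             for child in list(parent) if child.tag == sig_tag]
    for parent, child in found:
        parent.remove(child)
    # tostring(encoding="unicode") writes no XML declaration, so add it back.
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, len(found)


def has_signature(xml_text):
    """True if a ds:Signature element is still present anywhere in the document."""
    return ET.fromstring(xml_text).find(".//{%s}Signature" % DS_NS) is not None


def assertion_consumer_locations(xml_text):
    """The URLs the IdP will POST signed responses to."""
    root = ET.fromstring(xml_text)
    return [acs.get("Location") for acs in root.iter("{%s}AssertionConsumerService" % MD_NS)]


def acs_hosts_allowed(xml_text, allowed_hosts=("login.microsoftonline.com",)):
    """Sanity check before import: with the signature gone, nothing else proves the
    endpoints were not tampered with, so insist that every ACS host is Microsoft's."""
    locations = assertion_consumer_locations(xml_text)
    return bool(locations) and all(
        urlparse(loc or "").hostname in allowed_hosts for loc in locations)


if __name__ == "__main__":
    cleaned, removed = strip_signature(SAMPLE_METADATA)
    print("removed %d signature element(s)" % removed)
    print("ACS endpoints:", assertion_consumer_locations(cleaned))
    print("all ACS hosts allowed:", acs_hosts_allowed(cleaned))
    print(cleaned)
```

Run it against the real file with open("federationmetadata.xml", encoding="utf-8").read() in place of SAMPLE_METADATA, write the returned text to a new file, and diff the two: the only difference should be the removed Signature element. Microsoft's file is much larger and declares more namespaces than the sample; the script keeps their prefixes, but it is still worth checking that the output parses and that acs_hosts_allowed() returns True before uploading it in Digital Access Admin.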

  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click SAML Federation > Add SAML Federation...
  3. Enter a Display Name, for example Office 365.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically.
  6. Enter values in the form; click the ?-sign for help.
  7. Select the Export tab.
  8. Enter a unique Entity ID, for example https://<myFederationDomainName>/cloudidp. The same value is entered as IssuerUri in Office 365 later.
  9. Select the Signing Certificate to be used to sign SAML responses (the certificate added under Prerequisites).
  10. Select the Role Identity Provider tab.
  11. Click Add Service Provider...
  12. Go to Upload SAML 2.0 metadata and choose the edited SAML metadata file federationmetadata.xml.
  13. Click Next and Finish.
  14. Click the newly added service provider to edit it.
  15. Click the Assertion Settings tab.
  16. Under the heading Subject, select User storage attributes and enter objectGUID (typical value) in the input field. Whatever the source attribute, the resulting NameID value must equal the user's ImmutableId in Office 365; for users synchronised with Azure AD Connect that is the base64-encoded objectGUID.

    Subject settings

    Select source of subject: User storage attributes

    User storage attributes: objectGUID

  17. Click Add Attribute Statement...

  18. In SAML 2.0 Attribute, enter IDPEmail.

  19. In User Attribute, enter the Active Directory attribute that holds the Office 365 logon name (typical value is userPrincipalName). Its value must match the user's UserPrincipalName in Office 365.
    For more information about the required attributes, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp#required-attributes

  20. Go to the Access Rules tab and click Add to select an access rule. For more information, see the Prerequisites.
  21. Click Save in each of the open dialogs (three times in total).

To configure Digital Access as a trusted identity provider, run PowerShell commands against Office 365.

  1. Use the PowerShell module MSOnline to create a configuration script. To import MSOnline in the Windows PowerShell ISE console, run the command:

     Import-Module MSOnline

     Microsoft has deprecated the MSOnline module; the Microsoft Graph PowerShell equivalent of Set-MsolDomainAuthentication is New-MgDomainFederationConfiguration, which takes the same kind of values (issuer, passive sign-in URI, sign-out URI, signing certificate, protocol).

  2. Copy the text from this example to your configuration script, and replace the placeholder values in angle brackets to fit your configuration.

PowerShell example

$cred = Get-Credential                   # When asked for credentials, enter your O365 admin account
Connect-MsolService -Credential $cred

$domainName = "<myFederationDomainName>"                                  ## Name of the federated domain in O365
$brandName = "Nexus IDP"                                                  ## Brand name of the federation, no function but must be set
$browserSSOLoginURL = "https://<myFederationDomainName>/wa/auth/saml/"   ## Logon URL that should be used by browser clients
$issuerURI = "https://<myFederationDomainName>/cloudidp"                 ## Your Entity ID, same as specified in Digital Access
$logoutURL = "https://<myFederationDomainName>/office365logout.html"     ## Your logout page

## Your signing certificate used by the Digital Access Identity Provider (SAML 2.0 IDP):
## the base64 body of the PEM certificate file only, without the BEGIN/END CERTIFICATE lines and without line breaks
$SigningCertificate = (Get-Content my-idp-signer-cert.pem | Where-Object { $_ -notmatch '^-----' }) -join ''

$ssoProtocol = "SAMLP"                   ## Use SAML 2.0 as SSO protocol

## Converts the whole domain to federated authentication: from now on every user in it signs in via Digital Access
Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $brandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $SigningCertificate -IssuerUri $issuerURI -LogOffUri $logoutURL -PreferredAuthenticationProtocol $ssoProtocol

Get-MsolDomainFederationSettings -DomainName $domainName   # Verify the federation settings of the domain in O365

These steps let the end user skip entering the userPrincipalName on the Office 365 logon page after clicking the portal item in the Digital Access portal: the whr (home realm) parameter tells Office 365 which federated domain the user belongs to, so the browser is sent straight on to the Digital Access IdP.

  1. In Digital Access Admin, go to Browse.
  2. Go to access-point/custom-files/wwwroot.
  3. Create a file named office365.html and add the text below. Replace <myFederationDomainName> with your federated domain.

    Example: Login page

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="utf-8">
        <script type="text/javascript">
          // Send the browser to Office 365 with the home realm (whr) preset, so the user
          // is not asked for a user name before being redirected back to the IdP.
          location.href = "https://login.microsoftonline.com/login.srf?whr=<myFederationDomainName>";
        </script>
      </head>
      <body>
      </body>
    </html>

  4. Optional: Add a logout page that is shown when a user logs out of Office 365 (the LogOffUri configured above).
  5. Go to access-point/custom-files/wwwroot.
  6. Create a file named office365logout.html and add the text below.

    Example: Logout page

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="utf-8">
        <script type="text/javascript">
          // Office 365 sends the browser here after signing the user out. End the
          // Digital Access session as well, then return to the Office 365 sign-in page.
          var target = "https://login.microsoftonline.com";
          var redirected = false;
          function leave() {
            if (!redirected) {
              redirected = true;
              location.href = target;
            }
          }
          var xmlhttp = new XMLHttpRequest();
          xmlhttp.open("GET", "/wa/logout", true);
          // Redirect as soon as the Digital Access logout has completed ...
          xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState === 4) {
              leave();
            }
          };
          xmlhttp.send();
          // ... or after 2 seconds if it has not answered, so the user is never left on this page.
          setTimeout(leave, 2000);
        </script>
      </head>
      <body>
      </body>
    </html>

Create a portal item for the users to click on to be automatically logged on to Office 365. The portal item must be protected with the same access rule as selected for the service provider, so that only users who are allowed to get an assertion can start the flow. For more information, see the Prerequisites.

  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources.
  3. Select Access Point and click Add Resource Path...
  4. Check Enable resource and enter the path of the login page created above (for example /office365.html).
  5. Check Make resource available in the portal.
  6. Select an icon and enter the link text, for example Office 365.
  7. Click Save and Publish.