Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


Skip to end of metadata
Go to start of metadata

This article describes how to configure Smart ID Digital Access component (Hybrid Access Gateway) to be used as SAML identity provider with Office 365 as service provider.

For more information about how to use a SAML 2.0 identity provider with Office 365, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

For more information about SAML, see https://wiki.oasis-open.org/security.

Expand/Collapse All

Prerequisites

 Prerequisites

In Digital Access:

In Office 365:

Step by step instruction

 Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.
 Add SAML response signing certificate
  1. Add the SAML response signing certificate in the Digital Access IDP as a server certificate. See Add certificates in Digital Access.

    Here is an example of how to create a signing certificate using OpenSSL. You can also use Smart ID Certificate Manager.

    Example: Create a signing certificate using OpenSSL

    To create a signing certificate, use this command

    openssl req -x509 -days 3650 -sha256 -subj '/C=se/O=mycompany/CN=idp-signer' -newkey rsa:4096 -keyout my-idp-signer-key.pem -out my-idp-signer-cert.pem

    To convert the private key to PKCS8 format, use this command:

    openssl pkcs8 -topk8 -in my-idp-signer-key.pem -out my-idp-signer.pk8
 Download and prepare SAML metadata

The SAML metadata file from Microsoft that describes how to interact with Office 365 must be updated.

  1. Download the SAML metadata file from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
  2. Edit the file and remove the signature block. The reason for that is that Microsoft doesn’t provide the public key to the signing certificate and Digital Access requires validating the signature if included.

    Example: Remove the signature block

 Add and configure SAML federation in Digital Access
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click SAML Federation > Add SAML Federation...
  3. Enter a Display Name, for example Office 365.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically.
  6. Enter values in the form, click the ?-sign for help.
  7. Select the Export tab.
  8. Enter a unique Entity ID, for example https://<myFederationDomainName>/cloudidp.
  9. Select the Signing Certificate to be used to sign SAML requests.
  10. Select the Role Identity Provider tab.
  11. Click Add Service Provider...
  12. Go to Upload SAML 2.0 metadata and choose the SAML metadata file federationmetadata.xml.
  13. Click Next and Finish.
  14. Click the newly added service provider to edit it.
  15. Click the Assertion Settings tab.
  16. Under heading Subject, select User storage attributes and enter objectGUID (typical value) in the input field.

    Subject settings

    Select source of subject: User storage attributes

    User storage attributes: objectGUID

  17. Click Add Attribute Statement...

  18. In SAML 2.0 Attribute enter IDPEmail .

  19. In User Attribute enter the user attribute in Active Directory pointing at the Office 365 logon name (typical value is userPrincipalName.)
    For more information about the required attributes, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp#required-attributes

  20. Go to the Access Rules tab and click Add to select an access rule. For more information, see the Prerequisites.
  21. Click Save, Save and Save.

 Configure Digital Access as a trusted identity provider in Office 365

To configure Digital Access as a trusted identity provider, use PowerShell commands against Office 365.

  1. Use the PowerShell module MSOnline to create a configuration file. To import MSOnline in the Windows PowsrShell ISE console run the command:

     Import-Module MSOnline

  2. Copy the text from this example to your configuration file, and change the italic bold text in the example file to fit your configuration.

Powershell example

cred = Get-Credential # When asked for credentials enter your O365 admin account

connect-MsolService -credential $cred

domainName = "<myFederationDomainName>" ## Name of the domain in O365

$brandName = "Nexus IDP" ## Brandname of the federation, no function but needs to be set

$browserSSOLoginURL = "https://<myFederationDomainName>/wa/auth/saml/"

## Logon url that should be used by browser clients

$issuerURI = "https://<myFederationDomainName>/cloudidp"

## Your Entity ID, same as specified in Digital Access

$logoutURL = "https://<myFederationDomainName>/office365logout.html"

## Your logout page

$SigningCertificate = "xxx"

## Your signing certificate used by your Digital Access Identity Provider (SAML 2.0 IDP), base64 encoded PEM format

$ssoProtocol = "SAMLP" ## Use SAML 2.0 as SSO protocol

Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $brandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $SigningCertificate -IssuerUri $issuerURI -LogOffUri $logoutURL -PreferredAuthenticationProtocol $ssoProtocol

Get-MsolDomainFederationSettings -DomainName $domainName # Federated domainname in O365

 Add login and logout pages

These steps are done so that the end user will not need to enter its userPrincipalName in the Office 365 logon pages, after the portal item is clicked in the Digital Access portal.

  1. In Digital Access Admin, go to Browse.
  2. Go to access-point/custom-files/wwwroot.
  3. Create a file named office365.html and add the text below. Change the italic bold text to fit your configuration.

    Example: Login page

    <html>

                <head>

                             <script type="text/JavaScript">

                                         location.href = "https://login.microsoftonline.com/login.srf?whr=<myFederationDomainName>";

                             </script>

                </head>

                <body>

                </body>

    </html>

  4. Optional: Add a logout page that is shown when a user tries to log out in Office 365.
  5. Go to access-point/custom-files/wwwroot.
  6. Create a file in named office365logout.html and add the text below.
Example: Logout page

<html>

            <head>

                         <script>

                                     var xmlhttp;

                                     if (window.XMLHttpRequest) {

                                                  // code for IE7+, Firefox, Chrome, Opera, Safari

                                                  xmlhttp = new XMLHttpRequest();

                                     } else {

                                                  // code for IE6, IE5

                                                  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");

                                     }

                                     xmlhttp.open("GET","/wa/logout",true);

                                     xmlhttp.send();

                                     setTimeout("location.href = 'https://login.microsoftonline.com';",2000);

                         </script>

            </head>

            <body>

            </body>

</html>

 Create portal item for users

Create a portal item for the users to click on to be automatically logged on to Office 365. The portal item shall be protected with the same access rule as selected for the service provider. For more information, see the Prerequisites.

  1. In Digital Access Admin, go to  Manage Resource Access.
  2. Click Web Resources.
  3. Select Access Point and click Add Resource Path...
  4. Check Enable resource and enter the path.
  5. Check Make resource available in the portal.
  6. Select icon and enter link text, for example Office 365.
  7. Click Save and Publish.