
Set up access to Office 365 with Digital Access as identity provider

This article describes how to configure the Smart ID Digital Access component as a SAML 2.0 identity provider (IdP) with Office 365 as the service provider (SP).

For more information about how to use a SAML 2.0 identity provider with Office 365, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

For more information about SAML, see https://wiki.oasis-open.org/security.

Prerequisites

In Digital Access:

In Office 365:

Step by step instruction

Log in to Digital Access Admin with an administrator account.

Add SAML response signing certificate

Example: Create a signing certificate using OpenSSL

To create a self-signed signing certificate (RSA 4096, SHA-256, valid for ten years), use this command. The subject fields are example values; OpenSSL prompts for a passphrase to protect the private key:

CODE
# Self-signed certificate plus private key; replace C, O and CN with your own values.
openssl req -x509 -days 3650 -sha256 -subj '/C=se/O=mycompany/CN=idp-signer' -newkey rsa:4096 -keyout my-idp-signer-key.pem -out my-idp-signer-cert.pem

To convert the private key to PKCS#8 format (OpenSSL asks for the existing passphrase and for a new one to encrypt the output), use this command:

CODE
# Re-wrap the key as PKCS#8; the output file is the one to import into Digital Access.
openssl pkcs8 -topk8 -in my-idp-signer-key.pem -out my-idp-signer.pk8

Download and prepare SAML metadata

The SAML metadata file from Microsoft that describes how to interact with Office 365 must be edited before it can be uploaded to Digital Access.

  1. Download the SAML metadata file from https://<company>.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

  2. Edit the file and remove the signature block (the whole Signature element, from its opening tag to its closing tag). Microsoft does not publish the public key of the certificate that signs this file, and Digital Access rejects metadata that carries a signature it cannot validate. Once the signature is gone, the only protection for the file's integrity is the HTTPS download itself, so open the file and confirm that the entityID and the AssertionConsumerService locations are the Office 365 ones before uploading it.
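The following script is an added example, not part of Digital Access or of Microsoft's tooling. It removes the top-level Signature element with a namespace-aware XML parser instead of a text editor, and then prints the fields worth checking before upload: entityID, whether the SP wants signed assertions, the NameID formats and the AssertionConsumerService endpoints. The expected entityID (urn:federation:MicrosoftOnline) and endpoint host (login.microsoftonline.com) used by the sanity check, and the inline sample metadata, are assumptions constructed for the example; compare them with the file you downloaded.

```python
"""Prepare Office 365 SAML metadata for upload to Digital Access.

Added example (not Nexus or Microsoft code): strips the ds:Signature block that
Digital Access cannot validate and reports what the file declares.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Keep the usual prefixes when serialising instead of ET's generated ns0/ns1.
ET.register_namespace("", MD_NS)
ET.register_namespace("ds", DS_NS)

# Assumed identifiers for the Office 365 service provider, used only by the
# sanity check below; verify them against the file you actually downloaded.
EXPECTED_ENTITY_ID = "urn:federation:MicrosoftOnline"
EXPECTED_ACS_PREFIX = "https://login.microsoftonline.com/"

# Constructed stand-in for federationmetadata.xml (not Microsoft's real file).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="{EXPECTED_ENTITY_ID}">
  <ds:Signature xmlns:ds="{DS_NS}">
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <SPSSODescriptor WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://login.microsoftonline.com/login.srf"
                              index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def strip_signature(xml_text) -> str:
    """Return the metadata (str or bytes in) with every top-level ds:Signature removed."""
    root = ET.fromstring(xml_text)
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def describe(xml_text) -> dict:
    """Summarise the fields an admin should look at before uploading."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def looks_like_office365(info: dict) -> bool:
    """Check that the now-unsigned file still points where Office 365 metadata should."""
    return (info["entity_id"] == EXPECTED_ENTITY_ID
            and bool(info["acs"])
            and all(loc.startswith(EXPECTED_ACS_PREFIX) for _, loc in info["acs"]))


if __name__ == "__main__":
    # Usage: python prepare_metadata.py federationmetadata.xml > federationmetadata-unsigned.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            text = f.read()
    else:
        text = SAMPLE_METADATA
    unsigned = strip_signature(text)
    info = describe(unsigned)
    print(info, file=sys.stderr)
    if not looks_like_office365(info):
        sys.exit("metadata does not look like Office 365 service-provider metadata")
    print(unsigned)
```

Run it on the downloaded file and redirect the output to a new file; that file is the one to upload in the Digital Access "Upload SAML 2.0 metadata" step. The summary goes to standard error so it does not end up in the metadata file.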

Add and configure SAML federation in Digital Access

  1. In Digital Access Admin, go to Manage Resource Access.

  2. Click SAML Federation > Add SAML Federation...

  3. Enter a Display Name, for example Office 365.

  4. Check Acting as Identity Provider.

  5. Uncheck Import metadata automatically (the edited metadata file is uploaded manually in a later step).

  6. Enter the remaining values in the form; click the ?-sign next to a field for help.

  7. Select the Export tab.

  8. Enter a unique Entity ID, for example https://<myFederationDomainName>/cloudidp.

  9. Select the Signing Certificate that Digital Access will use to sign the SAML responses it sends to Office 365 (the certificate created above).

  10. Select the Role Identity Provider tab.

  11. Click Add Service Provider...

  12. Go to Upload SAML 2.0 metadata and choose the SAML metadata file federationmetadata.xml.

  13. Click Next and Finish.

  14. Click the newly added service provider to edit it.

  15. Click the Assertion Settings tab.

  16. Under the heading Subject, set Select source of subject to User storage attributes and enter objectGUID (the typical value) in the User storage attributes field.

  17. Click Add Attribute Statement...

  18. In SAML 2.0 Attribute, enter IDPEmail.

  19. In User Attribute, enter the Active Directory attribute that holds the Office 365 logon name (typically userPrincipalName).
    For more information about the attributes Office 365 requires, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp#required-attributes

  20. Go to the Access Rules tab and click Add to select an access rule. For more information, see the Prerequisites.

  21. Click Save in each of the three open dialogs.

Configure Digital Access as a trusted identity provider in Office 365

To configure Digital Access as a trusted identity provider, run PowerShell commands against Office 365. The domain you federate must already be verified in the tenant, and converting it to federated authentication affects every user whose logon name is in that domain.

  1. Use the PowerShell module MSOnline to create a configuration script. To import MSOnline in the Windows PowerShell ISE console, run the command:

     Import-Module MSOnline

     Note that Microsoft has deprecated the MSOnline module in favour of the Microsoft Graph PowerShell SDK; check that it is still available in your environment.

  2. Copy the text from this example into your configuration script and replace the placeholders in angle brackets with values for your environment.

Powershell example

CODE
$cred = Get-Credential                      # when prompted, enter your Office 365 admin account
Connect-MsolService -Credential $cred

$domainName = "<myFederationDomainName>"    ## name of the domain in Office 365
$brandName = "Nexus IDP"                    ## brand name of the federation; has no function but must be set
$browserSSOLoginURL = "https://<myFederationDomainName>/wa/auth/saml/"   ## logon URL used by browser clients
$issuerURI = "https://<myFederationDomainName>/cloudidp"                ## your Entity ID, same as specified in Digital Access
$logoutURL = "https://<myFederationDomainName>/office365logout.html"    ## your logout page
$SigningCertificate = "xxx"                 ## the signing certificate of your Digital Access identity provider (SAML 2.0 IdP): the base64 body of the PEM file, without the BEGIN/END lines and without line breaks
$ssoProtocol = "SAMLP"                      ## use SAML 2.0 as SSO protocol

Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $brandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $SigningCertificate -IssuerUri $issuerURI -LogOffUri $logoutURL -PreferredAuthenticationProtocol $ssoProtocol

Get-MsolDomainFederationSettings -DomainName $domainName   # show the federation settings now stored for the domain
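The value for $SigningCertificate is easy to get wrong by hand (a stray line break or a BEGIN/END line makes the cmdlet reject it, or worse, federates the domain with a certificate that does not match the one Digital Access signs with). The script below is an added example, not Nexus or Microsoft code: it extracts the single-line base64 DER body from the certificate file created with OpenSSL above, computes the SHA-256 fingerprint in the same form as openssl x509 -fingerprint -sha256 so you can compare it with the certificate selected in Digital Access, and compares a value read back from Get-MsolDomainFederationSettings with the local file. It assumes the -SigningCertificate parameter takes exactly that base64 string; the inline sample certificate is a constructed placeholder, not a real X.509 certificate.

```python
"""Turn the OpenSSL-generated certificate into the string for -SigningCertificate.

Added example (not Nexus or Microsoft code). Assumes the parameter takes the
base64 DER body of the PEM file, i.e. the text between the BEGIN/END lines with
line breaks removed, which is also what Get-MsolDomainFederationSettings shows.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample: a fake payload wrapped in PEM armour so the script runs
# without the real my-idp-signer-cert.pem. It is not a parseable certificate.
SAMPLE_DER = b"constructed, not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")


def pem_to_base64(pem_text: str) -> str:
    """Return the single-line base64 DER of the first CERTIFICATE block in pem_text."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found; pass the -out file from openssl req, not the key")
    body = "".join(m.group(1).split())       # drop line breaks and indentation
    base64.b64decode(body, validate=True)     # reject corrupted or truncated input early
    return body


def der_bytes(b64: str) -> bytes:
    """Decode the base64 value back to DER, ignoring any whitespace."""
    return base64.b64decode("".join(b64.split()), validate=True)


def fingerprint_sha256(b64: str) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(der_bytes(b64)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def same_certificate(local_b64: str, tenant_b64: str) -> bool:
    """Compare the local value with the SigningCertificate returned by Get-MsolDomainFederationSettings."""
    return der_bytes(local_b64) == der_bytes(tenant_b64)


if __name__ == "__main__":
    # Usage: python prepare_signing_cert.py my-idp-signer-cert.pem
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as f:
            pem = f.read()
    else:
        pem = SAMPLE_PEM
    value = pem_to_base64(pem)
    print("SHA-256 fingerprint:", fingerprint_sha256(value), file=sys.stderr)
    print(f'$SigningCertificate = "{value}"')
```

Paste the printed assignment into the PowerShell script in place of the "xxx" line. After Set-MsolDomainAuthentication has run, paste the SigningCertificate value from Get-MsolDomainFederationSettings into same_certificate to confirm the tenant holds the certificate you intended.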

Add login and logout pages

These pages are added so that end users do not have to enter their userPrincipalName on the Office 365 logon page after clicking the portal item in the Digital Access portal.

  1. In Digital Access Admin, go to Browse.

  2. Go to access-point/custom-files/wwwroot.

  3. Create a file named office365.html and add the text below. Replace the placeholder in angle brackets with your federated domain name.

    CODE
    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="utf-8">
        <script type="text/javascript">
          // Send the browser straight to the Office 365 sign-in page with the federated
          // domain pre-filled (whr = home realm), so the user is not asked for a
          // userPrincipalName. location.replace keeps this redirect page out of the
          // browser history, so the Back button does not land on it again.
          location.replace("https://login.microsoftonline.com/login.srf?whr=<myFederationDomainName>");
        </script>
      </head>
      <body>
      </body>
    </html>
  4. Optional: Add the logout page referenced as $logoutURL (LogOffUri) in the PowerShell configuration. Office 365 sends the browser there when the user signs out.

  5. Go to access-point/custom-files/wwwroot.

  6. Create a file named office365logout.html and add the text below.

CODE
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <script>
      // End the Digital Access session first, then send the browser to the
      // Office 365 sign-in page. Redirect as soon as the logout call has
      // finished, or after 2 seconds if it has not answered by then.
      var redirected = false;
      function goToLogin() {
        if (redirected) { return; }
        redirected = true;
        location.href = "https://login.microsoftonline.com";
      }
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.onloadend = goToLogin;
      xmlhttp.open("GET", "/wa/logout", true);
      xmlhttp.send();
      setTimeout(goToLogin, 2000);
    </script>
  </head>
  <body>
  </body>
</html>

Create portal item for users

Create a portal item for users to click on to be logged on to Office 365 automatically. The portal item must be protected with the same access rule as the one selected for the service provider. For more information, see the Prerequisites.

  1. In Digital Access Admin, go to Manage Resource Access.

  2. Click Web Resources.

  3. Select Access Point and click Add Resource Path...

  4. Check Enable resource and enter the path, for example the path to the office365.html page created above.

  5. Check Make resource available in the portal.

  6. Select icon and enter link text, for example Office 365.

  7. Click Save and Publish.

Video example

To see what it looks like to log in to Office 365 with Personal Mobile, when configured via the Digital Access component, see here
