Set up access to Office 365 with Digital Access as identity provider
This article describes how to configure Smart ID Digital Access component to be used as SAML identity provider with Office 365 as service provider.
For more information about how to use a SAML 2.0 identity provider with Office 365, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp
For more information about SAML, see https://wiki.oasis-open.org/security.
Step by step instruction
Log in to Digital Access Admin with an administrator account.
Add SAML response signing certificate
Add the SAML response signing certificate in the Digital Access IDP as a server certificate. See Add certificates in Digital Access.
Here is an example of how to create a signing certificate using OpenSSL. You can also use Smart ID Certificate Manager.
Example: Create a signing certificate using OpenSSL
To create a signing certificate, use this command:
openssl req -x509 -days 3650 -sha256 -subj '/C=se/O=mycompany/CN=idp-signer' -newkey rsa:4096 -keyout my-idp-signer-key.pem -out my-idp-signer-cert.pem
To convert the private key to PKCS8 format, use this command:
openssl pkcs8 -topk8 -in my-idp-signer-key.pem -out my-idp-signer.pk8
Download and prepare SAML metadata
The SAML metadata file from Microsoft that describes how to interact with Office 365 must be updated.
Download the SAML metadata file from https://<company>.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
Edit the file and remove the signature block. The reason is that Microsoft does not provide the public key of the certificate that signed the metadata, and Digital Access validates the signature whenever one is included, so the import would fail.
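Removing the signature block by hand is error-prone: the file contains several ds:KeyInfo elements, and only the enveloped ds:Signature directly under EntityDescriptor is the metadata signature. The KeyDescriptor blocks hold the Office 365 certificates and must stay. The following script is an added example, not part of the original article or the Digital Access product; it works on a constructed sample shaped like federationmetadata.xml and reports what remains before you upload the file.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep conventional prefixes on output
ET.register_namespace("ds", DS_NS)

# Constructed sample: an enveloped metadata signature on EntityDescriptor plus
# an SP KeyDescriptor that must survive (values are placeholders, not real data).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  ID="_constructed" entityID="urn:federation:MicrosoftOnline">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></SignedInfo>
    <SignatureValue>CONSTRUCTED-SIGNATURE-VALUE</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>CONSTRUCTED-METADATA-SIGNER</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>CONSTRUCTED-SP-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/login.srf" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def strip_enveloped_signature(xml_text: str) -> tuple:
    """Remove only the ds:Signature that is a direct child of EntityDescriptor.
    Returns (cleaned_xml, number_of_signatures_removed)."""
    root = ET.fromstring(xml_text)
    signatures = root.findall(f"{{{DS_NS}}}Signature")  # direct children only
    for sig in signatures:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode"), len(signatures)


def describe(xml_text: str) -> dict:
    """Pre-upload check: entity ID, signatures left anywhere, SP certificates kept."""
    root = ET.fromstring(xml_text)
    cert_tag = f"{{{DS_NS}}}X509Certificate"
    sp_certs = sum(len(list(kd.iter(cert_tag)))
                   for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"))
    return {"entity_id": root.get("entityID"),
            "signatures": len(root.findall(f".//{{{DS_NS}}}Signature")),
            "sp_certificates": sp_certs}


if __name__ == "__main__":
    cleaned, removed = strip_enveloped_signature(SAMPLE_METADATA)
    print(f"removed {removed} signature(s); remaining: {describe(cleaned)}")
```

Because the signature is discarded, the only integrity guarantee left is the TLS connection to the Microsoft host you downloaded from, so run the check on the exact file you fetched and confirm the entity ID and certificate count are what you expect.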
Add and configure SAML federation in Digital Access
In Digital Access Admin, go to Manage Resource Access.
Click SAML Federation > Add SAML Federation...
Enter a Display Name, for example Office 365.
Check Acting as Identity Provider.
Uncheck Import metadata automatically.
Enter values in the form. Click the ? sign next to a field for help.
Select the Export tab.
Enter a unique Entity ID, for example https://<myFederationDomainName>/cloudidp.
Select the Signing Certificate to be used to sign SAML requests.
Select the Role Identity Provider tab.
Click Add Service Provider...
Go to Upload SAML 2.0 metadata and choose the SAML metadata file federationmetadata.xml.
Click Next and Finish.
Click the newly added service provider to edit it.
Click the Assertion Settings tab.
Under the Subject heading, set Select source of subject to User storage attributes and enter objectGUID (typical value) in the User storage attributes field.
Click Add Attribute Statement...
In SAML 2.0 Attribute, enter IDPEmail.
In User Attribute, enter the Active Directory user attribute that holds the Office 365 logon name (typical value is userPrincipalName).
For more information about the required attributes, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp#required-attributes
Go to the Access Rules tab and click Add to select an access rule. For more information, see the Prerequisites.
Click Save in each of the three dialogs.
Configure Digital Access as a trusted identity provider in Office 365
To configure Digital Access as a trusted identity provider, use PowerShell commands against Office 365.
Use the PowerShell module MSOnline to create a configuration file. To import MSOnline in the Windows PowerShell ISE console, run the command:
Import-Module MSOnline
Copy the text from this example to your configuration file, and change the italic bold text in the example file to fit your configuration.
Powershell example
$cred = Get-Credential
# When asked for credentials enter your O365 admin account
connect-MsolService -credential $cred
$domainName = "<myFederationDomainName>"
## Name of the domain in O365
$brandName = "Nexus IDP"
## Brandname of the federation, no function but needs to be set
$browserSSOLoginURL = "https://<myFederationDomainName>/wa/auth/saml/"
## Logon url that should be used by browser clients
$issuerURI = "https://<myFederationDomainName>/cloudidp"
## Your Entity ID, same as specified in Digital Access
$logoutURL = "https://<myFederationDomainName>/office365logout.html"
## Your logout page
$SigningCertificate = "xxx"
## The signing certificate used by your Digital Access Identity Provider (SAML 2.0 IDP), as the base64 body of the PEM file (the text between the BEGIN and END lines, without line breaks)
$ssoProtocol = "SAMLP" ## Use SAML 2.0 as SSO protocol
Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $brandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $SigningCertificate -IssuerUri $issuerURI -LogOffUri $logoutURL -PreferredAuthenticationProtocol $ssoProtocol
Get-MsolDomainFederationSettings -DomainName $domainName
# Federated domainname in O365
Add login and logout pages
These steps are done so that end users do not need to enter their userPrincipalName on the Office 365 logon pages after clicking the portal item in the Digital Access portal.
In Digital Access Admin, go to Browse.
Go to access-point/custom-files/wwwroot.
Create a file named office365.html and add the text below. Change the italic bold text to fit your configuration.
<html>
<head>
<script type="text/JavaScript">
location.href = "https://login.microsoftonline.com/login.srf?whr=<myFederationDomainName>";
</script>
</head>
<body>
</body>
</html>
Optional: Add a logout page that is shown when a user tries to log out in Office 365.
Go to access-point/custom-files/wwwroot.
Create a file named office365logout.html and add the text below.
<html>
<head>
<script>
var xmlhttp;
if (window.XMLHttpRequest) {
// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp = new XMLHttpRequest();
} else {
// code for IE6, IE5
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.open("GET","/wa/logout",true);
xmlhttp.send();
setTimeout(function () { location.href = "https://login.microsoftonline.com"; }, 2000);
</script>
</head>
<body>
</body>
</html>
Create portal item for users
Create a portal item that users click to be logged on to Office 365 automatically. The portal item must be protected with the same access rule as selected for the service provider. For more information, see the Prerequisites.
In Digital Access Admin, go to Manage Resource Access.
Click Web Resources.
Select Access Point and click Add Resource Path...
Check Enable resource and enter the path.
Check Make resource available in the portal.
Select an icon and enter a link text, for example Office 365.
Click Save and Publish.
Video example
To see what it looks like to log in to Office 365 with Personal Mobile, when configured via the Digital Access component, see here.