Before you start
The Freja eID IdP works both with a personal Freja eID on Basic, Extended or Plus level and with the user's Organisation ID, if set. The preconditions for successful integration are:
- Those users wishing to access Office 365 with Freja eID must use your domain-based email address to access Office 365. In other words, if your domain is hultbybruk.com and assuming a user name Joe Black, the email joe.black@hultbybruk.com should be the email they are using to access Office 365.
- You must configure an Azure AD that the IdP has read access to. In the Azure AD, accounts must be searchable based on email addresses with the tenant's domain name (as per the example above, @hultbybruk.com), and an Azure AD attribute needs to contain the persistent ID configured for each user in Office 365.
- As mentioned earlier, users may use their Organisation ID to access Office 365. In order to do so, you must first set up an Organisation ID for that user. If you attempt to send an authentication transaction to a user who does not have Organisation ID set, you will get an error. For more details please see our Client Library or our REST API documentation, especially the sections concerning Organisation ID.
Integration steps
Once you have signed a contract to use Freja eID Azure IdP, follow these steps to complete the integration:
- Please provide the following to partnersupport@frejaeid.com:
- The name of your company (100 characters maximum)
- The logo of your company - ideally in SVG format, alternatively PNG, no larger than 1.5MB
- A brief description of your company in English and Swedish (500 characters maximum)
- The URL you wish to be displayed to users in Freja eID e.g. your website or login page
- Together with Verisec Freja eID AB support team, deploy the Azure Cloud machine image of the Freja eID Azure IdP within your tenant.
- Once you complete the deployment, send the IP address of the instance to partnersupport@frejaeid.com.
- Provide SSH (port 22) access to the instance, at least from Verisec Freja eID AB networks.
- Configure general TCP access on port 8443 to the IdP instance.
- Send the IP address or DNS name of the Azure AD instance within the tenant, alongside a Read Only account username and password to partnersupport@frejaeid.com.
- We will notify you when we have configured everything on our end. You will also receive the following parameters for PowerShell:
- LogOffUri
- LogOnUri
- IssuerUri
- SigningCert
Commands to execute
Connect-MsolService
Then enter username/password for a user with Administrator rights in the popup.
Note! In the commands below, space surrounding the '=' sign are important. Obviously, hultbybruk-azureidp.test.frejaeid.com should be replaced with something resembling the real customer and in prod.frejaeid.com domain we wiil fine tune this with the first live customer.
$DomainName = "hultbybruk.com"
$FederationBrandName = "Hultbybruk Freja eID Demo SAML 2.0 IDP"
$LogOffUri = "https://hultbybruk-azureidp.test.frejaeid.com:8443/idp/profile/SAML2/Redirect/SLO"
$LogOnUri = "https://hultbybruk-azureidp.test.frejaeid.com:8443/idp/profile/SAML2/POST/SSO"
$IssuerUri = "https://hultbybruk-azureidp.test.frejaeid.com"
$SigningCert = @"certificate"@
<ENTER> (to get back to the command prompt)
Set-MsolDomainAuthentication -Authentication Federated - DomainName $DomainName -FederationBrandName $FederationBrandName -SigningCertificate $SigningCert -LogOffUri $LogOffUri -IssuerURI $IssuerUri -PassiveLogOnUri $LogOnUri -PreferredAuthenticationProtocol SAMLP
Get-MsolDomain -DomainName $DomainName
The output of the command should show Federated as authentication - as opposed to Managed which is the default.
Name: hultbybruk.com
Status: Verified
Authentication: Federated
- LogOffUri
Verifying it works
To try whether federated authentication works:
- Go to https://www.office.com/
- Sign in - use your domain-based email as your username
- Scan the QR code or enter that email address (if on mobile)
- Approve the transaction in Freja eID
- You should be signed in to office 365