Forum Discussion

Stephen Bell's avatar
Stephen Bell
Iron Contributor
Dec 06, 2017
Solved

ADFS and SSO for Exchange Online

I hope this is the right spot for this post...   We have Office 365 E3 in our environment, setup using ADFS.  All of our email is in Exchange Online.   Because of this - when a user opens up ...
Authentication
exchange
office 365
  • geoperkins's avatar
    geoperkins
    Mar 15, 2019

    Our organization was able to solve this problem and I documented the solution over on https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-sso-url-side-door-into-portalofficecom?forum=ADFS ("https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-...) Stephen Bell 

Nestori Syynimaa's avatar
Nestori Syynimaa
MVP
Dec 08, 2017

You can also alter the AD FS Claim Issuance Rules so that those devices  would be treated as externals (i.e. loggin in outside your internal network). That way they would be offered a login form instead of signing in automatically.

Stephen Bell's avatar
Stephen Bell
Iron Contributor
Dec 27, 2017

I am not sure how I would do this -- do you have an example of where you can link me to?

 

Thanks

Steve

  • Stephen Bell's avatar
    Stephen Bell
    Iron Contributor
    Jan 12, 2018

    Still struggling with this one.  Anyone have any input?

     

    Thanks

    • Brian Reid's avatar
      Brian Reid
      MVP
      Jan 20, 2018
      Browsing to the OWA URL with the domain at the end is giving AAD a hint as to what domain to use. This redirects you to ADFS. As you have set ADFS to hit the external IP, I will.assume you are hitting the WAP endpoint. WAP does not (should not) proxy WIA auth, and should present a forms auth page to the user.

      You also said you removed the ADFS URL from local intranet zone, which means it should not do WIA either.

      Your standard user devices should hit a WIA endpoint on ADFS and the URL of ADFS should be in Local Intranet Zone. Your external devices should hit WAP and get proxied to ADFS and get Forms Auth. Your shared devices should not get the URL in Local Intranet, but should still hit ADFS internal IP (not via WAP), but as not a trusted endpoint should not seamless sign-on.
      • Stephen Bell's avatar
        Stephen Bell
        Iron Contributor
        Feb 05, 2018

        So if I am understanding this correctly - to make this work:

         

        Standard Devices - Have OWA URL in Local Intranet Zone, and hit the internal ADFS endpoint.  This should result in SSO

         

        My shared devices - Have OWA URL removed from Local Intranet Zone, and hit the internal ADFS endpoint.  This should result in forms based auth

         

        External devices - No OWA URL in Local Intranet Zone, hit WAP endpoint.  Should receive forms based auth.

         

        You mention that my WAP should not proxy WIA.  Would it be possilbe to proxy WIA?  If it were, where would I look to see if this is configured?

        Thanks

        Steve

Resources