Forum Discussion
ADFS and SSO for Exchange Online
- Mar 15, 2019
Our organization was able to solve this problem and I documented the solution over on https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-sso-url-side-door-into-portalofficecom?forum=ADFS
Stephen Bell
Still struggling with this one. Anyone have any input?
Thanks
You also said you removed the ADFS URL from local intranet zone, which means it should not do WIA either.
Your standard user devices should hit a WIA endpoint on ADFS, and the URL of ADFS should be in the Local Intranet Zone. Your external devices should hit WAP, get proxied to ADFS and get Forms Auth. Your shared devices should not get the URL in Local Intranet, but should still hit the ADFS internal IP (not via WAP); as they are not a trusted endpoint they should not seamlessly sign on.
- Stephen Bell, Feb 05, 2018, Iron Contributor
So if I am understanding this correctly - to make this work:
Standard Devices - Have OWA URL in Local Intranet Zone, and hit the internal ADFS endpoint. This should result in SSO
My shared devices - Have OWA URL removed from Local Intranet Zone, and hit the internal ADFS endpoint. This should result in forms based auth
External devices - No OWA URL in Local Intranet Zone, hit WAP endpoint. Should receive forms based auth.
You mention that my WAP should not proxy WIA. Would it be possible to proxy WIA? If it were, where would I look to see if this is configured?
Thanks
Steve
- Brian Reid, Feb 14, 2018, MVP
In the ADFS management console there is a setting to show what is published to the proxy. You cannot publish Windows Integrated to the internet though, and the ADFS Global Authentication Policy allows Forms or Certificates externally and Forms, WIA or Certs internally.
Regarding the above question, yes is the answer - but for "shared devices" you will only get Forms on the Intranet if you enable it as mentioned above.
Also, for your shared devices - why not use the URL without the domain hint at the end (outlook.office.com only) and then Azure AD will ask them for their username.
Brian
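The settings Brian refers to (intranet vs. extranet primary authentication methods, which user agents are offered WIA, which endpoints are published to the proxy, and whether the client has the federation service in its Local Intranet zone) can all be read from PowerShell. The script below is an added example for this thread, not code posted by any participant; `sts.contoso.com` is a placeholder for your own federation service name, and the registry paths assume the standard Internet Explorer zone map (user-set) or the Group Policy "Site to Zone Assignment" location.

```powershell
# Added example (not from the thread): inspect the ADFS settings that decide whether a
# browser gets WIA (seamless sign-on) or Forms authentication, and check a client's
# Local Intranet zone mapping. Steps 1-3 run on the ADFS server (Windows Server 2012 R2
# or later, AD FS PowerShell module); step 4 runs on the client being tested.

# Assumption: replace with your federation service FQDN.
$fsName = 'sts.contoso.com'

# 1. Primary authentication methods allowed per network location.
#    WIA can only appear in the Intranet list; extranet (via WAP) is limited to
#    Forms and Certificate authentication, so WIA is never proxied to the internet.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider

# 2. Browser user agents ADFS will offer WIA to. A browser whose User-Agent does not
#    match one of these patterns falls back to Forms even when on the intranet.
(Get-AdfsProperties).WIASupportedUserAgents

# 3. Endpoints published to the Web Application Proxy (the "Proxy" column under
#    Service > Endpoints in the AD FS console).
Get-AdfsEndpoint | Where-Object Proxy | Select-Object AddressPath, Protocol, Proxy

# 4. On the client: is the federation service host in the Local Intranet zone?
#    Zone values: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
#    Per-user assignments live under ZoneMap\Domains\<domain>\<host>, with one value
#    per scheme (e.g. "https" = 1).
$hostPart, $domainPart = $fsName -split '\.', 2
$userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainPart\$hostPart"
if (Test-Path $userKey) {
    Write-Output "User zone map entry for $fsName :"
    Get-ItemProperty -Path $userKey | Select-Object -Property https, http, '*'
} else {
    Write-Output "No per-user zone map entry for $fsName"
}

# Site-to-Zone assignments pushed by Group Policy are stored here instead, as
# value name = URL pattern (e.g. https://sts.contoso.com), value data = zone number.
$gpoKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if (Test-Path $gpoKey) {
    Write-Output "Group Policy zone assignments matching $fsName :"
    Get-ItemProperty -Path $gpoKey | Select-Object -Property "*$fsName*"
} else {
    Write-Output "No Group Policy Site-to-Zone assignments present"
}
```

If step 4 shows the host in zone 1 on a "shared" device, that device will still attempt WIA against the internal ADFS endpoint regardless of which Office 365 URL the user browses to; removing the ADFS hostname (not only the OWA URL) from the Local Intranet zone is what makes such a device fall back to Forms. Note that WIA is offered per user agent (step 2), so a browser matching one of those patterns is the only case where the zone setting matters at all.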
- Stephen Bell, Feb 14, 2018, Iron Contributor
Ok - so I just re-added the DNS entry on my internal network to point the clients to the internal ADFS endpoint.
I verified that my shared device is resolving to the internal ADFS endpoint, browse to the generic URL https://outlook.office.com and it is still attempting SSO.
Admittedly, ADFS for us has kind of been a set it and forget it implementation. Where is the setting that shows what is published to the proxy? I am in the management console, on my server 2012 R2 but I am not quite sure what I am looking for. I am wondering if, when initially setting this up a few years back if we have something misconfigured.
Thanks for the reply!
- Anonymous, Feb 12, 2018
Quick question, are these windows 10 devices? If yes, please have a look at:
https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/