Question on SAML authentication


Hi Community,

One of our customers described the environment below and raised a couple of queries.

Current environment

>> AAD sync that syncs Office 365 ProPlus + AD attributes to Office 365

>> MX is pointing to Mimecast.

>> Mailboxes are currently hosted on Exchange 2013 on-prem

>> Citrix NetScaler in place.

Plan

>> Plans to deploy Exchange Hybrid.

>> Then move the mailboxes to EXO.

>> Then completely decommission Hybrid and keep an on-prem Exchange for administrative tasks.

>> MX is still going to Mimecast.

Questions:

1) How will the SAML authentication be handled from an Outlook client on BYOD devices (phones, tablets) and home PCs? Both internal and external.

2) If they have a shared RDS server with Outlook installed, will they still be able to access and use the service with the same security?

3) If they were to use MFA, they will be required to use an application password. Can we have an application password per online service, or is it one password per user for all online services? Meaning that there are scenarios where SAML may not work on Outlook or RDS servers and it might require an application password. In those scenarios, if we are forced to use an application password, is this the same for one user (for all the applications such as the Outlook client, RDS server, etc.)?

Any pointers would be of great help.

Many thanks in advance.
