Forum Discussion

Jorge_Manya
Dec 23, 2019

Do I have F5 APM SAML with Office 365 actually running?

Hello guys:

Please, could you help me with the following matter that I need to clarify to my boss?

I deployed F5 APM SAML with Office 365 cloud and it works well, apparently. The F5 APM is working as an Identity Provider (IdP) and I did NOT configure anything in the Service Provider (SP) tab in the path: Access ›› Federation : SAML Service Provider : Local SP Services. In fact, the Office 365 cloud might be the SP. As you may know, I am offering the SAML resource in the Advanced Resource Assignment agent besides other resources like Network Access and Portal Access. However, every time the user clicks on the SAML resource, he or she is redirected to www.office.com and gets access to the whole suite of Office 365. It seems like SAML and its SSO are working fine, BUT my boss is reluctant to believe that this deployment is indeed a trustworthy security mechanism. My boss argues that if the user is redirected to www.office.com by clicking on the SAML resource, the APM is just offering a webtop link with SSO and no more. In that case, says my boss, the user might prefer just typing www.office.com in the browser and get access, bypassing the APM. The goal that we need to achieve is making the users access the Office 365 cloud if and only if they are logged in to the APM. The users will not be allowed to enter Office directly (by typing www.office.com); they need to go through the APM. How could we achieve that deployment? Do I need to do something in Office 365 or Azure AD to only allow access after the SAML assertions sent by the APM are successfully received?

Thank you very much for your kind help.

Jorge

  • Hi Jorge,

    If correctly set up, this will happen when a user goes directly to www.office.com.

    1. User browses to www.office.com.
    2. www.office.com asks for the user's e-mail address.
    3. User submits e-mail address.
    4. Based on the domain, www.office.com will redirect the browser to the configured IDP (F5 APM).
    5. User authenticates to the IDP (F5 APM).
    6. After successful authentication, the browser gets redirected to www.office.com and has access to Office resources.

    You can use browser plugins like 'SAML Tracer' to confirm that SAML is working correctly.

    • Jorge_Manya

      Hello Niels:

      Thank you very much for your kind answer.

      I understand the process, but how could I tell www.office.com to redirect the browser to the IdP (APM)? Currently, the users are being redirected to the ADFS server, but I would like them to go to the APM every time they try to access www.office.com directly. In other words, I want to get rid of such ADFS and I need the users to use the APM site. I followed the guide located here https://www.f5.com/pdf/deployment-guides/microsoft-office-365-idp-dg.pdf and issued the commands on page 12. Did I miss something? Do I need to make changes in the Office 365 tenant to tell it that the new IdP is the APM and it needs to redirect the users to such IdP? I see SAML is working fine when the assertions sent by APM are successfully accepted by the SP (Office 365).

      Again, so many thanks.

      • Niels_van_Sluis

        Hi Jorge,

        Yes, the command on page 13:

        Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $FedBrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP

        should point to the F5 APM IDP virtual server. If this is set correctly, the SP (office.com) should redirect the user to the APM IDP when the user needs to authenticate first.
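As an added example (not from this thread or from F5's deployment guide), here is a PowerShell check that the tenant's federation settings actually point at the APM IdP and not at the old ADFS server; the domain name, APM hostname and certificate path are placeholders, and it assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example, not part of the forum thread: verify that an Office 365 domain
# is federated to the F5 APM IdP (the host the Set-MsolDomainAuthentication
# URIs should point to) and that the tenant holds the APM signing certificate.
# Placeholders: replace the three values below with your own.
$DomainName       = 'example.com'                         # placeholder tenant domain
$ApmIdpHost       = 'apm-idp.example.com'                 # placeholder APM IdP virtual server FQDN
$ExpectedCertFile = 'C:\certs\apm-saml-signing.cer'       # placeholder: APM's SAML signing cert (DER/PEM)

function Test-ApmFederation {
    param([string]$Domain, [string]$IdpHost, [string]$CertFile)

    $problems = @()

    # 1. The domain must be Federated; a Managed domain never redirects to any IdP.
    $domainInfo = Get-MsolDomain -DomainName $Domain
    if ($domainInfo.Authentication -ne 'Federated') {
        $problems += "Domain $Domain is '$($domainInfo.Authentication)', not Federated"
    }

    # 2. Every URI Office 365 redirects the browser (or ECP client) to must live on the APM host.
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    foreach ($name in 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri') {
        $value = $fed.$name
        if (-not $value -or ([uri]$value).Host -ne $IdpHost) {
            $problems += "$name is '$value'; expected a URI on $IdpHost"
        }
    }
    if ($fed.PreferredAuthenticationProtocol -ne 'Samlp') {
        $problems += "PreferredAuthenticationProtocol is '$($fed.PreferredAuthenticationProtocol)', expected Samlp"
    }

    # 3. The signing certificate registered in the tenant must be the one APM signs assertions with;
    #    otherwise assertions are rejected, or a stale ADFS certificate is still trusted.
    $tenantCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    $apmCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
    if ($tenantCert.Thumbprint -ne $apmCert.Thumbprint) {
        $problems += "Tenant signing cert $($tenantCert.Thumbprint) differs from APM cert $($apmCert.Thumbprint)"
    }

    if ($problems.Count -eq 0) { "OK: $Domain sends users to $IdpHost for authentication" } else { $problems }
}

Test-ApmFederation -Domain $DomainName -IdpHost $ApmIdpHost -CertFile $ExpectedCertFile
```

If any line reports a URI on the ADFS host, the tenant is still federated to ADFS and the Set-MsolDomainAuthentication command needs to be re-run with the APM values.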