Forum Discussion
Office 365 SAML idp and Outlook 2016 solution?
- Oct 03, 2017
This was due to a federation issue. You need to wait 24-48 hours after de-federating from ADFS before you federate to F5 idp.
- Oct 03, 2017
Hi Kevin, good to hear you found a solution. Could you help me and try something out for me? I have also deployed the F5 APM to fully replace ADFS and everything seems to be working fine. There is only one issue with shared licenses in a non-persistent VDI environment and I'm not sure if the problem is within my F5 APM configuration or within Office 365/Azure. I'm trying to validate my setup using the Microsoft connectivity test, but I'm not sure if this test is reliable. Could you run a test on your setup and share your results?
What I do is:
- Go to https://testconnectivity.microsoft.com
- Go to tab 'Office 365'.
- From 'Office 365 General Tests' run the 'Office 365 Single Sign-on Test'.
In my setup it fails with the following messages:
An error was found in the domain registration. Additional Details The Metadata Exchange URL in the domain registration isn't valid. URL: Elapsed Time: 1 ms.
We have set the metadataexchangeuri, so I wonder if I can ignore this error. I would like to know if your setup shows similar error messages.
- Kevin_Davies_40, Oct 03, 2017 (Nacreous)
I am unable to do this as we had to revert to ADFS. Another script we use to map drives to SharePoint is heavily dependent on ADFS. It actually scrapes information from ADFS webpages! So I am adapting that at the moment, only 3000 lines of PowerShell 8-|
But I recall the metadata exchange URL didn't change for us as well. The federation command does not seem to affect this URL at all. I believe you have to manually set this yourself using ...
Set-MsolDomainFederationsettings -DomainName -MetadataExchangeUri
- Kevin_Davies_40, Oct 03, 2017 (Nacreous)
Please note I have updated the comment above: the MetadataExchangeUri has nothing to do with SAML exported metadata. It is not needed in a SAML environment so you can delete it. Try setting it to "" to clear it.
- Oct 03, 2017
Too bad you had to revert to ADFS, but thanks for your help. I too think the MetadataExchangeUri is not applicable to the SAML setup. In the connectivity check Azure is not sending the MetadataExchangeUri at all (while it is set). In the traces you can see . So I suspect we better ignore the Microsoft connectivity check.
Good luck with the 3000 lines of PowerShell :-)