Forum Discussion

MiLK_MaN's avatar
MiLK_MaN
Icon for Nimbostratus rankNimbostratus
Nov 12, 2014

Office365 Exchange protocols with APM and SAML

Hi all,

 

We'd like to know which of the Office365 Exchange protocols are supported with SAML.

 

We've got extensive experience with deploying on premises Exchange with APM, and know that SAML will work for the browser based functionality like OWA and ECP, but what about the other protocols like Activesync, EWS, OAB and Office Anywhere?

 

Regards, MiLK_MaN

 

    • MiLK_MaN's avatar
      MiLK_MaN
      Icon for Nimbostratus rankNimbostratus
      Hi Michael, Thanks for the info. Yep, we've read that document. What we are trying to understand at this point, when discussing with the customer about how this solution will work, is what is happening under the covers to make this work. If you take Activesync as an example, we all know it only supports Client certificate and Basic authentication. So how can SAML work in this case? I can only assume that what is happening under the covers is that Office365 is acting as a "SAML broker" by contacting the SAML iDP on behalf of the client who can't fulfil a 302 redirect request. Can you confirm that this is the case? And if so, are you aware of any Microsoft documentation that describes this process. Regards, MiLK_MaN --- who used to idolise you as a F5 PS resource :)
    • MiLK_MaN's avatar
      MiLK_MaN
      Icon for Nimbostratus rankNimbostratus
      Hi Michael, Thanks for the info. Yep, we've read that document. What we are trying to understand at this point, when discussing with the customer about how this solution will work, is what is happening under the covers to make this work. If you take Activesync as an example, we all know it only supports Client certificate and Basic authentication. So how can SAML work in this case? I can only assume that what is happening under the covers is that Office365 is acting as a "SAML broker" by contacting the SAML iDP on behalf of the client who can't fulfil a 302 redirect request. Can you confirm that this is the case? And if so, are you aware of any Microsoft documentation that describes this process. Regards, MiLK_MaN --- who used to idolise you as a F5 PS resource :)
  • Ah..... now that rings a bell.

     

    The flow is fairly simple - OutlookAnywhere are using Basic Auth to connect to Office 365. When those credentials are presented to O365, it suspends the connections and makes SAML ECP-based AuthN request(SOAP-wrapped AuthN request) to the IDP. The IDP authenticates the user(the user's Basic credentials are passed to the IDP) and return a SAML assertion response - if it is positive, the O365 allows the connection to go through to the backend and allow access to that user's account.

     

    I've seen an old doc from Microsoft that described that flow, but I can't find it now..... Let me know if you really need it and I can dig it up.

     

    • MiLK_MaN's avatar
      MiLK_MaN
      Icon for Nimbostratus rankNimbostratus
      Thanks mate, always super helpful. This will be enough for us to talk it through with the customer and get it going easily.
  • Ah..... now that rings a bell.

     

    The flow is fairly simple - OutlookAnywhere are using Basic Auth to connect to Office 365. When those credentials are presented to O365, it suspends the connections and makes SAML ECP-based AuthN request(SOAP-wrapped AuthN request) to the IDP. The IDP authenticates the user(the user's Basic credentials are passed to the IDP) and return a SAML assertion response - if it is positive, the O365 allows the connection to go through to the backend and allow access to that user's account.

     

    I've seen an old doc from Microsoft that described that flow, but I can't find it now..... Let me know if you really need it and I can dig it up.

     

    • MiLK_MaN's avatar
      MiLK_MaN
      Icon for Nimbostratus rankNimbostratus
      Thanks mate, always super helpful. This will be enough for us to talk it through with the customer and get it going easily.