Forum Discussion

JBlogs_314812's avatar
Icon for Nimbostratus rankNimbostratus
Mar 29, 2017

Securing Office 365 with APM as IdP

I'm evaluating using APM as a SAML identity provider for Office 365, but I'm struggling to find ways to effectively secure access as per my specification.


Windows/ Mac OS, only permit corporate devices.


Mobile, only permit via MDM solution (TBC).


I have implemented device based certificate checks with OCSP, which although a little clunky (cert checker service deployed via GPO) works well on Windows. On Mac OS I have the same check working for administrators in Safari; although the Office 2016 clients, I'm guessing implement a cut down browser for modern authentication redirection which seemingly doesn't support plug-ins.


User certificates don't seem appropriate here as it's the device I'm looking to validate, not the user. I considered whether anything could be done coupling user certs with client side SSO, to remove the login page, but I'm guessing failing to authenticate (on a non-corp device) with Kerberos would result in the browser prompting for credentials, allowing manual input of credentials?


Has anybody got any suggestions, or perhaps any examples? My current policy is getting quite complex.