
Forum Discussion

jnowlin_44976
Jan 17, 2014

SSO for ADFS and EX2013 OWA

I have an Exchange 2013 / Office 365 hybrid deployment. As users are migrated, I have a mix of on-premise users (EX2013) and Office 365 users. As y'all know, MS does not make the sign-on experience for this environment very user friendly. On-premise accounts have to know to sign into EX2013 OWA, and O365 users have to know to sign into the MS sign-in page as well as the second ADFS prompt.


I have set up the EX2013 iApp for EX2013 OWA and the SSO works. Now, is there a way to use F5 to pre-authenticate users and direct them (with SSO) to either O365 or EX2013? I have seen the example Mr. Greg Coward created for SSO to ADFS, but the post is missing a lot of the details in the APM rules.


Thanks


1 Reply

  • jnowlin,


    Thrilled to see your post. It is certainly possible to provide the smooth experience that you're desiring by having users come in via a single entry point (https://exh2013.yourcompany.com) and be seamlessly redirected/signed in to their O365 mailbox.


    I do have a demo environment set up where it works just like this. The flow is as follows:


    I am not using ADFS for federation, I am using BIG-IP, but it's irrelevant for this purpose. I modified the Exchange APM policy to detect OWA requests (essentially branching out on the fallback of the agent "Client for MS Exchange"). If it's OWA, I've set up federation between the OWA APM-fronted virtual as SAML SP and my APM Federation virtual with a different policy as IdP (in your case, you can continue to use ADFS).

    The point is that when a user comes in to the Exchange virtual, and APM determines that it's a browser, it will send the user to their IdP for authentication. After the user authenticates, the IdP will send an assertion to APM, which will be consumed via SAML 2.0. In my use case, I have my APM that acts as IdP pass the username and password (in encrypted format, of course) via the SAML assertion.

    The Exchange virtual then does an AD Query after validating the SAML assertion and checks to see whether the user's mailbox is on-prem or in Office 365. If in Office 365, then it issues a redirect for the user to your customized Office 365 URL (like https://outlook.com/owa/yourcompany.com). That forces O365 to ask your IdP for an assertion, and as the user has already authenticated to the IdP just after hitting the Exchange virtual server, the assertion is seamlessly issued and the user is logged in to Office 365 and sees their mailbox.


    The challenge you might run into with ADFS is that I am not sure you can make ADFS pass the user's password via the assertion, as authentication to ADFS is typically done via NTLM. In this case, you can attempt to set up Kerberos constrained delegation for OWA, so that once APM receives the user's identity information via SAML, it can perform a Kerberos-based delegated login to OWA without needing the user's password.


    I unfortunately do not have this documented in a pretty format yet, but if you need help, contact me via Messages with your email address and I will throw something together with my screenshots and possibly further logic explanation.


    In summary - fear not, it can be done - and would love to help you get there. :)
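The decision flow the reply describes, written out as an added example that is not part of the original thread and is not APM policy or iRule configuration: plain Python that models the branches (browser vs. Exchange client request, AD lookup of where the mailbox lives, redirect to O365 vs. SSO into on-prem OWA with KCD or a delivered password). The URLs, the path-based client detection, the AD attribute values used to classify a mailbox, and the directory entries are all assumptions constructed for the example, not the poster's environment; real APM validates the SAML assertion and runs the AD Query before any of this logic applies.

```python
"""Route a pre-authenticated OWA user to on-prem Exchange 2013 or Office 365.

Added example for this thread; it is NOT F5 APM policy or iRule code and not
the reply author's configuration. It models the decision logic the reply
describes so the branches can be read and tested:

  1. browser (OWA) request vs. non-browser Exchange client
  2. AD lookup of the SAML subject to find where the mailbox lives
  3. O365 mailbox   -> redirect to the tenant OWA URL
     on-prem mailbox -> SSO into on-prem OWA (form-based when the IdP
                        delivered a password, Kerberos constrained
                        delegation when it did not)

Assumptions not stated in the thread (placeholders, not a real environment):
  - O365_OWA_URL / ONPREM_OWA_URL are made-up URLs in the shape the reply gives.
  - Client detection uses URL path prefixes; APM's "Client for MS Exchange"
    agent classifies clients differently.
  - msExchRecipientTypeDetails bit 2147483648 (RemoteUserMailbox) or a
    targetAddress under .mail.onmicrosoft.com marks an O365 mailbox; a
    populated homeMDB marks an on-prem mailbox.
  - DIRECTORY is a constructed stand-in for the result of APM's AD Query.
"""

O365_OWA_URL = "https://outlook.com/owa/yourcompany.com"    # placeholder
ONPREM_OWA_URL = "https://exh2013.yourcompany.com/owa/"      # placeholder

REMOTE_USER_MAILBOX = 2147483648  # msExchRecipientTypeDetails: RemoteUserMailbox

# Constructed AD entries keyed by sAMAccountName (stand-in for AD Query output).
DIRECTORY = {
    "alice": {  # migrated to Office 365
        "msExchRecipientTypeDetails": "2147483648",
        "targetAddress": "SMTP:alice@yourcompany.mail.onmicrosoft.com",
    },
    "bob": {    # still on Exchange 2013
        "msExchRecipientTypeDetails": "1",
        "homeMDB": "CN=DB01,CN=Databases,CN=Exchange Administrative Group,DC=yourcompany,DC=com",
    },
    "carol": {  # mail contact: no mailbox on-prem or in O365
        "msExchRecipientTypeDetails": "64",
    },
}

# Path prefixes used by non-browser Exchange clients; anything else is treated
# as a browser hitting OWA/ECP (simplification of the APM client branch).
EXCHANGE_CLIENT_PREFIXES = (
    "/microsoft-server-activesync", "/rpc/", "/ews/", "/mapi/",
    "/autodiscover/", "/oab/",
)


def is_browser_request(path):
    """True for OWA-style browser requests, False for Exchange client protocols."""
    return not path.lower().startswith(EXCHANGE_CLIENT_PREFIXES)


def mailbox_location(entry):
    """Classify an AD entry as 'o365', 'onprem' or 'unknown'."""
    details = int(entry.get("msExchRecipientTypeDetails", "0"))
    target = entry.get("targetAddress", "").lower()
    if details & REMOTE_USER_MAILBOX or target.endswith(".mail.onmicrosoft.com"):
        return "o365"
    if entry.get("homeMDB"):
        return "onprem"
    return "unknown"


def route(path, subject, assertion_attrs, directory=DIRECTORY):
    """Decide what the Exchange virtual does once the assertion is validated.

    `subject` is the NameID from an already-validated SAML assertion (signature,
    audience and time-window checks happen before this step and are not
    modelled here). `assertion_attrs` holds any extra attributes the IdP sent,
    for example an encrypted password attribute.
    """
    if not is_browser_request(path):
        # Outlook Anywhere / ActiveSync / EWS: leave it to the Exchange iApp branch.
        return {"action": "exchange_client_policy"}

    entry = directory.get(subject.lower())
    if entry is None:
        return {"action": "deny", "reason": "subject not found in AD"}

    location = mailbox_location(entry)
    if location == "o365":
        # The user already holds an IdP session, so O365 gets its assertion
        # without another prompt after this redirect.
        return {"action": "redirect", "location": O365_OWA_URL}
    if location == "onprem":
        method = "form" if "password" in assertion_attrs else "kcd"
        return {"action": "sso", "target": ONPREM_OWA_URL, "method": method}
    # Fail closed instead of guessing a destination for an unclassified object.
    return {"action": "deny", "reason": "mailbox location unknown"}
```

The "unknown" branch denies rather than defaulting to on-prem OWA; that is a design choice of this example, not something the reply specifies, chosen so that an object with no mailbox anywhere never gets silently bounced to a login page.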