Forum Discussion
SSO for ADFS and EX2013 OWA
jnowlin,
Thrilled to see your post. It is certainly possible to provide the smooth experience that you're desiring by having users come in via a single entry point (https://exh2013.yourcompany.com) and be seamlessly redirected/signed in to their O365 mailbox.
I do have a demo environment set up where it works just like this. The flow is as follows:
I am not using ADFS for federation, I am using BIG-IP, but it's irrelevant for this purpose. I modified the Exchange APM policy to detect OWA requests (essentially branching out on the fallback of the agent "Client for MS Exchange"). If it's OWA, I've set up federation between the OWA APM-fronted virtual as SAML SP and my APM Federation virtual with a different policy as IDP (in your case, you can continue to use ADFS). The point is that when a user comes in to the Exchange virtual, and APM determines that it's a browser, it will send the user to their IDP for authentication. After the user authenticates, the IDP will send an assertion to APM, which will be consumed via SAML 2.0. In my use case, I have my APM that acts as IDP pass username and password (in encrypted format, of course) via the SAML assertion.
The Exchange virtual then does an AD Query after validating the SAML assertion and checks to see whether the user's mailbox is on-prem or in Office 365. If in Office 365, then it issues a redirect for the user to your customized Office 365 URL (like https://outlook.com/owa/yourcompany.com). That forces O365 to ask your IDP for an assertion - and as the user has already authenticated to the IDP just after hitting the Exchange virtual server, the assertion is seamlessly issued and the user is logged in to Office 365 and sees their mailbox.
The challenge you might run into with ADFS is that I am not sure you can make ADFS pass the user's password via the assertion, as authentication to ADFS is typically done via NTLM. In this case, you can attempt to set up Kerberos Constrained Delegation for OWA, so that once APM receives the user-identity information via SAML, it can perform a Kerberos-based delegated login to OWA without needing the user's password.
I unfortunately do not have this documented in a pretty format yet, but if you need help, contact me via Messages with your email address and I will throw something together with my screenshots and possibly further logic explanation.
In summary - fear not, it can be done - and I would love to help you get there. :)
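The "AD Query, then on-prem or Office 365, then redirect" step described in the reply above, written out as an added Python example (not part of the forum post or of any F5 APM policy). The post does not name the directory attributes it checks; this example assumes the hybrid-Exchange attributes msExchRecipientTypeDetails (bit 2147483648 marks a RemoteUserMailbox) and targetAddress (an SMTP routing address under *.mail.onmicrosoft.com), and the hostnames, tenant and user records are constructed placeholders.

```python
"""Mailbox-location router: decide which OWA front end a browser is sent to
after its SAML assertion has been validated.  Added example, not the post's
own configuration; attribute choice and all hostnames are assumptions."""
from typing import Optional

REMOTE_USER_MAILBOX = 2147483648                  # msExchRecipientTypeDetails flag (assumed)
ONPREM_OWA = "https://exh2013.yourcompany.com/owa/"   # placeholder on-prem OWA
O365_OWA = "https://outlook.com/owa/yourcompany.com"  # placeholder tenant-specific O365 URL

# Constructed stand-in for the AD Query result, keyed by UPN (the SAML NameID).
DIRECTORY = {
    "alice@yourcompany.com": {
        "msExchRecipientTypeDetails": 1,                   # UserMailbox, still on-prem
        "targetAddress": None,
    },
    "bob@yourcompany.com": {
        "msExchRecipientTypeDetails": REMOTE_USER_MAILBOX,  # mailbox migrated to O365
        "targetAddress": "SMTP:bob@yourcompany.mail.onmicrosoft.com",
    },
}


def mailbox_location(attrs: dict) -> str:
    """Return 'cloud' or 'onprem' from the two hybrid attributes.

    Either signal is enough to route to O365: the RemoteUserMailbox flag, or a
    routing address pointing at the tenant's onmicrosoft.com mail domain.
    """
    rtd = int(attrs.get("msExchRecipientTypeDetails") or 0)
    if rtd & REMOTE_USER_MAILBOX:
        return "cloud"
    target = (attrs.get("targetAddress") or "").lower()
    if target.startswith("smtp:") and target.endswith(".mail.onmicrosoft.com"):
        return "cloud"
    return "onprem"


def owa_redirect(name_id: str, directory: dict = DIRECTORY) -> Optional[str]:
    """Map an already-validated SAML NameID to the OWA URL the browser is redirected to.

    Only the subject of a *validated* assertion reaches this point.  A user the
    directory does not know yields None (deny / fall through to the policy's
    failure branch) rather than a guessed default mailbox location.
    """
    attrs = directory.get(name_id.lower())
    if attrs is None:
        return None
    return O365_OWA if mailbox_location(attrs) == "cloud" else ONPREM_OWA
```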