Forum Discussion

Gavin_Connell-O
Apr 09, 2014

SSO for Office 365 Webmail

Hi All,

I've recently built a hybridized Exchange environment and I'm carrying out a pilot of the service before committing to it fully. I'm using the Office 365 SAML iApp for authentication, and it works a charm.

One thing I'm missing from the architecture, though, is an integrated SSO option for users on my domain. I would like users to connect to a resource (say a virtual server), get evaluated for a Kerberos token, and if it exists, pass this through to my SAML token-generating config on the APM and automatically sign them in without them needing to enter credentials.

I figure the same access policy could steer non-Kerberos-enabled clients to the SAML APM login page for standard processing. Does anyone have any experience of setting this up? Is there a guide anywhere? This has to be a common use case now, I would have thought... I have some experience of using 401 challenge/response and Kerberos AAA config in APM, but I'm not an expert.

I believe that ADFS offers this functionality for Office 365 deployments, so if we're committing to the APM product for Office 365 federation, it would be great if it could match the full ADFS feature set.

All comments and help greatly appreciated :)

Gavin

 

5 Replies

  • We've not used Office 365 webmail, but are using the other apps.

    We've used this as a base and modified it slightly from there.

    https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication.U0XqLvm1bYh

    Regards

  • Hi all,

    In the end I decided to go with client-side Kerberos, in front of the SAML access policy provided by the Office 365 iApp. Works a treat (except with Firefox, which insists on choosing the first option configured on the 401 challenge object, which is Basic...)

    If anyone has any questions on this, I'm happy to help.

    Cheers,

    Gavin Connell-Otten
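    Gavin's design above (client-side Kerberos in front of the SAML policy, with a 401 challenge object offering Negotiate and Basic) can be illustrated with a small Python model of the access-policy branching. This is an added example, not Gavin's configuration and not F5 iApp or iRule code; it assumes a hypothetical SAML logon URL and a constructed Basic realm. It inspects the Authorization header to tell a SPNEGO (Kerberos) token from an NTLM or Basic one, challenges unauthenticated clients with Negotiate listed before Basic (the ordering that matters for the Firefox behaviour Gavin describes), and falls back to the SAML logon page for clients that cannot produce a Kerberos ticket.

```python
import base64

# Hypothetical SAML logon URL for the fallback branch (assumption, not from the thread).
SAML_LOGIN_URL = "https://webmail.example.test/saml/login"
BASIC_REALM = "webmail.example.test"  # constructed realm name

# DER encoding of the SPNEGO OID 1.3.6.1.5.5.2 (RFC 4178). A SPNEGO initial token
# starts with the GSS-API framing byte 0x60 and carries this OID in its first bytes.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
# Every NTLM message starts with this signature; a client may send NTLM under "Negotiate" too.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(header_value):
    """Classify an Authorization header as 'spnego', 'ntlm', 'basic', 'unknown' or None (absent)."""
    if not header_value:
        return None
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "spnego"
    return "unknown"


def route_request(headers, already_challenged=False):
    """Model the policy branching: Kerberos pass-through, 401 challenge, or SAML fallback."""
    kind = classify_authorization(headers.get("Authorization"))
    if kind == "spnego":
        # The client presented a Kerberos (SPNEGO) ticket: hand it to the Kerberos AAA
        # branch, which then feeds the SAML token-generating config with no logon page.
        return {"branch": "kerberos", "status": 200}
    if kind is None and not already_challenged:
        # First contact without credentials: issue the 401 challenge. Negotiate is
        # listed first so a client that takes the first offered scheme does not
        # drop straight to Basic.
        return {
            "branch": "challenge",
            "status": 401,
            "www_authenticate": ["Negotiate", 'Basic realm="%s"' % BASIC_REALM],
        }
    # No usable Kerberos ticket (NTLM, Basic, an unparseable blob, or a second
    # unauthenticated request after the challenge): send the client to SAML logon.
    return {"branch": "saml", "status": 302, "location": SAML_LOGIN_URL}


# Constructed sample headers (not captured traffic): a truncated SPNEGO initial token,
# a truncated NTLM negotiate message, and a Basic credential.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x0a" + SPNEGO_OID_DER + b"\xa0\x00").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()
SAMPLE_BASIC = "Basic " + base64.b64encode(b"user:pass").decode()


if __name__ == "__main__":
    cases = [
        ("no auth", {}),
        ("spnego", {"Authorization": SAMPLE_SPNEGO}),
        ("ntlm", {"Authorization": SAMPLE_NTLM}),
        ("basic", {"Authorization": SAMPLE_BASIC}),
    ]
    for name, hdrs in cases:
        print(name, "->", route_request(hdrs))
    print("retry after challenge ->", route_request({}, already_challenged=True))
```

    The model routes only a genuine SPNEGO token to the Kerberos branch; NTLM and Basic credentials are treated the same as no credentials and land on the SAML logon page, which is a simplification of a real policy that might validate Basic credentials against AAA instead.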

    • Peter_124960
      Hi Gavin, wow, this looks very good and I think we will have to do similar. Did you use the Office 365 iApp in the end? Furthermore, we'd like to use the same logon session to authenticate other websites in the backend (Kerberos for IIS, or SAML for ADFS-enabled sites, and even Shibboleth-enabled external sources from the library). Later we'd like the option to add a strong factor where needed. Should I start thinking about one big access policy, or should it be split up? Thanks in advance and regards, Peter
    • Oz_201205
      Hi Gavin, thanks a lot for sharing your experience... I was wondering if you could share the FixUPN iRule in your VPE... our UPN is not the same as the one in Azure AD and I need to modify this variable... thanks a lot in advance.