I've implemented F5 APM federated (SAML) Office 365 for our students using the Office 365 iApp in our university, and we're so happy with how it's working that we're keen to investigate the hybridisation of our on-premises Exchange org (used exclusively for staff) with a new Office 365 tenancy, again using F5 for the federation/SAML aspects of the architecture. So far I've been focussing on getting to grips with the ADFS method of implementation (4 ADFS servers? Overkill much?) and I think I can see where F5 is going to be able to take over those roles. All my reading is leaving me a little confused though: can I completely remove the need for ADFS servers in an Exchange 2010/Office 365 hybrid deployment? Or is there still going to be a requirement for internal ADFS servers? It would be great to hear about that particular topology, and if it's possible. I think it is, but I'd really appreciate hearing back from F5 or any other customers who have gone down this route. Cheers - Gavin Connell-Otten - Victoria University, NZ
Short answer: YES! You can replace your ADFS servers entirely with the BIG-IP and SAML for Office 365. This enables SSO for your users regardless of whether they are accessing resources on-premises (Exchange, SharePoint, etc.) or hosted on O365. In a hybrid scenario, you will be able to migrate your Exchange users up to Office 365 at your pace without negatively affecting the user experience. Or, you can maintain users in both locations with a single namespace. There is one exception that we are currently engaging with Microsoft on. Currently we don't support SSO with Lync mobile clients and O365 using the BIG-IP as the IdP. All other clients (OWA, Outlook Anywhere, ActiveSync, etc.) work well with our solution and alleviate the need for ADFS servers.
Leveraging BIG-IP APM for a hybrid deployment is almost no different than in cloud-only. In a hybrid deployment, autodiscover points to the on-premises CAS, and it directs users to configure their mail clients with the on-prem or off-prem destination. So your ActiveSync and OA users should be all set. For OWA, the elegant set-up would be to allow everyone to come to a single on-prem URL and authenticate. Once you authenticate the user, you can do an AD Query to find out where their mailbox lives and redirect them to the outlook.com domain if their mailbox lives in the cloud.
There will be one caveat where you'd need to make an adjustment to the Exchange deployment - you will need to disable the access policy on the free/busy requests that come inbound from the cloud users. Will post that info a bit later - need to look up the exact URI being used.
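The two design points in the previous two posts (redirect OWA users whose mailbox lives in the cloud after an AD Query, and bypass the access policy for inbound free/busy requests) can both be expressed as an APM iRule. The following is an added illustration, not code from the thread, from F5's deployment guide, or from the iApp. It assumes an access policy whose AD Query fetches the `targetAddress` attribute (exposed to iRules as `session.ad.last.attr.targetAddress`), that remote mailboxes carry a `targetAddress` in the tenant's `mail.onmicrosoft.com` routing domain, and it uses placeholder values for the tenant domain, the OWA target URL and the free/busy URI, since the thread does not give them.

```tcl
# Added example (not from the thread or the F5 deployment guide).
# Assumptions: APM access policy with an AD Query that returns the
# 'targetAddress' attribute; remote (cloud) mailboxes carry a
# targetAddress in the tenant's mail.onmicrosoft.com routing domain.
# All three values below are placeholders; replace them per tenant.

when ACCESS_POLICY_COMPLETED {
    set cloud_domain "TENANT-PLACEHOLDER.mail.onmicrosoft.com"

    # AD Query results are exposed as session.ad.last.attr.<attribute>
    set target [string tolower \
        [ACCESS::session data get "session.ad.last.attr.targetAddress"]]

    # Record where the mailbox lives so HTTP_REQUEST can act on it
    if { $target ends_with [string tolower $cloud_domain] } {
        ACCESS::session data set "session.custom.mailbox_location" "cloud"
    } else {
        ACCESS::session data set "session.custom.mailbox_location" "onprem"
    }
}

when HTTP_REQUEST {
    set owa_cloud_url "https://OWA-CLOUD-URL-PLACEHOLDER/owa/"
    set freebusy_uri "/FREE-BUSY-URI-PLACEHOLDER"

    # Caveat from the thread: inbound free/busy lookups from the cloud
    # side carry no user session, so let them bypass the access policy.
    # Keep this match as narrow as the real URI allows.
    if { [string tolower [HTTP::path]] starts_with [string tolower $freebusy_uri] } {
        ACCESS::disable
        return
    }

    # Authenticated OWA users with a cloud mailbox are sent to the
    # hosted OWA; with the BIG-IP as SAML IdP they already hold a session,
    # so the hop completes without a second credential prompt.
    if { [string tolower [HTTP::path]] starts_with "/owa" } {
        if { [ACCESS::session data get "session.custom.mailbox_location"] eq "cloud" } {
            HTTP::redirect $owa_cloud_url
        }
    }
}
```

The free/busy bypass is the security-relevant part: whatever URI you end up matching, confirm it only exposes the calendar availability endpoint and not the rest of the web services, and check the APM and LTM logs after enabling it to make sure only the expected request path is skipping the access policy.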
Hi Michael, did you ever find that URL, or have any further info on this?
We've been trying to implement it and have either broken EAS or Free/Busy in the process; we can't seem to get both working.
Did you implement the iRule on page 77 of the Deployment Guide?
This should solve your Free/Busy problem. If not, please share a bit more details on your exact deployment.
No, I have not. That doesn't appear to be in the older deployment guide I used. The Exchange guys are testing it tomorrow so I'll let you know how it goes.
I was hoping you'd say that. Sorry for spamming each of your articles, by the way, just eager to get the answers! Documentation seemed to point in that direction; I just wanted to get full confirmation before advising my organisation that we could proceed with a pilot. Any plans on adjusting the iApp deployment doc to include mention of deployment in a hybrid environment? It would be really useful to have it written in black and white, "No need for ADFS" :) I get that you wouldn't document how to set up Exchange of course, but it would be of some assurance to have at least a 'tip of the hat' to that backdrop. We're happy without Lync for the time being, so that's not a setback for us. We don't use it currently, so no loss there...
I'll be documenting the entire design and implementation, leading to a pilot. Any interest in collaborating a little? This could make a really useful DevCentral article...
Thanks a lot Michael, I've emailed you with some further details, and I should get approval to put together a pilot at some point this week, so I'll be really keen on getting that info on making the OWA experience a little more graceful. The standard MS autodiscover redirection seems to be a little clumsy... :/
I realize this is an old thread, but I'm adding this for the benefit of anyone else that runs across this when researching this option.
While the BIG-IP SAML solution does work for Outlook and Office 365 web app authentication, it does not work for Lync or any of the other Office apps. If you want Excel or Word to use Office 365 SharePoint resources, you still need ADFS.
I'm in this same boat, Scott. Microsoft are promising SAML 2.0 compliance for Lync, OneDrive, Mobile Office, etc., by the end of the year. Fingers crossed they come through!