Office365 Exchange protocols with APM and SAML

Question

Hi all,&nbsp;
We'd like to know which of the Office365 Exchange protocols are supported with SAML.&nbsp;
We've got extensive experience with deploying on premises Exchange with APM, and know that SAML will work for the browser based functionality like OWA and ECP, but what about the other protocols like Activesync, EWS, OAB and Office Anywhere?&nbsp;
Regards,
MiLK_MaN&nbsp;

michael_koyfma1 · Answer

Have you seen the deployment guide?  https://devcentral.f5.com/wiki/iapp.BIG-IP-APM-as-SAML-2-0-IdP-for-Microsoft-Office-365.ashx&nbsp;
It works with all Exchange protocols that you named above.&nbsp;

michael_koyfman · Answer

Have you seen the deployment guide?  https://devcentral.f5.com/wiki/iapp.BIG-IP-APM-as-SAML-2-0-IdP-for-Microsoft-Office-365.ashx&nbsp;
It works with all Exchange protocols that you named above.&nbsp;

milk_man · Answer

Hi Michael,
Thanks for the info.
Yep, we've read that document. What we are trying to understand at this point, when discussing with the customer about how this solution will work, is what is happening under the covers to make this work.
If you take Activesync as an example, we all know it only supports Client certificate and Basic authentication. So how can SAML work in this case? I can only assume that what is happening under the covers is that Office365 is acting as a "SAML broker" by contacting the SAML iDP on behalf of the client who can't fulfil a 302 redirect request.
Can you confirm that this is the case? And if so, are you aware of any Microsoft documentation that describes this process.
Regards,
MiLK_MaN --- who used to idolise you as a F5 PS resource :)

milk_man · Answer

Hi Michael,
Thanks for the info.
Yep, we've read that document. What we are trying to understand at this point, when discussing with the customer about how this solution will work, is what is happening under the covers to make this work.
If you take Activesync as an example, we all know it only supports Client certificate and Basic authentication. So how can SAML work in this case? I can only assume that what is happening under the covers is that Office365 is acting as a "SAML broker" by contacting the SAML iDP on behalf of the client who can't fulfil a 302 redirect request.
Can you confirm that this is the case? And if so, are you aware of any Microsoft documentation that describes this process.
Regards,
MiLK_MaN --- who used to idolise you as a F5 PS resource :)

michael_koyfma1 · Answer

Ah..... now that rings a bell.  &nbsp;
The flow is fairly simple - OutlookAnywhere are using Basic Auth to connect to Office 365.  When those credentials are presented to O365, it suspends the connections and makes SAML ECP-based AuthN request(SOAP-wrapped AuthN request) to the IDP.  The IDP authenticates the user(the user's Basic credentials are passed to the IDP) and return a SAML assertion response - if it is positive, the O365 allows the connection to go through to the backend and allow access to that user's account.&nbsp;
I've seen an old doc from Microsoft that described that flow, but I can't find it now..... Let me know if you really need it and I can dig it up.&nbsp;

Forum Discussion

Office365 Exchange protocols with APM and SAML

9 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Intelligent Proxy Steering - Office365

SSL protocol mismatch

BIG-IP BGP Routing Protocol Configuration And Use Cases

Intelligent Proxy Steering - Office365

Proxy Protocol Initiator