A bit OT-ish, but I thought I'd try. I've got a customer who's interested in setting up Federation (ADFS) to achieve SSO with O365. However, they also want two-factor authN.
I'm wondering what the options are. I've found that the following are possible:
* ADFS proxy with custom development
And I also thought that TMG is possible. See also http://blog.auth360.net/2011/06/02/o365-and-tmg/
Now how about opening documents using the "fat Office applications"? E.g. you log on to SharePoint Online, log on after being redirected to your TMG, and open a document using MS Word. Will the nasty popup appear? Or will SSO work? Or is this just dependent on how you configure TMG? If the popup appears, will you be able to log on?
Has anyone done something like this before?
OT: O365 & Strong Authentication (ADFS + X)
- 1K Views
- Last Post 23 August 2012
Since TMG is included with UAG by default, you will have to take additional steps to separate those (I am not implying that it is possible or easy to do; I have not tried that). I do not know if TMG comes as a separate install either. So for our purposes we can treat them as one.
It is possible to open a Word document without being re-prompted. Some configurations, timeouts, etc. may cause a re-prompt. I have set up the ADFS part of that configuration and had a small part in setting up UAG as well, but do not have all the technical details.
Global Service Manager - Identity Management Services | MCD / IT Foundation
2111 McDonald's Drive | Oak Brook, IL 60523
(o) +1 630.623.2571| (m) +1 847.687.6809
tony.gordon at us.mcd.com
Email Dana at AuthAnvil, as he's got solutions (and the soft token on the iPhone works extremely well for my two-factor needs at my small office).
Shameless plug: I'm a happy customer of his on-premises two-factor solutions. He's got cloud solutions ready to go.
On 8/23/2012 7:58 AM, Thomas Vuylsteke wrote:
> Hey all,
> A bit OT-ish, but I thought I'd try. I've got a customer who's
> interested in setting up Federation (ADFS) to achieve SSO with O365.
> However, they also want two-factor authN.
> I'm wondering what the options are. I've found that the following are
> * ADFS proxy with custom development
> And I also thought that TMG is possible. See also
> Now how about opening documents using the "fat Office applications"?
> E.g. you log on to SharePoint Online, log on after being redirected to
> your TMG, and open a document using MS Word. Will the nasty popup
> appear? Or will SSO work? Or is this just dependent on how you
> configure TMG? If the popup appears, will you be able to log on?
> Has anyone done something like this before?
> Kind regards,
We're looking at chaining a Shibboleth IdP in front of ADFS, so that our Office 365 users could get the benefits of Shib and ADFS. Among other things, our Shib IdP supports step-up two-factor authN. Put another way, the Shib IdP is a claims provider to ADFS. ADFS then has O365 as a relying party.
We have not yet looked closely at the active/rich-client interaction in such a configuration, but that's at the top of our list for exploration. Exchange/SharePoint rich clients have a slightly different interaction than Lync rich clients, although we probably won't explore the Lync interaction at this time.
You can do this kind of chaining with any SAML-based claims provider, including custom-written ones. Joe Kaplan gave a presentation at TEC this year talking about how at Accenture they are using multiple custom STSes with ADFS, including an open-source two-factor one. His presentation (and one given by David Mowers) talked about all the customizations they've made to their ADFS infrastructure, and is a good introduction to what's possible.
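The claims-provider chaining described in this post (IdP as claims provider to ADFS, ADFS as the only issuer the relying party trusts, step-up two-factor enforced at the STS) can be modelled in a few dozen lines. The following is an added example, not code from the thread, Shibboleth, ADFS or any of the products mentioned; HMAC-SHA256 over canonical JSON stands in for XML-DSig, and every key, URN, policy entry and user record is constructed for illustration.

```python
"""Toy model of claims-provider chaining: IdP -> ADFS (STS) -> relying party.

HMAC-SHA256 over canonical JSON stands in for SAML XML signatures. All keys,
identifiers, policy and user data below are constructed for this example.
"""
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-shib-idp-signing-key"     # IdP token-signing secret (constructed)
ADFS_KEY = b"constructed-adfs-token-signing-key"  # ADFS token-signing secret (constructed)

STS_ID = "urn:example:adfs:sts"             # constructed ADFS identifier
O365_RP = "urn:example:office365"           # constructed relying-party identifier
MFA_CONTEXT = "urn:example:ac:classes:mfa"  # constructed step-up AuthnContextClassRef
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Per-relying-party issuance policy at ADFS (constructed): O365 requires step-up.
RP_POLICY = {O365_RP: {"require_mfa": True}}


def _canonical(claims):
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign(claims, key):
    mac = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": mac}


def verify(token, key, expected_audience):
    """Check signature, audience and expiry; raise ValueError on any failure."""
    expected = hmac.new(key, _canonical(token["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature check failed")
    claims = token["claims"]
    if claims["aud"] != expected_audience:
        raise ValueError("token not addressed to this party")
    if claims["exp"] <= int(time.time()):
        raise ValueError("token expired")
    return claims


def idp_issue(user, authn_context):
    """Shibboleth IdP (claims provider) issues an assertion addressed to ADFS."""
    claims = {
        "iss": "urn:example:shib:idp",
        "aud": STS_ID,
        "sub": user["eppn"],
        "authnContext": authn_context,   # records whether step-up happened
        "objectGUID": user["objectGUID"],
        "exp": int(time.time()) + 300,
    }
    return sign(claims, IDP_KEY)


def adfs_issue(idp_token, relying_party):
    """ADFS verifies the claims-provider token, enforces RP policy,
    transforms claims and re-signs with its own key."""
    claims = verify(idp_token, IDP_KEY, STS_ID)
    if RP_POLICY[relying_party]["require_mfa"] and claims["authnContext"] != MFA_CONTEXT:
        raise PermissionError("relying party requires step-up authentication")
    out = {
        "iss": STS_ID,
        "aud": relying_party,
        "upn": claims["sub"],                  # eduPersonPrincipalName -> UPN
        "immutableId": claims["objectGUID"],   # source-anchor claim for the RP
        "authnContext": claims["authnContext"],
        "exp": claims["exp"],                  # never outlive the upstream assertion
    }
    return sign(out, ADFS_KEY)


def rp_accept(token):
    """The relying party trusts only ADFS's key; it never sees the IdP's."""
    return verify(token, ADFS_KEY, O365_RP)["upn"]


def login(user, authn_context):
    """Full chain: IdP -> ADFS -> relying party; returns the UPN the RP sees."""
    return rp_accept(adfs_issue(idp_issue(user, authn_context), O365_RP))


USER = {"eppn": "alice@example.edu", "objectGUID": "constructed-guid-0001"}  # constructed

if __name__ == "__main__":
    print(login(USER, MFA_CONTEXT))
```

Two properties of the chain are worth checking explicitly: a password-only assertion is stopped at ADFS because the relying-party policy demands the step-up context, and an IdP assertion presented straight to the relying party fails, because the RP holds only ADFS's verification key. The model does not cover the rich-client (WS-Trust active profile) path the post says is still to be explored.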