david-9097 asked shashishailaj commented

Office 365 Federated - IdP Initiated

Hi,

I've configured Office 365 as an SP with F5 BIG-IP as the IdP (IdP-initiated). It is working well. When I access F5, I can single sign-on to O365.

However, if I access O365 instead of F5 for the first time, my browser is redirected to F5 for login. I would like to know if I can configure O365 as an SP, but I don't want my browser to be redirected from O365 to F5 when my user is not logged in.

When I've configured O365 as Federated, I always have to enter my user and password in F5.

Thanks.

Tags: azure-active-directory, azure-ad-authentication-protocols

@david-9097
As the tag "office-deployment" focuses more on general issues of Office deployment, while your issue is more related to the Identity Provider and Microsoft Azure, I will modify the tag. Hope it could help you. Thanks for your understanding.

Hi Emily,

Thanks. I'll wait for answers.

Regards!


1 Answer

shashishailaj answered shashishailaj commented

I think in your case it is supposed to work as you have described, and it is by design. Let me explain what I mean. As per your explanation, I think you have mentioned that you have configured an F5 BIG-IP device with Office 365 and Azure AD. As far as my understanding goes, F5 BIG-IP devices can act as a load balancer, network gateway, web app proxy server, authentication proxy, etc.

It seems that you may have added F5 BIG-IP as an application on Azure AD. When a user has to log on to F5, they authenticate using their Office 365 credentials, and in this case Office 365 is also a multi-tenant app federated with the identity provider Azure AD.

So when a user accesses Office 365 instead of the F5 web app, the browser is redirected to F5 for login because F5 would be acting as an authentication proxy.

I am assuming, as per the details provided by you, that you have set up F5 in such a way that users can log on with their Office 365 usernames. Since both the Office 365 and F5 applications are federated and registered with the same identity authority, which is Azure AD, both get the access token from the same provider and can use the token for the authentication part (the authorization part will still differ for both). So when you log on to F5 directly using your Office 365 credentials, the F5 device checks the domain suffix of the user ID and finds that for this domain suffix, Azure AD is listed as the identity provider within its configuration. So it acts as an authentication proxy, internally sends the user request to Azure AD and acquires an access token, and thus the user is able to log on to F5 using an Office 365 ID. Now the user in this case already has a token cached by F5 from the same identity provider, Azure AD, so the user's access to Office 365 works as well using the same cached token that is already present in F5.

As long as F5 is acting as an authentication proxy, you would always see the redirection. It is working by design and cannot be changed.

Hope the information helps. If the details provided are useful, please do accept the post as the answer. It may be possible that my understanding of your environment is different; in that case I would request you to share any documentation or article that you may have followed for the setup, or details on how you set it up, which can help me help you in a better way. Do let us know and we will be happy to help further.

Thank you.
Shashi
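The two flows this thread contrasts are SP-initiated SSO (the user goes to Office 365 first, and the SP redirects the browser to the IdP with a SAML AuthnRequest, which is the redirection the poster sees) and IdP-initiated SSO (the user logs on at F5 first, and the IdP posts an unsolicited Response to the SP). The Python below models both on the SP side as an added example; it is not code from the original post, from Microsoft or from F5. The entity IDs and URLs are placeholders standing in for the real Office 365 and BIG-IP endpoints, the Response it checks is constructed inline and unsigned, and signature verification is assumed to happen elsewhere (an assumption, stated in the code).

```python
"""SP-initiated vs IdP-initiated SAML 2.0, modelled from the SP's side.
Added example; placeholder endpoints and a constructed, unsigned Response."""
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholders (assumptions): stand-ins for the O365 SP and the F5 IdP endpoints.
SP_ENTITY_ID = "urn:example:o365-sp"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://f5.example.com/saml/idp"
IDP_SSO_URL = "https://f5.example.com/saml/idp/sso"


def build_redirect_url(request_id=None):
    """SP-initiated, step 1: the SP builds an AuthnRequest and sends the browser
    to the IdP using the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode).
    This is exactly the redirection to F5 that the question describes."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = co.compress(xml.encode()) + co.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": "/mail"})
    return request_id, f"{IDP_SSO_URL}?{query}"


def decode_redirect_url(url):
    """What the IdP sees on arrival: undo the Redirect binding and read the request."""
    params = parse_qs(urlparse(url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    return {
        "id": root.get("ID"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "relay_state": params.get("RelayState", [None])[0],
    }


def classify_response(response_xml, outstanding):
    """At the SP's ACS: bind the Response to a request this SP actually sent.
    Assumption: the XML signature was already verified by the real SP before
    this point; this helper only checks InResponseTo and must not be used alone."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated"  # unsolicited: nothing on the SP side to bind it to
    if in_response_to not in outstanding:
        raise ValueError("InResponseTo does not match any outstanding request")
    outstanding.discard(in_response_to)  # each request ID is accepted once
    return "sp-initiated"


def sample_response(in_response_to=None):
    """Constructed, unsigned IdP Response used only to exercise classify_response."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}"{attr}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def demo():
    """Run one SP-initiated exchange, then an unsolicited IdP-initiated one."""
    outstanding = set()
    req_id, url = build_redirect_url()
    outstanding.add(req_id)
    assert decode_redirect_url(url)["id"] == req_id  # IdP reads back what SP sent
    return [
        classify_response(sample_response(req_id), outstanding),  # SP-initiated
        classify_response(sample_response(), outstanding),        # IdP-initiated
    ]


if __name__ == "__main__":
    print(demo())
```

The practical point for the thread: the unsolicited, IdP-initiated Response carries no InResponseTo, so the SP cannot tie it to a login it started, which is why SP-initiated SSO is the more conservative default and why the "redirect to F5" the poster sees is simply Office 365 asking the IdP to authenticate the user.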


Hi Shashi,

You are right. F5 is acting as an authentication proxy.

I was wondering if O365 could be Federated and Managed at the same time, or whether I could configure something else to allow authentication from O365 directly without redirection to F5.

Thanks, best regards.


@david-9097 ,

No, the same verified domain name on Office 365 cannot be federated and managed at the same time. One domain can either be federated or managed, but not both at any given point in time. In your network architecture F5 is acting as an authentication proxy, so the redirection will always happen to F5. If you use F5 as a web application proxy where you would not log on to F5 using the Office 365 credentials, then you would be able to achieve what you want and have no redirection to F5, but I don't think you mean to do that. Does logon to the F5 portal make applications other than O365, like VPN, etc., available to users? If yes, then you cannot make any change to the existing setup as far as I can think, and this will remain as it is from a security point of view. I understand it's not the answer you want, but I think it's as per the available technical design and cannot be changed. Hope that clarification helps. Should you still have any queries, please do let us know and we will be happy to help further.

Thank you.
