Understanding Single Sign-On with Hybrid Deployments


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Single sign-on lets users access both the on-premises organization and the Microsoft Office 365 organization with one user name and password. It gives users a familiar sign-on experience and lets administrators control account policies for cloud-based mailboxes with the on-premises Active Directory management tools they already use. Deploying single sign-on involves several components that configure the trust relationship between the on-premises Active Directory Federation Services (AD FS) server and the Microsoft Federation Gateway: users continue to authenticate against on-premises Active Directory, and Office 365 accepts a signed token issued by AD FS instead of validating the password itself.

Although single sign-on isn't required for a hybrid deployment, we strongly recommend deploying it in your on-premises organization so that authentication is seamless and familiar for your users. Beyond sparing users from signing in repeatedly and remembering an additional password for the Office 365 organization, single sign-on offers the following benefits:

  • Exchange Online Archiving   With single sign-on deployed in an Exchange 2010 organization, on-premises Microsoft Outlook users are prompted for credentials the first time they open archived content in the Exchange Online organization. They can suppress further prompts by choosing Save password (Outlook then stores the credential in Windows Credential Manager on that workstation) and are prompted again only when their on-premises account password changes. If single sign-on isn't deployed and Exchange Online Archiving is enabled, the user's on-premises user principal name (UPN) must match their Exchange Online account, and users are prompted for their on-premises credentials every time they access their archive.

  • Policy control   The administrator controls account policy in Active Directory (password policy, workstation logon restrictions, account lockout, and so on) without having to configure anything separately in the cloud, because the cloud sign-in is ultimately decided by the on-premises directory.

  • Access control   Using AD FS issuance authorization rules, the administrator can restrict access to Office 365 so that its services can be reached only from inside the corporate network, only from the Internet, or from both.

  • Reduced support calls   Forgotten passwords are a common source of support calls in all companies. If users have fewer passwords to remember, they are less likely to forget them.

  • Security   User identities and credentials stay protected because every server and service involved in single sign-on is administered and controlled on-premises: passwords are validated by on-premises Active Directory, and Office 365 receives a signed token from AD FS rather than a copy of the password hash. The corollary is that the AD FS servers and their token-signing certificate become the trust anchor for every cloud sign-in, so they must be protected with the same care as a domain controller.

  • Support for strong authentication   You can use strong authentication (also called two-factor authentication) with Office 365, but only together with single sign-on, and subject to some restrictions. For more information, see Configuring Advanced Options for AD FS 2.0 and Office 365.
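The following script is an added example, not code from the original page or from Microsoft, showing how the Access control scenario above is implemented on an AD FS 2.0 federation server: it replaces the issuance authorization rules of the Office 365 relying party trust so that tokens are issued only for requests that originate from the corporate network. It assumes the AD FS 2.0 PowerShell snap-in, a relying party trust with the display name that Convert-MsolDomainToFederated creates, the request-context claim types that AD FS 2.0 Update Rollup 2 or later populates, and a placeholder corporate egress range of 203.0.113.0/24 that you would replace with your own addresses. The rule names and the backup file path are also assumptions for the example.

```powershell
# Added example, not from the original page: restrict the Office 365 relying
# party on an AD FS 2.0 server so tokens are issued only for requests that
# originate inside the corporate network. The request-context claims used
# here (x-ms-proxy, x-ms-forwarded-client-ip) require AD FS 2.0 Update
# Rollup 2 or later.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Display name that Convert-MsolDomainToFederated gives the Office 365 trust.
$rpName = "Microsoft Office 365 Identity Platform"

# ASSUMPTION: the organization's public egress range is 203.0.113.0/24
# (a documentation range); replace with your own addresses.
$corpIpRegex = '^203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'

$proxyClaim    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$clientIpClaim = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$denyClaim     = 'http://schemas.microsoft.com/authorization/claims/deny'
$permitClaim   = 'http://schemas.microsoft.com/authorization/claims/permit'

# Keep a copy of the current rules so the change can be rolled back.
$backup = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$backup | Out-File -FilePath "$env:TEMP\o365-authz-rules.bak" -Encoding UTF8

# Rule 1: a request that came through the federation server proxy (x-ms-proxy
# is present) and whose forwarded client address is not in the corporate
# range is denied. A passive browser request from the Internet carries no
# forwarded client address at all, so it is denied as well.
# Rule 2: everything else (requests that reached the internal federation
# server directly, or proxy requests from the corporate range) is permitted.
$rules = @"
@RuleName = "Deny external requests from non-corporate addresses"
exists([Type == "$proxyClaim"])
 && NOT exists([Type == "$clientIpClaim", Value =~ "$corpIpRegex"])
 => issue(Type = "$denyClaim", Value = "true");

@RuleName = "Permit all other requests"
=> issue(Type = "$permitClaim", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what AD FS stored.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two points matter when applying this. First, Set-ADFSRelyingPartyTrust replaces the entire authorization rule set, and a relying party with no permit rule denies everyone, so the final permit rule must be present or every cloud sign-in fails. Second, rich clients such as Outlook authenticate through Exchange Online, which forwards the request to AD FS via the proxy with the user's address in x-ms-forwarded-client-ip; the regex therefore has to match the public addresses your network presents to the Internet, not internal addresses, or internal Outlook users will be locked out while browser users on the LAN still get in.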

Learn more at: Prepare for single sign-on

 © 2010 Microsoft Corporation. All rights reserved.