using a third party identity provider with Office 365
https://stackoverflow.com/questions/5802985
-
24-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian문제
we are currently using an inhouse SSO solution, using 2-factor authentication, that generates SAML to allow SSO to google apps and salesforce. We are looking to allow support for Office 365.
I am looking at all the documentation for Office 365 and from what i see, it uses SAML, but only if provided by an ADFS.
Would it be possible to use Office 365 with a pure SAML solution? Or is it possible to use ADFS with another identity provider (so not an Active Directory).
I have seen a sample with Tivoli IP, but i do not quite understand the roles, if I understand it all correctly, it actually defers the actual authentication from ADFS to Tivoli, but is that correct? If that would be true, that would be nice :)
Aside of that, from my google-expedition I can see the following options to use our own SSO solution with Office 365:
- adapt the login page from ADFS (aspx) and add our 2fa solution there. (source)
- use Forefront UAG, but not sure what that exactly means (source)
- use a service that pretends to behave as ADFS (source --in the comments)
- use SAML to federate the authentication (if I understand correctly) (source)
From 3. i would conclude that 4. is not possible, but is that just old information and now no longer valid?
Thank you for any helpful insights :)
해결책
Technically speaking, there is nothing about Office 365 that requires ADFS. SSO can be done w/ any federation server that can send the right type of messages and tokens. (I know because I've done it.) If your SSO solution emits the proper type of data, you can use it. There might be Microsoft SLA and support issues w/ using a federation server other than ADFS. Check that first. If you do want to reuse your existing federation infrastructure and need help, shoot me a note.
다른 팁
Just make sure that the SAML solution supports both passive and active profile (ECP). Passive profile is required for web based sign-in. The active/ECP is required to support thick clients like Outlook, Thunderbird, etc. We've gotten both profiles to work.
