 

Single sign on between ASP.NET app and Office365 with on-premise ADFS STS

I'm building an ASP.NET web app that authenticates users with Windows Identity Foundation.

The organization has an on-premise ADFS STS. Their Office365 authenticates through Microsoft Federation Gateway with the on-premise STS. The new web app will also authenticate against the on-premise STS with WIF.

Can I establish silent single sign on between the new app and the Office365 environment? So the user will not have to log into Office365 once he is logged into the web app and vice versa.

820 likes

asked Mar 06 '12 12:03 by Carvellis




1 Answer

Yes, you should be able to accomplish this by federating your ASP.NET application with Office365 directly. As you probably already know, typically the way this works is you have Office365 synced to on-prem AD, and you have a trust set up with the on-prem ADFS server. When you're signing in to your web application the user gets redirected to Office365 to type in their UPN (typically the email address). Office365 uses that to figure out which on-prem ADFS server to redirect you to.

If you're logging on from within the domain, you get authenticated right away via Windows integrated auth. ADFS will redirect you back to Office365 to establish a session, and Office365 will log you in to the application itself. If you're outside of the domain, you'll need an ADFS external proxy set up. There, instead of Windows integrated auth, this special ADFS proxy will prompt the user for corporate credentials, and then redirect back to Office365 in the same way as before.

Here's a nice whitepaper that explains all of this in more detail:

http://www.microsoft.com/download/en/details.aspx?id=28971

112 likes

answered Sep 24 '22 01:09 by Andrew Lavers
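The redirect chain the answer describes is WS-Federation passive sign-in: the relying party (the ASP.NET app) sends the browser to the STS with `wa=wsignin1.0`, `wtrealm`, `wreply` and `wctx`, and the `whr` home-realm hint is what lets a gateway skip the "type your UPN" step and go straight to the right ADFS. The following is an added example, not code from the question or the answer, written in Python at the protocol level rather than against the WIF API; the hostnames, realm and relying-party registry are constructed placeholders. It shows the two checks that keep this round trip from becoming an open redirect: the STS only posts a token to a `wreply` registered for the named `wtrealm`, and the RP only honours a local path carried back in `wctx`.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example (hypothetical, not from the page)
STS_ENDPOINT = "https://adfs.example.com/adfs/ls/"   # on-prem ADFS passive endpoint
APP_REALM = "https://app.example.com/"               # the new web app's realm (wtrealm)


def build_signin_url(sts_endpoint, realm, reply_url, context, home_realm=None):
    """Build the WS-Federation passive sign-in redirect the RP sends the browser to.

    whr is the home-realm hint: with it, a gateway that fronts several tenants
    can skip the UPN prompt and send the user straight to the right ADFS.
    """
    params = {
        "wa": "wsignin1.0",   # sign-in action
        "wtrealm": realm,     # identifies the relying party to the STS
        "wreply": reply_url,  # endpoint the signed token is POSTed back to
        "wctx": context,      # opaque RP state, e.g. the page to return to
    }
    if home_realm:
        params["whr"] = home_realm
    return sts_endpoint + "?" + urlencode(params)


def signin_params(url):
    """Parse a sign-in URL back into a flat dict of its WS-Federation parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def sts_accepts_request(url, registered_rps):
    """STS-side check, modelled on ADFS's relying-party trust list (simplified here):
    wreply must be an https URL under an endpoint registered for wtrealm,
    otherwise a signed token would be posted to an arbitrary site."""
    q = signin_params(url)
    if q.get("wa") != "wsignin1.0" or "wtrealm" not in q:
        return False
    realm = q["wtrealm"]
    reply = q.get("wreply", realm)
    # Registered prefixes end in "/" so "https://app.example.com.evil.net/" cannot match.
    return reply.startswith("https://") and any(
        reply.startswith(prefix) for prefix in registered_rps.get(realm, ())
    )


def safe_return_path(wctx):
    """RP-side check when the token comes back: only honour a local, relative path
    from wctx, so the sign-in round trip cannot redirect the user off-site."""
    if wctx.startswith("/") and not wctx.startswith("//") and "\\" not in wctx:
        return wctx
    return "/"


if __name__ == "__main__":
    url = build_signin_url(STS_ENDPOINT, APP_REALM, APP_REALM + "signin-wsfed",
                           "/reports/42", home_realm="contoso.example")
    print(url)
    print("STS accepts:", sts_accepts_request(url, {APP_REALM: [APP_REALM]}))
    print("return to:", safe_return_path(signin_params(url)["wctx"]))
```

In a real deployment the `wreply` allow-list lives in the ADFS relying-party trust (and in the Office365 federation settings), not in application code; the point of the example is that neither side trusts a URL it received in the redirect without checking it against configuration it owns.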