I'm building an ASP.NET web app that authenticates users with Windows Identity Foundation.
The organization has an on-premise ADFS STS. Their Office365 authenticates through Microsoft Federation Gateway with the on-premise STS. The new web app will also authenticate against the on-premise STS with WIF.
Can I establish silent single sign on between the new app and the Office365 environment? So the user will not have to log into Office365 once he is logged into the web app and vice versa.
Activate Single Sign-On for Office 365Log on to your AD Connect sync server and open Azure AD Connect. Click Change User Sign-in, then click Next. Continue clicking Next until you reach the “Enable single sign-on” page.
Office 365 SSO integration allows enterprise users to Single Sign-On into Office 365 account with a single username and password to access multiple Web and Software as a Service (SaaS) applications along with company resources.
This is a question that I have been asked often. Do I still need Active Directory Federation Services (ADFS) to authenticate Office 365 users with my on-premises Active Directory? The answer is: you might not need ADFS anymore!
Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. As a component of Windows Server operating systems, it provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA) through Active Directory (AD).
Yes, you should be able to accomplish this by federating your ASP.NET application with Office365 directly. As you probably already know, typically the way this works is you have Office365 synced to on prem AD, and you have a trust set up with the on-prem ADFS server. When you're signing in to your web application the user gets redirected to Office365 to type in their UPN (typically the email address). Office365 uses that to figure out which on-prem ADFS server to redirect you to.
If you're logging on from within the domain, you get authenticated right away via windows integrated auth. ADFS will redirect you back to Office365 to establish a session, and Office365 will log you in to the application itself. If you're outside of the domain, you'll need an ADFS external proxy set up. There, instead of windows integrated auth, this special ADFS proxy will prompt the user for corporate credentials, and then redirect back to Office365 in the same way as before.
Here's a nice whitepaper that explains all of this in more detail:
http://www.microsoft.com/download/en/details.aspx?id=28971
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With