VMware Workspace ONE Community
VirtualSven
Hot Shot

SSO Office 365 apps and keep existing Office365/ADFS federation?

I have the following challenge:

I have Office 365 federated with ADFS. When users want to log in to the Office 365 portal or Outlook Web Access, they are redirected to the ADFS login portal. The users can then log in with their Active Directory credentials and are redirected back to the Office 365 portal or OWA. This works fine. Now I have implemented Identity Manager and want to add OWA and the Office 365 portal web app to the Identity Manager portal so users can single sign-on to the Office 365 applications. When I read the integration documentation, I can do this by federating Office 365 to Identity Manager. When users want to log in to the Office 365 web applications, they are then redirected to the Identity Manager login interface. I don't want that. I want to keep the existing authentication for Office 365 (through ADFS) and I want to enable SSO for users that are accessing Office 365 web apps through Identity Manager. Is this possible? Anyone with experience with this?

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
0 Kudos
3 Replies
pbjork
VMware Employee

This is an interesting case. VMware Identity Manager is quite flexible. It can be both an IdP and an SP. So in theory you could choose to have ADFS as the IdP into VMware Identity Manager. Or you could potentially configure VMware Identity Manager as the IdP into ADFS (but this requires ADFS to support a third-party IdP, which I don't know if it does). AFAIK, O365 only supports one third-party IdP. So you must choose which one, either ADFS or VMware Identity Manager.

But VMware Identity Manager supports native application SSO as well as the web versions of O365. So why do you not want to use VMware Identity Manager for everything?

0 Kudos
VirtualSven
Hot Shot

I don't want VMware Identity Manager for everything because this is for our demo environment where we showcase different solutions to our customers, I don't want Identity Manager to show up in every demo (well, I don't mind, but my colleagues do ;-)). For other use cases, where a customer has an active Office365 environment with ADFS as IdP and they want to test VMware Identity Manager in a Proof of Concept, I don't want to change the way O365 is currently working but I do want to show SSO with O365 apps from the Identity Manager portal.

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
0 Kudos
pbjork
VMware Employee

Well, unfortunately this is all limited by the fact that Office 365 (or Azure AD) cannot have more than one third-party IdP. So for a POC / demo you would have to deploy a new test tenant within Office 365 which is using VMware Identity Manager as the IdP.

There are other SaaS-based applications that might prove much easier to set up multiple different IdPs against, but I understand if O365 is your main focus. O365 is very popular and common nowadays.

0 Kudos
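Before deciding between a separate test tenant and re-federating an existing domain, it helps to see exactly where the limit pbjork describes lives. The following script is an added example, not code from the thread or from VMware; it uses the MSOnline PowerShell module (Connect-MsolService, Get-MsolDomain, Get-MsolDomainFederationSettings) to list every verified domain in the tenant and, for each federated one, the single IdP it points at. Azure AD stores that federation record per verified domain and routes users by their UPN suffix, so a given domain is either Managed or Federated to exactly one IssuerUri (ADFS or VMware Identity Manager), never both. The ADFS issuer pattern in the classification step is the ADFS default federation service identifier; the account and module availability are assumed.

```powershell
# Added example (not from the original thread): report the federation configuration
# of every domain in an Office 365 / Azure AD tenant.
# Assumes: MSOnline module installed (Install-Module MSOnline) and an account with
# at least Global Reader rights. Prompts interactively for the tenant sign-in.
Connect-MsolService

function Get-DomainFederationReport {
    [CmdletBinding()]
    param()

    foreach ($domain in Get-MsolDomain) {
        $report = [ordered]@{
            Domain          = $domain.Name
            Status          = $domain.Status
            Authentication  = $domain.Authentication   # Managed or Federated
            IssuerUri       = $null
            PassiveLogOnUri = $null
            Protocol        = $null
        }
        if ($domain.Authentication -eq 'Federated') {
            # One federation record per domain: every passive (browser) and
            # active (Outlook / modern auth) logon for this UPN suffix is sent here.
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
            $report.IssuerUri       = $fed.IssuerUri
            $report.PassiveLogOnUri = $fed.PassiveLogOnUri
            $report.Protocol        = $fed.PreferredAuthenticationProtocol
        }
        [pscustomobject]$report
    }
}

$domains = Get-DomainFederationReport
$domains | Format-Table -AutoSize

# Classify each federated domain by its issuer. ADFS defaults its federation
# service identifier to http://<adfs-host>/adfs/services/trust; anything else
# (for example a VMware Identity Manager entity ID) is reported as another IdP.
foreach ($d in $domains | Where-Object Authentication -eq 'Federated') {
    switch -Wildcard ($d.IssuerUri) {
        '*/adfs/services/trust*' { "$($d.Domain): federated to ADFS ($($d.IssuerUri))" }
        default                  { "$($d.Domain): federated to another IdP ($($d.IssuerUri))" }
    }
}
```

Run it against the demo tenant once before and once after any federation change: the first run records which IssuerUri the production domain is bound to, so you can confirm afterwards that it was not touched. Because the record is per domain, a second verified domain in the same tenant could be federated to VMware Identity Manager for the POC users without altering the ADFS federation of the primary domain; that is a lighter alternative to the separate test tenant suggested above, provided the POC users get UPNs under that second domain.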