Symantec Access Management


Can I protect STS with X.509 Auth scheme?

  • 1.  Can I protect STS with X.509 Auth scheme?

    Posted 08-31-2016 12:05 PM

    Hi,

    I need to enable Office 365 partnership with the below caveats.

    - Passive profile should be protected by a two-factor RSA auth scheme - simple enough. I protect redirect.jsp with the RSA auth scheme.

    - Active profile: Outlook and Lync should be able to connect only from a machine that has a particular certificate installed. So I need the STS to be able to deny requests if a particular certificate isn't present.

    Is the second requirement possible?

    Regards,

    Anand.



  • 2.  Re: Can I protect STS with X.509 Auth scheme?

    Posted 09-02-2016 11:26 AM

    Hi Anand,

    The STS can only process the ws-username token and the IWA token sent by Office 365 clients.
    The STS has two endpoints. One endpoint, ws-username, can authenticate the rich client using a ws-username token, and the other endpoint, windows transport, can authenticate the rich client using an IWA token.
    When the WS-Fed IP -> RP partnership is created, the above two endpoints are already protected internally.

    Hence we can't use the X.509 Auth scheme with the STS.

    Hope this helps.


    Thanks,

    Sharan



  • 3.  Re: Can I protect STS with X.509 Auth scheme?

    Posted 09-02-2016 01:50 PM

    Thank you, Sharana

    Is there any other way I can implement this? I need the users to be able to use Outlook and Lync only from specific computers. They are issued a certificate on their AD account. Is there any other way I can use this certificate for verification?

    Something in the proxy rules perhaps?

    Regards,

    Anand.



  • 4.  Re: Can I protect STS with X.509 Auth scheme?
    Best Answer

    Posted 09-06-2016 02:55 PM

    Hi Anand,

    As I mentioned, the STS has endpoints only for basic authentication and IWA. I think you can instead configure the Office 365 rich clients to use the passive profile instead of the active profile.
    This can be achieved in Office 365 rich clients using the recent ADAL feature. So, if the passive profile's redirect.jsp is protected with cert auth, the rich client's ADAL browser can pop up for the user's X.509 client certificate.
    But the active profile supports only basic authentication and IWA.

    Please check the link below for ADAL.
    https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/


    Thanks,

    Sharan
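The tenant- and client-side half of the approach in the best answer, as an added example that is not from the post, from Symantec/CA, or from the linked Microsoft article: turning on modern authentication (ADAL) so the Office 365 rich clients (Outlook, Lync/Skype for Business) sign in through the passive profile, where a cert-protected redirect.jsp can demand the X.509 client certificate. The STS itself is not touched. Assumed: a tenant admin credential, the Exchange Online remote PowerShell endpoint, the SkypeOnlineConnector module, and Office 2013 clients (the registry keys are only needed there; newer Office builds enable ADAL by default). Cmdlet names and the registry path are the ones Microsoft documented for the 2015/2016 modern-auth rollout; check them against your tenant before running.

```powershell
# Added example (not from the post or the product docs): enable modern
# authentication (ADAL) so Office 365 rich clients use the passive profile.
# Assumptions: tenant admin credential; Exchange Online remote PowerShell;
# SkypeOnlineConnector module installed; Office 2013 clients for the
# registry section.

$cred = Get-Credential -Message "Office 365 tenant admin"

# --- Exchange Online (Outlook) -------------------------------------------
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking | Out-Null

# Record the current state before changing anything
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# Tenant-wide switch: Outlook then authenticates through a browser control
# (passive profile), so the cert-protected redirect.jsp is what it hits
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# --- Skype for Business Online (Lync client) -----------------------------
Import-Module SkypeOnlineConnector
$sfbo = New-CsOnlineSession -Credential $cred
Import-PSSession $sfbo | Out-Null

Get-CsOAuthConfiguration | Format-List ClientAdalAuthOverride
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Remove-PSSession $exo, $sfbo

# --- Client side (Office 2013 only; run per user or deploy via GPO) -------
$key = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name EnableADAL -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name Version    -PropertyType DWORD -Value 1 -Force | Out-Null

# Verify the keys landed
Get-ItemProperty -Path $key | Select-Object EnableADAL, Version
```

After the change, test from two machines: one with the user's certificate, which should get the ADAL browser prompt for the certificate at redirect.jsp and then succeed, and one without it, which should be refused at that prompt. As the answer states, the active-profile endpoints on the STS still accept only basic authentication and IWA, so a client that does not use ADAL is not covered by this configuration.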