Symantec Access Management

Hi,

I need to enable Office 365 partnership with the below caveats.

- passive profile should be protected by two factor RSA auth scheme - simple enough. I protect redirect.jsp with the RSA auth scheme

- Active profile, Outlook and Lync should be able to connect only from a machine that has a particular certificate installed. So I need the STS to be able to deny requests if a particular certificate isn't present.

Is the second requirement possible?

Regards,

Anand.

Hi Anand,

STS can only process ws-username token and IWA token sent by Office 365 clients.
STS has two end points. One end point ws-username can authenticate the rich client using ws-username token and the other end-point windows transport can authenticate the rich client using IWA token.
When ws-fed IP -> RP partnership is created, the above two end points are already protected internally.

Hence we cant use X.509 Auth scheme with STS.

Hope this helps.

Thanks,

Sharan

Thank you Sharana

Is there any other way I can implement this? I need the users to be able to use outlook and Lync only from specific computers. They are issued a certificate on their AD account. Is there any other way I can use this certificate for verification?

Something in the proxy rules perhaps?

Regards,

Anand.

Hi Anand,

As I mentioned, STS has end points only for basic authentication and IWA. I think you can rather configure office 365 rich clients to use passive profile instead of active profile.
This can be achieved in Office 365 rich clients using recent feature ADAL. So, if passive profile's redirect jsp is protected with cert auth, rich client's ADAL browser can pop up for user x509 client certificate.
But active profile supports only basic authentication and IWA.

Please check below link for ADAL.
https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

Thanks,

Sharan