Layer 7 Access Management

How does the STS work?

  • 1.  How does the STS work?

    Posted 09-16-2016 12:47 PM

    Hi,

    I've integrated the STS on the secure proxy server with Microsoft Office 365. This solution is working for now, but I have a few questions.

    - The STS defines a web service authentication scheme in the WAMUI. This has options of WS-Username and password digest, X.509 v3 certificate and another 3rd option. How does the X.509 v3 certificate option work? I can't find anything about this in the documentation.

    - Do the rich clients like outlook directly call the STS? Or do they submit the credentials to Office 365 and Office 365 calls the STS? If they call directly, is there any way I can capture the SOAP packet or request that's hitting the STS?

    I'm interested because I have the below requirement. I need to allow access to the STS only from rich clients that send a particular certificate across. If they don't send the certificate, that request has to be rejected. I am looking at 2 ways to do this.

    1. Change the web service auth scheme to X.509 certificate auth scheme. This seems to achieve the scenario. But I think all it does is disambiguate the certificate for the username and if the username exists in the directory, it logs me in. It doesn't validate the signature in the certificate. Hence I need more information on how this option works!

    2. If the outlook clients directly call the STS, I should theoretically be able to have a SSLVerify statement that distinguishes these requests based on the user-agent coming in, in the httpd-ssl.conf of the SPS apache, and have that verify against the ca cert of my choice. This seems a little bit more secure.

    But the ideal scenario would be to have X.509 + Username password digest for the Web Service STS Auth scheme. Is that a possibility? Any suggestions would be welcome! Thank you!


    Regards,

    Anand.



  • 2.  Re: How does the STS work?

    Posted 09-20-2016 11:38 PM

    Hi, Anand.

    We certainly need more referenceable documents on how this integration works, such as flow diagrams.

    There is an external article that answers some of your questions.

    https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/adfs-deep-dive-primer/ 

    I think your question is more with the outlook as a client.

    The above article explains the different use cases depending on what the client is.

    * Browser

    * Lync

    * Outlook

    A question back to you.

    "Change the web service auth scheme to X.509 certificate auth scheme. This seems to achieve the scenario."

    So, did you mean that you were able to authenticate yourself on outlook using a certificate and sync emails?

    Or, were you using a browser then?



  • 3.  Re: How does the STS work?
    Best Answer

    Posted 09-22-2016 01:57 AM

    Adding to Kim's update.

    The STS defines a web service authentication scheme in the WAMUI. This has options of WS-Username and password digest, X.509 v3 certificate and another 3rd option. How does the X.509 v3 certificate option work? I can't find anything about this in the documentation.
    --> WS Fed IP -> RP partnership automatically creates WSS auth scheme for STS end points. This configuration is not supposed to be changed manually.

    Do the rich clients like outlook directly call the STS? Or do they submit the credentials to Office 365 and Office 365 calls the STS? If they call directly, is there any way I can capture the SOAP packet or request that's hitting the STS?
    --> Rich clients do directly call the STS, and it is possible to capture the SOAP packet using Wireshark.

    If the outlook clients directly call the STS, I should theoretically be able to have a SSLVerify statement that distinguishes these requests based on the user-agent coming in, in the httpd-ssl.conf of the SPS apache, and have that verify against the ca cert of my choice. This seems a little bit more secure.
    --> There must be some Apache configuration to enable client cert auth configuration for a few virtual hosts or specific URLs. Please refer to the Apache SSL documentation.

    Thanks,

    Sharan
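
The per-URL client-certificate configuration Sharan points to, written out as an added example (this is not configuration from the thread, from the SPS product, or from Microsoft). mod_ssl cannot choose a verification mode from the User-Agent header (the TLS handshake runs before any HTTP header arrives), so the practical approach is to scope `SSLVerifyClient require` to the STS endpoint path only. The path `/sts-endpoint/`, the hostname and the certificate file names are placeholders; the CA bundle must contain only the issuer that signs the rich-client certificates, and the `SSLRequire` line pins that issuer so a certificate from any other CA in the bundle is still rejected.

```apache
# Added example, not from the original thread or product documentation.
# Placeholders: sps.example.com, /sts-endpoint/, file paths, issuer CN.
<VirtualHost _default_:443>
    ServerName sps.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # CA that issues the rich-client certificates (vhost-level directive;
    # mod_ssl does not allow it inside <Location>). Keep this bundle to the
    # one issuing CA only, and keep its CRL current.
    SSLCACertificateFile  /etc/httpd/ssl/rich-client-issuing-ca.crt
    SSLCARevocationFile   /etc/httpd/ssl/rich-client-issuing-ca.crl
    SSLCARevocationCheck  chain

    # Default for the rest of the SPS: no client certificate requested.
    SSLVerifyClient none

    # Only the STS endpoint demands a client certificate. With TLS 1.2 this
    # triggers a renegotiation once the request path is known; with TLS 1.3
    # it requires post-handshake authentication support on the client.
    <Location "/sts-endpoint/">
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Pin the issuer: a valid cert from any other CA is still refused.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Rich Client Issuing CA"
        SSLOptions +StdEnvVars
    </Location>

    # Record who presented which certificate, so rejected and accepted
    # STS calls can be reviewed after the fact.
    LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" verify=%{SSL_CLIENT_VERIFY}x subject=\"%{SSL_CLIENT_S_DN}x\"" sts_mtls
    CustomLog /var/log/httpd/sts_mtls.log sts_mtls
</VirtualHost>
```

A request to `/sts-endpoint/` without a certificate chaining to the pinned issuer fails the handshake (or the `SSLRequire` check) before it reaches the STS, which is the behaviour the original question asks for; the log line records `SSL_CLIENT_VERIFY` and the presented subject for each attempt. Validate the file with `apachectl configtest` before reloading, and confirm that the Outlook build in use can complete client-certificate authentication on the negotiated TLS version.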