Hi,
I've integrated the STS on the secure proxy server with Microsoft Office 365. This solution is working for now, but I have a few questions.
- The STS defines a web service authentication scheme in the WAMUI. This has options of WS-Username and password digest, X.509 v3 certificate and a third option. How does the X.509 v3 certificate option work? I can't find anything about this in the documentation.
- Do the rich clients like Outlook directly call the STS? Or do they submit the credentials to Office 365 and Office 365 calls the STS? If they call directly, is there any way I can capture the SOAP packet or request that's hitting the STS?
I'm interested because I have the below requirement. I need to allow access to the STS only from rich clients that send a particular certificate across. If they don't send the certificate, that request has to be rejected. I am looking at 2 ways to do this.
1. Change the web service auth scheme to the X.509 certificate auth scheme. This seems to achieve the scenario. But I think all it does is disambiguate the certificate for the username and, if the username exists in the directory, it logs me in. It doesn't validate the signature in the certificate. Hence I need more information on how this option works!
2. If the Outlook clients directly call the STS, I should theoretically be able to have an SSLVerify statement that distinguishes these requests based on the user-agent coming in, in the httpd-ssl.conf of the SPS Apache, and have that verify against the CA cert of my choice. This seems a little bit more secure.
But the ideal scenario would be to have X.509 + Username password digest for the Web Service STS Auth scheme. Is that a possibility? Any suggestions would be welcome! Thank you!
Regards,
Anand.
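As an added illustration of the second approach (this is example configuration, not the poster's or the product's own), the fragment below makes the SPS Apache front end accept requests to the STS path only from clients presenting a certificate issued by a CA you choose. It keys on the request path rather than the User-Agent header, since the certificate check happens in the TLS layer; the hostname, the `/sts` path and the file locations are assumptions.

```apache
# Added example (not from the original post): enforce client-certificate
# authentication on the STS endpoint served by the SPS Apache.
# Hostname, /sts path and file paths are placeholders/assumptions.
<VirtualHost *:443>
    ServerName sts.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust store used ONLY for verifying client certificates. Keep it to the
    # single issuing CA so that certificates from any other CA are rejected.
    # (This directive is valid in server/vhost context, not inside <Location>.)
    SSLCACertificateFile /etc/httpd/ssl/rich-client-ca.crt

    # The rest of the site does not request a client certificate.
    SSLVerifyClient none

    <Location /sts>
        # Require a client certificate that chains to the CA above; the TLS
        # handshake (a renegotiation, because this is per-location) fails otherwise.
        SSLVerifyClient require
        # Certificate must be issued directly by that CA, not via intermediates.
        SSLVerifyDepth 1
        # Pin the accepted issuer CN as a second check beyond "signed by the CA file".
        # Placeholder CN; replace with the real issuing CA's subject CN.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Rich Client Issuing CA"
        # Expose SSL_CLIENT_* variables to the STS application and to logging.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>

    # Record verification result and presented subject for audit and detection:
    # SSL_CLIENT_VERIFY is SUCCESS for accepted certs, NONE/FAILED:... otherwise.
    LogFormat "%h %t \"%r\" %>s %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\"" sts_ssl
    CustomLog /var/log/httpd/sts_ssl.log sts_ssl
</VirtualHost>
```

Requests to `/sts` without a certificate from the chosen CA are refused at the TLS layer before reaching the STS, and the custom log line shows which subject each accepted request presented.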