
Updated January 4, 2021

Enable multi-factor authentication (MFA) and single sign-on (SSO) access via claims-based authentication and WS-Federation to Microsoft Outlook Web Access (OWA) 2016. 

Prerequisites

  • Microsoft OWA 2016 installed on a server
  • SecureAuth® Identity Platform (formerly SecureAuth IdP) version 9.3 or later, with a realm created for the OWA 2016 configuration
  • Download and unzip the WSFedSignOut.zip file. You will need these files in Step B.


Step A: Identity Platform Classic configuration

Make the following configuration settings in the Identity Platform Classic Web Admin.  

  1. Select the Data tab.
  2. In the Profile Fields section, map the userPrincipalName to a Property, for example, Email 2
  3. Save your changes. 
  4. Select the Post Authentication tab.
  5. In the Post Authentication section, set the Authenticated User Redirect to WS-Federation Assertion
    The Redirect To field is auto-populated with the URL (Authorized/WSFedProvider.aspx), which is appended to the domain name and realm number shown in the browser address bar. 
  6. In the User ID Mapping section, set the following: 

    User ID Mapping: Set to the mapped directory property containing the userPrincipalName field. For example, Email 2
    Name ID Format: Set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Encode to Base64: Set to False

  7. In the SAML Assertion / WS Federation section, set the following: 

    WSFed/SAML Issuer

    Set with the Fully Qualified Domain Name (FQDN) of the Identity Platform appliance and the OWA integration realm number. 

    For example,  https://secureauth.company.com/secureauth2. 

    SAML Audience

    Set to the base domain of the application.

    For example, https://mail.companyname.com/owa/

    Signing Cert Serial Number: Leave as is with the default value. Otherwise, click Select Certificate to use a third-party certificate for the SAML assertion. 

  8. In the SAML Attributes / WS Federation section for Attribute 1, set the following: 

    Name: Set to UPN.
    Namespace (1.1): Set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    Value: Set to the property to which the userPrincipalName field was mapped. For example, Email 2

  9. Save your changes. 
  10. In the Forms Auth / SSO Token section, to optionally configure the token/cookie settings and realm for single sign-on (SSO), click the View and Configure FormsAuth keys/SSO token link. 

    For optional configurations, see the following guides:

  11. Save your changes. 


Step B: Update the Identity Platform appliance

  1. Locate the unzipped contents of the WSFedSignOut.zip file.
  2. In the bin directory for the OWA realm, replace the existing SecureAuthIdentityModel.dll file with the updated .dll file.
  3. Replace the existing WSFedSignOut.aspx.vb and WSFedSignOut.aspx with the updated files.


Step C: Set up ADFS authentication

Set up ADFS authentication using the code in the block below as an example:

$ecpUrl = "https://mail.company.com/ecp/"
$owaUrl = "https://mail.company.com/owa/"
$uris = @($ecpUrl, $owaUrl)                          # an array, not a quoted string; keep the trailing slashes
$saURL = "https://company.com/secureauth9"           # the WSFed/SAML Issuer value from Step A
$saCert = "E3FE6A933D8154A13T3BFE381F99ABBF58812EF1" # thumbprint of the SecureAuth signing cert (or of the ADFS signing cert); replace with your own

# Register the Identity Platform as the trusted issuer for the ECP and OWA audiences
Set-OrganizationConfig -AdfsIssuer $saURL `
    -AdfsSignCertificateThumbprint $saCert `
    -AdfsAudienceUris $uris

# Enable ADFS (claims-based) authentication and disable every other method on the ECP virtual directories
Get-EcpVirtualDirectory |
    Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false `
        -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false # -LiveIdAuthentication $false

# Same for the OWA virtual directories
Get-OwaVirtualDirectory |
    Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false `
        -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false # -LiveIdAuthentication $false
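The following verification script is an added example, not SecureAuth's or Microsoft's own code. Run it in the Exchange Management Shell after Step C to confirm that the issuer, both audience URIs and the per-directory authentication switches ended up as intended. It assumes the same placeholder values as the block above; substitute your own.

```powershell
# Added example: read back the Step C settings and flag anything that does not
# match. The expected values are the page's placeholders; replace them.
$expectedIssuer = "https://company.com/secureauth9"
$expectedUris   = @("https://mail.company.com/ecp/", "https://mail.company.com/owa/")

$org = Get-OrganizationConfig
if ($org.AdfsIssuer -ne $expectedIssuer) {
    Write-Warning "AdfsIssuer is '$($org.AdfsIssuer)', expected '$expectedIssuer'"
}
foreach ($uri in $expectedUris) {
    # Audience matching is exact, so a missing trailing slash shows up here
    if ($org.AdfsAudienceUris -notcontains $uri) {
        Write-Warning "Audience URI '$uri' is not in AdfsAudienceUris"
    }
}

# Every ECP and OWA virtual directory should have ADFS on and the legacy methods off;
# a leftover Forms or Windows auth switch means users can still bypass the Identity Platform.
$legacyMethods = @('BasicAuthentication', 'DigestAuthentication', 'FormsAuthentication', 'WindowsAuthentication')
$vdirs = @(Get-EcpVirtualDirectory) + @(Get-OwaVirtualDirectory)
foreach ($v in $vdirs) {
    $stillOn = $legacyMethods | Where-Object { $v.$_ -eq $true }
    if (-not $v.AdfsAuthentication -or $stillOn) {
        Write-Warning ("{0}: AdfsAuthentication={1}; legacy methods still enabled: {2}" -f `
            $v.Identity, $v.AdfsAuthentication, ($stillOn -join ', '))
    } else {
        Write-Output ("{0}: OK (ADFS authentication only)" -f $v.Identity)
    }
}
```

The checks are read-only, so the script is safe to rerun at any time; if it reports a directory with legacy methods still enabled, rerun the corresponding Set-*VirtualDirectory line from Step C for that directory, and recycle IIS before retesting, since the virtual-directory authentication change does not take effect in running worker processes.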


Step D: Outlook Web Access configuration

Using the URL Rewrite tool, make the following configurations to redirect URLs to the Identity Platform. 

URL Rewrite - Logout Rule 1

  1. In the Match URL section, set the following: 

    Requested URL: Set to Matches the Pattern.
    Using: Set to Regular Expressions.
    Pattern: Set to ^owa/logoff\.owa$
    Ignore case: Select this check box.

  2. In the Action section, set the following: 

    Action type: Set to Redirect
    Redirect URL: Set to https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
    Append query string: Select this check box.
    Redirect type: Set to Permanent (301).


URL Rewrite - Logout Rule 2

  1. In the Match URL section, set the following: 

    Requested URL: Set to Matches the Pattern.
    Using: Set to Regular Expressions.
    Pattern: Set to ^owa/auth/logoff\.owa$
    Ignore case: Select this check box.

  2. In the Action section, set the following: 

    Action type: Set to Redirect
    Redirect URL: Set to https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
    Append query string: Select this check box.
    Redirect type: Set to Permanent (301).


Enhanced Client or Proxy (ECP) URL Rewrite - Logout Rule 1

  1. In the Match URL section, set the following: 

    Requested URL: Set to Matches the Pattern.
    Using: Set to Wildcards.
    Pattern: Set to *logoff.aspx*
    Ignore case: Select this check box.

  2. In the Action section, set the following: 

    Action type: Set to Redirect
    Redirect URL: Set to https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
    Append query string: Select this check box.
    Redirect type: Set to Permanent (301).


Enhanced Client or Proxy (ECP) URL Rewrite - Logout Rule 2

  1. In the Match URL section, set the following: 

    Requested URL: Set to Matches the Pattern.
    Using: Set to Wildcards.
    Pattern: Set to *auth/logoff.aspx*
    Ignore case: Select this check box.

  2. In the Action section, set the following: 

    Action type: Set to Redirect
    Redirect URL: Set to https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
    Append query string: Select this check box.
    Redirect type: Set to Permanent (301).
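The four URL Rewrite rules above are normally built in the IIS Manager UI. As an added example, not part of the SecureAuth documentation, the script below writes the same four rules into a web.config as the XML the URL Rewrite module reads, so the change is scriptable and repeatable. It assumes the IIS URL Rewrite module is installed, that the rules go into the Default Web Site web.config (so the matched URL carries the owa/ prefix exactly as in the page's patterns), and uses the page's placeholder host names; the web.config path is an assumed default.

```powershell
# Added example: apply the Step D logout redirect rules to a web.config.
param(
    [string]$WebConfig = "C:\inetpub\wwwroot\web.config",  # assumed path of the Default Web Site config
    [string]$IdpHost   = "company.com/secureauth9",        # Identity Platform FQDN plus OWA realm (placeholder)
    [string]$OwaUrl    = "https://mail.company.com/owa/"   # trailing slash required (placeholder)
)

# Same redirect target for all four rules, as in the page
$redirect = "https://$IdpHost/wsfedsignout.aspx?wa=wsignout1.0&wreply=${OwaUrl}?wa=wsignoutcleanup1.0"

# Name, pattern syntax and pattern of each rule, mirroring the four rules above
$rules = @(
    @{ Name = 'OWA Logout Rule 1'; Syntax = 'ECMAScript'; Pattern = '^owa/logoff\.owa$' },
    @{ Name = 'OWA Logout Rule 2'; Syntax = 'ECMAScript'; Pattern = '^owa/auth/logoff\.owa$' },
    @{ Name = 'ECP Logout Rule 1'; Syntax = 'Wildcard';   Pattern = '*logoff.aspx*' },
    @{ Name = 'ECP Logout Rule 2'; Syntax = 'Wildcard';   Pattern = '*auth/logoff.aspx*' }
)

[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw
$webServer = $cfg.SelectSingleNode('/configuration/system.webServer')
if (-not $webServer) { throw "No <system.webServer> element found in $WebConfig" }

# Create <rewrite><rules> if the file does not have them yet
$rewrite = $webServer.SelectSingleNode('rewrite')
if (-not $rewrite) { $rewrite = $webServer.AppendChild($cfg.CreateElement('rewrite')) }
$rulesNode = $rewrite.SelectSingleNode('rules')
if (-not $rulesNode) { $rulesNode = $rewrite.AppendChild($cfg.CreateElement('rules')) }

foreach ($r in $rules) {
    # Idempotent: a rule that already exists by name is left untouched
    if ($rulesNode.SelectSingleNode("rule[@name='$($r.Name)']")) { continue }

    $rule = $cfg.CreateElement('rule')
    $rule.SetAttribute('name', $r.Name)
    $rule.SetAttribute('patternSyntax', $r.Syntax)
    $rule.SetAttribute('stopProcessing', 'true')

    $match = $cfg.CreateElement('match')           # "Match URL" section
    $match.SetAttribute('url', $r.Pattern)
    $match.SetAttribute('ignoreCase', 'true')

    $action = $cfg.CreateElement('action')         # "Action" section
    $action.SetAttribute('type', 'Redirect')
    $action.SetAttribute('url', $redirect)
    $action.SetAttribute('appendQueryString', 'true')
    $action.SetAttribute('redirectType', 'Permanent')

    [void]$rule.AppendChild($match)
    [void]$rule.AppendChild($action)
    [void]$rulesNode.AppendChild($rule)
}

# Keep a copy of the original before writing
Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.bak" -Force
$cfg.Save($WebConfig)
```

Two practical points: a Permanent (301) redirect is cached by browsers, so test the redirect URL with a Temporary redirect first and switch to Permanent only once the wreply value is confirmed, and keep this script (or the .bak copy) at hand because Exchange cumulative-update setup rewrites the web.config files and the rules must be reapplied afterwards.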


Known issues

Pasting the thumbprint copied from the certificate window into thumbprint="" in the web.config, replacing the content between the quotation marks, might cause issues.

This issue shows up in the Event Viewer, as Error 1003, MSExchange Front End HTTP Proxy - ID4175.

To resolve this issue, delete the entire thumbprint, including the quotation marks. Manually retype the thumbprint value, including the quotation marks. To learn more, see this article about thumbprint values.

If the code is copied from a PDF or some other format, it could include line breaks in the web.config, which breaks functionality.

Manually remove any line breaks on all code if not copying directly from this web page.
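The two paste problems described above (hidden characters copied from the certificate window, and line breaks copied from a PDF) are easy to catch before they reach the web.config. The functions below are an added example, not part of the SecureAuth page: one normalizes a pasted thumbprint and rejects anything that does not reduce to 40 hex digits, the other scans a web.config for thumbprint="..." values that are not exactly 40 hex digits. The sample inputs and the thumbprint value are constructed.

```powershell
# Added example: sanity-check thumbprint values before they go into configuration.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)
    # The certificate MMC prepends an invisible left-to-right mark (U+200E) to the
    # copied thumbprint; PDFs add spaces and line breaks. Drop everything that is not
    # a hex digit, then insist on the 40 digits a SHA-1 thumbprint has.
    $clean = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint has $($clean.Length) hex digits after cleaning, expected 40"
    }
    return $clean
}

function Test-ConfigThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    # Report every thumbprint="..." attribute whose value is not 40 clean hex digits,
    # which is exactly what a pasted line break or hidden character produces.
    $text = Get-Content -LiteralPath $Path -Raw
    $problems = @()
    foreach ($m in [regex]::Matches($text, 'thumbprint\s*=\s*"([^"]*)"', 'IgnoreCase')) {
        $value = $m.Groups[1].Value
        if ($value -notmatch '^[0-9A-Fa-f]{40}$') {
            $line = ($text.Substring(0, $m.Index) -split "`n").Count
            $problems += "line ${line}: thumbprint value '$value' is not 40 hex digits (length $($value.Length))"
        }
    }
    return $problems
}

# Constructed inputs showing both failure modes (the thumbprint itself is made up)
$fromMmc = "$([char]0x200E)01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"
$fromPdf = "0123456789ABCDEF0123`r`n456789ABCDEF01234567"
ConvertTo-CleanThumbprint -Pasted $fromMmc
ConvertTo-CleanThumbprint -Pasted $fromPdf

# Scan a config file; an empty result means every thumbprint attribute is well formed
Test-ConfigThumbprint -Path 'C:\path\to\web.config'   # assumed path, replace with yours
```

Both constructed inputs reduce to the same 40-digit value, which is the point: the cleaned value is what should be typed into the configuration, never the raw clipboard contents. The same cleaning applies to the value passed to Set-OrganizationConfig in Step C.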


Tips and warnings

Set up the Identity Platform workflows as they normally would be.

To use the Windows Desktop SSO, the WindowsSSO.aspx must be set and coded as the default document to keep the referral string.

If Desktop SSO is redirecting external users to another realm, you will need code to strip out "?403;https://<SecureAuth-FQDN>/SAOWARealm" .  To learn more about enabling Windows Desktop SSO for the Identity Platform realms, see Windows desktop SSO configuration.

Be sure to include the trailing slash "/" when setting URLs in the web.config files and the Identity Platform.
