Documentation

 

Introduction

Enable Multi-Factor Authentication and Single Sign-on (SSO) access via claims-based authentication and WS-Federation to Microsoft Outlook Web Access (OWA) 2016. An OWA 2016 integration is not required.

See Outlook Web Access (OWA) 2013 SP1 & 2016 Integration Guide or Outlook Web Access (OWA) 2010 Integration Guide for OWA integrations.

 


Prerequisites

  • Microsoft OWA 2016 installed on a server.
  • SecureAuth IdP v9.3 with a realm created for the OWA 2016 configuration and the Overview, Data, Workflow, and Multi-Factor Methods tabs configured prior to configuring the Post Authentication tab.
  • Download and unzip the WSFedSignOut.zip file. You will work with this content in Step D.

 


Step A: Configure Windows Identity Foundation (WIF)

Windows Identity Foundation (WIF), a Microsoft framework for building identity-aware applications, is a core component in this installation and must be installed on the SecureAuth IdP server (if it hasn't already been installed).

1. To install WIF on the SecureAuth IdP server, download WIF from Microsoft's Download Center.

2. Install the update and perform an IISRESET on the appliance.

 


Step B: Integrate Exchange 2016 with ADFS server

NOTE

To prevent new users from being prompted to set their language or timezone, or from receiving errors after doing so, integrate Exchange 2016 with the ADFS server prior to configuring OWA for use with SecureAuth IdP.


Step C: Configure SecureAuth IdP Web Admin

Data tab

Profile Fields section

1. Map the userPrincipalName to a SecureAuth IdP Property – example: Email 2.

2. Click Save.

Post Authentication tab

Post Authentication section

3. Select WS-Federation Assertion from the Authenticated User Redirect dropdown. This action auto-populates the Redirect To field with a URL that appends to the domain name and realm number in the address bar (Authorized/WSFedProvider.aspx).

User ID Mapping section

4. Select the SecureAuth IdP Property that corresponds to the directory field containing the userPrincipalName (Email 2).

5. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default).

6. Select False from the Encode to Base64 dropdown.

SAML Assertion / WS Federation section

7. Set the WSFed/SAML Issuer to https://SecureAuthIdPFQDN/SecureAuthIdPRealm#/ , replacing these values with the actual Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance and the OWA integration realm number.

For example: https://secureauth.company.com/secureauth2

8. Set the SAML Audience to https://mail.companyname.com/owa/ , replacing "mail.companyname.com" with the actual DNS value.

No configuration is required for the WSFed Reply To/SAML Target URL, SAML Consumer URL, SAML Recipient, or SP Start URL fields.

9. Leave the Signing Cert Serial Number as the default value, unless there is a third-party certificate being used for the SAML assertion.

If using a third-party certificate, click Select Certificate and choose the appropriate certificate.

10. Set the Name of Attribute 1 to "UPN".

11. Set the Namespace (1.1) to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn".

12. Select Email 2 (or the field that contains the userPrincipalName) from the Value dropdown.

The Value here and the User ID Mapping selections will be the same.

13. Click Save.

Forms Auth / SSO Token section

14. OPTIONAL: Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for SSO.


Optional configurations

See Configure token or cookie settings to configure this realm's token / cookie settings.

See SecureAuth IdP Single Sign-on (SSO) Configuration Guide to configure this realm for SSO.

See Windows desktop SSO configuration to configure this realm for Windows Desktop SSO.


Step D: Update the SecureAuth IdP appliance

1. Locate the unzipped contents of the WSFedSignOut.zip file.

2. Find the realm's bin directory and replace the current SecureAuthIdentityModel.dll file with the updated .dll file.

3. Replace the current WSFedSignOut.aspx.vb and WSFedSignOut.aspx files with the updated files.

 


Step E: Set up ADFS authentication

1. Set up ADFS authentication using the code in the block below as an example (the cmdlets are run in the Exchange Management Shell; each command must stay on a single line):

$ecpUrl="https://mail.company.com/ecp/"
$owaUrl="https://mail.company.com/owa/"
# The audience URIs must be a PowerShell array, not a quoted string, and the trailing slashes must match the SAML Audience set in Step C.
$uris=@($ecpUrl,$owaUrl)
# The WSFed/SAML Issuer from Step C: the SecureAuth IdP FQDN and the OWA realm.
$saURL="https://company.com/secureauth9"
# Thumbprint of the SecureAuth IdP signing certificate, or of the ADFS signing certificate (example value; type it rather than pasting from the certificate window, see Known issues).
$saCert="E3FE6A933D8154A13T3BFE381F99ABBF58812EF1"

Set-OrganizationConfig -ADFSIssuer $saURL -AdfsSignCertificateThumbprints $saCert -AdfsAudienceUris $uris

# Turn on ADFS (claims-based) authentication on every ECP and OWA virtual directory and turn every other method off, so no login path bypasses SecureAuth IdP.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false #-LiveIdAuthentication $false

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false #-LiveIdAuthentication $false

 


Step F: Configure Outlook Web Access

URL Rewrite - Logout Rule 1

Match URL section

1. Select "Matches the Pattern" from the Requested URL dropdown.
2. Select "Regular Expressions" from the Using dropdown.
3. Type or paste ^owa/logoff\.owa$ in the Pattern text box.
4. Check the Ignore Case box.

Action section

5. Select "Redirect" from the Action Type dropdown.
6. Type or paste the following in the Redirect URL text box: https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
7. Check the Append Query String box.
8. Select "Permanent (301)" from the Redirect Type dropdown.

URL Rewrite - Logout Rule 2

Match URL section

9. Select "Matches the Pattern" from the Requested URL dropdown.
10. Select "Regular Expressions" from the Using dropdown.
11. Type or paste ^owa/auth/logoff\.aspx$ in the Pattern text box.
12. Check the Ignore Case box.

Action section

13. Select "Redirect" from the Action Type dropdown.
14. Type or paste the following in the Redirect URL text box: https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
15. Check the Append Query String box.
16. Select "Permanent (301)" from the Redirect Type dropdown.

Enhanced Client or Proxy (ECP) URL Rewrite - Logout Rule 1

Match URL section

17. Select "Matches the Pattern" from the Requested URL dropdown.
18. Select "Wildcards" from the Using dropdown.
19. Type or paste *logoff.aspx* in the Pattern text box.
20. Check the Ignore Case box.

Action section

21. Select "Redirect" from the Action Type dropdown.
22. Type or paste the following in the Redirect URL text box: https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
23. Check the Append Query String box.
24. Select "Permanent (301)" from the Redirect Type dropdown.

Enhanced Client or Proxy (ECP) URL Rewrite - Logout Rule 2

Match URL section

25. Select "Matches the Pattern" from the Requested URL dropdown.
26. Select "Wildcards" from the Using dropdown.
27. Type or paste *auth/logoff* in the Pattern text box.
28. Check the Ignore Case box.

Action section

29. Select "Redirect" from the Action Type dropdown.
30. Type or paste the following in the Redirect URL text box: https://company.com/secureauth9/wsfedsignout.aspx?wa=wsignout1.0&wreply=https://mail.company.com/owa/?wa=wsignoutcleanup1.0
31. Check the Append Query String box.
32. Select "Permanent (301)" from the Redirect Type dropdown.


Known issues

If the thumbprint from the certificate window was pasted into thumbprint="", replacing only the content within the quotation marks, the value may still contain invisible extra characters copied along with it, and the quotation marks themselves may need to be deleted and retyped. When this is the cause, the Event Viewer shows Error 1003, MSExchange Front End HTTP Proxy, ID4175. To resolve, delete the entire thumbprint, including the quotation marks, and retype the quotes and the thumbprint value manually.

If code content was copied from a PDF or another format, be aware that line breaks may be inserted into the web.config, breaking functionality. Remove the line breaks manually from all code unless copying directly from this webpage.
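The following verification script is an added example, not part of the SecureAuth guide or of Exchange's own tooling. Run in the Exchange Management Shell after Step E, it checks that the organization config carries the issuer, audience URIs (trailing slashes included, see Tips and warnings) and signing thumbprint from Step E, that every OWA and ECP virtual directory accepts ADFS authentication only, and it flags the hidden non-hex characters behind the ID4175 thumbprint problem above. The expected values are placeholders, and the property names AdfsIssuer, AdfsAudienceUris and AdfsSignCertificateThumbprints are assumed to match the Set-OrganizationConfig parameters used in Step E.

```powershell
# Added example (not SecureAuth's or Microsoft's code). Run in the Exchange
# Management Shell after Step E. Replace the expected values with your own.
$expectedIssuer    = "https://company.com/secureauth9"
$expectedAudiences = @("https://mail.company.com/ecp/", "https://mail.company.com/owa/")

# A thumbprint pasted from the certificate window can carry invisible characters.
# Report every non-hex character with its code point so the ID4175 case is visible.
function Test-SigningThumbprint {
    param([string]$Thumbprint)
    $bad = @([regex]::Matches($Thumbprint, '[^0-9A-Fa-f]') |
        ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value })
    if ($bad.Count -gt 0) {
        Write-Warning "Thumbprint '$Thumbprint' contains non-hex characters: $($bad -join ', ')"
        return $false
    }
    if ($Thumbprint.Length -ne 40) {
        Write-Warning "Thumbprint has $($Thumbprint.Length) characters; a SHA-1 thumbprint has 40"
        return $false
    }
    return $true
}

$issues = @()
$org = Get-OrganizationConfig   # property names assumed to match the Step E parameters
if ([string]$org.AdfsIssuer -ne $expectedIssuer) {
    $issues += "AdfsIssuer is '$($org.AdfsIssuer)', expected '$expectedIssuer'"
}
# Exact string comparison, so a missing or extra trailing slash is reported.
$audiences = @($org.AdfsAudienceUris | ForEach-Object { [string]$_ })
foreach ($u in $expectedAudiences) {
    if ($audiences -notcontains $u) { $issues += "AdfsAudienceUris lacks '$u' (check the trailing slash)" }
}
foreach ($t in @($org.AdfsSignCertificateThumbprints)) {
    if (-not (Test-SigningThumbprint $t)) { $issues += "Signing thumbprint '$t' is malformed" }
}

# Every OWA and ECP virtual directory should accept ADFS only; any other
# method left enabled is a login path that bypasses SecureAuth IdP.
foreach ($v in @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)) {
    $others = @('BasicAuthentication','DigestAuthentication','FormsAuthentication','WindowsAuthentication') |
        Where-Object { $v.$_ }
    if (-not $v.AdfsAuthentication -or $others) {
        $issues += "$($v.Identity): AdfsAuthentication=$($v.AdfsAuthentication); still enabled: $($others -join ', ')"
    }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host "ADFS settings match Step E." }
```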

 


Tips and warnings

Set up SecureAuth IdP workflows as they normally would be. To utilize Windows Desktop SSO, WindowsSSO.aspx will need to be set as the default document and coded to retain the referral string. If Desktop SSO will be redirecting external users to another realm, the secureauth.aspx.vb page in that realm will need code that strips out the "?403;https://<SecureAuth-FQDN>/SAOWARealm". Refer to Windows desktop SSO configuration for more information on enabling Windows Desktop SSO for SecureAuth IdP realms.

When setting URLs in the web.config files and SecureAuth IdP, it is essential to be consistent and not forget something as simple as a trailing slash "/".