Office 365 Federated - IdP Initiated

david 1 Reputation point
2021-07-01T18:22:58.723+00:00

Hi,

I've configured Office 365 as an SP with F5 BIG-IP as the IdP (IdP-initiated). It is working well. When I access F5, I can single sign-on to O365.

However, if I access O365 instead of F5 for the first time, my browser is redirected to F5 for login. I would like to know if I can configure O365 as an SP without my browser being redirected from O365 to F5 when my user is not logged in.

When I've configured O365 as Federated, I always have to enter my username and password in F5.

Thanks.


1 answer

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2021-07-02T17:35:46.983+00:00

    I think in your case it is supposed to work as you have described, and it is by design. Let me explain what I mean. As per your explanation, I think you have mentioned that you have configured an F5 BIG-IP device with Office 365 and Azure AD. As far as my understanding goes, F5 BIG-IP devices can act as an LB, network gateway, web app proxy server, authentication proxy, etc.

    It seems that you may have added F5 BIG-IP as an application on Azure AD. And when a user has to log on to F5, they authenticate using their Office 365 credentials, and in this case Office 365 is also a multi-tenant app federated with the identity provider Azure AD.

    So when the user accesses Office 365 instead of the F5 web app, your browser is redirected to F5 for login because F5 would be acting as an authentication proxy.

    I am assuming, as per the details provided by you, that you have set up F5 in such a way that users can log on with their Office 365 usernames. Since both Office 365 and the F5 application are federated and registered with the same identity authority, which is Azure AD, both get the access token from the same provider and can use the token for the authentication part (the authorization part will still differ for both). So when you log on to F5 directly using your Office 365 credentials, the F5 device checks the domain suffix of the user ID and finds that for this domain suffix, Azure AD is listed as the identity provider within its configuration. So it acts as an authentication proxy and internally sends the user request to Azure AD and acquires an access token, and thus the user is able to log on to F5 using their Office 365 ID. And now that user already has a token cached by F5 from the same identity provider, which is Azure AD, so the user's access to Office 365 works as well using the same cached token that is already present in F5.

    As long as F5 is acting as an authentication proxy, you would always see the redirection. It is working by design and cannot be changed.

    Hope the information helps. If the details provided are useful, please do accept the post as the answer. It may be possible that my understanding of your environment is different, and in that case I would request you to share any documentation or article that you may have followed for the setup, or details on how you set it up, which can help me help you in a better way. Do let us know and we will be happy to help further.

    Thank you.
    Shashi
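
Added example (not from the thread, F5 or Microsoft) that models the two SAML flows the question contrasts: an SP that receives a request without a session has no way to know who the user is and must redirect the browser to the IdP with an AuthnRequest (the O365-to-F5 redirect the poster sees), while an IdP-initiated login arrives at the SP as an unsolicited Response with no InResponseTo. All URLs, entity IDs and sessions are constructed placeholders.

```python
import base64, uuid, zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers; IDP_SSO_URL stands in for the F5 IdP's SSO endpoint.
SP_ENTITY_ID = "urn:example:sp"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/saml/sso"

def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest an SP issues when the browser has no session."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    saml_request = base64.b64encode(deflated).decode()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})

def decode_saml_request(url):
    """IdP side: reverse the redirect binding; returns (authn_request_xml, relay_state)."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    return xml, qs.get("RelayState", [""])[0]

def sp_handle_request(path, session_cookie, sessions, pending_ids):
    """SP-initiated flow: serve a live session, otherwise redirect to the IdP (RelayState keeps the path)."""
    if session_cookie in sessions:
        return "200", sessions[session_cookie]
    request_id = "_" + uuid.uuid4().hex
    pending_ids.add(request_id)  # remembered so the IdP's Response can be matched
    instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "302", redirect_binding_url(build_authn_request(request_id, instant), path)

def classify_response(in_response_to, pending_ids):
    """ACS side: no InResponseTo means an unsolicited (IdP-initiated) Response; an unknown ID is rejected."""
    if in_response_to is None:
        return "idp-initiated"
    if in_response_to in pending_ids:
        pending_ids.discard(in_response_to)
        return "sp-initiated"
    return "rejected"
```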