Exchange 2013 SP1: OWA native support for ADFS!
It's been a long time coming, but we finally have native support for ADFS authentication for OWA and ECP. Native means no more hacking away at web.config, messing with FedUtil, and so on.
It's all built into a couple of cmdlets:
- Set-OrganizationConfig --> set the ADFS token-signing certificate thumbprint, the ADFS issuer and the audience URIs (-AdfsSignCertificateThumbprint, -AdfsIssuer, -AdfsAudienceUris)
- Set-EcpVirtualDirectory and Set-OwaVirtualDirectory -AdfsAuthentication $true --> turn it on per virtual directory (and turn the other authentication methods off)
See https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx for more details
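The two steps above carried end to end, as an added example that is not part of the original post or of the TechNet article. It assumes a hypothetical ADFS farm adfs.contoso.com, an Exchange 2013 SP1 server EX01 published as mail.contoso.com, and a placeholder token-signing thumbprint; the cmdlet and parameter names are the documented ones, every host name and value is made up.

```powershell
# Added example, not from the original post. Hypothetical names: ADFS farm
# adfs.contoso.com, Exchange server EX01, client namespace mail.contoso.com.

# ---- Part A: on the ADFS server ----------------------------------------------
# Exchange needs a UPN and a primary SID claim to map the token to a mailbox.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN and primary SID for Exchange"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"),
          query = ";userPrincipalName,objectSID;{0}", param = c.Value);
'@
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# One relying party trust per audience. The identifier must be byte-for-byte the
# URL Exchange will send as wtrealm: https scheme, host, path, trailing slash.
foreach ($app in @{ 'Outlook Web App' = 'https://mail.contoso.com/owa/'
                    'Exchange Admin Center' = 'https://mail.contoso.com/ecp/' }.GetEnumerator()) {
    Add-AdfsRelyingPartyTrust -Name $app.Key -Identifier $app.Value -WSFedEndpoint $app.Value `
                              -IssuanceTransformRules $transformRules `
                              -IssuanceAuthorizationRules $authRules
}

# The thumbprint Exchange must pin is the ADFS *token-signing* certificate, not
# the farm's SSL certificate. Copy this value over to the Exchange side.
(Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint

# ---- Part B: in the Exchange Management Shell on EX01 -------------------------
# Placeholder: paste the thumbprint printed by Part A here.
$tokenSigningThumbprint = '0000000000000000000000000000000000000000'
$adfsIssuer   = 'https://adfs.contoso.com/adfs/ls/'
$audienceUris = 'https://mail.contoso.com/owa/', 'https://mail.contoso.com/ecp/'

# Step 1: org-wide trust settings. Tokens not signed by this cert, not issued by
# this issuer, or not addressed to one of these audiences are rejected.
Set-OrganizationConfig -AdfsIssuer $adfsIssuer `
                       -AdfsAudienceUris $audienceUris `
                       -AdfsSignCertificateThumbprint $tokenSigningThumbprint

# Step 2: switch the virtual directories to ADFS only. ADFS auth cannot be mixed
# with forms/basic/digest/Windows auth on the same vdir, so they are turned off.
Set-EcpVirtualDirectory -Identity 'EX01\ecp (Default Web Site)' -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false
Set-OwaVirtualDirectory -Identity 'EX01\owa (Default Web Site)' -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# The vdir change is only picked up after IIS recycles.
iisreset /noforce

# Verify what Exchange now trusts and which auth methods are live.
Get-OrganizationConfig | Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-OwaVirtualDirectory -Server EX01 | Format-List Identity, *Authentication
Get-EcpVirtualDirectory -Server EX01 | Format-List Identity, *Authentication
```

Two things worth checking in production. First, the audience URIs and the relying party identifiers have to match exactly what ends up in the wtrealm parameter of the WS-Federation redirect, including the scheme, so watch the output of the verification lines against a real browser redirect. Second, the thumbprint is a pin on one certificate: when ADFS rolls over its token-signing certificate (automatic rollover is on by default), Set-OrganizationConfig has to be re-run with the new thumbprint or every OWA/ECP logon starts failing.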
spat
Comments
Anonymous
May 18, 2014
Hi, is it possible to have multiple ADFS issuers? I'm working on an Exchange 2013 multi-tenant environment. Thanks!
Anonymous
June 11, 2014
No you can't. But you could set up a hub and federate IdPs to the hub.
Anonymous
October 08, 2014
I can successfully authenticate to our ECP site with ADFS 3.0 and see the Admin Page. Unfortunately almost immediately Exchange kicks me out and the URL is timeoutlogout.aspx. ADFS then tries to log me back in, but that starts a loop and eventually ADFS says stop. Throws an Event 365 Error. Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '5' seconds.
Anonymous
June 11, 2015
Too bad it doesn't work if OWA is using SSL offloading. When SSL is offloaded then Exchange stupidly puts "http" in the wtrealm parameter instead of "https" and Microsoft cleverly offers no setting to correct this idiotic behaviour.