Integrate Outlook Web Access

From idenprotect Knowledge Base

If you have already completed the ADFS integration steps and want to set ADFS as a Service Provider, see the Authentication Portal Service Provider Configuration article.

Introduction

idenprotect Authentication can provide access to Outlook Web Access (OWA) by configuring Exchange Server to use ADFS Claims Based Authentication, with idenprotect acting as the SAML Identity Provider that ADFS trusts.

These are the steps required to complete this integration.


Prerequisites

Installations of idenprotect Core Platform and idenprotect Authentication Portal. If you do not have these yet, see the Quick Start Guide or In-Depth Guide for idenprotect Core Platform, and the Quick Start Guide or In-Depth Guide for idenprotect Authentication Portal.

Installations of Exchange Server and ADFS Server.

Set up ADFS Integration with Exchange Server

On the ADFS Server, create Claim Rules for: Name ID, Windows Account, UPN, and Primary SID.

ADFS Claim Rule Name ID.png

ADFS Claim Rule Account Name.png

ADFS Claim Rule UPN.png

ADFS Claim Rule Primary SID.png

Set up a Relying Party Trust in ADFS

From the ADFS Management dialog, right-click the Relying Party Trusts menu option to select Add Relying Party Trust...

Relying Party Trust 1.png

Select the Relying Party Trust to be Claims aware.

Relying Party Trust 2.png

Enter the relying party data manually.

Relying Party Trust 3.png

Select Next until the Configure URL screen is shown, then enter the URL of the Exchange Server as https://<exchange host>/owa.

Relying Party Trust 4.png

Select Next for the other default values and Finish the Relying Party Trust for OWA.

Add Claims Issuance Policy for UPN and SID Claims

Set up the SID Issuance Policy Custom Rule

From the new Relying Party Trust, right-click to select the Edit Claim Issuance Policy...

ADFS Claims Issuance Policy.png

Click on the Add Rule... button.

ADFS Claims Issuance Policy 1.png

Set up a Custom Rule

ADFS Claims Issuance Policy 2.png

Set the Rule Name, such as “Idenprotect-SID-ID”. The custom rule must be set to:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "https://demo.guide.com/idp"] => issue(store = "Active Directory", 
types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

ADFS Claims Issuance Policy 3.png

Note: https://demo.guide.com/idp is the Issuer value of the idenprotect Authentication Portal in this example; replace it with the Issuer of your own Authentication Portal. Claims whose Issuer does not match are ignored by this rule.

Set up the UPN Issuance Policy Custom Rule

From the new Relying Party Trust, right-click to select the Edit Claim Issuance Policy...

Click on the Add Rule... button.

Set up a Custom Rule

Set the Rule Name, such as “Idenprotect-UPN-ID”. This rule works like the SID rule above, but looks up the userPrincipalName attribute and issues it as the UPN claim type. The custom rule must be set to:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "https://demo.guide.com/idp"] => issue(store = "Active Directory", 
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

ADFS Claims Issuance Policy 3 - UPN.png

Note: https://demo.guide.com/idp is the Issuer value of the idenprotect Authentication Portal in this example; replace it with the Issuer of your own Authentication Portal.
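The relying party trust and both custom issuance rules above can also be created from PowerShell on the ADFS server. The following script is an added example and is not part of the idenprotect article; the Issuer URL and the Exchange hostname are the article's example values, while the trust name, the pass-through rules for Name ID and Windows account name, and the permit-all authorization rule are this example's own assumptions.

```powershell
# Added example (not from the idenprotect article). Run as Administrator on the ADFS server.
# Assumed values: IdP Issuer and Exchange host are the article's examples; trust name is arbitrary.
$IdpIssuer    = "https://demo.guide.com/idp"
$ExchangeHost = "exchg.example.com"
$TrustName    = "Outlook Web Access"

# Claim type URIs used by the rules
$wsAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$sid       = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
$upn       = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$nameId    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Issuance transform rules: pass through Name ID and Windows account name received from the
# idenprotect IdP (assumed pass-through rules), then resolve Primary SID and UPN from Active Directory
# using that account name. Only claims whose Issuer is the idenprotect IdP are accepted.
$transformRules = @"
@RuleName = "Pass-through Name ID"
c:[Type == "$nameId", Issuer == "$IdpIssuer"] => issue(claim = c);
@RuleName = "Pass-through Windows account name"
c:[Type == "$wsAccount", Issuer == "$IdpIssuer"] => issue(claim = c);
@RuleName = "Idenprotect-SID-ID"
c:[Type == "$wsAccount", Issuer == "$IdpIssuer"] => issue(store = "Active Directory", types = ("$sid"), query = ";objectSID;{0}", param = c.Value);
@RuleName = "Idenprotect-UPN-ID"
c:[Type == "$wsAccount", Issuer == "$IdpIssuer"] => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Authorization rule (assumed): every user the IdP authenticated may receive a token for this trust
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Claims-aware relying party trust for OWA: identifiers match the audience URIs Exchange is given later,
# and the WS-Federation passive endpoint is the OWA URL entered on the Configure URL screen.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier "https://$ExchangeHost/owa/","https://$ExchangeHost/ecp/" `
    -WSFedEndpoint "https://$ExchangeHost/owa/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Check: read the trust back and confirm that rules emitting the SID and UPN claim types exist
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
foreach ($type in $sid, $upn) {
    if ($trust.IssuanceTransformRules -notmatch [regex]::Escape($type)) {
        Write-Warning "No issuance rule emits $type; Exchange will reject the token"
    }
}
$trust | Format-List Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```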

Set up Exchange Server to use ADFS for Authentication

The following must be configured:

  1. Import the Token Signing Certificate from ADFS to the Exchange Server.
  2. Set up ADFS to be used as the authenticator in Exchange.

Import Token Signing Certificate to Exchange

Go to the ADFS->Services->Certificates area and select the Token-Signing-Certificate.

Exchange Server Token Signing Certificate.png

Click on the View Certificate... link and you will be able to view the certificate and export it to a file.

Exchange Server Token Signing Certificate 1.png

Follow the export dialogs to export the certificate as a PEM or DER formatted crt file.

Copy the certificate file to the Exchange Server machine. It will be imported into that machine’s Trusted Root Certification Authorities certificate store.

Open the mmc application on the Exchange Server: from the Start menu, type mmc to open the tool. Add the Certificates snap-in for the Computer Account and import the certificate file into the Trusted Root Certification Authorities store.

Exchange Server Token Signing Certificate 2.png

Set up ADFS to be used as the authenticator in Exchange

On the ADFS Server, open PowerShell to retrieve the details of the Token Signing Certificate that Exchange Server must be configured with.

Open PowerShell and enter the command: Get-AdfsCertificate -CertificateType Token-Signing

GetAdfsCertificate.png

Take a note of the Thumbprint displayed for the Token Signing Certificate.

On Exchange Server, open the Exchange Server Management shell console and run it as Administrator. This can be opened from the start menu.

Exchange Server Management Shell.png

Enter the command to set the ADFS Token Signing Certificate, using the thumbprint taken from the previous step.

Set-OrganizationConfig -AdfsIssuer https://adfs.example.com/adfs/ls/ -AdfsAudienceUris "https://exchg.example.com/owa/","https://exchg.example.com/ecp/" -AdfsSignCertificateThumbprint "9F60114F91209DDB8F68EE9A5BA9AE3A0E783BD7"

Exchange Server Management Shell 1.png

Note: enter the thumbprint hex string that is specific to your installation; the value above is only an example.

Configure OWA Virtual Directory

In the same Exchange Server Management Shell, the OWA Virtual Directory must be set up to use ADFS authentication. In this example, the Exchange Server is shown in the shell as “AMEXC01”.

Enter the command: Set-OwaVirtualDirectory -Identity "AMEXC01\owa (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Exchange Server Management Shell 2.png

Note: You can also set the ECP Virtual Directory to use ADFS authentication. Use your own Exchange Server name and virtual directory path in -Identity.
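The Exchange-side steps above (certificate import check, Set-OrganizationConfig, and the OWA and ECP virtual directory changes) can be run together with verification from one script. This is an added example and not part of the idenprotect article; the hostnames and server name are the article's example values, and the thumbprint is a placeholder to be replaced with the one reported by Get-AdfsCertificate on the ADFS server.

```powershell
# Added example (not from the idenprotect article). Run in the Exchange Management Shell as Administrator.
# Assumed values: hostnames and server name from the article; thumbprint is a placeholder.
$AdfsHost     = "adfs.example.com"
$ExchangeHost = "exchg.example.com"
$ServerName   = "AMEXC01"
$Thumbprint   = "<TOKEN-SIGNING-THUMBPRINT>"   # paste the value from Get-AdfsCertificate -CertificateType Token-Signing

# Normalise the thumbprint: copied values often carry spaces or dashes that Exchange will not match
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex characters after cleanup" }

# Check 1: the ADFS token-signing certificate must already be in the computer's Trusted Root store,
# otherwise Exchange cannot validate the signature on ADFS tokens
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\Root; import it first" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires on $($cert.NotAfter); plan the ADFS certificate rollover"
}

# Step 1: ADFS issuer, audience URIs (must match the relying party identifiers) and signing certificate
Set-OrganizationConfig -AdfsIssuer "https://$AdfsHost/adfs/ls/" `
    -AdfsAudienceUris "https://$ExchangeHost/owa/","https://$ExchangeHost/ecp/" `
    -AdfsSignCertificateThumbprint $Thumbprint

# Step 2: OWA and ECP accept ADFS only; every other authentication method is switched off
$authSettings = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
Set-OwaVirtualDirectory -Identity "$ServerName\owa (Default Web Site)" @authSettings
Set-EcpVirtualDirectory -Identity "$ServerName\ecp (Default Web Site)" @authSettings

# Check 2: read the configuration back and flag any virtual directory that still allows a non-ADFS method
Get-OrganizationConfig | Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
$vdirs = @(Get-OwaVirtualDirectory -Server $ServerName) + @(Get-EcpVirtualDirectory -Server $ServerName)
foreach ($vd in $vdirs) {
    $vd | Format-List Identity, AdfsAuthentication, BasicAuthentication, DigestAuthentication, FormsAuthentication, WindowsAuthentication
    if (-not $vd.AdfsAuthentication -or $vd.BasicAuthentication -or $vd.DigestAuthentication -or
        $vd.FormsAuthentication -or $vd.WindowsAuthentication) {
        Write-Warning "$($vd.Identity) still permits a non-ADFS authentication method"
    }
}

# Virtual directory authentication changes take effect after IIS is restarted
iisreset /noforce
```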