IBM Security Verify

  • 1.  Enabling SSO on Outlook Web Access via IBM Security Verify WS-Federation

    Posted Tue August 24, 2021 02:06 PM
    Hi Everyone,

    We're using Verify SaaS. We're trying to configure WS-Federation SSO to Outlook Web Access **on-premise** using the Microsoft 365 app with the following settings:

    * In ISV, create a new Microsoft 365 application.
    * Set Sign-on method to: WS-Federation
    * Set Provider ID to: https://mail.domain.com/owa/
    * Set the WS-Federation end point of the application to: https://mail.domain.com/owa
    * Set Signature Options > Signature algorithm to: SHA1
    * Set Signature Options > Signature Certificate to: Default personal certificate
    * Set SAML subject > Name identifier to: upn
    * Set Attribute Mapping > Attribute UPN to: upn
    * Set Attribute Mapping > Attribute ImmutableID to: {custom AD attribute}

    We're getting a redirect loop between ISV and OWA. Responses from OWA are 302 Found form POST with wct, wctx and wresult form fields.

    Has anyone been able to get OWA connected with ISV?




    ------------------------------
    Timothy Dilbert
    ------------------------------


  • 2.  RE: Enabling SSO on Outlook Web Access via IBM Security Verify WS-Federation

    Posted Fri August 27, 2021 07:51 AM
    Hi Timothy,

    The WS-Federation SSO in ISV is currently supported for the Microsoft 365 application; it's not yet available for custom applications like OWA. You'll probably need to submit an RFE if you need custom application support for WS-Federation SSO.

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------



  • 3.  RE: Enabling SSO on Outlook Web Access via IBM Security Verify WS-Federation

    Posted Mon September 27, 2021 09:01 AM
    Hi Timothy, Chen,

    It is hard to believe that integrating with a player like Microsoft makes us face some IBM bureaucracy.
    I didn't know the same issue existed on the SaaS version.
    For this purpose, I filed an RFE for a proper ISV/Azure federation integration because I face a similar issue (WS-Federation needed by Azure) with the virtual appliance version.
    https://ibmsecurity.ideas.ibm.com/ideas/ISAM-I-1021

    Hope this will be considered as an issue and will be fixed very fast for a smooth integration.

    Best regards

    ------------------------------
    Nicolas Karageuzian
    ------------------------------



  • 4.  RE: Enabling SSO on Outlook Web Access via IBM Security Verify WS-Federation
    Best Answer

    Posted Wed January 12, 2022 10:27 AM
    If anyone else runs into this issue, we were able to figure out a way to do this using IBM Security and ADFS. Kindly see a link to an article on our website explaining how this is done, including links to a GitHub repo detailing all of the steps:

    https://www.bmt.ky/protect-owa-using-ibm-security-verify/

    ------------------------------
    Timothy
    ------------------------------