Hideez Authentication Service (EN)
  • Hideez Authentication Service for Enterprises
    • Release notes
    • Key features of the Hideez Authentication Service in 5 minutes
  • Quick Start Guides
    • Hideez Authenticator Mobile app guide
    • Hideez Key guide
    • Passkey guide
    • FIDO Security Key guide
      • Activation FIDO key and setting PIN code
    • Quick Start Guide for subscriptions
      • Hideez Security Key
      • Hideez Authenticator App
      • Passkeys
    • Guide for Hideez Enterprise Server on Cloud
      • Passkeys
      • Mobile app
      • Hideez Key
  • Use cases
    • Hideez Authenticator Mobile App
      • Passwordless PC login
      • Password-based PC login
      • SSO login to Webservises (FIDO2) via mobile app
        • Using Hideez Authenticator as your passwordless authentication method for SSO
      • Using Hideez Authenticator as your two-factor authentication method for SSO
      • OTP generation by Hideez Authenticator App for 2FA
      • RDP login by Hideez Authenticator App
      • Remote PC lock
    • Hideez Key
      • Proximity Lock
      • Proximity Unlock
        • Unlock PC by Hideez Dongle Touch (Tap-and-Go)
      • Proximity settings (guide for admin)
      • Automatic RDP Launch and Logon
      • Password manager and OTP generator
      • OTP manager for two-factor authentication
    • FIDO Security Key
      • SSO login to Web Servises via Hardware Key (FIDO2)
      • Passwordless PC Login to Entra ID (Azure AD).
      • Using Hideez Key as U2F security key for your two-factor authentication
      • Other vendors' hardware keys
    • Passkey
      • SSO login to Web Services (FIDO2) via Passkey and Hideez Server as Identity Provider
    • Emergency blocking of all computers
    • Employee's account disabling
  • Hideez Enterprise Server
    • Hideez Enterprise Server
    • Glossary
    • Hideez Server Architecture
    • Deployment
      • Database installation
        • MySQL on Windows
        • MySQL on Linux
        • Microsoft SQL Server on Windows
        • Microsoft SQL Server on Linux
      • HES deployment
        • Windows
        • Linux
        • Docker
        • Deployment without Internet access
        • Troubleshooting
      • HES update
        • Windows
        • Linux
        • Docker
      • Publishing on-premises HES for remote users
    • Administration
      • How to change the password for an administrator account?
      • How to recover a forgotten admin password?
      • Adding an admin account
      • Deleting an admin account
      • How to enable two-factor authentication at the Hideez Enterprise Server?
      • Authorization on the HES server via a FIDO key
      • Platform authentication on the HES server
      • Connecting Linux server to Active Directory
      • Setting Hideez Server parameters
      • Configuring DNS server
      • Setting up a Proxy for Mobile App Access to HES
      • How to create and set Hideez Key Access Profiles
      • How to manage companies and departments?
      • How to manage Positions?
      • Enable load balancing
      • Data Protection
    • Dashboard
      • Information about the server
      • Information about employees
      • Information about devices
      • Workstations Information
    • Employees
      • How to add an Employee?
      • Employees management
      • Employee management with Active Directory
    • Workstations
      • How to add and approve Workstations?
      • Workstations management
      • Workstation Profiles
      • Use Proximity Unlock Workstations
    • Hardware Vaults
      • How to add Hideez Key into the Server
      • Assign a key to the user
      • Remove the key from the Employee
      • Set a profile for a Hardware Vault
      • How to see an RFID code on the Employee key?
    • Accounts
      • Creating personal employee accounts
      • Creating shared employee accounts
      • Personal account management
      • Shared account management
      • Accounts backup and restore
      • How to work with the account template?
    • Keys Management
      • Keys Statuses
      • Transition to Reserved status
      • Keys Activation mechanism
      • Cancel issuance of Hideez Key (Reserved -> Ready)
      • Transition to Suspended status
      • Transition to Locked status
      • Transition to Deactivated status
      • Transition to Compromised status
      • Removing the Locked status
      • Wipe procedure
      • Delete key from Hideez Server
    • Audit
      • Workstation events
      • Workstation Sessions
      • Summaries
    • Single Sign On settings
      • How to get employee licenses
      • Enabling Single Sign-On (SSO) for Employees
      • User settings
    • Configuring SAML Protocol
    • Configuration OIDC (OpenID Connect)
  • Hideez Server Integration
    • Microsoft Entra ID
      • Import and Sync Users from Entra ID
        • Administrator-Initiated Manual Password Changes
        • User-Initiated Password Changes
    • Active Directory (On-Premises)
      • Import and Sync Users from Active Directory (On-Premises)
        • Administrator-Initiated Manual Password Changes
        • User-Initiated Password Changes
        • Active Directory (On-Premises) Access and Rights Delegation
    • SAML integration
      • ASA AnyConnect VPN
      • Citrix services
      • Fortinet services
      • GitHub Enterprise
      • GitLab on premises
      • Google Workspace
      • Microsoft Exchange for Authentication via SAML
        • ADFS Installation
      • Okta
      • Oracle Business Intelligence Enterprise Edition (OBIEE)
        • Step 1: Configure the Identity Provider — Hideez Enterprise Server (HES)
        • Step 2: Configure the Service Provider — Oracle Access Manager (OAM)
        • Step 3: Register Oracle Access Manager (OAM) in Hideez Enterprise Server (HES)
        • Step 4: Configure Directory Services and Web Infrastructure
        • Step 5: Configure Oracle Business Intelligence Enterprise Edition (OBIEE) for Single Sign-On (SSO)
    • Open ID Connect integration
      • Hideez Server as an External Authentication Method for Microsoft Entra ID via OIDC
      • OKTA (OIdC)
    • WS-Federation integration
      • Configure Exchange Outlook Web Application and Exchange Admin Center
  • Hideez Client App
    • Hideez Client deployment
      • Installation of the Hideez Client Application
      • Deploying Hideez Client MSI via GPO (Group Policy Object)
      • Configuration app
      • Uninstall Hideez Client app
      • Uninstalling via GPO
      • Upgrade Hideez Client
      • Downgrade Hideez Client
    • Application interface
      • General Settings
      • Logon settings
      • Aditional settings
      • Configuring hotkeys
    • Account management
      • Account creation
      • Editing an Existing Account
      • Deleting your account
    • Shortcuts
    • Remote Vault connection
    • Mobile Authenticator
  • Hideez Authenticator App
    • Quick overview
    • Admin guide
      • Setup for PC login scenario
        • Passwordless PC Login Setup
          • Configuring an Active Directory Certification Authority
          • Hideez Enterprise Server setup for passwordless login
          • Setting Up Passwordless Workstation Login with Entra ID
        • Password-based PC login Setup
      • Setup for SSO login scenario
    • User guide
      • Mobile App Primary Setup
      • App enrollment on Hideez Server
        • Enroll the application on Hideez Server for SSO
          • SSO enrollment (admin account)
          • SSO enrollment (user account)
        • PC Authorization Enrollment
          • Enrollment for Passwordless PC Authorization
            • Passwordless account re-enrollment
          • Enrollment for Password-based PC Authorization
            • Account roaming
      • Login with Hideez Authenticator
        • SSO login
        • PC login
          • Offline passwordless login
          • Login to the remote PC via RDP
      • PC lock
      • OTP generation
      • Software key disabling
        • PC logon disabling
        • SSO logon disabling
      • Service operations
  • Hideez Key (Enterprise Edition)
    • Hideez Key (Enterprise Edition)
    • Technical Specifications
      • Technical specifications Hideez Key 3
      • Technical specifications Hideez Key 4
    • Principles of operation
    • Device Layout
    • Battery maintenance
    • Hideez Key modes
    • How to update the Hideez Key (Enterprise) firmware
    • How to enter credentials with the Hideez Key
    • How to unlock PC
    • Key for Physical doors
  • Product Updates
    • Product updates
    • Hideez Enterprise Server updates
    • Hideez Key firmware updates
    • Hideez Client updates
    • Hideez Authenticator updates
  • API
    • Hideez Enterprise Server web API
  • FAQ
    • How-to's
      • How to add an Employee?
      • How to add personal user account on HES?
      • How to assign Hideez Key to a user?
      • How to activate Hideez Key?
      • How to unlock Hideez Key on HES?
      • How to unlock PC with Hideez Key?
      • How to setup proximity PC unlock?
      • How to use Hideez Key on remote PC?
      • How to enroll the Hideez Authentication app on HES for SSO?
      • How to login on HES with Hideez Authenticator?
      • How to enroll the Hideez Authentication app for PC login?
      • How to login to PC with Hideez Authenticator?
      • Enable QR Code Display for Hideez Authenticator on the Lock Screen of a Windows Remote Workstation
    • Hideez Client App
      • What do I do if I see the message "Connection failed. Trying to re-bond device"?
      • What do I do if the connection with the HES server cannot be established?
      • What should I do if the Password Manager menu item is not displayed?
    • Hideez Enterprise Server
      • How to view logs at Hideez Enterprise Server?
    • Setting Up Gmail with HES
    • Hideez Authenticator
      • QR code is not displayed at the credential provider on my PC
      • I have registered successfully but cannot login
      • What do I do if I changed domain and cannot login now
      • Does the Hideez App collect or transmit data from the phone to third parties or services?
    • Hideez Key
      • What physical conditions are dangerous for the Hideez Key?
      • Is the Hideez Key allowed on planes?
      • How to enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10-11
  • Documentation portal
Powered by GitBook
On this page
  • 1. Initial Setup
  • 2. Configure AD FS and OWA
  • Step 1: Export AD FS Signing Certificate and Import to Exchange Server
  • Step 2: Create a relying party trust and custom claim rules in AD FS for OWA (Outlook on the web)
  • Step 3: Create Claim Rules in AD FS
  • Step 4 (Optional): Publish OWA via AD FS Web Application Proxy
  • Step 5 (Optional): Create Relying Party Trust for EAC
  • Step 6 (Optional): Publish EAC via AD FS Web Application Proxy
  • Step 7: Configure Exchange Organization to Use AD FS Authentication
  • Step 8: Enable AD FS Authentication on Virtual Directories
  • Step 9: Restart IIS on Exchange Server
  • 3. Configure AD FS in Service Provider (SP) Mode
  • Configure AD FS in SP Mode:
  • 4. SAML Configuration for AD FS on Hideez Server

Was this helpful?

  1. Hideez Server Integration
  2. SAML integration

Microsoft Exchange for Authentication via SAML

Hideez Enterprise Server – Integration of Hideez Server with Microsoft Exchange for Authentication via SAML

PreviousGoogle WorkspaceNextADFS Installation

Last updated 5 months ago

Was this helpful?

This guide provides step-by-step instructions for configuring ADFS (Active Directory Federation Services) as a Service Provider (SP) to enable authentication for OWA (Outlook Web App) and EAC (Exchange Admin Center). It outlines the process of using Hideez Server as an IdP for authentication in Microsoft Exchange via SAML.

1. Initial Setup

Prerequisites

Before proceeding, ensure the following components are already deployed and configured in your organization:

  1. Active Directory (AD) is installed and configured.

  2. Microsoft Exchange is operational and accessible.

  3. A Certificate Authority (CA) is set up and configured.

  4. Users can log in to Outlook Web App (OWA) via their browsers using Active Directory (AD) credentials.

  5. All steps are performed by a user with Domain Admins and Enterprise Admins roles.

  6. The ADFS server will be installed on a new, separate server within the Active Directory (AD) environment.

2. Configure AD FS and OWA

Step 1: Export AD FS Signing Certificate and Import to Exchange Server

The AD FS server uses a token-signing certificate for encrypted communication and authentication between the AD FS server, Active Directory domain controllers, and Exchange servers. This self-signed certificate is automatically copied over to the Web Application Proxy server during the installation but is required to be manually imported into the Trusted Root Certificate store on all of the Exchange servers in the organization.

  1. To export the certificate, log onto the AD FS server, launch the AD FS Management Console, navigate to AD FS -> Service -> Certificate

  1. Select the certificate listed under Token-signing, right click and select on View Certificate…:

  1. The general properties of the certificate will be displayed:

  1. Proceed and navigate to the Details tab and click on the Copy to File… button:

  1. Go through the Certificate Export Wizard to export the certificate:

  1. Select DER encoded X.509 (.CER) format and proceed with the export:

Step 2: Create a relying party trust and custom claim rules in AD FS for OWA (Outlook on the web)

With the AD FS prerequisites configured, proceed to create the relying party trust for OWA (Outlook on the web) on the AD FS server by launching the AD FS Management console:

Navigate to AD FS -> Relying Party Trusts and click on Add Relying Party Trusts…:

Select Claims aware and click on Start:

Change the default Import data about the relying party published online or on a local network to Enter data about the relying party manually:

Enter the Display name and Notes for Outlook on the web-relying party:

Outlook on the web

Leave the Configure Certificate window as unconfigured and click on Next:

Add the URL of the Outlook on the web address for the Relying party trust identifier:

Select Permit everyone:

On the Ready to Add Trust page, review the settings, and then click Next to save the relying party trust information:

Leave the Configure claims issuance policy for this application checked and click Close:

Step 3: Create Claim Rules in AD FS

  1. Define a Relying Party Trust in AD FS for Outlook on the Web (OWA).

  2. Create custom claim rules, such as the Pass-Through UPN Rule:

    • Claim Rule Name: Pass Through UPN

    • Incoming Claim Type: UPN

  1. In the Edit Claim Issuance Policy for Outlook on the web window, click on Add Rule…:

  1. Change the Pass Through or Filter an Incoming Claim and then click Next.

  1. Enter the following configuration for the parameters:

  • Claim Rule Name: Pass Through UPN

  • Incoming Claim Type: UPN

  1. Click Finish.

  2. Click OK to close the window

You should see the new Outlook on the web Relying Party Trust created:

Please note that Steps 4, 5, and 6 are optional and are intended for publishing Outlook to the internet. If this has already been configured in your environment, you can proceed directly to step 7.

Step 4 (Optional): Publish OWA via AD FS Web Application Proxy

  • Use the AD FS Web Application Proxy to securely expose OWA for external access.

Step 5 (Optional): Create Relying Party Trust for EAC

  • Repeat the steps for setting up a Relying Party Trust for the Exchange Admin Center (EAC).

Step 6 (Optional): Publish EAC via AD FS Web Application Proxy

  • Configure the Web Application Proxy for the Exchange Admin Center (EAC).

Step 7: Configure Exchange Organization to Use AD FS Authentication

There is no way to configure the Exchange organization to use AD FS authentication within the GUI so begin by launching the Exchange Management Shell from one of the Exchange servers.

The cmdlet to configure the Exchange organization to use AD FS for authentication is as follows:

Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "<Thumbprint>"
  • Example:

    Set-OrganizationConfig -AdfsIssuer https://adfs.lab.hideez.com/adfs/ls/ -AdfsAudienceUris "https://exch.lab.hideez.com/owa/","https://exch.lab.hideez.com/ecp/" -AdfsSignCertificateThumbprint "7D533C61B531D056A0058BB0E2DDE4904E86FB7F"

This example uses the following values:

  • AD FS URL: https://adfs.lab.hideez.com/adfs/ls/

  • Outlook on the web URL: https://exch.lab.hideez.com/owa/

  • EAC URL: https://exch.lab.hideez.com/ecp/ecp/

  • AD FS token-signing certificate thumbprint: The ADFS Signing - exch.lab.hideez.com certificate that has the thumbprint value 7D533C61B531D056A0058BB0E2DDE4904E86FB7F.

Step 8: Enable AD FS Authentication on Virtual Directories

For the Outlook on the web and EAC virtual directories, you need to configure AD FS authentication as the only available authentication method by disabling all other authentication methods.

  • You need to configure the EAC virtual directory before you configure the Outlook on the web virtual directory.

  • You'll likely want to configure AD FS authentication only on Internet-facing Exchange servers that clients use to connect to Outlook on the web and the EAC.

  • By default, only Basic and Forms authentication are enabled for the Outlook on the web and EAC virtual directories.

To use the Exchange Management Shell to configure an EAC or Outlook on the web virtual directory to only accept AD FS authentication, use the following syntax:

Set-OwaVirtualDirectory -Identity "OWA (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Step 9: Restart IIS on Exchange Server

Restart Internet Information Services (IIS) on the Exchange server to apply the configuration changes.

  1. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager in the results.

  2. In IIS Manager, select the server.

  3. In the Actions pane, click Restart.

Please refer to the official Microsoft documentation for instructions on how to restart IIS on an Exchange Server:

3. Configure AD FS in Service Provider (SP) Mode

AD FS operates as an Identity Provider (IdP) by default but can be configured to function as a Service Provider (SP) when integrating with third-party IdPs like Hideez Server.

Configure AD FS in SP Mode:

Add Hideez Server as IdP:

  • Open the AD FS Management Console.

  • Navigate to Claims Provider Trusts → Add Claims Provider Trust.

  • Upload the metadata XML file from the Hideez Server.

  • Assign a name to the Identity Provider (IdP), such as "Hideez IdP," then click Next, and finally, click Finish.

  • You will see newly created Claims Provider Trusts

Create Claim Rules for the Claims Provider Trust:

  • Select the created Claims Provider Trust and click Edit Claim Rules → Add Rule.

  • Choose Pass Through or Filter an Incoming Claim and click Next.

  • Enter the following configuration:

    • Claim Rule Name: Pass Through UPN

    • Incoming Claim Type: UPN

  • Click Finish to save the rule.

4. SAML Configuration for AD FS on Hideez Server

  1. Download metadata from AD FS:

  • Example of URL: https://adfs.lab.hideez.com/FederationMetadata/2007-06/FederationMetadata.xml

  1. Find in the FederationMetadata.xml the following information:

  • entityID

  • AssertionConsumerService

  1. Identify the required fields on the Hideez Server and save them:

  • Name: ADFS

  • Entity ID: http://<AssertionConsumerService>/adfs/services/trust

  • Assertion Consumer Service URL: https://<AssertionConsumerService>/adfs/ls/

  • Map the attributes: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

  • User Attribute: Email

Note: When configuring attributes in Hideez Server or Active Directory Federation Services (AD FS), the mapping values are constant. For your setup, they will remain the same as in the example provided.

Example of a Constant Value:

  • Mapping Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

  • User Attribute: Email

Example:

  • Name: ADFS

  • Issuer / SP Entity ID: http://adfs.lab.hideez.com/adfs/services/trust

  • Assertion Consumer Service: https://adfs.lab.hideez.com/adfs/ls/

  • Map the attributes: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

  • User Attribute: Email

Example Workflow:

  1. The user navigates to OWA: https://exch.lab.hideez.com/owa/.

  2. OWA redirects the user to AD FS for authentication.

  3. AD FS forwards the request to the third-party IdP (e.g., Hideez Server).

  4. The IdP validates the request and returns the SAML response to AD FS.

  5. AD FS processes the claims and forwards them to OWA, completing the authentication

Additional Resources:

This is a trust for

Check the Enable support for the WS-Federation Passive protocol checkbox and Enter the URL of the Outlook on the web address (e.g ):

.

https://exch.lab.hideez.com/owa/
https://exch.lab.hideez.com/owa/
Restart IIS on Exchange Server | Microsoft Learn
Microsoft Documentation on AD FS and OWA