Hideez Enterprise Server – Integration of Hideez Server with Microsoft Exchange for Authentication via SAML
This guide provides step-by-step instructions for configuring AD FS (Active Directory Federation Services) so that Hideez Server can authenticate users of OWA (Outlook on the web) and EAC (Exchange Admin Center) via SAML. AD FS sits in the middle: toward Exchange it remains the WS-Federation identity provider that Exchange already supports, while toward Hideez Server it acts as a SAML Service Provider (SP) through a claims provider trust, with Hideez Server as the IdP.
Prepare your Active Directory Federation Services (AD FS) environment and ensure connectivity to the Microsoft Exchange servers.
Validate prerequisites for claims-based authentication.
The AD FS server signs every token it issues with its token-signing certificate, and Exchange verifies that signature before it accepts the claims, so Exchange must trust the certificate. By default this certificate is self-signed by AD FS. It is copied to the Web Application Proxy server when the proxy is configured, but it must be imported manually into the Trusted Root Certification Authorities store of the local computer on every Exchange server in the organization. Note that AD FS rolls this certificate over automatically when AutoCertificateRollover is enabled (the default), so the new certificate has to be imported again on the Exchange servers and the thumbprint configured on Exchange updated each time.
To export the certificate, log on to the AD FS server, launch the AD FS Management Console and navigate to AD FS -> Service -> Certificates.
Select the certificate listed under Token-signing, right-click it and select View Certificate…:
The general properties of the certificate will be displayed:
Proceed and navigate to the Details tab and click on the Copy to File… button:
Go through the Certificate Export Wizard to export the certificate:
Select DER encoded X.509 (.CER) format and proceed with the export:
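The same export and import can be scripted, which also gives a thumbprint check that the certificate Exchange trusts is really the current primary token-signing certificate. The block below is an added example and is not part of the Hideez guide; the file path and the 'C:\temp' folder are assumptions for a lab.

```powershell
# Added example (not from the Hideez guide): export the AD FS token-signing
# certificate with PowerShell instead of the MMC wizard, then import it into the
# Trusted Root store of each Exchange server. Paths are assumptions.

# ---- On the AD FS server ----
# AD FS keeps a primary certificate and, during rollover, a secondary one.
# Only the primary signs tokens right now, so that is the one to export.
$primary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $primary.Certificate      # X509Certificate2, public part only
$exportPath = 'C:\temp\adfs-token-signing.cer'

# -Type CERT writes a DER-encoded X.509 file, the same format the wizard produces.
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null
"Exported {0}`n  thumbprint {1}`n  valid until {2:yyyy-MM-dd}" -f `
    $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Rollover reminder: if this is $true, AD FS will replace the certificate on its
# own and the steps below have to be repeated with the new one.
"AutoCertificateRollover: {0}" -f (Get-AdfsProperties).AutoCertificateRollover

# ---- On every Exchange server (after copying the .cer file there) ----
$imported = Import-Certificate -FilePath 'C:\temp\adfs-token-signing.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root'

# Check: the certificate in the Exchange trust store must have the thumbprint
# printed on the AD FS server above. A stale copy here breaks token validation.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```

The exported file contains only the public key, so it can be copied to the Exchange servers over any channel; what matters is that the thumbprint printed on the Exchange side matches the one printed on the AD FS side.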
With the AD FS prerequisites configured, proceed to create the relying party trust for OWA (Outlook on the web) on the AD FS server by launching the AD FS Management console:
Navigate to AD FS -> Relying Party Trusts and click on Add Relying Party Trust…:
Select Claims aware and click on Start:
Change the default Import data about the relying party published online or on a local network to Enter data about the relying party manually:
Define a Relying Party Trust in AD FS for Outlook on the Web (OWA).
Create custom claim rules, such as the Pass Through UPN Rule:
Claim Rule Name: Pass Through UPN
Incoming Claim Type: UPN
Add the claim rules for the OWA relying party trust following this pattern. AD FS issues no claims to a relying party unless a rule says so, so every claim OWA needs must be passed through explicitly.
Use the AD FS Web Application Proxy to securely expose OWA for external access.
Repeat the steps for setting up a Relying Party Trust for the Exchange Admin Center (EAC).
Configure the Web Application Proxy for the Exchange Admin Center (EAC).
Use the following PowerShell command:
Configure AD FS authentication for the OWA and EAC virtual directories using commands like:
Restart Internet Information Services (IIS) on the Exchange server to apply the configuration changes.
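The whole Exchange-side procedure (relying party trusts for OWA and EAC, Web Application Proxy publishing, and switching the virtual directories to AD FS authentication) can be done from PowerShell. The block below is an added example written for this page; it is not the guide's own command list. Host names follow the page (adfs.lab.hideez.com, exch.lab.hideez.com); the external URL mail.lab.hideez.com, the certificate thumbprint placeholder, the server name EXCH and the default 'ADFS Signing' certificate subject are assumptions. The claim rules keep only the Pass Through UPN rule the guide specifies; Microsoft's reference configuration for this relying party trust additionally passes through the Primary SID claim.

```powershell
# Added example (not from the Hideez guide): AD FS, Web Application Proxy and
# Exchange configuration for OWA and EAC. Each section runs on a different server.

# ---- On the AD FS server: relying party trusts for OWA and EAC ----
$passThroughUpn = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
# Without an authorization rule AD FS denies every user, so permit all here.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$apps = @(
    @{ Name = 'Outlook Web App';       Url = 'https://exch.lab.hideez.com/owa/' },
    @{ Name = 'Exchange Admin Center'; Url = 'https://exch.lab.hideez.com/ecp/' }
)
foreach ($app in $apps) {
    # Identifier (audience) and WS-Federation endpoint are the virtual directory
    # URL, trailing slash included; Exchange compares the audience literally.
    Add-AdfsRelyingPartyTrust -Name $app.Name -Identifier $app.Url -WSFedEndpoint $app.Url `
        -IssuanceTransformRules $passThroughUpn -IssuanceAuthorizationRules $permitAll
}

# ---- On the Web Application Proxy server: publish with AD FS pre-authentication ----
# Assumption: a certificate for mail.lab.hideez.com is already installed on the proxy.
$externalCert = '<thumbprint of the mail.lab.hideez.com certificate>'
Add-WebApplicationProxyApplication -Name 'OWA' -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://mail.lab.hideez.com/owa/' `
    -BackendServerUrl 'https://exch.lab.hideez.com/owa/' `
    -ADFSRelyingPartyName 'Outlook Web App' -ExternalCertificateThumbprint $externalCert
Add-WebApplicationProxyApplication -Name 'EAC' -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://mail.lab.hideez.com/ecp/' `
    -BackendServerUrl 'https://exch.lab.hideez.com/ecp/' `
    -ADFSRelyingPartyName 'Exchange Admin Center' -ExternalCertificateThumbprint $externalCert

# ---- In the Exchange Management Shell ----
# Issuer, accepted audiences and the token-signing certificate Exchange verifies with.
# Assumption: the imported AD FS certificate has the default subject "CN=ADFS Signing - ...".
$adfsSigning = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -like 'CN=ADFS Signing*' }
Set-OrganizationConfig -AdfsIssuer 'https://adfs.lab.hideez.com/adfs/ls/' `
    -AdfsAudienceUris 'https://exch.lab.hideez.com/owa/', 'https://exch.lab.hideez.com/ecp/' `
    -AdfsSignCertificateThumbprint $adfsSigning.Thumbprint

# AD FS authentication only. Every other method is switched off on purpose:
# a virtual directory that still accepts forms or basic auth can be reached
# with a password and the IdP is bypassed.
Set-OwaVirtualDirectory -Identity 'EXCH\owa (Default Web Site)' -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false -OAuthAuthentication $false
Set-EcpVirtualDirectory -Identity 'EXCH\ecp (Default Web Site)' -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false

iisreset /noforce   # the virtual directory settings are read when the app pools restart

# Check: AdfsAuthentication must be True and every other *Authentication False.
Get-OwaVirtualDirectory -Identity 'EXCH\owa (Default Web Site)' | Format-List *Authentication
Get-EcpVirtualDirectory -Identity 'EXCH\ecp (Default Web Site)' | Format-List *Authentication
```

The final check is worth keeping in a runbook: if a later change re-enables forms or Windows authentication on either virtual directory, users can sign in with a domain password and never touch Hideez Server.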
AD FS operates as an Identity Provider (IdP) by default, but it can also act as a Service Provider (SP) toward a third-party IdP such as Hideez Server by registering that IdP as a claims provider trust. AD FS then accepts SAML assertions from Hideez Server and re-issues the claims to Exchange as before.
Open the AD FS Management Console.
Navigate to Claims Provider Trusts → Add Claims Provider Trust.
Upload the metadata XML file from the third-party IdP (e.g., Hideez Server).
Assign a name to the IdP (e.g., Hideez IdP).
Add a Pass Through UPN Rule:
Claim Rule Name: Pass Through UPN
Incoming Claim Type: UPN
Download metadata from AD FS:
URL: https://adfs.lab.hideez.com/FederationMetadata/2007-06/FederationMetadata.xml
Identify the required fields:
Entity ID: http://adfs.lab.hideez.com/adfs/services/trust
Assertion Consumer Service URL: https://adfs.lab.hideez.com/adfs/ls/
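Both halves of this step, registering Hideez Server as a claims provider trust and reading the Entity ID and Assertion Consumer Service URL out of the AD FS federation metadata, can be done from PowerShell on the AD FS server. The block below is an added example and is not part of the Hideez guide; the metadata file path and the relying party name 'Outlook Web App' are assumptions.

```powershell
# Added example (not from the Hideez guide): claims provider trust for Hideez
# Server and the two values the Hideez side asks for. Runs on the AD FS server.

# Assumption: the SAML metadata XML was downloaded from Hideez Server to this path.
$hideezMetadata = 'C:\temp\hideez-idp-metadata.xml'

# Acceptance transform rules run on claims arriving *from* the claims provider,
# before AD FS re-issues them to relying parties. Only UPN is accepted here.
$acceptUpn = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
Add-AdfsClaimsProviderTrust -Name 'Hideez IdP' -MetadataFile $hideezMetadata `
    -AcceptanceTransformRules $acceptUpn

# Check: the trust must carry the IdP signing certificate taken from the metadata.
# AD FS rejects assertions from this provider unless they are signed with it.
Get-AdfsClaimsProviderTrust -Name 'Hideez IdP' |
    Format-List Name, Identifier, SamlEndpoints, TokenSigningCertificates

# ---- Values to enter on the Hideez side, taken from the AD FS federation metadata ----
$md = [xml](Invoke-WebRequest -UseBasicParsing `
    -Uri 'https://adfs.lab.hideez.com/FederationMetadata/2007-06/FederationMetadata.xml').Content

"Entity ID (Issuer): {0}" -f $md.EntityDescriptor.entityID
# The SPSSODescriptor role lists where AD FS accepts SAML responses; Hideez
# Server posts the response to the HTTP-POST binding.
$md.EntityDescriptor.SPSSODescriptor.AssertionConsumerService |
    Where-Object { $_.Binding -like '*HTTP-POST' } |
    ForEach-Object { "ACS URL: {0}" -f $_.Location }

# Optional: send OWA users straight to Hideez Server instead of the AD FS
# home-realm discovery page. With discovery left on, the local Active Directory
# provider stays selectable and a domain password still works for OWA.
Set-AdfsRelyingPartyTrust -TargetName 'Outlook Web App' -ClaimsProviderName @('Hideez IdP')
```

The Entity ID printed here is the http:// identifier from the metadata, not the https:// URL the metadata was fetched from; Hideez Server needs the identifier exactly as AD FS publishes it.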
Configure the Hideez Server:
Name: ADFS OWA
Issuer/Entity ID: AD FS Entity ID
ACS URL: AD FS Assertion Consumer Service
Map the attributes: map http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn to Email.
Exchange resolves the mailbox from the UPN claim, so the value Hideez Server sends in this attribute must match the user's userPrincipalName in Active Directory exactly, and it must not be an attribute users can change themselves on the IdP side.
The user navigates to OWA: https://exch.lab.hideez.com/owa/.
OWA redirects the user to AD FS for authentication.
AD FS redirects the user's browser to the third-party IdP (e.g., Hideez Server) with a SAML authentication request.
The IdP authenticates the user and returns a signed SAML response to the AD FS Assertion Consumer Service (/adfs/ls/).
AD FS verifies the signature against the certificate from the IdP metadata, applies the acceptance and issuance claim rules, and forwards the resulting claims to OWA, completing the authentication.