Whiteboard video: How ADFS and the Microsoft Federation Gateway work together up in the Office 365 Cloud.


Another “whiteboard video” that gives a quick overview of the data flows and serves as a handy reference to my previous video, which showed how to set it all up when you want to federate your Active Directory with Office 365.

This video shows the browser case. I’ll do another when you use an Outlook client to access Office 365.

Hope this helps if you ever find yourself down in the guts of Fiddler trying to work out the data flows…

Planky – GBR-257

Comments (10)

  1. John Smith says:

    Thanks for the video, yes this was VERY helpful!  There is not a lot of information on ADFS pertaining to how it actually works.

    Again, thank you for taking the time to create this

    John

  2. Planky says:

    Thanks John – glad you found it helpful…

  3. Stephen says:

    Steve – Do you know if MFG/Office365 works with a non-ADFS/AD setup – ie. have Office 365 federate with a third-party identity provider?

  4. ...Planky says:

    Hi Stephen.

    It wouldn't be supported, but let's just think about the "theory" for a moment. There are PowerShell scripts that set up the ADFS and Office 365 services. So a "trick" might be to set up ADFS with the same endpoint names, certificates etc that you'd use on your third party IP. Then use the PowerShell scripts to configure ADFS and create a federated domain in Office365.

    Next – de-install ADFS2. Install the third party IP with the same endpoint names, certs, config (which you could get from the FederationMetadata.xml doc that ADFS publishes).

    I would think therefore that Office 365 wouldn't know it was no longer talking to ADFS. As long as the third party IP did WS-Federation the same way that ADFS does it. You'd have to look carefully at the configuration and the claims that are pushed out by the ADFS server and make sure you replicate the same configuration on your third-party IP box.

    There is no way this would be supported, but it might work. It'd be an interesting experiment. You could end up in the awkward situation where it works for 2 years then fails. You log a support call and they say "sorry, it's not a supported configuration".

    You could then install and configure ADFS and if it still failed, it would then be in a supported configuration and you'd get help. However, the awkward area for you is if you install ADFS and that fixes the problem. Then the only thing you can say is that the third-party IP doesn't work in that configuration. Maybe a service pack broke it or something along those lines. All of this scenario sounds like several days offline to me. Something that would be unacceptable for email in most companies…

    Good luck – if you try it, please let us know. I'd personally be very interested to see it…

  5. Great video – really helped me get a better understanding of authenticating with Office 365.  I tried to blog on the process and to be honest your video is much clearer.  Thanks for the great post. – paul

    blog.sharepointsite.co.uk/…/mapping-internal-users-ldap-to-cloud.html

  6. Ramu says:

    Hi,

    Does Office 365 Exchange Online Outlook Web Access support third-party multifactor authentication?

    thanks

    Ramu

  7. Punit Acharya says:

    Thanks for the great post. And yes thanks for describing the work flow under shady MFG/ADFS transactions.

  8. Exioo says:

    Where can we find a video with Outlook client?

  9. Tony says:

    Great video. You mention "I’ll do another when you use an Outlook client to access Office 365". Would you please?

  10. ...Planky says:

    Exioo (great name), Tony,

    This post is actually a little bit out of date. There have been some changes and I should do an up-to-date version. Although the principles and the general idea of the flows are correct, the specifics are different.

    It's going to be a few months but I will get to it and do an updated video in which I also cover the different client types…