No Single Sign on application for Office 365?

  • Question

  • Hi,

    As a small business currently quite happy using BPOS, I have heard that Office 365 will not have a Single Sign On application? If this is true, then what do we do to stop the death by authentication request issue? (If your only answer is 2 high-end servers, dirsynch tool and ADFS - then what about the SMEs? We went to the cloud to simplify our infrastructure and to keep our technical support costs down).

    Thanks,

    Elaine


    Elaine Burrows
    Tuesday, March 29, 2011 12:07 PM

Answers

  • Angelo,

    For those not using AD FS, users will simply be prompted for credentials every time they open Outlook if they do not use the Sign-In assistant. The Sign-In assistant can be configured for users by logging into portal.microsoftonline.com, then going to the downloads section and scrolling to the bottom. There is a Java applet that runs by clicking 'Set up'. This will install and configure the sign-in assistant, which is the replacement for the Sign-In tool for BPOS. The tool is very different though, and after it is run the first time it simply runs in the background as a service.

    So the short answer is you don't need to worry about using AD FS, it is just an option. For small organizations just continue to use O365 password authentication and have all your users configure the sign-in assistant the first time they run O365.



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    • Marked as answer by Burrowsel Tuesday, June 21, 2011 4:19 PM
    Saturday, June 11, 2011 11:57 AM

All replies

  • I second this question. I read through the ADFS setup requirements for Office 365 and it's looking very messy for 1-person IT shops. Setting up an ADFS server and a backup and an ADFS proxy to handle clients that are not connected to the internal network. Yikes! We are a small global company and getting all of this to work effectively across different geographies is going to be difficult to set up and maintain.

    Tuesday, March 29, 2011 3:04 PM
  • Hi Elaine. The single sign on application does go away in Office 365. If you choose not to use federated identity (ADFS) then you will use the managed identity by default.

    Managed identity works in much the same way as a Windows Live ID, at least from a SharePoint Online perspective. When accessing SharePoint Online through the browser you are prompted for your credentials. Once logged in your authentication cookie is cached so you can continue to access SharePoint Online and your Office documents without having to enter your credentials again.


    Myles Jeffery | Office365 MVP | Thinkscape | SharePoint Online File Migration Tool
    Tuesday, March 29, 2011 8:12 PM
  • Hi Myles,

    How does this work with Exchange Online and Lync then? Thank you.

    Tuesday, March 29, 2011 8:14 PM
  • Myles,

    Thanks for the reply. It has reduced the blood pressure somewhat; however, I am interested to hear the response to carfan80301's question. If SharePoint is catered for, are there any issues using Exchange (Outlook, OWA, Mobile) and/or Lync?

    We also have an internal LAN which we use to host our business applications, file shares and backup servers - Is this where the issues would arise around authentication?

    Thanks,

    Elaine


    Elaine Burrows
    Wednesday, March 30, 2011 8:15 AM
  • For Elaine and carfan,

    If you end up not using ADFS or Federated ID's when you do the initial setup of your Exchange account you will be prompted for your O365 credentials, from that point forward it will be configured on your exchange profile. Same goes with Lync, your initial configuration will require credentials that can be saved in the Lync client.

    The whole purpose for a company to implement ADFS/Federated ID's would be so they can manage all passwords through their local AD without having to manage a second set of passwords for the Office 365 system. As anyone who uses BPOS knows right now it can become a pain for users to have to remember two passwords.

    So in a situation where you don't use Federated ID's 'Jane User' would log into her PC at the office, then when she goes to SharePoint she would get prompted for credentials, she would then enter her Office 365 credentials and be able to browse the site. If she then closed SharePoint and opened it again she would be re-prompted for her Office 365 credentials.

    In a Federated world 'Jane User' logs in locally to her PC, then opens up SharePoint and doesn't get prompted for a password. On the back end her client goes up to the Federated Gateway (on the Microsoft side of the fence) and gets a request for an authentication token. The request then comes into the local ADFS server, which queries Active Directory; if successful it issues a token, that token is taken back to the Gateway and a validated authentication token is given to the user. This of course all happens in seconds, so all the user sees is a seamless integration of Cloud and local credentials.

    Also note that there is NO password sync when using ADFS/Federation with Office 365. All passwords stay in AD; the process of authentication between local AD and Office 365 is all done through authentication tokens that are all very secure. This is a key advantage and all administrators should take note, because I know many non-IT managers and decision makers are going to be very concerned when the topic comes up. It is important to know NO passwords leave your local AD.

    Hope this helps clear things up, if not let me know and I'll try to add more info.



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Friday, April 1, 2011 6:10 PM
  • Thanks Jorge. I have a follow-up question. How do password expiration notifications work? Does SP 2010 notify you through the browser or email somehow? How do Exchange and Lync notify that a password needs to be changed if there's no password tool? Thank you.
    Monday, April 4, 2011 5:32 PM
  • Well, if you end up using AD FS 2.0 with Federated ID then you don't need to worry about notifications via email, your desktop will notify you when you log in as it does now. If you decide not to federate I believe there is still a pop-up from the online services tool notifying you that your password is about to expire. I haven't seen the final product but I am assuming when you get the popup it will have a link to change your password through the portal, at that point I believe the tool will auto populate your programs (lync, etc) with the new password. However, if that ends up not being the way it works you'll probably just have to enter your new password when you open outlook/lync for the first time after changing it to give the program your new password.

    Thanks,

     



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Monday, April 4, 2011 5:48 PM
  • Thanks for the info; however, what happens when you open a document from SharePoint in an Office application? Will it ask for your credentials again? In previous experience, when opening documents in SharePoint we were prompted to enter credentials even though we were already signed into the SharePoint site. This is unworkable when dealing with lots of documents over the course of a working day.

    BPOS and the single-sign on tool was the solution recommended to us to avoid this issue!

    Thanks,

    Elaine


    Elaine Burrows
    Friday, April 8, 2011 12:19 PM
  • There will be no prompt...once you have opened SharePoint you will be authenticated for the entirety of your session so changing pages, downloading/uploading documents will not re-prompt.



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Friday, April 8, 2011 5:20 PM
  • Another related question. Can you have mix of different user accounts (some from AD and some Office 365 only accounts) if you do federation? Most of our users are AD connected, but a few are not. I'm wondering if this will be an issue.

    Also, let's say you are a small company and all of your users travel with laptops and don't use VPN to access the network that's running AD. In this case I'm guessing I need an ADFS Proxy server to sit in a perimeter network. What happens if this proxy server fails for some reason? Will traveling users have any other method of accessing Office 365 if the proxy is not available? In this case would they simply be prompted for credentials by Office 365? I'm trying to gauge how fragile the ADFS setup would be. I don't see many small businesses rolling out redundant ADFS internal servers and redundant ADFS proxy servers. That's a lot of hardware and licensing and overhead and networking.

    Sunday, May 1, 2011 1:38 AM
  • You can have a mix of Federated and O365 only accounts. By default all of your AD accounts will be put in the cloud, but you can also manually create accounts in the cloud that are not federated.

    If your ADFS proxy fails but your internal AD FS servers continue to function your remote users should still be able to function. They will get prompted for credentials to log into their various O365 applications. If your entire AD FS farm (proxy and internal) goes offline you essentially get locked out of O365 because it can't validate passwords.



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Sunday, May 1, 2011 1:22 PM
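As an added illustration of the federated flow Jorge describes (Jane's client, the Federation Gateway, the local ADFS server querying AD, no password ever leaving AD) and of the outage case in the reply just above, here is a Python model that is not Microsoft's code and not from anyone in this thread. It assumes HMAC tags in place of the XML signatures real AD FS uses, constructed names such as adfs.contoso.example, and a one-user directory with salted PBKDF2 hashes standing in for Active Directory.

```python
import base64, hashlib, hmac, json, os, time

def sign(key, claims):
    """Serialize claims and append an HMAC tag (stand-in for the XML signature AD FS uses)."""
    body = base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key, token, audience):
    """Relying-party side: check signature, audience and expiry; raise on any failure."""
    body, tag = token.split(".")
    if not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad signature")
    claims = json.loads(base64.b64decode(body))
    if claims["aud"] != audience or claims["exp"] < time.time():
        raise ValueError("wrong audience or expired token")
    return claims

def make_directory(users):
    """On-premises AD stand-in: salted PBKDF2 hashes, the only place password material lives."""
    out = {}
    for upn, pw in users.items():
        salt = os.urandom(16)
        out[upn] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000))
    return out

class AdfsServer:
    """Customer's AD FS: checks the password against AD, issues a token for the gateway."""
    def __init__(self, directory, key):
        self.directory, self.key, self.online = directory, key, True
    def issue(self, upn, pw, audience):
        if not self.online:
            raise ConnectionError("AD FS farm unreachable")  # proxy and internal servers down
        salt, digest = self.directory.get(upn, (b"", b""))
        if not digest or not hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)):
            return None
        return sign(self.key, {"iss": "adfs.contoso.example", "upn": upn, "aud": audience, "exp": time.time() + 600})

class FederationGateway:
    """Microsoft-side gateway: validates the AD FS token and re-issues one scoped to the service."""
    AUD = "urn:federation:MicrosoftOnline"  # constructed audience identifier
    def __init__(self, trusted_adfs_key, key):
        self.trusted, self.key = trusted_adfs_key, key
    def exchange(self, adfs_token, service):
        claims = verify(self.trusted, adfs_token, self.AUD)
        return sign(self.key, {"iss": self.AUD, "upn": claims["upn"], "aud": service, "exp": time.time() + 3600})

class SharePointOnline:
    """Relying party: accepts only gateway-signed tokens; its login API never takes a password."""
    NAME = "sharepoint.contoso.example"  # constructed hostname
    def __init__(self, gateway_key):
        self.gateway_key = gateway_key
    def login(self, gw_token):
        claims = verify(self.gateway_key, gw_token, self.NAME)
        return {"upn": claims["upn"], "cookie": os.urandom(16).hex()}  # session cookie the browser caches

def federated_sign_in(upn, pw, adfs, gateway, service):
    """Jane's client runs the whole exchange; returns a session dict, or None when sign-in fails."""
    try:
        adfs_token = adfs.issue(upn, pw, FederationGateway.AUD)
        return None if adfs_token is None else service.login(gateway.exchange(adfs_token, service.NAME))
    except (ConnectionError, ValueError):
        return None  # AD FS farm offline or token rejected: the cloud service cannot validate the user

def build_lab(password="S3cret-demo"):  # constructed lab with one user: returns (adfs, gateway, sharepoint)
    adfs = AdfsServer(make_directory({"jane@contoso.example": password}), os.urandom(32))
    gateway = FederationGateway(adfs.key, os.urandom(32))
    return adfs, gateway, SharePointOnline(gateway.key)
```

Flip `adfs.online` to False to reproduce the lockout Jorge describes: the password is still correct, but nothing on the Microsoft side can validate it.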
  • Jorge, thanks for your efforts to answer questions about this change.  Unfortunately, the whole Office 365 looks like another "developed in a vacuum Microsoft idea".  My clients are small businesses.  The whole reason for using Exchange Online was to not have to have extensive onsite IT support and a system that was easily accessed from anywhere.  The single signon also helped a lot.

    Now, we have a new system that to me looks like a giant step into the incomprehensible.  I have stopped recommending Microsoft Online services, because I have no confidence that my clients will remain happy with what I recommend.  It doesn't matter that Microsoft, not me, did this to them.  As far as they are concerned, it was my recommendation and anything that happens is my fault.  This change is going to cost me so much unbillable time that it will probably be easier to just lose those clients!

    This reminds me a little of the way Office/Windows Live worked so well, then was improved to death, sending user scurrying to alternatives.  Granted, that was a free service and so used at your own risk.  I cannot help but wonder if Microsoft has ever talked with actual users before designing new programs and services.  Just about everything--and I'm not exaggerating--from Microsoft in recent years has been bad for small business people, who want to run their business, not constantly have to learn new computer programs.  I'd have thought someone at MS would have asked why business clung to Windows XP for so long.  I have clients that have objected so strongly to the Office 2007/2010 interface that I have pointed them to OpenOffice with its more Office 2003-like look and feel.  Indeed, I have one client with 20 computers that has gone totally OpenOffice, with Firefox browser and Google mail and calendars.

    OK.  That's the end of my rant here, but I hope you, Jorge, can pass along that one MS Partner has had it.  I will not again recommend Microsoft online services of any kind.  It is too much trouble for my clients, and too expensive for me.

    Friday, May 6, 2011 1:18 PM
  • Interesting perspective on the issue. I am sorry to hear you won't be recommending O365 to your clients. To tell you the truth I shared your opinion for many years when I worked in the SMB market, but over time I realized more than anything it was a lack of awareness on my part. Not to say that is the case with you, I am just speaking from my personal experience. In the SMB market I was so involved in keeping the operation going and watching client budgets that I never had the time to do some intensive research on new and emerging topics. Honestly O365 has more technical documentation through the partner channels than most products I have seen out there. With the proper amount of internal testing I am confident you would feel much more comfortable with the product and recommending it. I'd recommend you sign up for the Beta which is now public, set up a test lab and really run through the whole process a few times to see how it all works; that really is what gave me the confidence to deploy this to my production client base.

    As for client perceptions about product changes, that is never going to change...people like what they are used to even if the new technology is far superior. That is our job as technical consultants: to find the advantages and present them to our clients in a way that makes them understand the benefits. Trust me, I work in the State and Local Gov't sector; getting most of my clients to 'like' Office 2010 is difficult at best, but with the right presentation of the features it can happen. If we couldn't convince our clients they would still be running on Windows NT and 98, right?



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Friday, May 6, 2011 1:47 PM
  • Hi Jorge,

    I am new to Office365/BPOS, and I am trying to understand the Federated Identity SSO options that Office 365 offers.

    By reading what you described about how 'Jane User' logs onto her local PC then opens up SharePoint in Office365, it looks like a typical Federated SSO; since ADFS is used on both the identity provider side and the service provider side, I am assuming the WS-Federation Passive profile is used here. Correct? If this is the case, say the identity provider (Office365 consumer) uses another Identity Federation solution, such as IBM TFIM or PingFederate: would Office365 ADFS be able to work with these products if the same Federation Protocol is used and the token format complies with what ADFS is expecting?

    Thanks!

    Wednesday, May 11, 2011 2:01 PM
  • As far as I know Office 365 only provides federation by using on-premise Microsoft AD FS 2.0. That doesn't mean other federated products like the ones you mention can't work, but they aren't supported and I would doubt there is much in the way of access to the O365 federation servers that would allow you to customize configuration.

    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Wednesday, May 11, 2011 2:06 PM
  • Thanks so much for your reply Jorge!

    You are right, Office365 doesn't seem to expose the required information for working with another Identity Federation product, for example the WS-Federation Endpoint URI, Assertion format and attributes, key exchange methods etc. I thought the Microsoft Online Services Identity Federation Management tool would have some sort of details that I could use when setting up the Identity Federation Configuration on the Identity Provider side using another product; however, I couldn't find anything. Any ideas on how to find this information so I can set up a test from the other federation product?

    Thank you!

    Thursday, May 12, 2011 5:32 PM
  • Hi Jorge,

    I am interested in knowing the options left to small companies using Exchange Online when Office 365 is released. Can you clearly explain the alternatives to Federated Services for Exchange Online? If the Microsoft Online Services Sign-In application is discontinued, what will replace it for small companies such as us who are not equipped for ADFS? We too gave up Exchange Server management to Microsoft in order to save on IT costs. Now, we are required to purchase servers and extra server licenses for authenticating to Microsoft's cloud services. I find this counter-intuitive. In fact, our infrastructure is so small that we have no room to place redundant ADFS servers, ADFS proxy servers and network load balancers. It is literally a closet!

     

    Regards,

    Angelo Di Rocco

    Tuesday, May 31, 2011 4:13 PM
  • So how does it look to the end user?

     

    They open Outlook and are prompted for a password? At what point is that password configured? Does the sign-on assistant have the ability to use their domain login credentials or is it a totally different password?

     

    Cheers

    Naz


    NaZz
    Monday, August 1, 2011 6:15 AM
  • Jorge, you seem to be very knowledgeable. We have ADFS configured by an MS partner. We are migrating this weekend. We have added our ADFS to our Intranet zone. However, when a user launches Outlook they still get a Windows authentication box with the standard check box for "Remember Credentials". I thought SSO meant SSO. I should not have to re-enter credentials again. My MS Partner is not helping. They are not sure why or if this should be happening. To them it seems to be no big deal, but we were looking for SSO.

     

    Any explanation or help would be greatly appreciated.

    John

    Saturday, August 27, 2011 1:13 AM
  • This is not true. In fact O365 has a SSO besides many other features & a very rich user experience.

    You can be reassured with the Cloud

     

    Thanks

    Saturday, August 27, 2011 9:12 AM
  • Hey John,

    During the early adopter program the initial time the user logged into Outlook they had to enter their credentials and check the box. I asked a few architects at Microsoft I work with and they said the production environment should not do this, but from what I am hearing from many people it still is. I'll reach out to my team and see if they are making any headway to have Outlook behave as the other applications do with True SSO. Check this thread out and I'll update the post when I hear something back:

    http://community.office365.com/en-us/f/178/t/6721.aspx

    Thanks,

     



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Friday, September 2, 2011 12:21 AM
  • Wow, ask and you shall receive. So this feature is something that is slated for SR1 and will require some modifications to AD FS but there are no firm details at this point. So for now it is 'check the box'.

    Thanks,

     



    Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS


    Senior Microsoft Consultant

    Planet Technologies, Inc.

    Check out My Blog!

    Friday, September 2, 2011 12:46 AM
  • Hi Jorge,

    Could I ask whether you can configure other federated clients (for FSSO to Office365) using the same identity assertion protocols as AD FS 2.0? We are using TFIM to generate our identity assertion tokens and are wondering if this will work or whether we need a dual solution that also includes an AD FS identity provider/asserter.

    Cheers,

    Craig Chatfield


    • Edited by DrCraig Tuesday, November 1, 2011 2:27 AM
    Tuesday, November 1, 2011 2:24 AM
  • Hi Jorge,

    We are trying to figure out how to create real redundancy for ADFS/proxy. Since ADFS doesn't keep any AD credentials cache it's still a single point of failure (never mind NLB, I'm talking about the Internet connection).

    The whole idea of O365 was to elevate redundancy level of our Exchange, now we just added 2 more servers in the chain.

    Any ideas how to create a geo-location cluster or another solution that will do?

    thank you,

    Arie

    Sunday, March 11, 2012 7:13 AM
  • Arie, please create a new post.  This is an old thread and your question is not relevant to this post.

    www.insecurityinc.info

    Monday, March 12, 2012 10:31 PM
  • Jorge,

    Can you check this statement of yours?

    "All passwords stay in AD, the process of authentication between local AD and Office 365 is all done through authentication tokens that are all very secure. "

    As per my knowledge, in the case of "Outlook" we do send username/password to Exchange Online (basic auth). I may be wrong, but that's what I know of how it works in the case of Outlook. Browser/Lync scenarios work as per your statement, but not Outlook.

    Sunday, May 13, 2012 11:12 PM