ADFS - Redirect user based on AD Attributes - Possible?

  • Question

  • Hi all,

    I have an interesting challenge with one of my customers.

    Scenario:

    Email on Office 365 (mydomain.com) federated with on-prem AD with ADFS.

    Requested Feature:

    When users log in and authenticate to ADFS (when being redirected from O365), have ADFS look up AD attributes and, if it determines that the user's mailbox is actually on-prem, redirect the user to the local Exchange OWA instead of O365.

    Customer is implementing F5 to provide this functionality. But they already have an ADFS setup and were wondering if this was possible via ADFS itself.

    Thanks

    Monday, April 3, 2017 2:07 AM

All replies

  • No - for security reasons ADFS will only redirect to the configured endpoint.

    Monday, April 3, 2017 6:27 PM
  • Thanks.

    What if Outlook Web Access was a configured endpoint as well?

    It still won't work? 

    How about this:

    ADFS has two Service Providers (O365 OWA & Exchange on-prem OWA)

    Can ADFS be configured so that users sign in directly to ADFS, ADFS checks AD to identify where the user's mailbox resides, and serves the right SP based on AD attributes?

    This customer can't be the only one with this ask.

    Monday, April 3, 2017 9:54 PM
  • You can only use claims rules to get AD attributes and allow / deny access.

    There is no way to redirect.

    Tuesday, April 4, 2017 2:30 AM
  • Maybe there is some Exchange-specific workaround when you have a hybrid environment. You might want to check with the Exchange forums.

    Tuesday, April 4, 2017 7:10 PM