Using Windows 2012 R2 Web Application Proxy's SSO for another ADFS farm
I am setting up a Web Application Proxy as a reverse proxy to publish some of our internal websites to the internet. I am going to publish https://portal.workplace.example as the "hub" site, which will link off to various other websites hosted internally. These sites are hosted on various different servers, so I want to use the WAP to take advantage of the SSO facility. This works nicely.
One of the links will be to Office 365. We are using IAMCloud's Federate 365 service (which is essentially a hosted ADFS service) to authenticate our users. Using this means that external users are not dependent on our internet connection being active to access O365 and that they will still be able to authenticate should our connection die. However, it also means that when the user clicks on the link to Office 365 they are forced to re-authenticate. What I'd like to do is pass the credentials that the Web Application Proxy collects on to the external federation service automatically. I just can't see how you'd do it.
I have added the external ADFS farm as a relying party trust, but I have no idea what I need to use as a claim rule, so I've used a pass-through rule with the UPN as the claim being passed. I've also set up a publishing rule on the WAP with the external federation's URL and changed the hosts file on a test computer so that the external federation's address resolves to the WAP's IP address, but this just results in a blank page. I fully accept that I'm not doing this right, but I'm unsure of where to go from here. Can anyone give me some advice?
Many thanks,
Ian
microsoft-office-365 adfs web-application-proxy
I don't think this will work. If you have an externally hosted AD FS that handles the auth itself, I assume it has no CP trust to accept claims and transform them before sending them to O365.
– maweeras
Aug 22 '14 at 10:52
1
you also add a dependency to your own ADFS implementation (which you wanted to avoid in the first place) - so either point O365 to your ADFS, or scratch that idea :) (sorry...)
– MichelZ
Aug 22 '14 at 11:54
asked Aug 21 '14 at 12:23 by Norphus, edited Nov 12 '16 at 18:17 by BastianW
1 Answer
Web Application Proxy does not collect external user credentials - user authentication is solely done by ADFS, which is the only authentication provider for WAP. And as @MichelZ noted, you are inserting a dependency on your on-prem directory here :-).
I think the only way to have SSO at any time, independently of your internet connection being active, is to change all of your on-prem applications to trust the cloud as the identity provider. Otherwise you still have more than one identity provider, which basically removes the possibility of SSO.
answered Sep 27 '14 at 17:31 by vainolo
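A way to verify the two pieces the question describes (the WAP publishing rule and the relying party trust for the hosted ADFS farm) from the consoles of the two servers, as an added example that is not part of the question or the answer. The trust name "External Federation" and the standard ADFS and WebApplicationProxy PowerShell modules are what it assumes; the claim rule text is the pass-through rule the asker refers to, written out in ADFS claim rule language.

```powershell
# Added example, not from the question or the answer. Names are placeholders:
# "External Federation" is the relying party trust created for the hosted ADFS farm.

Import-Module ADFS
Import-Module WebApplicationProxy

# 1. On the WAP server: show which ADFS relying party pre-authenticates each published
#    application. WAP never validates credentials itself; with ExternalPreauthentication
#    set to ADFS it only redirects the browser to the relying party named here.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ADFSRelyingPartyName |
    Format-Table -AutoSize

# 2. On the ADFS server: inspect the relying party trust that points at the external farm,
#    including the issuance transform rules currently attached to it.
$rp = Get-AdfsRelyingPartyTrust -Name 'External Federation'
$rp | Select-Object Name, Identifier, Enabled, WSFedEndpoint
$rp.IssuanceTransformRules

# 3. The UPN pass-through rule in claim rule language. It forwards the UPN claim unchanged;
#    the receiving farm still needs a claims provider trust for this ADFS before it will
#    accept the assertion, which is the point raised in the comments.
$passThroughUpn = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Apply it only if this rule should be the complete issuance rule set for the trust,
# since -IssuanceTransformRules replaces whatever rules are already there.
# Set-AdfsRelyingPartyTrust -TargetName 'External Federation' -IssuanceTransformRules $passThroughUpn
```

Step 1 makes the answer's point visible: every published application lists an ADFS relying party as its pre-authentication source, so there is no credential for WAP to forward. Step 2 shows what the asker's trust actually issues, which is what the other side's claims provider trust (if one existed) would have to consume.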