Has anyone configured their Outlook Web Access (OWA) to be authenticated by Okta?
Justin Stanford

We are running Exchange 2013 on premise and are thinking about enabling WS-FED to allow Okta to authenticate our OWA.  The primary driver here is to allow the use of MFA / 2nd factor for external OWA access.  Hoping there are those out there that might have done this already.  I'm curious about your satisfaction with the solution, level of difficulty in implementing it and of course any steps you followed to implement it or notes you took along the way.

api-workday
Hey Justin,

Yes we are doing it here.

I have been meaning to throw together a post describing it for some time now.

We have multiple CAS arrays and F5 load balancers in front of them that add different hurdles that we had to overcome.

In short, I would say it is high on the difficulty scale for the initial setup. That said, once set up the solution works very well and is consistent with the MFA experience for any Okta integrated application.

I'll collect my notes and put something together.

Justin Stanford
Thanks for your reply.  Great to hear that you are doing this and that you have a similar setup to us.  We too have multiple CAS servers and a load balancer thrown in for good measure.  Also pleased to hear you have some notes to share.

Subhomoy-Admin Chakraverty-Admin
Interested to know how it works too. I have an Exchange 2010 CAS front-ended by a pair of Citrix Netscalers. I have been toying with a SWA based authentication on the Netscaler interface to allow a user to access Exchange OWA. Look forward to seeing your notes. Thanks a lot.   Subho
Justin Stanford

I'm the original poster above.  As a footnote to this story we decided to go with Duo Security as our second factor on OWA and in other situations.  We love and will continue to use Okta for SAML  but will use Duo as our second factor instead of Okta Verify for all two-factor needs within Okta due to a rich integration between the two offerings.  In addition, Duo offers a rich and well supported integration for OWA and Microsoft Remote Desktop Services/Farm, both of which we use, in addition to many other integrations Duo offers.

We found this to be preferable to implementing WS-FED and doing two-factor through Okta, and most likely paying Okta professional services to do it due to lack of documentation around OWA / WS-FED integration on Okta's part.  Okta PS seemed to be able to easily handle OWA but did not seem to have much experience around the Microsoft RDS deployment that we wanted to have two-factor authenticated as well.  I would have loved to only deal with Okta on all of this, however Duo had a better story with the "on-prem" apps that we had to handle.

Joe Paisley
@MattEgan - I would be interested in discussing your configuration in more detail; we are looking to implement this functionality also. You can contact me directly via email at joe.paisley@emerson.com

Graham Rellinger
@Matt, we are looking forward to your post.
yamini pothireddy
@Matt, We are going to implement a similar use case as yours; if you can share the steps involved on this it would be much appreciated. Thanks in advance
Help Desk
@Matt, Did you ever post your directions for enabling claims based auth on your exchange server?

Thank you
Clay Romeiser
Here's some more info on this topic.   Our scenario has our OWA/Exchange servers completely behind the firewall, with F5 serving as the firewall/load balancer.   The Okta/F5 integration guide will only get you partway there.  It will help you configure a "SAML-authenticated reverse proxy" to get the user through the F5 and to the internal IIS server.  Once the user hits the IIS site, they'll get prompted for credentials because the F5 doesn't have the user's password (only the username).  In order to complete the puzzle, you need to set up Kerberos Constrained Delegation, which enables the F5 to use an AD account to authenticate on behalf of the user against IIS.   The setup steps for KCD are found on F5's website.  https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf  
I just spent an hour on the phone with Okta PS trying to set this up and we still don't have it working.  Unfortunately Okta doesn't have well-documented step-by-step instructions for exactly how to do it so we were still "guessing" on some of the F5 setup steps.  They are supposed to find a "working" configuration, document it, and get it to me next week.   Hoping this will then be posted for all to enjoy!
Wes Lazara
Very interested.  We currently use DUO just for administrators logging into OWA and a small group of users who have been given RDP access.  We would like to expand this to everyone and phase out DUO altogether if possible as it isn't cost effective for us to license everyone for DUO.
Wes Lazara
Hi Clay, any updates from OKTA?  Thanks!
Clay Romeiser
Not sure if Okta has published anything - but we FINALLY got this working (after finding an incorrect SPN entry on our side).   In our case, there is a SAML authentication to F5, and then the F5 is doing Kerberos constrained delegation for authentication to OWA (10 servers load balanced).  I will ask the team to put together a public document that I can share.
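The SAML-to-F5 plus Kerberos Constrained Delegation design described in the two posts above hinges on the AD objects being right, and the fix in the last post was an SPN entry. The following PowerShell check is an added example, not something posted in this thread or taken from Okta's or F5's guides; it assumes an OWA hostname of owa.example.com and an F5 delegation account named svc-f5-kcd, both placeholders to replace with your own values.

```powershell
# Added example: sanity-check the Kerberos pieces behind an F5 KCD front end for OWA.
# Assumed names (placeholders): owa.example.com = the OWA URL behind the F5,
# svc-f5-kcd = the AD account the F5 uses to delegate to IIS on the CAS servers.
Import-Module ActiveDirectory

$OwaHost    = 'owa.example.com'   # assumption: external OWA host name
$KcdAccount = 'svc-f5-kcd'        # assumption: F5 delegation service account
$TargetSpn  = "HTTP/$OwaHost"

# 1. Which accounts hold HTTP/<owa host>? Exactly one is correct.
#    Zero means no ticket can be issued; two or more (a duplicate SPN) makes the KDC fail the request.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "$TargetSpn is not registered on any account" }
    1       { Write-Output "$TargetSpn is held by $($holders[0].DistinguishedName)" }
    default { Write-Warning "$TargetSpn is duplicated on $($holders.Count) accounts:"; $holders.DistinguishedName }
}

# 2. Is the F5 delegation account allowed to delegate to that SPN?
$svc = Get-ADUser -Identity $KcdAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, servicePrincipalName
if ($svc.'msDS-AllowedToDelegateTo' -notcontains $TargetSpn) {
    Write-Warning "$KcdAccount has no msDS-AllowedToDelegateTo entry for $TargetSpn"
}

# 3. The F5 only knows the username from the SAML assertion, not the user's password or ticket,
#    so it needs protocol transition ('Use any authentication protocol' on the Delegation tab).
if (-not $svc.TrustedToAuthForDelegation) {
    Write-Warning "$KcdAccount is not trusted for protocol transition; S4U2Self will fail"
}

# 4. The delegation account needs an SPN of its own to request service tickets on the user's behalf.
if (-not $svc.servicePrincipalName) {
    Write-Warning "$KcdAccount has no SPN registered on itself"
}
```

Run it as a user who can read the service account's delegation attributes; every warning it prints maps to one of the settings the F5 KCD deployment guide linked above asks you to configure.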
Andrew Schulz
I'm a new client to Okta and I too am looking for a solution to authenticate my clients to OWA (on-prem) using SAML. I'm running Exchange 2016 and I've tried the built-in OWA apps provided by Okta. However, those act as bookmarks, and based on our policies we require our users to change passwords every 90 days, and this presents an issue as users would then need to update the bookmark with the new password. With that, an SSO option would be ideal. I am looking for some guidance on how to implement this as it seems like something that any Okta customer who has an Exchange environment would want to implement.
Gerson Alvarez
@Matt: If you can post your notes it would be extremely appreciated.