Okta Classic Engine | Single Sign-On | Answered. Dates on record: 2016-02-02, 2021-02-04, 2024-11-01.
Has anyone configured their Outlook Web Access (OWA) to be authenticated by Okta?
We are running Exchange 2013 on premise and are thinking about enabling WS-FED to allow Okta to authenticate our OWA.  The primary driver here is to allow the use of MFA / 2nd factor for external OWA access.  Hoping there are those out there that might have done this already.  I'm curious about your satisfaction with the solution, level of difficulty in implementing it and of course any steps you followed to implement it or notes you took along the way.


Thanks!

  • svcV.75126 (Customer)

    Hey Justin,

    Yes we are doing it here.

    I have been meaning to throw together a post describing it for some time now.

    We have multiple CAS arrays and F5 load balancers in front of them that add different hurdles that we had to overcome.

    In short, I would say it is high on the difficulty scale for the initial setup. That said, once set up the solution works very well and is consistent with the MFA experience for any Okta integrated application.

    I'll collect my notes and put something together.

    -Matt
    • ulazx (ulazx)

      Hi! Do you by any chance have a write up how you did the integration? We are trying to get /ecp and /aws integrated

  • oqui0 (oqui0)

    Matt-

    Thanks for your reply. Great to hear that you are doing this and that you have a similar setup to us. We too have multiple CAS servers and a load balancer thrown in for good measure. Also pleased to hear you have some notes to share.

    Thanks!

    Justin
  • f1k5u (f1k5u)

    Interested to know how it works too. I have an Exchange 2010 CAS front-ended by a pair of Citrix Netscalers. I have been toying with SWA based authentication on the Netscaler interface to allow a user to access Exchange OWA. Looking forward to seeing your notes. Thanks a lot. Subho
  • oqui0 (oqui0)

    I'm the original poster above. As a footnote to this story, we decided to go with Duo Security as our second factor on OWA and in other situations. We love and will continue to use Okta for SAML, but will use Duo as our second factor instead of Okta Verify for all two-factor needs within Okta due to a rich integration between the two offerings. In addition, Duo offers a rich and well supported integration for OWA and Microsoft Remote Desktop Services/Farm, both of which we use, in addition to many other integrations Duo offers.

    We found this to be preferable to implementing WS-FED and doing two-factor through Okta, and most likely paying Okta professional services to do it due to lack of documentation around OWA / WS-FED integration on Okta's part. Okta PS seemed to be able to easily handle OWA but did not seem to have much experience around the Microsoft RDS deployment that we wanted to have two-factor authenticated as well. I would have loved to only deal with Okta on all of this, however Duo had a better story with the "on-prem" apps that we had to handle.
  • y7c53 (y7c53)

    @MattEgan - I would be interested in discussing your configuration in more detail; we are looking to implement this functionality also. You can contact me directly via email at joe.paisley@emerson.com

  • @Matt, We are going to implement a similar use case as yours; if you can share the steps involved on this, it would be much appreciated. Thanks in advance
  • @Matt, Did you ever post your directions for enabling claims based auth on your exchange server?

    Thank you
  • hv0kl (hv0kl)

    Here's some more info on this topic. Our scenario has our OWA/Exchange servers completely behind the firewall, with F5 serving as the firewall/load balancer. The Okta/F5 integration guide will only get you partway there. It will help you configure a "SAML-authenticated reverse proxy" to get the user through the F5 and to the internal IIS server. Once the user hits the IIS site, they'll get prompted for credentials because the F5 doesn't have the user's password (only the username). In order to complete the puzzle, you need to set up Kerberos Constrained Delegation, which enables the F5 to use an AD account to authenticate on behalf of the user against IIS. The setup steps for KCD are found on F5's website. https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf

    I just spent an hour on the phone with Okta PS trying to set this up and we still don't have it working.  Unfortunately Okta doesn't have well-documented step-by-step instructions for exactly how to do it so we were still "guessing" on some of the F5 setup steps.  They are supposed to find a "working" configuration, document it, and get it to me next week.   Hoping this will then be posted for all to enjoy!
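The Active Directory side of the Kerberos Constrained Delegation step described in the post above, as an added example (not code from any participant in this thread, from Okta, or from the F5 deployment guide). It uses the ActiveDirectory PowerShell module; every name in it (the svc_f5_kcd account, owa.corp.example, cas01/cas02, corp.example) is an assumed placeholder, and it assumes the Exchange HTTP SPNs live on the CAS computer accounts, which is the IIS default. The two points the post implies but does not spell out: because the F5 only holds the username after SAML, the delegation account needs protocol transition (the TrustedToAuthForDelegation flag), and msDS-AllowedToDelegateTo is what keeps that delegation constrained to the Exchange SPNs only.

```powershell
# Added example: AD configuration for the F5 KCD delegation account.
# Assumed placeholders: svc_f5_kcd, owa.corp.example, cas01/cas02, corp.example.
Import-Module ActiveDirectory

$DelegationAccount = 'svc_f5_kcd'

# Only the HTTP SPNs of the Exchange CAS servers the F5 should reach on the user's behalf.
# Assumption: the SPNs are registered on the CAS computer accounts (IIS app pool as SYSTEM).
$ExchangeHttpSpns = @(
    'HTTP/cas01.corp.example', 'HTTP/cas01',
    'HTTP/cas02.corp.example', 'HTTP/cas02'
)

# 1. Give the delegation account the SPN of the service the F5 presents to clients.
#    The same SPN and account go into the F5 KCD SSO profile.
setspn -S 'HTTP/owa.corp.example' $DelegationAccount

# 2. Constrain delegation: -Replace overwrites any previous list, so nothing stale survives.
Set-ADUser -Identity $DelegationAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $ExchangeHttpSpns }

# 3. Protocol transition (S4U2Self): the F5 never sees the user's password after SAML,
#    so it must be allowed to obtain a ticket for the user without one.
Set-ADAccountControl -Identity $DelegationAccount -TrustedToAuthForDelegation $true

# 4. Verify the result and flag the one setting that must NOT be on: unconstrained delegation
#    (TrustedForDelegation) would let the account impersonate users against any service.
$acct = Get-ADUser -Identity $DelegationAccount `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

$acct | Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation
Write-Host 'Constrained to:'
$acct.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Host "  $_" }

if ($acct.TrustedForDelegation) {
    Write-Warning "$DelegationAccount has unconstrained delegation enabled; remove it, KCD does not need it."
}
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is off; the F5 will fall back to prompting, which is the symptom in the post."
}
```

The IIS side still has to accept Negotiate (Windows) authentication on the OWA virtual directory for the delegated ticket to be honoured.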