0D51Y000091j0gySAA | Okta Classic Engine | Single Sign-On | Answered | 2024-07-20T09:01:13.000Z | 2020-08-19T18:00:54.000Z | 2020-08-28T20:47:42.000Z

s1k4h (s1k4h) asked a question.

I have a question about the auth workflow for MS Office 2016 products (especially OneNote / Mail) on Windows 10 with On-Prem DSSO enabled.

Hi,

I have a question about the auth workflow for MS Office 2016 products (especially OneNote / Mail) on Windows 10 with On-Prem DSSO enabled.

https://help.okta.com/en/prod/Content/Topics/Directory/Configuring_Desktop_SSO.htm

 

After reading the article above, I understand that I need to change the 'IWA Redirect URL' from [http] to [https] for the following reason.

(i.e. https://2012R2STD/IWA/)

 

***

Note: The latest builds of Office 2016 and Windows 10 are incorporating their Web Account Manager (WAM) for sign-in workflows (see this Microsoft article). WAM requires https — it blocks non-https traffic during auth workflows. Refer to Configure SSL for details about how to configure IWA for this use case.

***

 

But I need a little more help to understand the reason.

Based on the WSSO workflow diagram in the article, the IWA Agent will issue an SSO token to the browser (user) after Kerberos auth completes between the KDC (=AD) and the IWA agent on IIS.

The browser will send the SSO token to Okta, then Okta will complete the authentication with the SP with WS-Fed (SAML).

 

What I do not understand is, why does the IWA redirect URL need to be changed to HTTPS?

The article said non-https traffic will be blocked during the auth flow, but when will the IWA Web Agent communicate with the SP (Microsoft 365)?

I thought the authentication for the Office product would be managed between Okta and the SP (Microsoft) after Okta received the SSO token from the browser, as I mentioned above.

Please advise me when the IWA will communicate with the SP (Microsoft). I would appreciate it if you could explain this, including the auth workflow for Office products when we enable On-Prem DSSO.

 

Thank you.

Ichi


This question is closed.