Hi all, just after some advice on the correct way to set up access to Office 365 apps (Outlook etc.) via a web app link (resource profile) within Pulse, with SSO (Azure AD) if possible. Anyone done this before? Thanks.
@NetworkBod I believe we cannot do SSO for Office 365 using the form POST method, as O365 has dynamic form contents which the VPN cannot create on the fly. I remember using a trick, which is to configure a SAML SSO policy on the VPN server and enable persistent cookies under the user role. What that does is: when the user logs into Outlook for the very first time, they'd be redirected to Azure for auth, and since everything happens within the VPN's rewrite scope, the persistent cookie enables the VPN server to remember those Azure auth cookies and save them as part of the user record.
Hence, from the second time onwards, users will not be prompted for authentication, as the VPN server will re-use the session cookie when connecting to Azure, like browsers do.
Since you asked for possible methods, there's another one, but it cannot be done with the O365 + Azure suite: SAML chaining, i.e. you can have the VPN server act as IdP for the resource (Outlook). However, we would be POSTing the data to Azure (which is another IdP; Azure, in this instance, acts as SP for the VPN and as the real IdP for Outlook) and then proxy/rewrite the SAML response sent by the VPN to Outlook, giving the impression that it actually came from Azure itself (so that Outlook can trust the response), and permit access based on the rules we set up.
I remember this cannot be done with O365, as Azure will not support the SAML chaining feature; however, feel free to check with MSFT.
Many thanks for your response, I'll certainly look into the SAML method. At the moment I'm struggling to get the Office 365 landing page to display. I created a web resource profile pointing to the Office 365 login page, which displays fine, but upon login just a blank white page appears. Does the resource profile for this require any special settings, such as compression or anything else? There are no errors in the logs and the web requests look fine, but it's struggling to display the page for some reason. Many thanks.
@NetworkBod Do you see the blank page when loading login.microsoftonline.com?
If yes, that's a known issue with the "integrity" method of the Azure page (browser dev tools > console > errors related to SHA integrity will be recorded), which I believe was resolved in the latest releases.
What is the firmware version of the VPN?
IIRC, it should happen only in chrome based browsers like Edge, Chrome, etc.
Can you please try using IE and see if the page loads?
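To illustrate why a rewriting proxy trips the "integrity" errors mentioned above, here is an added example (not from this thread, Pulse, or Microsoft) that reproduces the browser's Subresource Integrity (SRI) comparison on a constructed login script; the hostnames and the proxy rewrite rule are placeholders.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample script, standing in for a login page's pinned JavaScript.
SCRIPT_ORIGINAL = b"window.login = function () { fetch('https://login.example.test/api'); };\n"


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return the integrity value a browser computes for a fetched resource."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


# The page pins the script with an integrity attribute computed over the
# ORIGINAL bytes, exactly as the site operator would publish it.
INTEGRITY_TAG = (
    f'<script src="/app.js" integrity="{sri_hash(SCRIPT_ORIGINAL)}" '
    'crossorigin="anonymous"></script>'
)


def parse_integrity(tag: str) -> Optional[str]:
    """Extract the integrity attribute from a <script> tag, if present."""
    m = re.search(r'integrity="([^"]+)"', tag)
    return m.group(1) if m else None


def browser_accepts(tag: str, fetched: bytes) -> bool:
    """Mimic the browser: execute the script only if its hash matches the pin."""
    expected = parse_integrity(tag)
    if expected is None:
        return True  # no integrity attribute, nothing to enforce
    alg, _, _ = expected.partition("-")
    return sri_hash(fetched, alg) == expected


def rewrite_like_a_proxy(content: bytes, vpn_host: str = "vpn.example.test") -> bytes:
    """Constructed stand-in for a rewriting VPN: it routes embedded URLs through itself."""
    rewritten_origin = b"https://" + vpn_host.encode() + b"/rewrite/login.example.test"
    return content.replace(b"https://login.example.test", rewritten_origin)


if __name__ == "__main__":
    # Untouched script passes; the rewritten copy fails, so the browser refuses
    # to run it and the page renders blank (console shows the SRI mismatch).
    print("original accepted:", browser_accepts(INTEGRITY_TAG, SCRIPT_ORIGINAL))
    print("rewritten accepted:", browser_accepts(INTEGRITY_TAG, rewrite_like_a_proxy(SCRIPT_ORIGINAL)))
```

A rewrite filter that passes such resources through unmodified keeps SRI intact, whereas a proxy that strips the integrity attribute instead removes the browser's tamper check for that script.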
Hi, we're currently on 9.1R13. Yes, the blank page appears just after login to login.microsoftonline.com. As you suggested, I tried IE and it worked, although a banner appears stating IE is not supported and I'll be logged out.
Do you think 9.1R13.1 fixes this? I checked the release notes and can only see HTML5 SSH fixed issues.
Hmm.. Interesting.. I just tested the setup on my lab device, which is running 9.1R13, by accessing outlook.office.com, which redirects me to login.microsoftonline.com, and it works as expected (no blank page). So the blank page issue is not there in 9.1R13 code.
Do you have any rewrite filters applied? (Users >> Resource policies >> Web >> Rewriting filters).
If you don't have any, then please open a support ticket with us. Our support team should be able to provide you a rewrite filter that would resolve the issue.
Hi... just checked and there is a rewrite policy. I believe it's the standard rewrite policy (Initial Rewrite Policy), which is set to 'Rewrite content (auto-detect content type)' and is applied to all roles and all resources (*.*). Do you think this needs amending, or shall I just log with support to assist further?
Thanks for your help on this, cheers.
Ah sorry, just realised the Rewriting filter is in a different section to the web rewrite policy. There is no rewrite filter, so I'll log with support to assist.
@NetworkBod Yes, please. The support team will help to debug this further. Ideally, it would be a rewrite filter.