I'm trying to do some fact finding here. I'm currently trying to emulate the functions of a WAP 2012 R2 / ADFS 2012 R2 environment to authenticate to a Windows integrated web application. OWA is a perfect example. I'm also integrating strong authentication with ADFS via SAML to give OWA (or any WIA web app) strong authentication.
This is my setup with WAP 2012 R2 / ADFS 3.0 / OWA 2010:
Client Browser --> WAP --> (needs auth) --> ADFS 3.0 --> (needs auth) --> SAML IdP (authenticates) --> (sends valid SAML ticket) --> ADFS 3.0 (authenticates user) (generates Kerberos ticket) --> (sends valid auth request & Kerberos ticket) --> WAP --> (WAP holds and associates Kerberos ticket to browser user session) --> WAP redirects browser to OWA --> OWA validates Kerberos ticket in WAP session and executes an SSO login --> Client now has access to OWA.
Does anybody know if this is possible (or something similar) with MWG?
I don't know all potential scenarios that might fit into this use case, but at the moment MWG can perform authentication, but cannot perform authentication against OWA in the backend. MWG cannot store/forward Kerberos tickets on demand yet. Since a lot of single sign-on capabilities are currently being added, more options may be available in the future.
Nevertheless, MWG could probably provide some sort of strong(er) authentication. An (untested) example might be:
- User accesses webmail.mycompany.tld which terminates on MWG
- MWG enforces HTTPS if not already used by the requesting user
- MWG displays form to authenticate against Active Directory or any other possible authentication provider
- User types in Username + Password
- MWG sends SMS to user / User uses soft token to generate one time password
- User types in one time password obtained
- MWG validates username + password + one time password
- Access is granted
The question now is how to authenticate against OWA... I am not an Exchange/IIS expert, but it should be possible to set up MWG to either fill the OWA authentication form with the previously supplied credentials or pick a client certificate for the authenticated user and use that to authenticate against Exchange.
Maybe someone else has some additional/better ideas :-)