WS-Federation integration
IPI Enterprise Server integration - WS-Federation
There are two options for configuring login to Exchange OWA:
1. Direct Integration:
Configure login to Exchange OWA directly via IPI Identity Cloud as the Identity Provider using the SAML 2.0 protocol (2-tier architecture: Exchange OWA → SAML 2.0 → IPI Identity Cloud).
Advantages:
No AD FS required: Eliminates the need for setting up and maintaining AD FS, simplifying the architecture and reducing maintenance costs.
Simpler configuration: Without the additional AD FS component, the setup process is quicker and easier.
Faster access to resources: Direct integration with IPI Identity Cloud reduces additional steps in the authentication process, providing quicker access to resources.
Reduced latency: The direct integration model may lower response times compared to a multi-step architecture involving AD FS.
Easier scalability: Scaling is simpler, as there’s no need to manage or expand an AD FS infrastructure for new integrations.
2. Through AD FS:
Configure login to Exchange OWA using AD FS with IPI Identity Cloud as the Identity Provider, utilizing the WS-Federation protocol (3-tier architecture: Exchange OWA → WS-Federation → AD FS → IPI Identity Cloud).
Advantages:
Leverages existing AD FS infrastructure: If AD FS is already installed and configured, this option allows you to use the existing infrastructure without additional setup or changes.
Integration with other Microsoft applications: If the organization already integrates other Microsoft products via AD FS, this option allows centralized authentication management for all applications, including Exchange OWA and others.
Centralized access policy management: With AD FS in place, you can manage access policies and security measures centrally, ensuring consistent enforcement across all integrated services, including IPI Identity Cloud.
Enhanced security: AD FS can be configured with additional security features like MFA, enhancing access protection for all connected resources.
Convenient for organizations already using AD FS: This option is ideal for organizations with established AD FS configurations, allowing easy integration of IPI Identity Cloud as an external identity provider without major infrastructure changes.