compdigit44
Office 365 SSO and Shared Devices
My organization of 9000+ users is in the very early stages of setting up a pilot for o365 and plan on using ADFS for SSO. There is one problem that we have noticed and wanted to get others feedback on how they have handled it.
With SSO, when a user accesses a device that is "shared" with other users and opens a browser to access OWA, it will automatically sign in with the logged-in user account. Is there any way to allow SSO for the Outlook client but not for OWA?
ASKER CERTIFIED SOLUTION
ASKER
Please see item number 8 in the following article: https://www.gov.uk/government/publications/microsoft-office-365-security-guidance/microsoft-office-365-security-guidance-single-sign-on-and-remote-access. Is it possible to change the cookie TTL value in OWA so that it would force the user to log in again regardless of the user account logged into the workstation?
ASKER
I found the following article online which discussed a similar issue to the one I am facing, using o365 / OWA on devices with shared accounts / kiosk devices:
https://jesperstahle.azurewebsites.net/?p=452
They mentioned changing the I.E. site association for the ADFS zone from Intranet to Internet, which would not auto-login the user and would force a login prompt.
Question
1) How would this affect other relying parties we have set up in ADFS?
2) In o365 OWA, can you specify how long a session is valid for before the session cookie expires?
ASKER
I have confirmed that if I move my sts.domain.com ADFS URL to the I.E. Internet zone it does force a login prompt when accessing OWA, which is GREAT!!!
The problem is I have other domains we use ADFS for, and now SSO does not work for them. I do not think this is possible, but is it possible to have I.E. or some other means pass credentials to all sites except one? For example, sts.domain.com would pass SSO info to all domains except O365 OWA.
If this does not work out, my only other idea would be to set up MFA for OWA, but is it possible to set it up for a double password prompt or something basic, since we are not using MFA now?
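The zone change the asker confirmed above, as an added example (not code from the thread or from either linked article): a PowerShell helper that writes the per-site Internet Explorer zone mapping for the AD FS endpoint so the STS is treated as Internet (no automatic Windows credential pass-through, hence a prompt) or Local intranet (seamless SSO). The host name sts.domain.com is the asker's placeholder; the mapping applies to the STS host, not to an individual relying party, which is exactly why every relying party behind that STS prompts once it is moved.

```powershell
# Added example, not from the original thread. Writes the current user's IE
# ZoneMap entry for an AD FS host. Zone numbers follow the ZoneMap convention:
#   1 = Local intranet (Integrated Windows Auth, silent SSO)
#   3 = Internet (no credential pass-through; AD FS shows a logon prompt)
# Caveat: the mapping is per STS host, so ALL relying parties that federate
# through this STS prompt once it is in zone 3. Assumes a single-label host
# under a two-label domain (e.g. sts.domain.com, a placeholder name).

function Set-IeSiteZone {
    param(
        [Parameter(Mandatory)][string]$HostName,            # e.g. sts.domain.com
        [Parameter(Mandatory)][ValidateSet(1,2,3,4)][int]$Zone,
        [string]$Scheme = 'https'                           # value name = URL scheme
    )
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 3) { throw "Expected host.domain.tld, got '$HostName'" }

    # Layout: ...\ZoneMap\Domains\<domain.tld>\<host>  with DWORD <scheme> = zone
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    $key    = Join-Path ('HKCU:\Software\Microsoft\Windows\CurrentVersion\' +
                         'Internet Settings\ZoneMap\Domains\' + $domain) $sub

    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null

    # Read back and return the effective zone so a deployment script can verify it
    return (Get-ItemProperty -Path $key -Name $Scheme).$Scheme
}

# Shared / kiosk workstation: make the STS prompt for credentials
Set-IeSiteZone -HostName 'sts.domain.com' -Zone 3

# Dedicated workstation: keep silent SSO
# Set-IeSiteZone -HostName 'sts.domain.com' -Zone 1
```

This writes the per-user (HKCU) mapping; on shared machines the durable way to deploy the same setting is the "Site to Zone Assignment List" Group Policy, which targets the machine rather than whoever is logged on.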
ASKER