Asked by compdigit44
Office 365 SSO and Shared Devices

My organization of 9000+ users is in the very early stages of setting up a pilot for O365 and plans on using ADFS for SSO. There is one problem that we have noticed, and we wanted to get others' feedback on how they have handled it.

With SSO, when a user accesses a device that is "shared" with other users and opens a browser to access OWA, it will automatically sign in with the logged-in user account. Is there any way to allow SSO for the Outlook client but not for OWA?
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members.
compdigit44 (asker):
Sorry for the confusion. We have some workstations which are called shared-use devices. They are locked-down devices which staff can access to check their email via our intranet page in between patients. All normal workstations are single-use devices. The question is: on these shared devices, how can we have OWA in O365 prompt the user for login info?
Please see item number 8 in the following article: https://www.gov.uk/government/publications/microsoft-office-365-security-guidance/microsoft-office-365-security-guidance-single-sign-on-and-remote-access. Is it possible to change the cookie TTL value in OWA so that it would force the user to log in again regardless of the user account logged into the workstation?
I found the following article online which discusses a similar issue to the one I am facing: using O365 / OWA on devices with a shared account / kiosk devices.

https://jesperstahle.azurewebsites.net/?p=452

They mentioned changing the IE zone association for the ADFS site from Intranet to Internet, which would not auto-login the user and would force a login prompt.

Questions:
1) How would this affect other relying parties we have set up in ADFS?
2) In O365 OWA, can you specify how long a session is valid before the session cookie expires?
I have confirmed that if I move my sts.domain.com ADFS URL to the IE Internet zone it does force a login prompt when accessing OWA, which is GREAT!!!

The problem is I have other domains we use ADFS for, and now SSO does not work for them. I do not think this is possible, but is it possible to have IE or some other means pass credentials to all sites except one? For example, sts.domain.com would pass SSO info to all domains except O365 OWA.

If this does not work out, my only other idea would be to set up MFA for OWA, but is it possible to set it up for a double password prompt or something basic, since we are not using MFA now?
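The zone change the asker tested above is applied per device, not per relying party: every federated site uses the same STS host, so once sts.domain.com sits in the Internet zone, no ADFS-backed site on that machine gets Windows-integrated SSO. The practical way to keep SSO on normal workstations while forcing a prompt on the shared kiosks is to scope the zone mapping to the shared devices only. The script below is an added example, not from this thread or from Microsoft; it assumes sts.domain.com is the placeholder STS hostname from the thread, that it runs as the kiosk logon user (for example from a logon script targeted only at the shared-device OU), that IE stores per-user zone mappings under HKCU\...\Internet Settings\ZoneMap\Domains\<domain>\<host>, and that shared kiosks are identifiable by a registry marker (HKLM:\SOFTWARE\ExampleOrg\DeviceRole is a placeholder) written by the device build.

```powershell
# Added example (not from the thread). Put the ADFS STS host into the IE
# Internet zone for the current user on shared-use devices only, so OWA (and
# every other ADFS-federated site on that device) prompts for credentials,
# while single-use workstations keep the host in the Intranet zone for SSO.
param(
    [string]$StsFqdn = 'sts.domain.com',   # placeholder STS hostname from the thread
    [switch]$Revert                         # put the host back into the Intranet zone
)

# IE zone ids as stored in the registry.
$ZoneId = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }
$DomainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Split 'sts.domain.com' into parent 'domain.com' and host label 'sts'; this is
# the key layout IE itself writes when a site is added through its UI.
function Get-ZoneMapKeyPath {
    param([string]$Fqdn)
    $labels = $Fqdn.Split('.')
    if ($labels.Count -lt 3) { throw "Expected host.domain.tld, got '$Fqdn'" }
    $parent = ($labels | Select-Object -Skip 1) -join '.'
    return Join-Path (Join-Path $DomainsRoot $parent) $labels[0]
}

function Set-HostZone {
    param([string]$Fqdn, [int]$Zone)
    $key = Get-ZoneMapKeyPath $Fqdn
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the URL scheme; ADFS only speaks HTTPS, so map that scheme.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $Zone -Force | Out-Null
}

# Read the current mapping back so the change can be verified (returns $null if unmapped).
function Get-HostZone {
    param([string]$Fqdn)
    $key = Get-ZoneMapKeyPath $Fqdn
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.https
}

# Guard: only touch zones on devices the build process has marked as shared-use.
# Assumption: the marker key and value below are placeholders for your own convention.
function Test-SharedDevice {
    $marker = 'HKLM:\SOFTWARE\ExampleOrg\DeviceRole'   # placeholder key
    $role = (Get-ItemProperty -Path $marker -Name 'Role' -ErrorAction SilentlyContinue).Role
    return $role -eq 'SharedKiosk'
}

if (-not (Test-SharedDevice)) {
    Write-Output "Not a shared-use device; leaving $StsFqdn zone unchanged (SSO stays on)."
    return
}

$target = if ($Revert) { $ZoneId.Intranet } else { $ZoneId.Internet }
Set-HostZone -Fqdn $StsFqdn -Zone $target
$now  = Get-HostZone -Fqdn $StsFqdn
$name = ($ZoneId.GetEnumerator() | Where-Object { $_.Value -eq $now }).Key
Write-Output "$StsFqdn is now in IE zone $now ($name); open browsers must be restarted to pick it up."
```

Run it without arguments on a kiosk to force the prompt, or with -Revert to restore SSO; on a machine without the marker it changes nothing. Two caveats worth checking before rollout: the mapping is per user, so a kiosk that uses a generic shared logon only needs it once, while a kiosk that staff log on to individually needs it in each user's hive (a logon script with loopback policy processing scoped to the kiosk OU handles that); and this does not shorten the OWA session itself, so a user who closes the tab without signing out may still have a live session cookie until it expires, which is the separate question 2 above.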