Modern authentication with Microsoft Office 365

Secure Mail supports modern authentication with Microsoft Office 365 through Active Directory Federation Services (AD FS) or a third-party Identity Provider (IDP). Modern authentication is OAuth token-based authentication using a user name and password. Secure Mail users with iOS devices can take advantage of certificate-based authentication when connecting to Office 365: when they sign on to Secure Mail, they authenticate with a client certificate instead of typing their credentials.

Before you proceed, do the following:

  1. Enable modern authentication (OAuth) for Microsoft Office 365.
  2. Allow the Office 365 endpoints, URLs, and IP address ranges through your firewall to ensure optimum network connectivity. For details, see the Microsoft documentation on Office 365 URLs and IP address ranges.

Citrix Endpoint Management policy prerequisites

Enable the following policies in the Citrix Endpoint Management console:

For devices running iOS:

  • Office 365 authentication mechanism: Use this policy to select the OAuth mechanism used for authentication while configuring an account on Office 365. The default is Do not use OAuth. The policy has the following values:

    • Do not use OAuth: Use basic authentication during account configuration.
    • Use OAuth with Username and Password: Use the OAuth protocol during authentication. Users must provide their user name and password and, optionally, a multifactor authentication code for the OAuth flow.
    • Use OAuth with Client Certificate: Use this value if Office 365 is configured to perform certificate-based authentication.

For devices running Android:

  • Use Modern authentication for O365: Use this policy to use the OAuth protocol during authentication.
  • Use Web SSO for tunneling: Use this policy to route the OAuth traffic over Tunneled - Web SSO. To do so:
    • Set the Use Web SSO for tunneling policy to On.
    • Select the Tunneled - Web SSO option in the Network access policy.
    • Exclude any hostnames related to OAuth from the Background network services policy.

Policies common to iOS and Android devices:

  • Custom user agent for modern authentication: Use this policy to change the default user agent string that Secure Mail presents during modern authentication.
  • Trusted Exchange Online Hostnames: Use this policy to define the list of trusted Exchange Online hostnames that use the OAuth mechanism for authentication while configuring an account. The value is a comma-separated list, such as server.company.com, server.company.co.uk. The list can contain the default value or vanity URLs, but it cannot be empty. The default value is outlook.office365.com.
  • Trusted AD FS Hostnames: Use this policy to define the list of trusted AD FS hostnames for webpages on which Secure Mail populates the password during Office 365 OAuth authentication. The value is a comma-separated list, such as sts.companyname.com, sts.company.co.uk. If the list is empty, Secure Mail does not auto-populate passwords. Secure Mail matches the listed hostnames against the hostname of the webpage encountered during Office 365 authentication and checks that the page uses HTTPS. For instance, when sts.company.com is a listed hostname and the user navigates to https://sts.company.com, Secure Mail populates the password, provided the page has a password field. Because any listed host receives the user's password, list only hostnames you control. The default value is login.microsoftonline.com.
  • Secure Mail Exchange Server: Use this policy to define the address of your Exchange Server. You can set either the on-premises server address or the cloud server address, based on your requirement.
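The two hostname policies above are simple to state but easy to misconfigure, so the following added example (not Secure Mail's or Citrix's code, and not a description of how the client is implemented) reimplements the rules as described: the comma-separated parsing, the non-empty requirement for Trusted Exchange Online Hostnames, and the auto-fill decision for Trusted AD FS Hostnames (empty list never fills; exact hostname match; HTTPS only). The policy values and page URLs are constructed for the demonstration; the "page has a password field" condition is not modelled.

```python
"""Illustrative reimplementation of the hostname rules described for the
Trusted Exchange Online Hostnames and Trusted AD FS Hostnames policies.
Added example, not Secure Mail's code: policy values and URLs are assumed."""
from urllib.parse import urlsplit


def parse_hostname_policy(value: str) -> list[str]:
    """Parse a comma-separated policy value into normalised hostnames.

    Entries are trimmed and lower-cased; empty entries (for example from a
    trailing comma) are dropped. An empty string yields an empty list.
    """
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def trusted_exchange_hosts(value: str) -> list[str]:
    """Trusted Exchange Online Hostnames cannot be empty per the policy text,
    so fail loudly rather than trusting nothing (or everything) by accident."""
    hosts = parse_hostname_policy(value)
    if not hosts:
        raise ValueError("Trusted Exchange Online Hostnames must not be empty")
    return hosts


def should_populate_password(page_url: str, adfs_policy: str) -> bool:
    """Return True only when the described rules allow password auto-fill.

    Rules from the policy description:
      * an empty trusted list means never populate;
      * the page hostname must exactly equal a listed hostname, so
        sts.company.com.evil.net and evilsts.company.com do not match
        sts.company.com;
      * the page must be served over HTTPS.
    """
    trusted = parse_hostname_policy(adfs_policy)
    if not trusted:
        return False
    parts = urlsplit(page_url)
    if parts.scheme.lower() != "https":
        return False
    # .hostname strips any port and userinfo, so https://sts.company.com@evil.net/
    # is evaluated as evil.net, not as the trusted host it impersonates.
    host = (parts.hostname or "").lower()
    return host in trusted


if __name__ == "__main__":
    policy = "sts.company.com, sts.company.co.uk"
    for url in ("https://sts.company.com/adfs/ls",
                "http://sts.company.com/adfs/ls",
                "https://sts.company.com.evil.net/adfs/ls",
                "https://sts.company.com@evil.net/"):
        print(url, "->", should_populate_password(url, policy))
```

Running the block prints one decision per constructed URL; only the first (HTTPS, exact hostname) is allowed. The same parser serves both policies, which is why the Exchange Online helper only adds the non-empty check.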

After the policies refresh on the device, Secure Mail for iOS is enabled with modern authentication.

Limitations

  • If you are using modern authentication in your environment, the rich push notifications feature for iOS is not available. For details about rich push notifications, see Push notifications for Secure Mail.
  • Multiple accounts are not supported on setups running certificate-based authentication.

Secure Mail policies

The following two tables list the Secure Mail policies that are required, based on your Exchange infrastructure:

Exchange infrastructure | Office 365 authentication mechanism / Use Modern authentication for O365 | Trusted AD FS Hostnames | Trusted Exchange Online Hostnames
On-premises             | OFF | NA        | NA
Hybrid*                 | ON  | AD FS/IDP | outlook.office365.com or vanity URL
Exchange Online         | ON  | AD FS/IDP | outlook.office365.com or vanity URL

Exchange infrastructure | Secure Mail Exchange Server                  | Background network services (iOS)          | Background network services (Android)
On-premises             | Exchange on-premises hostname                | On-premises                                | On-premises
Hybrid*                 | On-premises and Exchange Online hostnames    | On-premises, Exchange on-premises hostname | On-premises, Exchange on-premises hostname, AD FS/IDP (internal only)
Exchange Online         | outlook.office365.com                        | Exchange Online hostnames                  | Exchange on-premises hostname, AD FS, IDP

*Secure Mail supports a hybrid Exchange infrastructure with migrated mailboxes.

If an on-premises user's mailbox is migrated to Exchange Online, Secure Mail automatically detects the change and prompts the user for modern authentication, without the account having to be reconfigured.

Secure Mail with OAuth support matrix

The following table lists the Secure Mail OAuth support matrix on iOS and Android devices:

Authentication type    | IDP/External AD FS | IDP/Internal AD FS | Azure AD | Intune
User name and password | Yes                | Yes                | Yes      | Yes
Client certificate     | Yes                | Android only       | No       | No
