
The Truth – Single Sign On with Outlook and Office 365

After many twists and turns on this bumpy road of setting up a Hybrid Deployment of Exchange Online with AD Sync and ADFS for SSO, I am faced with yet another issue.

Let me tell you what does work with the single sign on:

  • Outlook via Web Access
  • Office 365 Portal
  • Office 365 SharePoint
  • Office 365 Yammer
  • Office 365 Web Apps
  • Office 365 Lync Online

For the most part, that covers any Office 365 web service offered through a web browser, as long as it's Internet Explorer.

Missing from the above list of working items is Outlook! That’s right; Outlook doesn’t work.

In fact, users of Outlook will be prompted to enter their credentials on first use. Let me break right here and describe first use.

First use is any time you open Outlook: you will be prompted for a password to log in, unless you save it.

In addition to having to save your password locally in the Windows Credential Manager, you will need to update the saved password each and every time you change your password.

This is not my understanding of what the term “Single Sign On” was to be. Good job to Microsoft’s Office 365 Marketing Team.  You had/have so many of us as believers.

At this time I am very disappointed about the Outlook prompts for password credentials. Perhaps they will fix it in the future.

Research

I was able to find the following ADFS White Paper on Office 365 Single Sign-On with AD FS which should provide more details.

I also found info confirming that Outlook wasn’t designed to support Single Sign On. It is even stated: “The Office 365 experience for logging on to Microsoft Outlook connections is also not expected to be a single sign-on experience.” (KB2535227, “A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource”)

I apologize for what is somewhat of a rant, but I felt I needed to share this before many of you waste a lot of time and investment trying to get something like this working, only to find out that one of the major reasons to use it doesn’t work.

Perhaps Microsoft should read the Internet more before misusing terms such as SSO.

“With SSO, a user logs in once and gains access to different applications, without the need to re-enter log-in credentials at each application.”

http://www.techopedia.com/definition/4106/single-sign-on-sso

“Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”

http://en.wikipedia.org/wiki/Single_sign_on

“Single signon takes away the need for the user to enter further authentications when switching from one application to another.”

http://www.webopedia.com/TERM/S/single_signon.html

Single sign-on (SSO) is mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords. Single sign-on reduces human error, a major component of systems failure and is therefore highly desirable but difficult to implement.

http://www.opengroup.org/security/sso/

– Jermal

18 replies on “The Truth – Single Sign On with Outlook and Office 365”

Companies spend a lot of time looking for the best solutions; this was not among the best of them. I have had this experience with Office 365. The marketing hype is misleading.

Office 365 is cool, but like many products the marketing hype does not inform you about the little things that make the big difference.
Thanks for visiting and leaving a comment.

Best Regards to you

I just went through hell setting this up for a client, assuming SSO would work with Outlook. Once everything was running and tested I fired up Outlook and, lo and behold, there is a password prompt. After digging and digging I come to find out that it's not supported. Very big disappointment.

Hi, folks! How about SSO in Outlook 2010-2013 now? Has anybody implemented it in their environment?
I've tried the latest updated machines, but Outlook 365 Hybrid users are prompted for a password any time I start Outlook… 🙁

But you haven’t mentioned the worst part: you are sending your password to Microsoft, a big no-no if you care about security. And there is no solution even as of this writing for ActiveSync. There are some very limited 3rd party solutions, however.

Hello,

We are planning to set up SSO using ADFS for Office 365, and it seems that there is an option called ADAL / Modern authentication which connects Outlook seamlessly with user name and password.

Has anyone tested it?

Other than its being the default in Office 2016 I have not.

It seems this can be enabled for 2015 by modification of registry \common\identity\enableADAL dword 1. And \common\identity\version dword 1.
