Office 365 – The Single Sign On User Experience

We have had many conversations with our customers over the last 3 years about the Single Sign On (SSO) experience with Office 365, and what this looks like for the end user. This post describes the user experience when accessing Outlook Web App in Office 365, and how login works in the 2 main scenarios:

  1. Access from the Corporate Network
  2. Access from the internet (or other external networks).

The same process applies to other web-based applications in Office 365, such as Yammer, SharePoint Online and OneDrive for Business Web App, as well as optional services such as PowerBI and Project Online.


CNI deliver the Single Sign On experience with Office 365 by leveraging Active Directory Federation Services (ADFS), a role in Windows Server. ADFS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. If you want to know more about our solution for SSO in Azure click here…


Access from the Corporate Network

The ADFS behaviour is most seamless when a user is logged in on the Corporate Network. In this instance, the user has logged in to the network using Active Directory.

  • When the user tries to access Outlook Web App (or any other web service in Office 365), they are presented with a login page as shown below:

[Image: Office365_Login]

  • Once the user enters their username (which is remembered using the browser settings for future logins), the login page automatically detects that the login domain is federated for ADFS authentication and redirects to the company ADFS login page, which detects their token and automatically signs the user into the Office 365 Web Application.

Access from the internet

When the user tries to access Outlook Web App (or any other web service in Office 365) from outside the Corporate Network, the behaviour is slightly different.

  • Initially, the user is presented with the same login page as in the previous scenario, shown again below:

[Image: Office365_Login]

  • Once the user enters their username (which is remembered using the browser settings for future logins), the login page automatically detects that the login domain is federated for ADFS authentication and redirects to the company ADFS login page, as shown below.

[Image: ADFS_Login]

Note that this page remembers the email address previously entered, so users only need to enter their domain (Active Directory) password to continue.
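The redirect step common to both scenarios, sketched as an added example (not code from this post, CNI or Microsoft): the login page maps the username's domain to a federated ADFS endpoint and redirects there with the username in the query string, and a defensive check confirms the redirect targets the expected ADFS host over HTTPS. The domain, host name and function names are constructed placeholders, and the WS-Federation parameters shown are assumed to be the typical ones for this sign-in.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data: federated domain -> ADFS passive sign-in endpoint.
# contoso.example and its host name are placeholders, not values from the post.
FEDERATED_DOMAINS = {
    "contoso.example": "https://sts.contoso.example/adfs/ls/",
}

def discover_realm(username):
    """Return the ADFS endpoint for a federated domain, or None when the
    domain is not federated (the cloud login page would ask for the password)."""
    local, sep, domain = username.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("username must be in user@domain form")
    return FEDERATED_DOMAINS.get(domain.lower())

def build_redirect(username):
    """Build the sign-in redirect, carrying the username so the ADFS page
    can pre-fill it (parameter names are an assumption, see lead-in)."""
    endpoint = discover_realm(username)
    if endpoint is None:
        return None
    query = urlencode({
        "wa": "wsignin1.0",
        "wtrealm": "urn:federation:MicrosoftOnline",
        "username": username.strip(),
    })
    return endpoint + "?" + query

def redirect_is_expected(url, username):
    """Defensive check: HTTPS, the host and path configured for the user's
    domain, and the same username that was typed on the first page."""
    endpoint = discover_realm(username)
    if endpoint is None:
        return False
    got, want = urlsplit(url), urlsplit(endpoint)
    params = parse_qs(got.query)
    return (got.scheme == "https"
            and got.hostname == want.hostname
            and got.path == want.path
            and params.get("wa") == ["wsignin1.0"]
            and params.get("username") == [username.strip()])
```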

To see both scenarios end to end in action, watch the videos below.

[Video: Access from the Corporate Network]

[Video: Access from the Internet]

If you would like to know more, including how to extend this behaviour to leverage multi-factor authentication, please contact us.