- User goes to an Office 365 URL
- User is redirected to the Microsoft Federation Gateway (MFG, login.microsoftonline.com)
- User enters their UPN
- The UPN is recognized by the MFG as belonging to a federated domain
- User is redirected to the ADFS server
- User uses their Kerberos TGT (Ticket Granting Ticket) to authenticate
- ADFS sends the TGT to the domain controller
- ADFS receives a Service Ticket identifying the user
- ADFS uses the Service Ticket to query Active Directory for user attributes (UPN, first name, last name, etc.)
- ADFS builds a SAML token containing the user attributes
- The ADFS server posts this SAML token to the MFG via the user's browser
- The MFG verifies the SAML token signature to confirm it was issued by the right ADFS server
- The MFG creates its own SAML token (with the UPN inside)
- The MFG SAML token is posted back to the Office 365 platform via the user's browser
- Office 365 looks up an account matching the user's UPN
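The gateway-side trust checks behind the signature-verification and token-issuance steps (confirming that the SAML token really comes from the ADFS registered for the user's UPN domain before the MFG mints its own token), as an added Python example that is not part of the original page. The domain, issuer URL, certificate bytes and token layout are constructed for illustration, and XML-DSig signature verification itself is assumed to be done by a library beforehand.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
AUDIENCE = "urn:federation:MicrosoftOnline"
# Constructed stand-in for the ADFS token-signing certificate (not real DER); only its digest matters here.
CERT_DER = b"constructed token-signing certificate for adfs.contoso.example"
CERT_B64 = base64.b64encode(CERT_DER).decode()
# What the gateway has registered for the federated domain (constructed values).
FEDERATED = {"contoso.example": {"issuer": "http://adfs.contoso.example/adfs/services/trust",
                                 "cert_sha256": hashlib.sha256(CERT_DER).hexdigest()}}

def make_token(upn, issuer=FEDERATED["contoso.example"]["issuer"], cert_b64=CERT_B64,
               not_before="2024-05-01T10:00:00Z", not_after="2024-05-01T11:00:00Z"):
    """Build a minimal SAML 1.1 assertion shaped like the one ADFS posts to the gateway."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Issuer="{issuer}">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestrictionCondition><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
    <saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_federated_token(token_xml, now_iso):
    """Return (upn, None) if every trust check passes, else (None, reason).
    The XML-DSig signature is assumed already verified by a library; this covers the bindings."""
    root = ET.fromstring(token_xml)
    upn = root.findtext(".//saml:Attribute[@AttributeName='UPN']/saml:AttributeValue", namespaces=NS)
    if not upn or "@" not in upn:
        return None, "no UPN claim"
    reg = FEDERATED.get(upn.rsplit("@", 1)[1].lower())  # the UPN suffix selects which trust applies
    if reg is None:
        return None, "UPN suffix is not a federated domain"
    if root.get("Issuer") != reg["issuer"]:
        return None, "issuer is not the ADFS registered for this domain"
    cert = base64.b64decode(root.findtext(".//ds:X509Certificate", namespaces=NS) or "")
    if hashlib.sha256(cert).hexdigest() != reg["cert_sha256"]:
        return None, "signing certificate does not match the registered one"
    if root.findtext(".//saml:Audience", namespaces=NS) != AUDIENCE:
        return None, "token was not issued for this gateway"
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return None, "token outside its validity window"
    return upn, None
```

The UPN-suffix lookup is the key binding: a token from one federated domain's ADFS must never be accepted for a UPN in another domain, no matter how well it is signed.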