ADFS Authentication with Office 365

  1. User goes to an Office 365 URL
  2. User is redirected to Microsoft Federation Gateway (
  3. User enters their UPN
  4. UPN is recognized by the MFG as a federated domain
  5. User is redirected to the ADFS Server
  6. User uses their Kerberos TGT (Ticket Granting Ticket) to authenticate
  7. ADFS sends the TGT to the domain controller
  8. ADFS receives a Service Ticket identifying the user
  9. ADFS uses the Service Ticket to query Active Directory for user attributes (UPN, First Name, Last Name, etc.)
  10. ADFS builds a SAML token with the user attributes
  11. ADFS server posts this SAML token to the MFG via the user's browser
  12. MFG verifies the SAML token signature to validate that it comes from the right ADFS server
  13. MFG creates its own SAML token (UPN is inside)
  14. The MFG SAML token is posted back to the Office 365 platform via the user's browser
  15. Office 365 looks for an account with the user's UPN

Web Application Proxy – Pre-authentication feature

This article covers Web Application Proxy on Windows Server 2012 R2 only; please review the TechNet pages for other versions.

ADFS Pre-authentication

  1. User accesses a proxied application
  2. The web proxy contacts ADFS to check the Relying Party trust rules
  3. ADFS server sends back the validation
  4. The Web Application Proxy asks the KDC for a Kerberos ticket on behalf of the user
  5. The KDC sends back a Kerberos ticket if the user was validated
  6. The WAP forwards the Kerberos ticket to the web application
  7. The web server verifies the Kerberos token and sends the web page
  8. Proxy forwards the HTTP flow to the user
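
A defender-side check for the Kerberos step in this flow, added here as an example and not taken from the original article: when WAP requests a ticket on behalf of the user (step 4) it relies on Kerberos constrained delegation with protocol transition on the WAP computer account, so the script compares what is published with what that account may delegate to. `Test-WapDelegation`, the host names and the sample objects are hypothetical; the property names are those returned by `Get-WebApplicationProxyApplication` and `Get-ADComputer`.

```powershell
# Audit WAP publishing against the Kerberos delegation on the WAP computer account.
# Inputs are plain objects so this runs offline. On a live server (assumed usage):
#   $apps = Get-WebApplicationProxyApplication
#   $wap  = Get-ADComputer <WAP host> -Properties msDS-AllowedToDelegateTo,
#           TrustedForDelegation, TrustedToAuthForDelegation
function Test-WapDelegation {
    param(
        [Parameter(Mandatory)] [object[]] $Apps,
        [Parameter(Mandatory)] [object]   $WapComputer
    )
    $allowed  = @($WapComputer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $findings = @()
    if ($WapComputer.TrustedForDelegation) {
        $findings += 'WAP account has unconstrained delegation; limit it to the published SPNs'
    }
    if (-not $WapComputer.TrustedToAuthForDelegation) {
        $findings += 'Protocol transition is off; WAP cannot request tickets on behalf of users'
    }
    foreach ($app in $Apps) {
        if ($app.ExternalPreauthentication -ne 'ADFS') {
            $findings += "$($app.Name): published without ADFS pre-authentication"
            continue
        }
        $spn = $app.BackendServerAuthenticationSPN
        if (-not $spn) { continue }   # no Kerberos hop to the backend
        if ($allowed -notcontains $spn) {
            $findings += "$($app.Name): SPN $spn is not in msDS-AllowedToDelegateTo"
        }
    }
    $used = @($Apps | ForEach-Object { $_.BackendServerAuthenticationSPN } | Where-Object { $_ })
    foreach ($extra in ($allowed | Where-Object { $used -notcontains $_ })) {
        $findings += "Delegation to $extra is granted but no published application uses it"
    }
    $findings
}

# Constructed sample data (hypothetical names), shaped like the cmdlet output.
$apps = @(
    [pscustomobject]@{ Name = 'Intranet'; ExternalPreauthentication = 'ADFS'; BackendServerAuthenticationSPN = 'HTTP/intranet.contoso.example' },
    [pscustomobject]@{ Name = 'Legacy'; ExternalPreauthentication = 'PassThrough'; BackendServerAuthenticationSPN = $null }
)
$wap = [pscustomobject]@{
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('HTTP/intranet.contoso.example', 'CIFS/fs01.contoso.example')
}
Test-WapDelegation -Apps $apps -WapComputer $wap
```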
