We can skip the initial sign-in prompt at Microsoft and get single sign-on (SSO) when accessing Office 365 services, which improves the overall user experience.
Basically, we have 3 options for signing users in without requiring them to first type their e-mail address to start the federated (home realm) discovery process:
- Office365 Auto-Acceleration – is activated for federated o365 domain (Not covered in this post)
- Office 365 SmartLinks
- NetScaler FormBased SSO to Office365 (soon to be covered in another post on this site)
In this blog post we will look into using Smart Links that we could implement as a Web Link or add to Favorites in the Secure Web MDX app in XenMobile. This will also work from a Desktop client browser.
- ADFS is set up and configured to support Windows Authentication from multiple browsers, including Secure Web (see the supported user-agent property in ADFS 3.0+)
So a SmartLink to an Office 365 service is a pre-defined URL that tells the Microsoft O365 login service (login.microsoftonline.com) which federated domain to authenticate the user against, instead of waiting for the user to type an address into the login form.
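As an added example (not code from the original post or from the online generator it refers to), the script below builds such a link and checks one before it is published as a Secure Web favorite. It assumes the classic WS-Federation form of the link, with the `wa`, `whr` (home realm, i.e. the federated domain) and `wreply` (the Office 365 service to land on) parameters on `login.microsoftonline.com/login.srf`; the post itself only describes the link as a pre-defined URL. The allow-list of reply hosts is constructed for the example. The check matters because a link handed to every user is trusted blindly: a `wreply` pointing off Office 365 would send users elsewhere after they sign in.

```python
# Added example, not from the original post. Assumes the WS-Federation style
# login.srf URL with the `wa`, `whr` and `wreply` parameters; the post does not
# show the exact link format its online tool generates.
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_HOST = "login.microsoftonline.com"

# Constructed allow-list: Office 365 hosts we are willing to send users to.
ALLOWED_REPLY_HOSTS = {
    "outlook.office365.com",
    "www.office.com",
    "portal.office.com",
}


def build_smart_link(federated_domain: str, reply_url: str) -> str:
    """Return a smart link that skips the e-mail prompt, sends the user straight
    to the ADFS realm for `federated_domain`, and lands them on `reply_url`."""
    reply = urlparse(reply_url)
    if reply.scheme != "https" or reply.hostname not in ALLOWED_REPLY_HOSTS:
        raise ValueError(f"refusing reply URL {reply_url!r}: not an allowed https Office 365 host")
    if "." not in federated_domain or "/" in federated_domain:
        raise ValueError(f"{federated_domain!r} does not look like a DNS domain")
    query = urlencode({
        "wa": "wsignin1.0",        # WS-Federation sign-in action
        "whr": federated_domain,   # home realm hint: the federated domain, so no e-mail prompt
        "wreply": reply_url,       # where the user lands after SSO
    })
    return f"https://{LOGIN_HOST}/login.srf?{query}"


def check_smart_link(link: str) -> dict:
    """Inspect a smart link before distributing it (e.g. as a Secure Web favorite).
    Reports the realm and reply host, and lists anything that would either break
    the SSO experience (missing whr) or redirect users off Office 365 (bad wreply)."""
    u = urlparse(link)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    problems = []
    if u.scheme != "https" or u.hostname != LOGIN_HOST:
        problems.append(f"link does not go to https://{LOGIN_HOST}")
    if q.get("wa") != "wsignin1.0":
        problems.append("missing wa=wsignin1.0")
    if not q.get("whr"):
        problems.append("missing whr (federated domain): user will still see the e-mail prompt")
    reply = urlparse(q.get("wreply", ""))
    if reply.scheme != "https" or reply.hostname not in ALLOWED_REPLY_HOSTS:
        problems.append(f"wreply {q.get('wreply')!r} is not an allowed Office 365 host")
    return {
        "ok": not problems,
        "realm": q.get("whr"),
        "reply_host": reply.hostname,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample: a federated domain and the OWA landing page.
    link = build_smart_link("contoso.example", "https://outlook.office365.com/owa/")
    print(link)
    print(check_smart_link(link))
```

Run the check against every link before it goes into the XenMobile policy; the `whr` value must be the federated domain exactly as registered with Office 365, otherwise the login service falls back to the normal e-mail prompt.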
An online tool to generate smart links to O365 can be found here:
Test the newly generated link, from a desktop environment and from a Secure Web session delivered from XenMobile.
Traffic flow in XenMobile scenario (High-level):
- User launches Secure Web
- Secure Web establishes via Secure Hub a MicroVPN session towards the NetScaler Gateway
- Authentication happens by passing the credentials from Secure Hub.
- The user clicks the link we provided to Office 365 and is redirected and authenticated with SSO to the Office 365 service.