Microsoft Exchange via WS-Federation application setup
Introduction
You can use HelloID as an Identity Provider (IdP) for Microsoft Exchange, using WS-Federation (Web Services Federation).
This configuration requires communication with Tools4ever support.
Requirements
HelloID environment
Exchange 2016 or 2019 environment with full administrative rights
Create or import a certificate
Import a trusted certificate into HelloID. Name it Exchange. (If you aren't able to use a trusted certificate, create or import a self-signed certificate instead. In this case, you will need to add the self-signed certificate as a trusted root certificate on all CAS servers. We recommend using a trusted certificate if possible.)
Download the certificate as a DER Encoded binary X.509 (.CER) file.
Save the .CER file to the Exchange server and make note of its location. You will need it shortly.
Download the certificate as a Personal Information Exchange (.PFX) file.
Supply it to Tools4ever support. Tools4ever will convert the .PFX certificate into a format compatible with the Exchange server, and send you a copy.
When you receive the converted certificate, import it into HelloID. Name it Exchange WS-Federation.
Note: The converted certificate must be supplied without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Ignore any certificate errors.
Application setup
Open the HelloID application catalog.
Add the Generic WS Federation application.
General tab
For the Default Login URL, enter your Outlook Web Access URL. For example:
https://outlook.customer.com/owa
Single Sign On tab
For the Realm field, enter your Outlook Web Access URL. For example:
https://outlook.customer.com/owa
For the Endpoint URL field, enter your Outlook Web Access URL. For example:
https://outlook.customer.com/owa
For the X509 Certificate field, select the Exchange WS-Federation certificate you received from Tools4ever support.
Save the application.
Change mappings
Edit the mapping set of the new WS Federation application.
Select the Change mappings link.
Remove all existing mappings.
Add a mapping for {{user.immutableId}} > Primary Sid.
Add a mapping for {{user.contactEmail}} > Upn.
Add additional custom mappings as desired.
Select the Set Identifier link.
Remove the existing mapping.
Add a mapping for {{user.contactEmail}} > Name ID.
Select the Close link, and then select the Save button.
Exchange server configuration
Install the certificate you previously copied to the Exchange server.
Open the Certificates snap-in.
Double-click the added certificate.
Select the Details tab.
Select the Thumbprint field and copy its hex value.
Create a new PowerShell script on your Exchange server. Paste the following code into it:
# WS-Federation issuer URL provided by Tools4ever with the converted certificate
$issuer = "https://{location}-identity.helloid.cloud/service/identity-server/wsfederation/{tenant_id}/{application_guid}"
# Audience URIs for OWA and ECP in your Exchange environment (no whitespace inside the URLs)
$audience = "https://{exchange}/owa/","https://{exchange}/ecp/"
# Thumbprint of the certificate installed on the Exchange server
$cert = '{thumbprint}'
Set-OrganizationConfig -AdfsIssuer $issuer -AdfsAudienceUris $audience -AdfsSignCertificateThumbprint $cert
# Enable WS-Federation authentication on ECP and OWA and disable every other method
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Replace $issuer with the value provided by Tools4ever along with your converted certificate.
Set $audience according to your Exchange environment.
Set $cert to the value of the Thumbprint you copied earlier.
Restart the Exchange web services according to the PowerShell output.
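After the restart, the following script (added here as an example; it is not part of the HelloID documentation or the Tools4ever procedure) can be run in the Exchange Management Shell to confirm that the organization settings took effect, that the signing certificate is actually present on this server, and that no other authentication method is still enabled on the OWA and ECP virtual directories. The placeholder values and the two certificate stores it searches are assumptions.

```powershell
# Verification script for the HelloID WS-Federation setup (added example, not from the page).
# Fill in the same placeholder values used in the configuration script.
$ExpectedThumbprint = '{thumbprint}'
$ExpectedIssuer     = 'https://{location}-identity.helloid.cloud/service/identity-server/wsfederation/{tenant_id}/{application_guid}'

$problems = @()

# 1. Set-OrganizationConfig only records the thumbprint; it does not check that the
#    certificate exists. Assumption: it was imported into LocalMachine\My or LocalMachine\Root.
$cert = @(Get-ChildItem Cert:\LocalMachine\My) + @(Get-ChildItem Cert:\LocalMachine\Root) |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint } | Select-Object -First 1
if (-not $cert) {
    $problems += "Certificate $ExpectedThumbprint not found in LocalMachine\My or LocalMachine\Root"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate $ExpectedThumbprint expires on $($cert.NotAfter)"
}

# 2. Organization-level federation settings must match what was configured.
$org = Get-OrganizationConfig
if ($org.AdfsIssuer -ne $ExpectedIssuer) {
    $problems += "AdfsIssuer is '$($org.AdfsIssuer)', expected '$ExpectedIssuer'"
}
if ($org.AdfsSignCertificateThumbprint -ne $ExpectedThumbprint) {
    $problems += "AdfsSignCertificateThumbprint is '$($org.AdfsSignCertificateThumbprint)'"
}
foreach ($uri in $org.AdfsAudienceUris) {
    # A stray space inside an audience URI silently breaks token validation.
    if ($uri -match '\s') { $problems += "Audience URI contains whitespace: '$uri'" }
}

# 3. Every OWA/ECP virtual directory must accept WS-Federation only; any other
#    method left enabled lets a client authenticate without going through HelloID.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($v in $vdirs) {
    if (-not $v.AdfsAuthentication) { $problems += "$($v.Identity): AdfsAuthentication is off" }
    foreach ($m in 'BasicAuthentication','DigestAuthentication','FormsAuthentication','WindowsAuthentication') {
        if ($v.$m) { $problems += "$($v.Identity): $m is still enabled" }
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'WS-Federation configuration verified.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```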
Exchange control panel
If you would like to add the Exchange control panel as an additional application in HelloID, repeat the steps in the Application setup section, above. Set the application's Default Login URL, Realm, and Endpoint URL to the Exchange control panel URL.