Assurance

[Brian Arkills <>]

I'd note that this issue is present regardless of whether you use ADFS, Shibboleth, some other SAML identity provider not explicitly supported by Azure Active Directory, or the more obvious case where you stick the credentials in AAD. It's a function of the active profile used by Outlook, other mail clients, and the Lync fat client that they have no other way to do federated authentication except by having the service proxy that authentication for them.

 

From: [mailto:] On Behalf Of Etan Weintraub
Sent: Wednesday, March 06, 2013 11:38 AM
To: ''
Subject: [Assurance] Passwords and Office365

 

Hi all-

We are in the process of implementing Office365 here at Hopkins, and based on the implementation guides, I had a question as to its impact on our ability to get Silver Assurance, so I figured I would ask here and see if anyone could give me an answer.

 

Basically, according to the information I can gleam, even using ADFS, at certain points (i.e. when using a mobile device to connect to the email service) the username and password are first sent to Microsoft servers, then back in to our environment and servers for authentication. Given that the username and password would be shipped securely (we are confirming that we can turn off all non-secure access points, but believe that it is available to do), but is “intercepted” and proxied through to our servers by the Microsoft servers, would this become an non-auditable point, and therefore potentially eliminate us from being able to get Silver?

 

-Etan E. Weintraub

Sr. Systems Engineer

Directory Architecture

IT@Johns Hopkins

Johns Hopkins at Mt. Washington

5801 Smith Ave.

Suite 3110B

Baltimore, MD 21209

Phone: 410-735-7945

E-mail: