We are using R12.7 SSO Policy Server with R12.7 Access Gateway in a client's environment, and now the requirement is to do O365 integration using federation services with CA Access Gateway. Some queries below, if someone can help:
For PoC:
1) Can we do a PoC with a Microsoft test tenant, which has a one-month free subscription? Also, for doing a PoC with a test tenant, do we need to register a domain for the test tenant with an ISP?
2) Can we do a PoC without user sync, i.e. a manual approach of adding a test user in Azure AD with the same attributes?
For Actual Implementation:
1) Do we really need the "DMZ Proxy" and STS services on the Internet if the organization wants O365 access to be restricted to within the network only? I understand this is not a good option, but somehow the business wants it this way.
2) Do we really need to do a separate setup for IWA (Integrated Windows Authentication) that uses NTLM? The reason I am asking is, I can see in the documentation that STS needs to be enabled with IWA using a KDC with the steps below:
Configure the CA Access Gateway Administrative UI.
a. Open the CA Access Gateway Administrative UI, navigate to Web Services, and Security Token Service.
b. Configure the following fields in the STS IWA Configuration section:
KDC Address: Defines the fully qualified domain name and port of the KDC.
Kerberos Realm: Defines domain name of the KDC machine.
Keytab: Defines the path to the Keytab file that you generated.
Principal: Defines the Service Principal Name (SPN) value that a client uses to uniquely identify a service instance. Example: HTTP/casso-sps.caofficedemos.com
Where,
HTTP: Indicates the service name.
casso-sps.caofficedemos.com: Indicates the CA Access Gateway fully qualified host name.
3) How does the solution work for mobile users?
Any further guidance for O365 integration will be of great help.
Thanks,
Sachin
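The STS IWA fields listed in the post (KDC Address, Kerberos Realm, Keytab, Principal) are where most IWA setups go wrong, usually because the SPN host does not match the host name the browser sees or the realm is entered in the wrong case. The following is an added example, not CA/Broadcom code and not part of the post: a small offline sanity check of those four fields before they are saved in the Administrative UI. Host names, the realm and the keytab path in the sample are constructed placeholders, and the conventions it enforces (port 88 as the usual KDC port, upper-case realm, HTTP/<gateway FQDN> as the SPN) are the general Kerberos conventions, not something this page states beyond the documented example.

```python
"""Offline sanity check for CA Access Gateway STS IWA configuration fields.

Added example (not CA/Broadcom code). Field names follow the documented
STS IWA Configuration section; sample values below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Loose FQDN check: two or more DNS labels, letters/digits/hyphens, no trailing dot.
FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.IGNORECASE
)


@dataclass
class StsIwaConfig:
    kdc_address: str     # KDC Address field: "kdc-host:port"
    kerberos_realm: str  # Kerberos Realm field
    keytab: str          # Keytab field: path on the gateway host
    principal: str       # Principal field: "HTTP/<gateway FQDN>"
    gateway_fqdn: str    # the Access Gateway's own FQDN, as seen in browser URLs


def validate_sts_iwa(cfg: StsIwaConfig) -> List[str]:
    """Return a list of problems; an empty list means the fields are consistent."""
    problems: List[str] = []

    # KDC Address: fully qualified host name plus port (Kerberos KDCs default to 88).
    host, sep, port = cfg.kdc_address.rpartition(":")
    if not sep:
        host, port = cfg.kdc_address, ""
        problems.append("KDC Address must include the KDC port, e.g. kdc.example.com:88")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"KDC port {port!r} is not a valid TCP port")
    if not FQDN_RE.match(host):
        problems.append(f"KDC host {host!r} is not a fully qualified domain name")

    # Kerberos Realm: the KDC's domain name, upper case by convention
    # (realm names are case-sensitive in Kerberos).
    if not cfg.kerberos_realm:
        problems.append("Kerberos Realm is empty")
    else:
        if cfg.kerberos_realm != cfg.kerberos_realm.upper():
            problems.append("Kerberos Realm should be upper case")
        kdc_domain = host.partition(".")[2]
        if kdc_domain and kdc_domain.lower() != cfg.kerberos_realm.lower():
            problems.append(
                f"Kerberos Realm {cfg.kerberos_realm!r} does not match KDC domain {kdc_domain!r}"
            )

    # Keytab: only the path is checked here; existence and file permissions
    # must be verified on the gateway host itself.
    if not cfg.keytab.strip():
        problems.append("Keytab path is empty")

    # Principal: HTTP/<gateway FQDN>, optionally suffixed with @REALM. Browsers
    # request a ticket for HTTP/<host in the URL>, so the host must be the
    # gateway FQDN exactly as users reach it.
    spn = cfg.principal
    if "@" in spn:
        spn, _, spn_realm = spn.partition("@")
        if spn_realm != cfg.kerberos_realm:
            problems.append(f"Principal realm {spn_realm!r} differs from Kerberos Realm")
    service, sep, spn_host = spn.partition("/")
    if not sep:
        problems.append("Principal must be of the form HTTP/<gateway FQDN>")
    else:
        if service != "HTTP":
            problems.append(f"Principal service {service!r} should be 'HTTP' as in the documented example")
        if spn_host.lower() != cfg.gateway_fqdn.lower():
            problems.append(
                f"Principal host {spn_host!r} does not match gateway FQDN {cfg.gateway_fqdn!r}"
            )
    return problems


# Constructed sample values (placeholders, not from any real deployment).
SAMPLE_OK = StsIwaConfig(
    kdc_address="kdc.example.com:88",
    kerberos_realm="EXAMPLE.COM",
    keytab="/path/to/sts.keytab",
    principal="HTTP/sso-gw.example.com",
    gateway_fqdn="sso-gw.example.com",
)

if __name__ == "__main__":
    for problem in validate_sts_iwa(SAMPLE_OK) or ["configuration fields are consistent"]:
        print(problem)
```

The realm-versus-KDC-domain comparison follows the post's own description of the Kerberos Realm field ("domain name of the KDC machine"); in deployments where the realm deliberately differs from the DNS domain, that one check would be relaxed.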