Configure SAML for Microsoft enhanced client

SAML IdP with Microsoft enhanced client or proxy

Microsoft Office 365 allows you to manage Microsoft Exchange Online with the enhanced client or proxy (ECP). Enterprise Application Access (EAA) works with ECP to authenticate users through the EAA SAML IdP. In this setup, Microsoft Outlook acts as a plain "dummy" client so that Office 365 Azure-based service providers (SP) can interact with the EAA SAML IdP to authenticate the user. Certain desktop and mobile SaaS applications can also use ECP to sign on to the SP, for example, the MacBook Mail client or the Gmail app.

Configure Microsoft enhanced client or proxy in a SaaS application

Configure Microsoft enhanced client or proxy (ECP) in Enterprise Application Access (EAA) and view the ECP URL in the EAA metadata.

  1. Configure federation for the domain. Connect to the Microsoft online services server and run a typical command to federate a session.

  2. Pass the Enhanced Client or Proxy (ECP) URL as the Active Log On URL, for example, https://<IDP-FQDN>/saml/idp/ecp. To do so, run a command in Microsoft online services and get the ECP URL for the Active Log On URL.

  3. In the EAA Management Portal navigation menu, select Applications.

  4. On the application card, click Settings, and select SAML SETTINGS.

  5. In ECP settings, select Enable ECP.

  6. For Microsoft Office 365 configuration, select Sign only assertions.

    Microsoft Office 365 works only with Sign only assertions. Do not select Sign assertions and response envelope for a Microsoft Office 365 configuration.

  7. Click Save and go to Deployment.
    The application status changes to Ready for deployment.

  8. In the Deployment tab, click Deploy application.

  9. Click Done.

  10. EAA adds the ECP URL to the metadata. To view the ECP URL in the metadata, return to the application, open it, and click SAML SETTINGS > Metadata > View.
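
The following is an added example, not code from EAA or Microsoft: a Python check that compares the Active Log On URL set in step 2 with the ECP URL that appears in the IdP metadata after step 10. The function names, the idp.example.com host and the sample metadata are constructed for illustration, and the SOAP binding on the ECP endpoint is an assumption taken from the SAML 2.0 ECP profile rather than from EAA output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ECP_PATH = "/saml/idp/ecp"  # path shown in step 2 of the procedure

# Constructed sample metadata; idp.example.com is a placeholder, and the SOAP
# binding on the ECP endpoint is an assumption based on the SAML 2.0 ECP profile.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/idp/sso">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/idp/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/saml/idp/ecp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def find_ecp_urls(metadata_xml):
    """Return Location values of SSO endpoints whose path is the ECP path."""
    root = ET.fromstring(metadata_xml)
    locations = [e.get("Location", "") for e in root.iter(MD + "SingleSignOnService")]
    return [u for u in locations if urlsplit(u).path.rstrip("/") == ECP_PATH]


def check_active_logon_url(metadata_xml, active_logon_url):
    """Compare the Active Log On URL set on the domain with the metadata.

    Returns a list of problems; an empty list means the values agree.
    """
    problems = []
    ecp_urls = find_ecp_urls(metadata_xml)
    if not ecp_urls:
        return ["no ECP endpoint in metadata (ECP not enabled or not deployed)"]
    parts = urlsplit(active_logon_url)
    if parts.scheme != "https":
        problems.append("Active Log On URL is not https")
    if parts.query or parts.fragment or parts.username:
        problems.append("Active Log On URL carries query, fragment or userinfo")
    if active_logon_url.rstrip("/") not in [u.rstrip("/") for u in ecp_urls]:
        problems.append("Active Log On URL does not match the ECP URL in metadata")
    return problems


if __name__ == "__main__":
    print(check_active_logon_url(SAMPLE_METADATA, "https://idp.example.com/saml/idp/ecp"))
```

Run it against the XML copied from SAML SETTINGS > Metadata > View and the Active Log On URL read back from the federated domain; any returned problem means clients would be sent to an endpoint other than the one EAA published.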