Use Microsoft enhanced client or proxy (ECP) with EAA

SAML IdP with Microsoft enhanced client or proxy

Microsoft Office 365 allows you to manage Microsoft Exchange Online with the enhanced client or proxy (ECP). Enterprise Application Access (EAA) works with ECP to authenticate users through the EAA SAML IdP. In this setup, Microsoft Outlook acts as a dummy client, so that the Office 365 Azure-based service providers (SP) can interact with the EAA SAML IdP to authenticate the user. Certain desktop and mobile SaaS applications can use ECP to sign on to the SP, for example, the MacBook Mail client or the Gmail app.

Configure Microsoft enhanced client or proxy in a SaaS application

Configure Microsoft enhanced client or proxy (ECP) in Enterprise Application Access (EAA) and view the ECP URL in the EAA metadata.

  1. Configure federation for the domain. Connect to the Microsoft online services server and run a typical command to federate a session.

  2. Pass the Enhanced Client or Proxy (ECP) URL to the Active Log On URL. For example, https://<IDP-FQDN>/saml/idp/ecp. To do so, run a command in Microsoft online services that sets the Active Log On URL to the ECP URL.

  3. Log in to Enterprise Center.

  4. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  5. Select your application to open it.

  6. Select SAML settings.

  7. In ECP settings, select Enable ECP.

  8. For Microsoft Office 365 configurations, select Sign only assertions.

    Note: For Microsoft Office 365 configurations, do not select Sign assertions and response envelope. Microsoft Office 365 works only with Sign only assertions.

  9. Click Save and Deploy.

Enterprise Application Access adds the ECP URL to the metadata. To view the ECP URL in the metadata, return to the application, open it, and click SAML settings > Metadata > View.
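
After deployment, the metadata can also be checked with a script. The following is an added example, not part of the original documentation: it parses IdP metadata and confirms that the ECP endpoint is HTTPS, on the expected IdP host, and at the /saml/idp/ecp path. It assumes the ECP endpoint is published with the SOAP binding, as the SAML 2.0 ECP profile specifies. The function names, the idp.example.com host and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Assumption: the ECP endpoint uses the SOAP binding (SAML 2.0 ECP profile).
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
ECP_PATH = "/saml/idp/ecp"  # path from the example URL on this page

# Constructed sample metadata (hypothetical host and SSO path).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com/saml/idp/ecp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def find_ecp_endpoints(metadata_xml):
    """Return Location values of SOAP-bound SingleSignOnService elements."""
    # SAML metadata never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:SingleSignOnService"
    return [el.get("Location", "") for el in root.iterfind(path, MD_NS)
            if el.get("Binding") == SOAP_BINDING]


def check_ecp_url(metadata_xml, idp_fqdn):
    """Return a list of problems; an empty list means the ECP URL is as expected."""
    endpoints = find_ecp_endpoints(metadata_xml)
    if not endpoints:
        return ["no SOAP-bound SingleSignOnService (ECP not enabled or not deployed)"]
    problems = []
    for loc in endpoints:
        url = urlsplit(loc)
        if url.scheme != "https":
            problems.append(f"{loc}: not HTTPS")
        if (url.hostname or "").lower() != idp_fqdn.lower():
            problems.append(f"{loc}: host differs from {idp_fqdn}")
        if url.path.rstrip("/") != ECP_PATH:
            problems.append(f"{loc}: path is not {ECP_PATH}")
    return problems


if __name__ == "__main__":
    print(check_ecp_url(SAMPLE_METADATA, "idp.example.com") or "ECP URL OK")
```

The same Location value is what step 2 passes as the Active Log On URL, so a mismatch reported here points to a federation setting that no longer matches the deployed IdP.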