Hello,
I've recently been researching methods to provide federated authentication to users of a multi-tenanted Exchange & Lync environment. Currently I am tackling the first challenge which is OWA. I have used the following guides:
http://allmsft.blogspot.com/2012/02/owa-sp2-and-adfs.html
http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html
Combined with some other various guides on general ADFS configuration in order to successfully configure OWA to allow for ADFS 2.0 to authenticate using the "Claims To Windows Token Service" integration with the OWA site in order to authenticate.
This seems promising; from my novice perspective I am assuming that enabling federation with another domain would simply be a matter of adding the other domain's ADFS 2.0 Proxy as a claims provider trust on the ADFS server in which Exchange exists and then having a mailbox in the Exchange domain which has the UPN that gets passed through from the proxy server.
I've done this much and I am able to authenticate on the ADFS 2.0 proxy page of the user domain, however I am getting a failure which I think is coming from the WIF part of the OWA integration:
RequestUrl: https://webmail.lab1.local:443/owa/
User host address: 192.168.23.77
OWA version: 14.2.247.5
Exception
Exception type: System.IdentityModel.Tokens.SecurityTokenException
Exception message: ID1054: The IClaimsIdentity did not contain a valid UPN Claim. The automatic Windows identity mapping feature requires exactly one non-empty UPN Claim to be provided.
Call stack
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I am wondering whether this is an issue with the way that I have the Claim Provider setup, or if it's simply an issue with the claim rules either on the Claim Provider or on the Relying Party Trust within the ADFS 2.0 server in the user domain for the Exchange domain's ADFS 2.0 STS url.
I realize that providing ADFS 2.0 for Outlook, ActiveSync, and Lync is a whole other animal. If anyone knows of anyone who has actually published a guide on how to achieve this or possibly a third party product that provides the same result I'd appreciate that information as well.
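The ID1054 error in the post means the token that reached OWA's WIF module carried zero or several UPN claims, so the claims-to-Windows-token mapping had nothing unambiguous to map. The claim rules below are an added example (not the poster's configuration or anything from the linked guides) of the minimal UPN path through both ADFS 2.0 farms: the user domain issues exactly one UPN from Active Directory, and the Exchange domain passes it through, first on the claims provider trust and then on the OWA relying party trust. The trust display names ("UserDomain ADFS", "ExchangeDomain STS", "OWA") are assumptions; replace them with the names shown in your ADFS consoles.

```powershell
# Added example: UPN claim rules for a two-farm ADFS 2.0 setup fronting OWA.
# Trust names below are placeholders chosen for this example.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$upnType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# --- Run on the USER domain's ADFS 2.0 server ---
# Relying party trust for the Exchange domain's STS: look the UPN up in AD and
# issue it exactly once. Do not add a second rule that also issues UPN.
$issueUpnFromAd = @"
@RuleName = "Issue UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnType"), query = ";userPrincipalName;{0}", param = c.Value);
"@
Set-ADFSRelyingPartyTrust -TargetName "ExchangeDomain STS" -IssuanceTransformRules $issueUpnFromAd

# --- Run on the EXCHANGE domain's ADFS 2.0 server ---
# Claims provider trust for the user domain: accept the incoming UPN unchanged.
$passThroughUpn = @"
@RuleName = "Pass through UPN"
c:[Type == "$upnType"]
 => issue(claim = c);
"@
Set-ADFSClaimsProviderTrust -TargetName "UserDomain ADFS" -AcceptanceTransformRules $passThroughUpn

# Relying party trust for OWA: pass the UPN through to the OWA relying party.
# A "pass through all claims" rule here combined with a separate UPN rule can
# yield two UPN claims, which triggers the same ID1054 "exactly one" failure.
Set-ADFSRelyingPartyTrust -TargetName "OWA" -IssuanceTransformRules $passThroughUpn

# Quick check of what each trust will emit before testing a login.
Get-ADFSClaimsProviderTrust -Name "UserDomain ADFS" | Select-Object -ExpandProperty AcceptanceTransformRules
Get-ADFSRelyingPartyTrust  -Name "OWA"             | Select-Object -ExpandProperty IssuanceTransformRules
```

The Claims to Windows Token Service then has to resolve that single UPN to an account in the Exchange forest, which is why the mailbox user's UPN there must match the value the user domain issued.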