MS-OFBA (Microsoft Office form-based authentication)

The MS-OFBA protocol provides a mechanism for native MS Office applications (e.g. Word, Excel) to establish an authenticated HTTP session with an MS-SharePoint server protected by the Airlock Secure Access Hub.

In combination with Airlock Gateway, Airlock IAM supports HTTP-based authentication via MS-OFBA. The IAM authentication process for MS-OFBA has been designed as a one-shot authentication flow, using the MS-OFBA One-Shot Target Application.

Limited Loginapp features available

Note that the MS-Office applications (e.g. Word) use outdated browser libraries (IE11 or IE8) that are not compatible with the Airlock IAM Loginapp UI.

For MS-OFBA, a separate Loginapp front-end written in JavaScript is therefore offered, which provides only a very limited set of features. Currently, only username/password authentication and mTAN as the second factor are supported.

If Microsoft does not update to newer browser libraries, MS-OFBA support may be removed from Airlock IAM in future versions.

About MS-OFBA

The following example shows the simplified general workflow of an MS-OFBA authentication with a preconfigured Airlock Gateway and Airlock IAM.

Figure: MS-OFBA simplified workflow

Step 1 (browser client) - Login for browser access to MS-SharePoint
  1. A user tries to access a SharePoint back-end with a browser. The user is redirected to the Loginapp window for the authentication of the browser session.
  2. After successful authentication, the content of the SharePoint back-end is accessible.

Step 2 (MS-Office application) - Login over MS-OFBA for MS-Office application session
  1. The user decides to open an Office file for editing in an MS-Office application (e.g. Word).
  2. A native MS-Office application starts and creates a new HTTP session. The MS-OFBA protocol is initialized.
  3. A Loginapp window opens for authentication in the MS-Office application.
  4. After successful authentication, the MS-Office application downloads and opens the Office file.
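
The protocol initialization in Step 2 can be verified from a captured response: in the MS-OFBA specification, the Office client announces support with `X-FORMS_BASED_AUTH_ACCEPTED: t`, and the server answers 403 with the `X-FORMS_BASED_AUTH_REQUIRED` and `X-FORMS_BASED_AUTH_RETURN_URL` headers that drive the login dialog. The following Python check is an added example, not Airlock code; the host name, the URL paths and the https/same-host policy it enforces are assumptions chosen for illustration.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Constructed sample: a 403 challenge as sent to an Office client that announced
# "X-FORMS_BASED_AUTH_ACCEPTED: t". Host name and paths are placeholders.
SAMPLE_CHALLENGE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-FORMS_BASED_AUTH_REQUIRED: https://sharepoint.example.com/auth/msofba/login\r\n"
    "X-FORMS_BASED_AUTH_RETURN_URL: https://sharepoint.example.com/auth/msofba/done\r\n"
    "X-FORMS_BASED_AUTH_DIALOG_SIZE: 800x600\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_challenge(raw):
    """Return the MS-OFBA challenge headers of a raw HTTP response, or None."""
    status_line, _, rest = raw.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "403":
        return None  # MS-OFBA challenges are 403 responses
    headers = Parser().parsestr(rest, headersonly=True)
    login = headers.get("X-FORMS_BASED_AUTH_REQUIRED")
    if login is None:
        return None  # a plain 403, not a form-based authentication challenge
    return {
        "login_url": login.strip(),
        "return_url": (headers.get("X-FORMS_BASED_AUTH_RETURN_URL") or "").strip(),
        "dialog_size": (headers.get("X-FORMS_BASED_AUTH_DIALOG_SIZE") or "").strip(),
    }

def check_challenge(challenge, expected_host):
    """List findings; an empty list means the challenge passed all checks."""
    findings = []
    for name in ("login_url", "return_url"):
        url = urlsplit(challenge[name])
        if url.scheme != "https":
            findings.append(f"{name}: not https")
        if (url.hostname or "").lower() != expected_host.lower():
            findings.append(f"{name}: host is not {expected_host}")
    width, _, height = challenge["dialog_size"].lower().partition("x")
    if challenge["dialog_size"] and not (width.isdigit() and height.isdigit()):
        findings.append("dialog_size: not WIDTHxHEIGHT")
    return findings

if __name__ == "__main__":
    c = parse_challenge(SAMPLE_CHALLENGE)
    print(c, check_challenge(c, "sharepoint.example.com"))
```

A missing return URL is reported as a finding, because the dialog in the Office application relies on it to recognize the end of the login.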