5.1 Security Considerations for Implementers

This protocol requires HTTPS. Not providing SSL/TLS will seriously affect the functionality of this protocol: the server will not answer Autodiscover queries unless the Autodiscover client has first authenticated with the Autodiscover server, and that authentication exchange depends on the protected transport.

The GetFederationInformation operation has to be anonymous. Its intent is to provide information to other organizations that share a security token service (STS) and to tell them how to request security tokens for authenticating against other services. Therefore, the caller needs to be able to retrieve the federation information without authenticating first.
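The two rules above, written out as an authorization gate for an Autodiscover endpoint. This is an added example and not code from the specification; the `Request`/`Decision` types, the `authorize` function and the HTTP status codes it returns (the specification only says non-HTTPS requests are not answered) are assumptions made here.

```python
# Added example (not from the specification): an authorization gate that
# encodes this section's rules: every request must arrive over HTTPS, and
# every operation except GetFederationInformation requires an authenticated caller.
from dataclasses import dataclass
from typing import Optional

# Operations a caller may invoke without authenticating.
# The section names only GetFederationInformation.
ANONYMOUS_OPERATIONS = frozenset({"GetFederationInformation"})


@dataclass(frozen=True)
class Request:
    scheme: str               # "https" or "http" (hypothetical request model)
    operation: str            # SOAP operation name, e.g. "GetUserSettings"
    principal: Optional[str]  # authenticated identity, or None if anonymous


@dataclass(frozen=True)
class Decision:
    status: int               # HTTP status the endpoint would return (assumed values)
    reason: str


def authorize(req: Request) -> Decision:
    # Rule 1: refuse anything not carried over HTTPS. The 403 is an assumption;
    # the specification only states that such requests are not answered.
    if req.scheme.lower() != "https":
        return Decision(403, "transport is not HTTPS")
    # Rule 2: GetFederationInformation is intentionally anonymous so that peer
    # organizations can learn how to obtain tokens from the shared STS.
    if req.operation in ANONYMOUS_OPERATIONS:
        return Decision(200, "anonymous operation permitted")
    # Rule 3: every other Autodiscover operation is served only to an
    # authenticated caller; an empty principal counts as unauthenticated.
    if not req.principal:
        return Decision(401, "authentication required")
    return Decision(200, f"authenticated as {req.principal}")
```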