
In setting up SSO for Office 365, in order to make Chrome and Firefox access services on the Intranet, Extended Protection for Authentication must be disabled on the ADFS sever.

As the ADFS server is only accessible on the Intranet, and any external logins are handled by the ADFS proxy server, is there a major security concern in regards to turning Extended Protection off?

Thomas Pornin
Matt Bear
    Is this what you're looking for: ["Extended Protection" primer and implementation guide to prevent MITM](http://security.stackexchange.com/q/7519/396) – makerofthings7 Nov 20 '12 at 23:28

1 Answer

I think you don't have to disable extended protection (ExtendedProtectionTokenCheck=None); you just need to make it optional (Allow instead of Require).

This allows incompatible clients to connect without this protection (and vulnerable to MITM), but also allows Internet Explorer to use the additional protection. However, there is no way to enforce this on the client, so it becomes vulnerable to a downgrade, I think.

An idea would be to have a special endpoint which allows skipping extended protection but will not be used by regular clients. Then only your alien clients will be vulnerable to the MITM problem. Depending on other factors, however, this might not be a big risk. If your employees are used to going to lunch without locking their screens, you don't have to worry about it :)

MS Documentation is here: http://technet.microsoft.com/en-us/library/hh852537.aspx

eckes
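The setting the answer refers to is the ExtendedProtectionTokenCheck property of the ADFS server configuration, which takes the values Require, Allow and None. The following PowerShell script is an added example, not part of the answer above: it reads the current value with Get-AdfsProperties, explains what each value means for clients, and moves the server from the weak setting (None, nothing checked) to the answer's recommendation (Allow, optional channel binding) rather than disabling the check outright. It assumes an elevated session on the ADFS server where either the ADFS 2.0 snap-in (Microsoft.Adfs.PowerShell) or the later ADFS module can be loaded; the `$desired` variable and the messages are the example's own.

```powershell
# Added example: audit and adjust ADFS Extended Protection for Authentication.
# Run in an elevated PowerShell session on the ADFS server (not the proxy).
# Assumption: ADFS 2.0 exposes its cmdlets as a snap-in, later versions as a module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS -ErrorAction Stop
}

# Target value from the answer: make channel binding optional instead of disabled.
$desired = 'Allow'

$current = (Get-AdfsProperties).ExtendedProtectionTokenCheck
Write-Host "Current ExtendedProtectionTokenCheck: $current"

switch ("$current") {
    'Require' { Write-Host 'EPA enforced: every client must present a valid channel binding token.' }
    'Allow'   { Write-Host 'EPA optional: clients that send a CBT are checked; others are admitted (downgradeable).' }
    'None'    { Write-Warning 'EPA disabled: no client is checked, Internet Explorer included.' }
}

if ("$current" -ne $desired) {
    # Allow keeps IE's MITM protection intact while letting Chrome/Firefox authenticate.
    Set-AdfsProperties -ExtendedProtectionTokenCheck $desired

    # Re-read the property so a silent failure is not mistaken for success.
    $after = (Get-AdfsProperties).ExtendedProtectionTokenCheck
    if ("$after" -ne $desired) {
        throw "ExtendedProtectionTokenCheck is still '$after', expected '$desired'"
    }
    Write-Host "ExtendedProtectionTokenCheck now: $after"
}
```

As the answer notes, Allow still leaves clients that never send a channel binding token open to a downgrade; the script only makes the server's current posture explicit and avoids the None setting the question was about to apply.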