To enable SSO to SharePoint Server, configure WS Federation claims-based authentication. In this configuration, Access Manager works as a WS Federation claims provider for SharePoint Server.
Access Manager contains a set of claims. Each claim represents a specific piece of information about a user, such as the username, group memberships, or role on the network. SharePoint supports claims-based authentication by obtaining a security token from the user and using the information in the token's claims to decide access to resources.
Perform the following steps:
Export the token signing certificate from Access Manager.
In Administration Console, click Devices > Identity Servers > Edit > Security.
Under Keystores, click Signing.
Under Certificates, click the certificate.
Click Export Public Certificate, select DER File, and save the file.
Make a note of where you saved the certificate and copy the file to SharePoint Server for later reference.
Import this signing certificate into Internet Explorer on SharePoint Server, and export it in the DER format.
Export the root certificate (and intermediate certificates, if any) if it differs from the token signing certificate.
Click Devices > Identity Servers > Edit > Security.
Click NIDP Trust Store and select the required trusted root.
Click Export Public Certificate, select DER File, and save the file.
Make a note of the name and location of the file.
Import this trusted root certificate and intermediate certificates into Internet Explorer on SharePoint Server, and then export it in the DER format.
Export the server certificate from SharePoint Server.
Open IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager.
Under Connections, select your server’s hostname and double-click Server Certificates.
Export the server and trusted root certificates by highlighting the appropriate server and trusted root certificate and clicking View > Details > Copy to File > Next.
While exporting the server certificate, keep the default value No, do not export the private key.
Click Next. Keep the default format DER encoded binary X.509.
Specify the name and location for the exported certificates and click Next > Finish > OK.
Make a note of the name and location of the exported certificates. They are used when you configure the service provider in Access Manager.
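The export and copy steps above can be scripted and, more importantly, checked before anything is configured. The following is an added example and is not part of the Access Manager documentation or product. It runs in an elevated PowerShell session on the SharePoint server and assumes the PKI module (Export-Certificate, Windows Server 2012 or later), a working folder C:\certs, an IIS binding certificate with subject CN=sp2013.com, and that the two files copied from Administration Console are named nam-signing.cer and nam-root.cer; all of these names are assumptions. It exports the IIS server certificate as DER without the private key, prints the identity and expiry of the Access Manager certificates, and confirms that the exported root is actually the top of the signing certificate's chain (a mismatch here is the usual cause of a trust failure later).

```powershell
# Added example, not from the Access Manager documentation.
# Assumed paths, subject and file names; replace with your own values.
$exportDir  = 'C:\certs'
$iisSubject = 'CN=sp2013.com'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Export the IIS server certificate as DER, public part only (never the private key).
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $iisSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) { throw "No certificate with subject '$iisSubject' in LocalMachine\My" }
Export-Certificate -Cert $serverCert -FilePath (Join-Path $exportDir 'sp2013-server.cer') -Type CERT | Out-Null

# 2. Inspect the files copied from Administration Console.
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $exportDir 'nam-signing.cer')
$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $exportDir 'nam-root.cer')
foreach ($c in $signing, $root) {
    '{0,-12} {1}'   -f 'Subject:',    $c.Subject
    '{0,-12} {1}'   -f 'Issuer:',     $c.Issuer
    '{0,-12} {1}'   -f 'Thumbprint:', $c.Thumbprint
    '{0,-12} {1:u}' -f 'Expires:',    $c.NotAfter
    ''
}
if ($signing.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Identity Server signing certificate expires within 30 days; plan the rollover now'
}

# 3. Confirm that the exported root is the top of the signing certificate's chain.
if ($signing.Subject -eq $signing.Issuer) {
    'Signing certificate is self-signed: import the signing certificate itself as the SharePoint trusted root authority.'
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode     = 'NoCheck'                          # structural check only, runs offline
    $chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority' # root is not yet in the machine store
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.Build($signing) | Out-Null
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -eq $root.Thumbprint) {
        'Chain from the signing certificate ends at the exported root: OK'
    } else {
        throw "Chain ends at '$($top.Subject)', not at the exported root; export the correct root and intermediates from the NIDP Trust Store"
    }
}
```

If step 3 throws, the file you exported from the NIDP Trust Store is not the issuer of the token signing certificate; re-export the right root (and any intermediates) before creating the SharePoint trusted root authority.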
Perform the following steps to configure SharePoint Server in Access Manager as a service provider:
Enable WS Federation in Identity Server. Enabling this protocol also enables the Secure Token Service (STS) protocol that is used in requests from and responses to SharePoint Server.
Click Devices > Identity Servers > Edit.
In the Enabled Protocols section, select WS Federation.
Click OK.
Update Identity Server.
Create an attribute set for WS Federation.
Claims contain formatted name-value pairs. In Access Manager, an attribute set represents the same concept. An attribute set allows you to map attribute values from your configured LDAP user store to be sent to SharePoint as a claim.
When using WS Federation, you need to decide which attributes you want to share during authentication and map those in an attribute set. SharePoint uses these attributes to determine whether the user has permissions to access the applications and sites.
Perform the following steps to create an LDAP mail attribute and an All Roles attribute:
Click Devices > Identity Servers > Shared Settings > Attribute Sets > New.
Specify the following details:
| Field | Description |
|---|---|
| Set Name | Specify a name that identifies the purpose of the set. For example, SP2013-AttrSet. |
| Select set to use as template | Select None. |
Click Next.
To add a mapping for the mail attribute, perform the following steps:
Click New and specify the following details.
| Field | Description |
|---|---|
| Local attribute | Select LDAP Attribute:mail [LDAP Attribute Profile]. |
| Remote attribute | Specify emailaddress. |
| Remote namespace | Select the option, and then specify the following namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
Click OK.
To add a mapping for the All Roles attribute, perform the following steps:
Click New.
Specify the following details:
| Field | Description |
|---|---|
| Local attribute | Select All Roles. |
| Remote attribute | Specify role. This is the name of the attribute that is used to share roles. |
| Remote namespace | Select the option and then specify the following namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims |

The remote namespace and remote attribute together form the claim type that SharePoint receives (namespace, a slash, then the attribute name). They must match, including case, the incoming claim types you later define on SharePoint Server; a mismatch means the claim is silently ignored and the user gets no role.
Click OK.
Click Finish.
Enable the attribute set.
As WS Federation uses STS, you must enable the attribute set for STS.
Click Devices > Identity Servers > Edit > WS Federation > STS Attribute Sets.
Select SP2013-AttrSet in Available attribute sets and move it to Attribute sets.
Select SP2013-AttrSet and move it to the top of the list by using the up arrow.
Click OK, and then update Identity Server.
Create a WS Federation service provider.
Click Devices > Identity Servers > Edit > WS Federation > New > Service Provider.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify a name that identifies the service provider. For example, sp2013. |
| Provider ID | Specify the provider ID of the SharePoint server. This value corresponds to the realm configured on SharePoint Server and is visible in the incoming authentication requests from SharePoint Server to Identity Server. The example value is urn:SharePoint:portal. This value can be any logical string and is unique to this trust relationship. For example, if Access Manager is providing claims to multiple SharePoint environments, each SharePoint realm must be unique. |
| Sign-on URL | Specify the URL that the user is redirected to after login. You can construct this URL by adding _trust at the end of the SharePoint web application URL. For example, https://sp2013.com/_trust/ NOTE: If you publish SharePoint under a DNS name different from the SharePoint web application URL, configure the sign-on URL as https://<published DNS name>:<port>/_trust/. |
| Logout URL | Do not specify any value. You need to configure the logout URL in SharePoint. See Configuring Logout. |
| Service Provider | Specify the path to the signing certificate exported from SharePoint Server. See Exporting the Certificates. |
Click Next.
Confirm the certificate, and then click Finish.
Configure the name identifier format.
The default name identifier format for a new WS Federation service provider is Unspecified. This format does not work with SharePoint Server 2013, so you must change it. Additionally, the role claim must be sent with the authentication response, because SharePoint grants access based on it.
Click Devices > Identity Servers > Edit > WS Federation > sp2013 > Attributes.
In Attribute set, select the WS Federation attribute set you created.
In Send with authentication, move All Roles and LDAP Attribute:mail from Available to Send with authentication.
Click Apply.
Click Authentication Response.
Select E-mail and then select LDAP Attribute:mail [LDAP Attribute Profile].
Click OK > OK, and then update Identity Server.
Set up roles for SharePoint claims.
Based on roles assigned in Access Manager, users can have different levels of access to resources on SharePoint Server.
Click Devices > Identity Servers > Edit > Roles.
Click New, specify a name for the policy, select Identity Server: Roles, and then click OK.
On the Rule 1 page, leave Condition Group 1 blank.
This rule matches all authenticated users.
In the Actions section, click New > Activate Role, and then specify SharePointReader.
Click OK > OK > Apply Changes > Close.
On the Roles page, select the role policy you just created, and then click Enable.
Click OK, and then update Identity Server.
Import the SharePoint Server signing certificate into NIDP Truststore.
Identity Server must have the trusted root of the SharePoint signing certificate or the self-signed certificate listed in its trust store. Identity Server validates the SharePoint signing certificate at initialization time. This validation process must validate the issuer of the signing certificate (or chain of certificates up to the root). Most SharePoint signing certificates are part of a certificate chain, and the certificate that goes into the metadata is not the same as the intermediate or trusted root of that certificate.
Click Devices > Identity Servers > Edit > General > Security > NIDP Trust Store.
Under Trusted Roots, click Add > Select Keystores icon.
Click Import and specify the following details:
| Field | Description |
|---|---|
| Certificate name | Specify a logical name for the SharePoint trusted root. For example, SP2013-tr. |
| Certificate data file (DER/PEM/PKCS7) | Select the previously exported SharePoint trusted root certificate. |
Click OK.
On the Select Trusted Roots page, select the SharePoint trusted root certificate that you just imported, and then click Add Trusted Roots to Trust Stores.
NOTE: This option does not exist in Access Manager Appliance. All components (Identity Server, ESP, and Access Gateway) share the same key store and trust stores.
Next to Trust store(s), click the Select Keystore icon.
Select the trust stores where you want to add the trusted root certificate and click OK > OK.
Update Identity Server.
Create the Access Manager Identity Server STS for the trust relationship with SharePoint.
Copy the certificates that you exported from Administration Console to the SharePoint server.
Add the Identity Server trusted root certificate to the SharePoint Server list of trusted root authorities by using the following PowerShell script:
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\users\<administrator>\downloads\<certificate.cer>")
New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root
Create the $cert variable from the Identity Server token signing certificate. This is the file exported from the Signing keystore, not the trusted root file used for $root above.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\users\<administrator>\downloads\<certificate.cer>")
Map the claims. The incoming claims are the remote attribute names that are defined in the Access Manager attribute set.
The name and the case must match the value in the attribute mapping. For example, assume that you defined emailaddress and role, and that these are appended to the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ and http://schemas.microsoft.com/ws/2008/06/identity/claims/ namespaces respectively.
In this example, the script to define the claims looks similar to the following:
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "emailaddress" -SameAsIncoming
Define the realm. The realm defined here must match the provider ID that you specified while creating the service provider in Access Manager. For example, you can define the realm as urn:SharePoint:portal by using PowerShell with the following script:
$realm = "urn:SharePoint:portal"
Configure the Access Manager sign-in URL. The value must be a quoted string and must use the HTTPS address of Identity Server (include the port if it is not 443):
$signinurl = "https://<idp_host_name>/nidp/wsfed/ep"
SharePoint sends its authentication requests to this URL. When a user accesses a SharePoint web application that has claims-based authentication enabled and needs a claim to be authenticated and authorized, SharePoint redirects the user to Identity Server, which generates the claims.
Assign the custom IP-STS in PowerShell by using the following script:
$ap = New-SPTrustedIdentityTokenIssuer -Name "NAM-WSFED-IDP" -Description "NAM WSFED Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 -SignInUrl $signinurl -IdentifierClaim $map2.InputClaimType
The -Name option is the display name that is used in SharePoint to assign the identity provider.
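The fragments in the steps above, collected into one script that can be run end to end and that verifies what SharePoint actually stored. This is an added example, not part of the Access Manager documentation or product. It runs in the SharePoint Management Shell as a farm administrator and assumes the certificate files C:\certs\nam-root.cer and C:\certs\nam-signing.cer, an Identity Server at idp.example.com on port 8443, and the realm, claim types and issuer name used elsewhere on this page; the host name, paths and the two "already exists" checks are assumptions added here.

```powershell
# Added example, not from the Access Manager documentation.
# Assumed file paths, host name and port; the realm, claim types and issuer name
# must equal the values configured on the Access Manager side.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rootFile    = 'C:\certs\nam-root.cer'                        # trusted root exported from the NIDP Trust Store
$signingFile = 'C:\certs\nam-signing.cer'                     # token signing certificate from the Signing keystore
$realm       = 'urn:SharePoint:portal'                        # must equal the service provider's Provider ID
$signinUrl   = 'https://idp.example.com:8443/nidp/wsfed/ep'   # assumed Identity Server address
$issuerName  = 'NAM-WSFED-IDP'

# Claim types = remote namespace + '/' + remote attribute from the attribute set, case included.
$roleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

if (-not $signinUrl.StartsWith('https://')) {
    throw 'The sign-in URL must use HTTPS; users are redirected to it with the authentication request'
}

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootFile
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $signingFile
if ($cert.HasPrivateKey) { throw 'The signing certificate file carries a private key; export the public certificate only' }

# Trusted root authority, created only once.
if (-not (Get-SPTrustedRootAuthority -Identity 'Token Signing Cert Parent' -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name 'Token Signing Cert Parent' -Certificate $root | Out-Null
}

$map1 = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName 'Role'         -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName 'emailaddress' -SameAsIncoming

if (Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue) {
    throw "Token issuer '$issuerName' already exists; remove it with Remove-SPTrustedIdentityTokenIssuer or choose another name"
}
$ap = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description 'NAM WSFED Federated Server' `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 `
        -SignInUrl $signinUrl -IdentifierClaim $map2.InputClaimType

# Verify what SharePoint stored before touching any web application.
$ap | Select-Object Name, DefaultProviderRealm, ProviderUri, IdentifierClaim | Format-List
$ap.ClaimTypeInformation | Select-Object InputClaimType, MappedClaimType | Format-Table -AutoSize
if ($ap.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Stored signing certificate does not match the file that was imported'
}
```

The two throw checks on the certificate are the ones worth keeping in any production script: SharePoint only needs the public half of the Identity Server signing key, and the thumbprint comparison catches the common mistake of importing the root file where the signing certificate belongs.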
Create or modify SharePoint applications to use the claims-based authentication.
The application, for which you want to enable claims-based authentication, must be a secure application that uses SSL. Ensure that you have assigned the server certificate (that you have imported into Access Manager) to the website binding in IIS.
You also need to create a Site Collection for this application if it does not exist. When the application is created as a secure application, it creates the /_trust directory that is defined in Access Manager as the service provider’s login directory.
Access Manager sends the claims to this URL after the user's credentials have been validated successfully.
In SharePoint Central Administration, go to Manage Web Applications > [Application Name] and select Authentication Providers.
Select Trusted Identity provider as the claims authentication type, and then under Trusted Identity Provider select the Access Manager identity provider (NAM-WSFED-IDP).
Map the incoming claim to a SharePoint application. For example, let's map the SharePointReader role from Access Manager to a SharePoint application named SP2013 Application.
Log in to the SharePoint site as an admin user.
Click Site Actions > Site Settings > People and Groups > [site] > New. Specify the name of the Access Manager claim that you want to map to this SharePoint group in Find. For example, if the name of the claim is SharePointReader, the following are the two claim-based entries:
NAM-WSFED-IDP entry with emailaddress
NAM-WSFED-IDP entry with Role as options
Highlight the role in Trusted and click Add > OK > OK.
Select the permissions for the users with these roles.
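The same two tasks (enabling the trusted provider on the web application, then granting permissions to the Access Manager role claim) done from the SharePoint Management Shell instead of the Central Administration and site UI. This is an added example, not part of the Access Manager documentation or product. It assumes the web application https://sp2013.com, the Default zone, the issuer name NAM-WSFED-IDP, the role claim type used on this page, and the role value SharePointReader; the decision to keep Windows authentication enabled on the zone alongside the trusted provider is an assumption made here so that the farm administrator is not locked out while SSO is being tested.

```powershell
# Added example, not from the Access Manager documentation.
# Assumed web application URL, zone, issuer name and role value.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = 'https://sp2013.com'
$issuerName = 'NAM-WSFED-IDP'
$roleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$roleValue  = 'SharePointReader'   # role activated by the Access Manager role policy

$ti     = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$webApp = Get-SPWebApplication -Identity $webAppUrl
if (-not $webApp.UseClaimsAuthentication) { throw 'The web application is not in claims mode' }
if ($webApp.Url -notlike 'https://*')     { throw 'The web application must be published over HTTPS' }

# 1. Enable the trusted provider on the Default zone. Windows authentication is kept
#    as a second provider (assumption) so an admin can still sign in if SSO misbehaves;
#    remove it from the zone once the federation is verified if it is not wanted.
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $ti
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windows, $trusted

# 2. Grant the role claim (not an individual user) a permission level on the site.
#    Every token from this issuer carrying role=SharePointReader then gets Read, nothing more.
$cp      = New-SPClaimsPrincipal -ClaimValue $roleValue -ClaimType $roleClaim -TrustedIdentityTokenIssuer $ti
$encoded = $cp.ToEncodedString()   # SharePoint's encoded claim login name for this role
$web = Get-SPWeb $webAppUrl
New-SPUser -UserAlias $encoded -Web $web -PermissionLevel 'Read' | Out-Null
# To place the role in an existing group instead:
# New-SPUser -UserAlias $encoded -Web $web -Group 'SP2013 Application Visitors' | Out-Null
$web.Dispose()

# 3. Check: list the principals on the site that come from the trusted issuer.
Get-SPUser -Web $webAppUrl |
    Where-Object { $_.UserLogin -like "*|$($issuerName.ToLower())|*" } |
    Select-Object UserLogin, DisplayName, Roles
```

Granting permissions to the role claim rather than to e-mail identities keeps authorization in one place: membership is decided by the Access Manager role policy, and SharePoint only has to trust the signed token that carries it.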