SharePoint 2013 with ADFS

My session material on using ADFS together with SharePoint 2013 at the SharePoint Saturday Stockholm 2014



  1. SharePoint 2013 with ADFS (#SPSSTHLM02). Thomas Vochten, January 25th, 2014, SharePoint Saturday Stockholm.
  2. Gold / SharePint / Bronze / Raffle
  3. Authorization decisions are based on claims.
  4. Classic Mode Authentication: Windows Token; default in SharePoint 2007 and 2010.
     Claims Mode Authentication: Claims Token; default in SharePoint 2013.
  5. A token is a set of claims (for example Name, Age, Location) plus a Signature.
  6. Claims flow (diagram © John Craddock): the User / Subject / Principal requests a token for AppX from the Issuer, an IP-STS (Identity Provider + Security Token Service) backed by Active Directory. The issuer issues a Security Token (ST) crafted for AppX, signed by the issuer. The Security Token contains claims about the user, for example:
     • Name
     • Group membership
     • User Principal Name (UPN)
     • Email address of user
     • Email address of manager
     • Phone number
     • Other attribute values
     The Security Token "authenticates" the user to the application. AppX, the Relying Party (RP) / Resource provider, trusts the Security Token from the issuer.
  7. Federation Single Sign On
  8. Federated sign-on (diagram © John Craddock). Parties: your claims-aware app (the app trusts your STS); your AD FS 2.0 STS (your STS trusts your partner's STS); the partner's AD FS 2.0 STS & IP with its Active Directory; the partner user. Steps:
     1. Partner user browses the app; not authenticated, so redirected to your STS.
     2. Home realm discovery; redirected to the partner STS requesting an ST for the partner user.
     3. User authenticates at the partner STS; partner STS returns an ST for consumption by your STS.
     4. Redirected to your STS, which returns a new ST; the token is sent to the app.
     5. App processes the token and returns cookies and the page.
  9. ADFS Wiki on TechNet: http://thvo.me/adfswiki
  10. Windows Server 2008 R2: ADFS 2.0 (free download)
     Windows Server 2012: ADFS 2.1 (included)
     Windows Server 2012 R2: ADFS 3.0 (included)
     Configuration is stored in:
     • Windows Internal Database (standalone)
     • SQL Server (farm)
     Install-WindowsFeature ADFS-Federation -IncludeManagementTools
  11. # Import the ADFS token signing certificate to SharePoint
     $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
     New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert
     # Define the claim type mappings (each incoming claim is kept as-is with -SameAsIncoming)
     $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
     $roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
     $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
  12. # Create the trusted identity provider
     $realm = "urn:sharepoint:spssthlm"
     $signInURL = "https://adfs01.lab.thvo.net/adfs/ls"
     $issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
         -Realm $realm -ImportTrustCertificate $cert `
         -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap `
         -SignInUrl $signInURL `
         -IdentifierClaim $upnClaimMap.InputClaimType
  13. Implement a custom claims provider
  14. https://ldapcp.codeplex.com/
  15. i:0#.t|federation|thomasvochten
     i:0#.w|lab\thomasvochten
     © Wictor Wilén
  16. $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
     $uri = New-Object System.Uri("https://spssthlm-mysites.lab.thvo.net/_trust/")
     $ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlm-mysites")
     $ap.Update()
  17. $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
     $uri = New-Object System.Uri("https://www.spssthlm.se/_trust/")
     $ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlmpublic")
     $ap.Update()
  18. $wa = Get-SPWebApplication https://spssthlm.lab.thvo.net
     $wa.CrossDomainPhotosEnabled = $true
     $wa.Update()
  19. #spssthlm #spssthlm02 @thomasvochten
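The trust created on slides 11 and 12 and the per-web-application realms added on slides 16 and 17 are the settings that most often break ADFS sign-in later: SharePoint validates tokens with its own imported copy of the ADFS token-signing certificate, so when ADFS rolls that certificate (AutoCertificateRollover is on by default) sign-in fails until the copy is replaced, and a web application without its own realm sends the default realm to ADFS. The following audit function is an added example, not part of the session material; it assumes the SharePoint 2013 Management Shell and a trusted identity provider named "ADFS" as created on slide 12. The expected thumbprint is a placeholder to be taken from `Get-AdfsCertificate -CertificateType Token-Signing` on the ADFS server.

```powershell
# Added audit check, not from the slides. Assumes the SharePoint 2013 Management
# Shell and a trusted identity provider created as on slides 11-12 (name "ADFS").
function Test-SPAdfsTrust {
    param(
        [string]$IssuerName = "ADFS",
        # Placeholder: thumbprint of the token-signing certificate ADFS currently uses
        [string]$ExpectedSigningThumbprint = "<CURRENT-ADFS-TOKEN-SIGNING-THUMBPRINT>",
        [int]$WarnDaysBeforeExpiry = 30
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $issuer   = Get-SPTrustedIdentityTokenIssuer $IssuerName -ErrorAction Stop
    $problems = @()

    # 1. Signing certificate: SharePoint validates ADFS tokens with the copy it
    #    imported (-ImportTrustCertificate on slide 12). After an ADFS certificate
    #    rollover this copy no longer matches and every sign-in fails.
    $cert = $issuer.SigningCertificate
    Write-Host ("Signing cert : {0}, thumbprint {1}, expires {2:d}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDaysBeforeExpiry)) {
        $problems += "Token-signing certificate expires within $WarnDaysBeforeExpiry days"
    }
    if ($ExpectedSigningThumbprint -notlike '<*>' -and $cert.Thumbprint -ne $ExpectedSigningThumbprint) {
        $problems += "SharePoint's copy of the token-signing certificate differs from the one ADFS uses"
    }

    # 2. Sign-in URL, identifier claim and mappings. The identifier claim is the
    #    incoming claim SharePoint turns into the user's identity (slide 15).
    Write-Host ("Sign-in URL  : {0}" -f $issuer.ProviderUri)
    Write-Host ("Identifier   : {0}" -f $issuer.IdentityClaimTypeInformation.InputClaimType)
    foreach ($m in $issuer.ClaimTypeInformation) {
        Write-Host ("Mapping      : {0} -> {1}" -f $m.InputClaimType, $m.MappedClaimType)
    }
    if ($issuer.ProviderUri.Scheme -ne 'https') { $problems += "Sign-in URL is not HTTPS" }

    # 3. Realms: each web application signing in through this provider needs its
    #    own realm (slides 16-17) and a matching relying party identifier in ADFS.
    Write-Host ("Default realm: {0}" -f $issuer.DefaultProviderRealm)
    foreach ($entry in $issuer.ProviderRealms.GetEnumerator()) {
        Write-Host ("Realm        : {0} -> {1}" -f $entry.Key, $entry.Value)
    }
    foreach ($wa in Get-SPWebApplication) {
        $hasRealm = $issuer.ProviderRealms.Keys | Where-Object { $_.AbsoluteUri.StartsWith($wa.Url) }
        if (-not $hasRealm) {
            # Informational only: web applications using Windows authentication need no realm
            Write-Host ("Note         : no realm registered for web application {0}" -f $wa.Url)
        }
    }

    # Returns the list of problems found (empty when the trust looks healthy)
    $problems
}

Test-SPAdfsTrust -IssuerName "ADFS"
```

Run it after any ADFS certificate change and on a schedule; a non-empty result from `Test-SPAdfsTrust` is the signal to re-import the certificate with `New-SPTrustedRootAuthority` and `Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate`.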

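Slide 15 shows the same person as two different SharePoint principals: `i:0#.t|federation|thomasvochten` is the identity issued by the trusted provider (ADFS) and `i:0#.w|lab\thomasvochten` is the Windows identity. Permissions granted to one do not apply to the other, which is the reason a move to ADFS needs a custom claims provider (slides 13 and 14) for people picking and a user migration for existing permissions. The decoder below is an added example, not from the slides or from Wictor Wilén's material; it parses the encoded format structurally (kind, claim type character, issuer type, issuer name, value) without the SharePoint snap-in. It maps only the issuer-type letters it is sure about (w, t, f, s) and reports the claim type character as-is, since slide 15 shows `#` used for both the ADFS UPN and the Windows logon name.

```powershell
# Added example, not from the slides: decode SharePoint claims-encoded account
# names. Format: <i|c>:0<claim-type char>.<issuer-type char>|[<issuer name>|]<value>
function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory)][string]$EncodedClaim)

    if ($EncodedClaim -match '^(?<kind>[ic]):0(?<type>.)\.(?<issuer>[a-z])\|(?<rest>.+)$') {
        $issuerType = switch ($Matches.issuer) {
            'w'     { 'Windows' }
            't'     { 'Trusted identity provider (e.g. ADFS)' }
            'f'     { 'Forms (membership provider)' }
            's'     { 'SharePoint built-in' }
            default { "Unknown ($($Matches.issuer))" }
        }
        $rest       = $Matches.rest
        $issuerName = $null
        # Windows claims carry no issuer name; trusted and forms claims put it before a second '|'
        if ($Matches.issuer -ne 'w' -and $rest.Contains('|')) {
            $issuerName, $rest = $rest -split '\|', 2
        }
        return [pscustomobject]@{
            Raw           = $EncodedClaim
            IsClaim       = $true
            IsIdentity    = ($Matches.kind -eq 'i')   # 'i' = identity claim, 'c' = any other claim
            ClaimTypeChar = $Matches.type
            IssuerType    = $issuerType
            IssuerName    = $issuerName
            Value         = $rest
        }
    }

    # Not claims-encoded: classic-mode accounts appear as plain "domain\user"
    [pscustomobject]@{ Raw = $EncodedClaim; IsClaim = $false }
}

# Constructed sample input: the two identities from slide 15 plus a constructed role claim
'i:0#.t|federation|thomasvochten',
'i:0#.w|lab\thomasvochten',
'c:0-.t|federation|SharePoint Users' |
    ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-Table Raw, IsIdentity, ClaimTypeChar, IssuerType, IssuerName, Value -AutoSize
```

Pipe the output of `Get-SPUser` or a permissions export through this function when auditing a farm after the switch to claims: entries with IssuerType "Windows" that should have become trusted-provider identities are permissions that silently stopped applying.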