SharePoint 2013 with ADFS
#SPSSTHLM02
Thomas Vochten
January 25th, 2014

SharePoint Saturday Stockholm
My session material on using ADFS together with SharePoint 2013 at the SharePoint Saturday Stockholm 2014
  1. SharePoint 2013 with ADFS. #SPSSTHLM02. Thomas Vochten, January 25th, 2014, SharePoint Saturday Stockholm
  2. Gold / SharePint / Bronze / Raffle
  3. Authorization decisions are based on claims
  4. Classic Mode Authentication: Windows Token, default in SharePoint 2007 and 2010. Claims Mode Authentication: Claims Token, default in SharePoint 2013.
  5. A token: Claim, Claim, Claim, Claim, Signature (example claims: Name, Age, Location)
  6. Issuer = IP-STS: Identity Provider (IP) + Security Token Service (STS), backed by Active Directory.
     The User / Subject / Principal requests a token for AppX.
     The issuer issues a Security Token (ST) crafted for AppX. The Security Token contains claims about the user, for example:
       • Name
       • Group membership
       • User Principal Name (UPN)
       • Email address of user
       • Email address of manager
       • Phone number
       • Other attribute values
     The token is signed by the issuer.
     The Security Token "authenticates" the user to the application. AppX is the Relying Party (RP) / Resource Provider and trusts the Security Token from the issuer.
     © John Craddock
  7. Federation / Single Sign On
  8. Federated sign-on. Parties: your claims-aware app, your AD FS 2.0 STS (the app trusts this STS), the partner user, and the partner's AD FS 2.0 STS & IP backed by the partner's Active Directory. Your STS trusts your partner's STS.
     Flow:
       • Partner user browses the app; not authenticated, redirected to your STS.
       • Home realm discovery; redirected to the partner STS requesting an ST for the partner user.
       • Partner user authenticates; the partner STS returns an ST for consumption by your STS.
       • Redirected to your STS; your STS returns a new ST.
       • The app processes the token (send token) and returns cookies and page.
     © John Craddock
  9. ADFS Wiki on TechNet: http://thvo.me/adfswiki
  10. ADFS versions:
        • Windows Server 2008 R2: ADFS 2.0 (free download)
        • Windows Server 2012: ADFS 2.1 (included)
        • Windows Server 2012 R2: ADFS 3.0 (included)
      Configuration is stored in
        • Windows Internal Database (standalone)
        • SQL Server (farm)
      Install-WindowsFeature ADFS-Federation -IncludeManagementTools
  11. # Import the ADFS token signing certificate to SharePoint
      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
      New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert

      # Define the claims type mappings
      $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
      $roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
      $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
  12. # Create the trusted identity provider
      $realm = "urn:sharepoint:spssthlm"
      $signInURL = "https://adfs01.lab.thvo.net/adfs/ls"
      $issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
          -Realm $realm -ImportTrustCertificate $cert `
          -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap `
          -SignInUrl $signInURL `
          -IdentifierClaim $upnClaimMap.InputClaimType
  13. Implement a custom claims provider
  14. https://ldapcp.codeplex.com/
  15. Encoded claim identities:
      i:0#.t|federation|thomasvochten
      i:0#.w|lab\thomasvochten
      © Wictor Wilén
  16. $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
      $uri = New-Object System.Uri("https://spssthlm-mysites.lab.thvo.net/_trust/")
      $ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlm-mysites")
      $ap.Update()
  17. $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
      $uri = New-Object System.Uri("https://www.spssthlm.se/_trust/")
      $ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlmpublic")
      $ap.Update()
  18. $wa = Get-SPWebApplication https://spssthlm.lab.thvo.net
      $wa.CrossDomainPhotosEnabled = $true
      $wa.Update()
  19. #spssthlm #spssthlm02 @thomasvochten
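The two encoded identities on slide 15 pack the claim type, value type and issuer into a short prefix, which is how the user appears in site permissions, audit reports and ULS logs. The following decoder is an added example, not part of the slide deck or of SharePoint's own API; its character tables cover only the common claim types and issuers (a simplification of SharePoint's full encoding table), and the sample inputs are the two values from the slide.

```powershell
# Added example (not from the deck): decode a SharePoint encoded claim such as
# "i:0#.t|federation|thomasvochten" into its parts.
#
# Layout: <i|c>:0<type><valuetype><issuer>|[<provider>|]<value>
#   i / c        identity claim / other (non-identity) claim
#   0            reserved
#   <type>       one character for the claim type (see $claimTypes)
#   <valuetype>  one character for the value type ('.' = string)
#   <issuer>     one character for the original issuer (see $issuers); trusted,
#                forms, membership and role issuers carry a provider name next
# The tables are a deliberately reduced subset of SharePoint's encoding.

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory)][string]$EncodedClaim)

    $claimTypes = @{
        '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
        '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
        '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
        '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
        '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    }
    $issuers = @{
        'w' = 'Windows'; 't' = 'TrustedProvider'; 'f' = 'Forms'
        's' = 'SecurityTokenService'; 'm' = 'Membership'; 'r' = 'RoleProvider'
    }

    # The header is everything before the first '|', e.g. "i:0#.t".
    $pattern = '^(?<kind>[ic]):0(?<type>.)(?<vtype>.)(?<issuer>.)\|(?<rest>.*)$'
    if (-not ($EncodedClaim -match $pattern)) {
        throw "Not an encoded claim: $EncodedClaim"
    }
    $kind   = $Matches.kind
    $type   = $Matches.type
    $vtype  = $Matches.vtype
    $issuer = $Matches.issuer
    $rest   = $Matches.rest

    # Issuers that are a named provider put the provider name before the value.
    $provider = $null
    if ($issuer -in 't', 'f', 'm', 'r') {
        $provider, $rest = $rest -split '\|', 2
        if (-not $rest) { throw "Missing value after provider name in: $EncodedClaim" }
    }

    [pscustomobject]@{
        IsIdentityClaim = ($kind -eq 'i')
        ClaimType       = if ($claimTypes.ContainsKey($type)) { $claimTypes[$type] } else { "unknown($type)" }
        ValueType       = if ($vtype -eq '.') { 'String' } else { "unknown($vtype)" }
        Issuer          = if ($issuers.ContainsKey($issuer)) { $issuers[$issuer] } else { "unknown($issuer)" }
        Provider        = $provider
        Value           = $rest
    }
}

# The two identities shown on slide 15: one issued by the trusted provider
# "federation", one issued by Windows authentication.
'i:0#.t|federation|thomasvochten', 'i:0#.w|lab\thomasvochten' |
    ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-List
```

Decoding matters for authorization review: both values above resolve to the same user logon name claim, but they are different principals to SharePoint because the issuer differs, so permissions granted to the Windows identity do not carry over to the ADFS identity after a switch to the trusted provider.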
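Slides 11 and 12 build the trust from the token-signing certificate, the claim mappings and the sign-in URL; slides 16 and 17 add a realm per web application. The script below is an added example for checking that configuration afterwards; it is not from the deck. It assumes the SharePoint 2013 Management Shell on a farm server, the issuer name "ADFS" and the web application URLs as used on the slides, and a warning threshold of 30 days that is my own choice.

```powershell
# Added example (not from the deck): verify the SharePoint side of the ADFS
# trust. Run in the SharePoint 2013 Management Shell. Issuer name and web
# application URLs default to the values used on the slides.

function Test-SPTrustedIdentityIssuer {
    param(
        [string]$Name = 'ADFS',
        [string[]]$WebApplicationUrls = @(
            'https://spssthlm.lab.thvo.net',
            'https://spssthlm-mysites.lab.thvo.net',
            'https://www.spssthlm.se'
        ),
        [int]$WarnDays = 30   # assumed threshold, not a SharePoint setting
    )
    $findings = @()
    $ap = Get-SPTrustedIdentityTokenIssuer $Name -ErrorAction Stop

    # 1. Token-signing certificate. SharePoint validates every incoming token
    #    against this copy; when ADFS rolls over its token-signing certificate,
    #    tokens are rejected until this trust and the trusted root authority
    #    from slide 11 are updated, so the expiry date needs watching.
    $cert = $ap.SigningCertificate
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) {
        $findings += "FAIL signing certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    } elseif ($daysLeft -lt $WarnDays) {
        $findings += "WARN signing certificate $($cert.Thumbprint) expires in $daysLeft days"
    }
    $root = Get-SPTrustedRootAuthority |
        Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    if (-not $root) {
        $findings += "FAIL no SPTrustedRootAuthority holds thumbprint $($cert.Thumbprint)"
    }

    # 2. Sign-in URL: the browser posts the token back over this path, so it
    #    must be HTTPS.
    if ($ap.ProviderUri.Scheme -ne 'https') {
        $findings += "FAIL sign-in URL $($ap.ProviderUri) is not HTTPS"
    }

    # 3. Realms (slides 16-17): each web application is keyed by its /_trust/
    #    URL. Without an entry the default realm from slide 12 is used, which
    #    works but hides which web application the token was meant for.
    foreach ($url in $WebApplicationUrls) {
        $trustUri = [System.Uri]"$($url.TrimEnd('/'))/_trust/"
        if (-not $ap.ProviderRealms.ContainsKey($trustUri)) {
            $findings += "WARN no ProviderRealms entry for $trustUri (default realm $($ap.DefaultProviderRealm) applies)"
        }
    }

    # 4. Identifier claim: slide 12 chose UPN; a different value means users
    #    will be matched on a different attribute than intended.
    $idClaim = $ap.IdentityClaimTypeInformation.MappedClaimType
    if ($idClaim -ne 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn') {
        $findings += "WARN identifier claim is $idClaim"
    }

    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Test-SPTrustedIdentityIssuer
```

The function returns the string OK or the list of findings, so it can be scheduled and its output compared over time; the certificate check is the one that most often fails in practice, because ADFS and SharePoint each hold their own copy of the token-signing certificate and nothing synchronizes them.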