SharePoint 2013 with ADFS
My session material on using ADFS together with SharePoint 2013 at the SharePoint Saturday Stockholm 2014

Transcript

  • 1. SharePoint 2013 with ADFS #SPSSTHLM02 Thomas Vochten January 25th, 2014 SharePoint Saturday Stockholm
  • 2. Gold SharePint Bronze Raffle
  • 3. Authorization decisions are based on claims
  • 4. Classic Mode Authentication vs. Claims Mode Authentication
       Classic Mode Authentication: Windows Token; default in SharePoint 2007 and 2010
       Claims Mode Authentication: Claims Token; default in SharePoint 2013
  • 5. [Diagram: a security token made up of claims (Name, Age, Location) plus the issuer's Signature]
  • 6. [Diagram: claims-based authentication, © John Craddock]
       Issuer: IP-STS, the Identity Provider (IP) / Security Token Service (STS), backed by Active Directory
       User / Subject / Principal requests a token for AppX; the issuer issues a Security Token (ST) crafted for AppX
       The Security Token contains claims about the user, for example:
       • Name
       • Group membership
       • User Principal Name (UPN)
       • Email address of user
       • Email address of manager
       • Phone number
       • Other attribute values
       The Security Token is signed by the issuer
       The Security Token "authenticates" the user to the application
       AppX: Relying party (RP) / Resource provider; trusts the Security Token from the issuer
  • 7. Federation Single Sign On
  • 8. [Diagram: federated sign-on across two AD FS 2.0 STSs, © John Craddock]
       Parties: Partner user; Your claims-aware app (app trusts your STS); Your AD FS 2.0 STS (your STS trusts your partner's STS); Partner AD FS 2.0 STS & IP (backed by Active Directory)
       Flow:
       1. Browse app
       2. Not authenticated
       3. Redirect to your STS
       4. Home realm discovery
       5. Redirected to partner STS requesting ST for partner user
       6. Authenticate
       7. Return ST for consumption by your STS
       8. Redirected to your STS
       9. Return new ST
       10. Process token
       11. Send token
       12. Return cookies and page
  • 9. ADFS Wiki on TechNet: http://thvo.me/adfswiki
  • 10. ADFS versions:
        Windows Server 2008 R2: ADFS 2.0 (free download)
        Windows Server 2012: ADFS 2.1 (included)
        Windows Server 2012 R2: ADFS 3.0 (included)
        Configuration is stored in:
        • Windows Internal Database (standalone)
        • SQL Server (farm)
        Install-WindowsFeature ADFS-Federation -IncludeManagementTools
  • 11. # Import the ADFS token signing certificate to SharePoint
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
        New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert
        # Define the claims type mappings
        $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
        $roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
        $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
  • 12. # Create the trusted identity provider
        $realm = "urn:sharepoint:spssthlm"
        $signInURL = "https://adfs01.lab.thvo.net/adfs/ls"
        $issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
            -Realm $realm -ImportTrustCertificate $cert `
            -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap `
            -SignInUrl $signInURL `
            -IdentifierClaim $upnClaimMap.InputClaimType
  • 13. Implement a custom claims provider
  • 14. https://ldapcp.codeplex.com/
  • 15. i:0#.t|federation|thomasvochten
        i:0#.w|lab\thomasvochten
        © Wictor Wilén
  • 16. # Register the My Sites web application on the existing ADFS trust with its own realm
        $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
        $uri = New-Object System.Uri("https://spssthlm-mysites.lab.thvo.net/_trust/")
        $ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlm-mysites")
        $ap.Update()
  • 17. # Register the public web application on the existing ADFS trust with its own realm
        $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
        $uri = New-Object System.Uri("https://www.spssthlm.se/_trust/")
        $ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlmpublic")
        $ap.Update()
  • 18. # Allow user profile photos to be shown across web applications (e.g. from the My Sites host)
        $wa = Get-SPWebApplication https://spssthlm.lab.thvo.net
        $wa.CrossDomainPhotosEnabled = $true
        $wa.Update()
  • 19. #spssthlm #spssthlm02 @thomasvochten
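A decoder for the claims-encoded identifiers shown on slide 15, added here as an example that is not part of the deck; it assumes only a subset of SharePoint's encoding table (the codes listed in the block) and raises on anything it cannot place. It makes the slide's point concrete: the issuer is part of the identifier, so the ADFS identity and the Windows identity of the same person are two distinct principals, and permissions granted to one do not apply to the other.

```python
"""Decode SharePoint 2013 claims-encoded identifiers such as
'i:0#.t|federation|thomasvochten' (trusted provider, here ADFS) and
'i:0#.w|lab\\thomasvochten' (Windows). The lookup tables below cover
the common codes only (assumption); unknown codes are reported raw."""
from dataclasses import dataclass
from typing import Optional

# Character 4: claim type (subset of SharePoint's encoding table)
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
}
# Character 5: claim value type ('.' = string is by far the most common)
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
# Character 6: original issuer type; the flag says whether an issuer
# name precedes the value (Windows and the local STS carry none)
ISSUER_TYPES = {
    "w": ("Windows", False), "s": ("SecurityTokenService", False),
    "t": ("TrustedProvider", True), "m": ("Membership", True),
    "r": ("RoleProvider", True), "f": ("Forms", True), "c": ("ClaimProvider", True),
}

@dataclass(frozen=True)
class SPClaim:
    is_identity: bool        # 'i' = identity claim, 'c' = any other claim
    claim_type: str
    value_type: str
    issuer_type: str
    issuer_name: Optional[str]
    value: str

def decode_claim(encoded: str) -> SPClaim:
    """Parse '<i|c>:0<type><valuetype><issuer>|[issuername|]value'."""
    if (len(encoded) < 8 or encoded[0] not in "ic"
            or encoded[1:3] != ":0" or encoded[6] != "|"):
        raise ValueError(f"not a SharePoint claims-encoded string: {encoded!r}")
    if encoded[5] not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer type {encoded[5]!r} in {encoded!r}")
    issuer_type, has_name = ISSUER_TYPES[encoded[5]]
    rest = encoded[7:]
    issuer_name, sep, value = rest.partition("|") if has_name else (None, "", rest)
    if (has_name and not sep) or not value:
        raise ValueError(f"issuer name or value missing in {encoded!r}")
    return SPClaim(encoded[0] == "i", CLAIM_TYPES.get(encoded[3], encoded[3]),
                   VALUE_TYPES.get(encoded[4], encoded[4]),
                   issuer_type, issuer_name, value)
```

Feeding both slide 15 identifiers through `decode_claim` yields different issuer types and therefore unequal principals, which is why a permission assigned to the Windows identity is not visible to the user once they sign in through ADFS.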