Your SlideShare is downloading. ×
SharePoint 2013 with ADFS
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SharePoint 2013 with ADFS


Published on

We’ve all seen those next-next-finish demos of connecting SharePoint to ADFS. Just a few lines of PowerShell and you’re done, right? Not really. When you choose to implement SAML claims with …

We’ve all seen those next-next-finish demos of connecting SharePoint to ADFS. Just a few lines of PowerShell and you’re done, right? Not really. When you choose to implement SAML claims with SharePoint (because that’s what it is) there are a number of difficulties that you’ll need to overcome. The people picker doesn’t work anymore, user profile import becomes more complicated and even using some SharePoint apps will be problematic. We’ll also cover the infrastructure side like making it work with host named site collections, reverse proxy servers and federation with other user directories.

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. SharePoint 2013 with ADFS #spsuk @thomasvochten
  • 2. Thanks to our Sponsors
  • 3. About Me • SharePoint MVP • Platform architect • Trainer • Involuntary DBA @thomasvochten
  • 4. Agenda • Claims based identity in a nutshell • ADFS and SharePoint • Challenges • The road ahead
  • 5. Session Objectives • Benefits of claims based authentication • How ADFS can help your solution architecture • Know how to setup and configure ADFS • Setting up a trust between SharePoint and ADFS • Common issues, limitations and their solution • Getting to know the new wave of products around ADFS
  • 6. Claims based identity in a nutshell
  • 7. Claims based identity
  • 8. Claims based identity
  • 9. Claims based identity • Not a new concept • Claims provide abstraction • Authentication versus Authorization Authorization decisions are based on claims
  • 10. Some claims examples • Your name • Your email address • Your social security number • Your memberships • Your user account • Your booking reference • Your employment status •…
  • 11. Authorization based on tokens Classic Mode Authentication Claims Mode Authentication Windows Token Claims Token Default in SharePoint 2007, 2010 Default in SharePoint 2013
  • 12. Claims Token Claim Claim Name Age Location Claim Claim Signature
  • 13. Vocabulary • Claim • Security Token • Identity Provider (IdP) • Relying Party (RP) • Security Token Service (STS) • Realm
  • 14. Authentication vs Authorization AuthN AuthZ
  • 15. Claims in SharePoint 2013 3 types of claim providers • Windows • Trusted Provider (SAML) • Forms Based Authn Multiple Authn providers possible in the same zone Classic mode only via PowerShell
  • 16. Identity Normalization
  • 17. Windows Claims • NTLM or Kerberos are not dead • Single sign on in a domain environment • Used by SharePoint internally • Claims to Windows Token Service (c2wts)
  • 18. Trusted Provider Claims • SharePoint as relying party • Needs an external identity provider such as ADFS • Based on open standards (SAML, WS-*) • Login experience: browser redirects
  • 19. Issuer IP-STS Identity Provider (IP) Security Token Service (STS) Requests token for AppX User / Subject /Principal The Security Token Contains claims about the user For example: • Name • Group membership • User Principal Name (UPN) • Email address of user • Email address of manager • Phone number • Other attribute values Signed by issuer ST Active Directory Issues Security Token crafted for Appx Security Token “Authenticates” user to the application AppX Relying party (RP)/ Resource provider Trusts the Security Token from the issuer © John Craddock
  • 20. Use Cases • Cloud (what did you think) • Extranets • Mergers & acquisitions • Cross-forest authentication • Replacement for domain trusts • Advanced identity scenario’s Federation Single Sign On
  • 21. Your Claims-aware app Partner user Your AD FS 2.0 STS App trusts STS Browse app Active Directory Partner AD FS 2.0 STS & IP Your STS trusts your partner’s STS Not authenticated Redirect to your STS Home realm discovery Redirected to partner STS requesting ST for partner user Authenticate Return ST for consumption by your STS Redirected to your STS Return new ST Process token Send Token Return cookies and page © John Craddock
  • 22. ADFS and SharePoint
  • 23. Solutions on the market • CA SiteMinder • Shibolleth • Oracle Access Manager • IBM Tivoli Access Manager • Active Directory Federation Services • Custom solutions using WIF •…
  • 24. Why ADFS ? • Natural candidate for SharePoint • Supports the necessary standards • Integration with Active Directory • Often used as a go-between • Powerful capabilities • Free with Windows Server license ADFS Wiki on TechNet:
  • 25. Simplified Logon Process with ADFS • User connects to SharePoint • SharePoint redirects to ADFS • ADFS checks username and password • ADFS creates a token, signs it and puts it in a cookie • ADFS redirects to SharePoint with that cookie • SharePoint STS validates & extracts the claims from the token • SharePoint STS creates another cookie for internal use (FedAuth) • SharePoint performs authorization • User connects to the web application
  • 26. Installing ADFS Windows Server 2008 R2 ADFS 2.0 (free download) Windows Server 2012 ADFS 2.1 (included) Windows Server 2012 R2 ADFS 3.0 (included) Configuration is stored in • Windows Internal Database (standalone) • SQL Server (farm) Install-WindowsFeature ADFS-Federation -IncludeManagementTools
  • 27. Configuring ADFS • Run the configuration wizard • Create or join a federation service • Specify a federation service name (URL)
  • 28. Prepare ADFS for SharePoint • Export the token signing certificate • Configure SharePoint as a relying party • Configure claim rules
  • 29. Demo Configure ADFS for SharePoint
  • 30. Prepare SharePoint for ADFS • Import the token signing certificate • Create a Trusted Security Token Issuer pointing to ADFS • Configure the web application to use ADFS • Configure administrator permissions
  • 31. Create the Trusted Security Token Issuer # Import the ADFS token signing certificate to SharePoint $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:TokenSigning.cer") New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert # Define the claims type mappings $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming $roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "Role" SameAsIncoming $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "UPN" SameAsIncoming
  • 32. Create the Trusted Security Token Issuer # Create the trusted identity provider $realm = "urn:sharepoint:spsuk" $signInURL = "" $issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" ` -Realm $realm -ImportTrustCertificate $cert ` -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap ` -SignInUrl $signInURL ` -IdentifierClaim $upnClaimMap.InputClaimType
  • 33. Demo Configure SharePoint for ADFS
  • 34. Challenges
  • 35. People Picker • Most significant functional difference • Will resolve any claim by default
  • 36. Custom Claims Provider Implement a custom claims provider
  • 37. Custom Claims Provider • Augmentation • Name resolution • Deployed as a solution file • Implements methods for searching in directories • Dependent on the “Microsoft SharePoint Foundation Web Application”
  • 38. Custom Claims Provider
  • 39. Claims Encoding i:0#.t|federation|thomasvochten i:0#.w|labthomasvochten
  • 40. Multiple web applications • Tying multiple web applications to the same Security Token Issuer • By default, only one realm is configured • Make sure you create a relying party in ADFS too $ap = Get-SPTrustedIdentityTokenIssuer "ADFS" $uri = new-object System.Uri("") $ap.ProviderRealms.Add($uri, "urn:sharepoint:spsukmysites") $ap.Update()
  • 41. Host Named Site Collections Treated like a web application in ADFS: relying party for every HNSC ! $ap = Get-SPTrustedIdentityTokenIssuer "ADFS" $uri = new-object System.Uri("") $ap.ProviderRealms.Add($uri, "urn:sharepoint:spsuk") $ap.Update()
  • 42. Cross web application authentication • The FedAuth cookie contains only a single domain • Cross-webapp requests are not authenticated automatically • You have to logon to both webapps first • OOB Solution for user profile pictures: $wa = Get-SPWebApplication $wa.CrossDomainPhotosEnabled = $true $wa.Update()
  • 43. Search • Search needs Windows Authentication to crawl • Configure multiple authentication methods or • Set up multiple zones
  • 44. Cookies • Session cookies vs persistent cookies • When do sessions expire? • Get-SPSecurityTokenServiceConfig
  • 45. Certificates • Import the signing certificate root into SharePoint too if needed • Import the SharePoint Root Authority certificate into the trusted issuers on the SharePoint box
  • 46. SharePoint Hosted Apps • SharePoint apps will not work for the scenario where SharePoint is using SAML authentication and the application itself is also hosted in SharePoint. However it WILL work if the SharePoint site is using SAML authentication and the application is hosted in Azure or providerhosted
  • 47. User Profile Service • Specify the ADFS server when configuring the import connection • No matching between logged on user & user in profile service • Check the “Claim User Identifier” in user profile properties
  • 48. Publishing to the internet • Federation service URL must be identical on the intranet / internet • Use Split DNS to achieve this goal • Publish ADFS directly or via an ADFS Proxy • UAG 2010 can be a ADFS proxy too
  • 49. Federation • A chain of trusted/trusting identity providers • Configure relying parties • Configure claims provider trusts • You probably want to play around with custom claim rules here
  • 50. Other tips • Choice of the unique identity claim is very important • Home realm discovery when federation with other directories • Always use SSL, it doesn’t work without it • Most backend systems don’t understand SAML claims
  • 51. Useful tools • ULSViewer • Fiddler
  • 52. Demo Common issues an their solutions
  • 53. The Road Ahead What’s new with Windows Server 2012 R2
  • 54. Windows Server 2012 R2 • New ADFS capabilities together • Closely connected to the Web Application Proxy (WAP) • WAP allows for preauthentication with ADFS • Does not use IIS anymore. • Meant to replace/complement UAG & ADFS Proxy in the future
  • 55. Demo Windows Server 2012 R2 - ADFS & Web Application Proxy
  • 56. Key Takeaways • Known the basics of claims based AuthN • Be aware: - custom claims providers - multiple web apps or HNSC - cookies - user profile service • ADFS does not only mean Active Directory • Not only for partner to partner federation scenario’s
  • 57. Q&A #spsuk @thomasvochten