SharePoint 2013 with ADFS


We’ve all seen those next-next-finish demos of connecting SharePoint to ADFS. Just a few lines of PowerShell and you’re done, right? Not really. When you choose to implement SAML claims with SharePoint (because that’s what it is) there are a number of difficulties that you’ll need to overcome. The people picker doesn’t work anymore, user profile import becomes more complicated and even using some SharePoint apps will be problematic. We’ll also cover the infrastructure side like making it work with host named site collections, reverse proxy servers and federation with other user directories.

Published in: Technology


  1. SharePoint 2013 with ADFS #spsuk @thomasvochten
  2. Thanks to our Sponsors
  3. About Me • SharePoint MVP • Platform architect • Trainer • Involuntary DBA @thomasvochten
  4. Agenda • Claims based identity in a nutshell • ADFS and SharePoint • Challenges • The road ahead
  5. Session Objectives • Benefits of claims based authentication • How ADFS can help your solution architecture • Know how to set up and configure ADFS • Setting up a trust between SharePoint and ADFS • Common issues, limitations and their solution • Getting to know the new wave of products around ADFS
  6. Claims based identity in a nutshell
  7. Claims based identity
  8. Claims based identity
  9. Claims based identity • Not a new concept • Claims provide abstraction • Authentication versus Authorization: authorization decisions are based on claims
  10. Some claims examples • Your name • Your email address • Your social security number • Your memberships • Your user account • Your booking reference • Your employment status • …
  11. Authorization based on tokens • Classic Mode Authentication: Windows Token (default in SharePoint 2007 and 2010) • Claims Mode Authentication: Claims Token (default in SharePoint 2013)
  12. Claims Token (diagram): a token holding claims such as Name, Age and Location, plus the issuer's signature
  13. Vocabulary • Claim • Security Token • Identity Provider (IdP) • Relying Party (RP) • Security Token Service (STS) • Realm
  14. Authentication vs Authorization (AuthN vs AuthZ)
  15. Claims in SharePoint 2013 • 3 types of claim providers: Windows, Trusted Provider (SAML), Forms Based Authn • Multiple Authn providers possible in the same zone • Classic mode only via PowerShell
  16. Identity Normalization
  17. Windows Claims • NTLM or Kerberos are not dead • Single sign on in a domain environment • Used by SharePoint internally • Claims to Windows Token Service (c2wts)
  18. Trusted Provider Claims • SharePoint as relying party • Needs an external identity provider such as ADFS • Based on open standards (SAML, WS-*) • Login experience: browser redirects
  19. Token issuance (diagram © John Craddock): the user (subject/principal) requests a token for AppX from the issuer, an IP-STS (Identity Provider + Security Token Service) backed by Active Directory. The issuer signs and returns a security token crafted for AppX that contains claims about the user, for example name, group membership, User Principal Name (UPN), the user's email address, the manager's email address, phone number and other attribute values. The security token "authenticates" the user to AppX, the relying party (RP)/resource provider, which trusts security tokens from the issuer.
  20. Use Cases • Cloud (what did you think) • Extranets • Mergers & acquisitions • Cross-forest authentication • Replacement for domain trusts • Advanced identity scenarios • Federation • Single Sign On
  21. Federated sign-in (diagram © John Craddock): a partner user browses your claims-aware app, which trusts your AD FS 2.0 STS; your STS in turn trusts your partner's AD FS 2.0 STS & IP, backed by the partner's Active Directory. The user is not authenticated, so the app redirects to your STS; home realm discovery redirects the user to the partner STS, requesting a security token for the partner user; the partner STS authenticates the user and returns a token for consumption by your STS; the user is redirected to your STS, which returns a new token; the token is sent to the app, which processes it and returns cookies and the page.
  22. ADFS and SharePoint
  23. Solutions on the market • CA SiteMinder • Shibboleth • Oracle Access Manager • IBM Tivoli Access Manager • Active Directory Federation Services • Custom solutions using WIF • …
  24. Why ADFS? • Natural candidate for SharePoint • Supports the necessary standards • Integration with Active Directory • Often used as a go-between • Powerful capabilities • Free with Windows Server license • ADFS Wiki on TechNet:
  25. Simplified Logon Process with ADFS • User connects to SharePoint • SharePoint redirects to ADFS • ADFS checks username and password • ADFS creates a token, signs it and puts it in a cookie • ADFS redirects to SharePoint with that cookie • SharePoint STS validates & extracts the claims from the token • SharePoint STS creates another cookie for internal use (FedAuth) • SharePoint performs authorization • User connects to the web application
  26. Installing ADFS • Windows Server 2008 R2: ADFS 2.0 (free download) • Windows Server 2012: ADFS 2.1 (included) • Windows Server 2012 R2: ADFS 3.0 (included) • Configuration is stored in Windows Internal Database (standalone) or SQL Server (farm) • Install-WindowsFeature ADFS-Federation -IncludeManagementTools
  27. Configuring ADFS • Run the configuration wizard • Create or join a federation service • Specify a federation service name (URL)
  28. Prepare ADFS for SharePoint • Export the token signing certificate • Configure SharePoint as a relying party • Configure claim rules
  29. Demo: Configure ADFS for SharePoint
  30. Prepare SharePoint for ADFS • Import the token signing certificate • Create a Trusted Security Token Issuer pointing to ADFS • Configure the web application to use ADFS • Configure administrator permissions
  31. Create the Trusted Security Token Issuer

      ```powershell
      # Import the ADFS token signing certificate to SharePoint
      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
      New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert

      # Define the claim type mappings (the transcript dropped the claim type URIs;
      # these are the standard URIs for the email address, role and UPN claims)
      $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
      $roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
      $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
      ```

  32. Create the Trusted Security Token Issuer

      ```powershell
      # Create the trusted identity provider
      $realm = "urn:sharepoint:spsuk"
      $signInURL = ""   # ADFS sign-in URL (dropped from the transcript): the /adfs/ls/ endpoint of the federation service
      $issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
          -Realm $realm -ImportTrustCertificate $cert `
          -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap `
          -SignInUrl $signInURL `
          -IdentifierClaim $upnClaimMap.InputClaimType
      ```
  33. Demo: Configure SharePoint for ADFS
  34. Challenges
  35. People Picker • Most significant functional difference • Will resolve any claim by default
  36. Custom Claims Provider: implement a custom claims provider
  37. Custom Claims Provider • Augmentation • Name resolution • Deployed as a solution file • Implements methods for searching in directories • Dependent on the "Microsoft SharePoint Foundation Web Application" service
  38. Custom Claims Provider
  39. Claims Encoding • i:0#.t|federation|thomasvochten (trusted provider identity) • i:0#.w|lab\thomasvochten (Windows identity)
  40. Multiple web applications • Tying multiple web applications to the same Security Token Issuer • By default, only one realm is configured • Make sure you create a relying party in ADFS too

      ```powershell
      $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
      $uri = New-Object System.Uri("")   # URL of the additional web application (dropped from the transcript)
      $ap.ProviderRealms.Add($uri, "urn:sharepoint:spsukmysites")
      $ap.Update()
      ```

  41. Host Named Site Collections • Treated like a web application in ADFS: a relying party for every HNSC!

      ```powershell
      $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
      $uri = New-Object System.Uri("")   # URL of the host named site collection (dropped from the transcript)
      $ap.ProviderRealms.Add($uri, "urn:sharepoint:spsuk")
      $ap.Update()
      ```

  42. Cross web application authentication • The FedAuth cookie contains only a single domain • Cross-webapp requests are not authenticated automatically • You have to log on to both webapps first • OOB solution for user profile pictures:

      ```powershell
      $wa = Get-SPWebApplication   # pass the web application URL (dropped from the transcript) as argument
      $wa.CrossDomainPhotosEnabled = $true
      $wa.Update()
      ```

  43. Search • Search needs Windows Authentication to crawl • Configure multiple authentication methods, or set up multiple zones
  43. 43. Search • Search needs Windows Authentication to crawl • Configure multiple authentication methods or • Set up multiple zones
  44. 44. Cookies • Session cookies vs persistent cookies • When do sessions expire? • Get-SPSecurityTokenServiceConfig
  45. 45. Certificates • Import the signing certificate root into SharePoint too if needed • Import the SharePoint Root Authority certificate into the trusted issuers on the SharePoint box
  46. 46. SharePoint Hosted Apps • SharePoint apps will not work for the scenario where SharePoint is using SAML authentication and the application itself is also hosted in SharePoint. However it WILL work if the SharePoint site is using SAML authentication and the application is hosted in Azure or providerhosted
  47. 47. User Profile Service • Specify the ADFS server when configuring the import connection • No matching between logged on user & user in profile service • Check the “Claim User Identifier” in user profile properties
  48. 48. Publishing to the internet • Federation service URL must be identical on the intranet / internet • Use Split DNS to achieve this goal • Publish ADFS directly or via an ADFS Proxy • UAG 2010 can be a ADFS proxy too
  49. 49. Federation • A chain of trusted/trusting identity providers • Configure relying parties • Configure claims provider trusts • You probably want to play around with custom claim rules here
  50. 50. Other tips • Choice of the unique identity claim is very important • Home realm discovery when federation with other directories • Always use SSL, it doesn’t work without it • Most backend systems don’t understand SAML claims
  51. 51. Useful tools • ULSViewer • Fiddler
  52. 52. Demo Common issues an their solutions
  53. 53. The Road Ahead What’s new with Windows Server 2012 R2
  54. 54. Windows Server 2012 R2 • New ADFS capabilities together • Closely connected to the Web Application Proxy (WAP) • WAP allows for preauthentication with ADFS • Does not use IIS anymore. • Meant to replace/complement UAG & ADFS Proxy in the future
  55. 55. Demo Windows Server 2012 R2 - ADFS & Web Application Proxy
  56. 56. Key Takeaways • Known the basics of claims based AuthN • Be aware: - custom claims providers - multiple web apps or HNSC - cookies - user profile service • ADFS does not only mean Active Directory • Not only for partner to partner federation scenario’s
  57. 57. Q&A #spsuk @thomasvochten
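As an added example that is not part of the deck, a Python decoder for the encoded claim strings on slide 39: it splits an identity such as `i:0#.t|federation|thomasvochten` into claim kind, claim type, value type, original issuer and value, and shows that the trusted-provider and Windows identities of the same person decode to different issuers, which is why SharePoint treats them as distinct principals (the identity normalization point of slide 16). The claim-type and issuer-type tables are an assumed subset, not SharePoint's complete tables.

```python
from dataclasses import dataclass
from typing import Optional

# Subset of SharePoint's static claim-type table (encoded char -> claim type URI).
# Assumption: only the entries the example author is sure of; other chars are returned raw.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "e": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
}
# Original-issuer chars; Windows and the local SharePoint STS carry no issuer name segment.
ISSUER_TYPES = {"w": "Windows", "s": "SharePoint STS", "t": "Trusted provider",
                "f": "Forms", "c": "Claim provider"}
NAMELESS_ISSUERS = {"w", "s"}

@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool           # 'i' = identity claim, 'c' = any other claim
    claim_type: str             # claim type URI, or the raw char if not in CLAIM_TYPES
    value_type: str             # '.' encodes an XML Schema string; other chars kept raw
    issuer_type: str            # human-readable original issuer type
    issuer_name: Optional[str]  # e.g. the trusted provider name; None for Windows
    value: str                  # the claim value, e.g. lab\thomasvochten

def decode(encoded: str) -> EncodedClaim:
    """Split <i|c>:0<claim type><value type><issuer type>|[<issuer name>|]<value>."""
    if len(encoded) < 8 or encoded[0] not in "ic" or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    ctype, vtype, itype = encoded[3], encoded[4], encoded[5]
    if itype not in ISSUER_TYPES:
        raise ValueError(f"unknown original issuer type {itype!r} in {encoded!r}")
    rest = encoded[7:]
    if itype in NAMELESS_ISSUERS:
        name, value = None, rest          # Windows: value follows the '|' directly
    else:
        name, _, value = rest.partition("|")  # trusted/forms: issuer name, then value
    return EncodedClaim(encoded[0] == "i", CLAIM_TYPES.get(ctype, ctype),
                        "string" if vtype == "." else vtype, ISSUER_TYPES[itype], name, value)
```

Decoding the two slide 39 strings gives issuer type "Trusted provider" with issuer name "federation" for the first and "Windows" with no issuer name for the second, so the two dataclass values compare unequal.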