hoozin
  • Overview
  • Setup
    • Architecture
    • Technical Requirements
    • Planning
    • Before You Start
    • Deploy the Infrastructure
    • Create a New Instance
    • AD FS SharePoint Configuration
  • Directory sync
    • Active Directory User Synchronization
    • Groups Synchronization
    • User Profile Schema
  • Branding
    • Deploy Branding Package
  • hoozin UI
    • Social
    • Communities
    • Apps
    • Doc Management
Powered by GitBook
On this page
  • Prerequisites
  • SharePoint SAML support
  • AD FS settings
  • SharePoint configuration
  • Hoozin configuration
  • Troubleshooting
  • AD FS token renewal
  • Identity claim information
  1. Setup

AD FS SharePoint Configuration

PreviousCreate a New InstanceNextActive Directory User Synchronization

Last updated 6 years ago

Prerequisites

SharePoint SAML support

SAML 2.0 is not supported by SharePoint 2013 or 2016, which support SAML 1.0/1.1 only. See the Microsoft TechNet article for more information.

AD FS settings

Configure the relying party in AD FS, which consists of the following elements:

  • URL or endpoint: The endpoint must follow the WS-Federation Passive protocol.

  • Relying party trust identifier: This can be in the format urn:<instancename>:<env>, which will be used later in the SharePoint configuration.

  • Claim rules: These rules may vary depending on customer requirements and environments. Generally, UPN and email are two common attributes that are passed in the claims.

  • Token-signing certificate: There are two ways to extract the token-signing certificate:

    • Extract the certificate from the federation metadata: From the federation metadata URL, copy the data located between <X509Data><X509Certificate> </X509Certificate></X509Data> and paste it in a text editor, then save the file with the .cer extension. (Example: ADFSToken.certo SharePoint Server.)

    • Export the certificate from the AD FS management console: Choose Services > Certificates > Token-Signing, then save the certificate as a DER encoded binary (.cer) and copy it to SharePoint Server.

SharePoint configuration

To configure AD FS, run the PowerShell snippet below on SharePoint Server:

#Import the ADFS Token to SharePoint Trust
$cert = "c:\adfstoken.cer" 
$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Cert)
New-SPTrustedRootAuthority -Name "ADFS Token Signing Cert" -Certificate $adfscert
#Once the above step is complete, You must see the certificate in Central Administration > Security > Manage Trust > “ADFS Token Signing Cert”
#The realm is the same value you have used in ADFS setting for Relying Party Trust Identifier. The below is an example
$realm="urn:adfshoozin:prod"
#In the example below, Email and UPN claims have been used. The ClaimType can be provided by ADFS administrator or can be extracted from Claim Rules
$emailClaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -sameasincoming
$upnclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" –SameAsIncoming
#ADFS sign in URL shall be provided by ADFS administrator
$signinURL="https://adfs.mycompany.com/adfs/ls/"
$issuer = New-SPTrustedIdentityTokenIssuer -name "ADFS Token Issuer" -Description "ADFS Identity Provider" -Realm $realm -ImportTrustCertificate $adfscert -signInURL $signinURL -ClaimsMappings $emailClaim,$upnclaim -IdentifierClaim $emailClaim.InputClaimType
#In the above code snippet for configuring Trusted Identity Provider, IdentifierClaim is set to use Email i.e., Email is being used as a unique identifier that represents a specific user. This may vary depending on the customer requirement/environment.

Once these steps have been successfully completed, go to the SharePoint Central Administration menu and click Application Management. Then, under Web Applications, choose Manage web applications and select the hoozin Web Application that requires AD FS configuration.

Click Authentication Providers and choose Default, then set the following options:

  1. Uncheck Enable Windows Authentication.

  2. Uncheck Enable Forms Based Authentication (FBA).

  3. Check Trusted Identity Provider, then check ADFS Token Issuer. (Note that

    ADFS Token Issuer is the name specified when creating the Trusted Identity Provider.)

Save and close, then perform an iisreset.

Hoozin configuration

Hoozin AD LDS needs to be synchronized with the Enterprise accounts. These accounts can be synchronized from the following sources:

  • Active Directory

  • CSV

  • SharePoint List

  • XML

Source

Destination

mail

userPrincipalName

In some cases, the mail attribute is the same as userPrincipalName in Enterprise AD, so the source and destination can be set as userPrincipalName.

Troubleshooting

AD FS token renewal

#Select the appropriate Token Signing Certificate from List
Get-SPTrustedRootAuthority | FL –Property Name

#Remove the Old Signing Certificate, Ex: ADFS Token Signing Certificate”
Remove-SPTrustedRootAuthority "ADFS Token Signing Certificate"

#Update the New certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\NewADFSToken.cer")
$trust = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS Token Issuer"
$trust.SigningCertificate = $cert
$trust.Update()
New-SPTrustedRootAuthority -Name "ADFS Token Signing Certificate" -Certificate $cert

#Restart the web application
Iisreset

Identity claim information

To get identity claim information, run the following SharePoint PowerShell commands:

$spidtkn = Get-SPTrustedIdentityTokenIssuer
$spidtkn.IdentityClaimTypeInformation
#Refer DisplayName attribute to know the IdentityClaim

Follow the instructions in the section. In the directory synchronization settings the source attribute of the userPrincipalName destination is the Identifier Claim. In this AD FS–SharePoint configuration, the Identifier Claim is set to email, and the source and destination configuration is as follows:

Internet Explorer: Use Fiddler. See the Microsoft TechNet article.

Chrome: Use the .

Firefox: Use the .

You must have an AD FS token extracted and copied to SharePoint Server. Extract the token-signing certificate using one of the methods in the section above, then run the following SharePoint PowerShell commands to renew the certificate:

Does SharePoint 2016 support SAML 2.0
Active Directory User Synchronization
Mapping tab,
AD FS 2.0: How to Use Fiddler Web Debugger to Analyze a WS-Federation Passive Sign-In
SAML-tracer extension
SAML-tracer add-on
AD FS settings