SAML-based Claims Authentication For SharePoint Server 2013

This article describes how to configure SAML-based claims authentication for SharePoint Server 2013 Preview with AD FS 2.0 as the identity provider. There are five steps, listed below. We use the same three-tier farm we discussed in my previous article.

The farm consists of the following servers:

  • Domain Controller (DC1): One computer running Windows Server 2008 R2 Enterprise Edition that is configured as an intranet domain controller. AD FS 2.0 is installed here.
  • Database Server (SQL1): One intranet member server running Windows Server 2008 R2 Enterprise Edition that is configured as a SQL database server.
  • Application Server (APP1): One intranet member server running Windows Server 2008 R2 Enterprise Edition that is configured as the SharePoint Server 2013 Preview application server.
  • Web Front-End Server (WFE1): One intranet member server running Windows Server 2008 R2 Enterprise Edition that is configured as the SharePoint front-end web server.
  • Client (CLIENT1): One member client computer running Windows 7 Enterprise.


  1. Install AD FS 2.0 on DC1.
  2. Configure AD FS with the web application as a relying party.
  3. Configure SharePoint Server 2013 Preview to trust AD FS as an identity provider.
  4. Configure the default web application to use claims-based authentication.
  5. Verify SAML-based claims authentication from CLIENT1.

Install AD FS 2.0 on DC1

  1. Go to the Active Directory Federation Services 2.0 RTW web page, and then click Continue.
  2. On the Registration Suggested for This Download page, determine whether you want to register for this download.
  3. From the Proceed to download page, click Download next to RTW\W2K8R2\amd64\AdfsSetup.exe (the version for Windows Server 2008 R2, which the DC1 computer runs).
  4. When prompted with the File Download-Security Warning dialog box (Do you want to run or save this file?), click Run.
  5. When prompted with the File Download-Security Warning dialog box (Do you want to run this software?), click Run. The Active Directory Federation Services 2.0 Setup Wizard runs.
  6. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
  7. On the End-User License Agreement page, select I accept the terms of the License Agreement, and then click Next.
  8. On the Server Role page, click Federation server, and then click Next.
  9. On the Install Prerequisite Software page, click Next.
  10. On the Completed the AD FS 2.0 Setup Wizard page, click Finish. The AD FS 2.0 management console displays and runs the AD FS 2.0 Federation Server Configuration Wizard.
  11. On the Welcome to the AD FS 2.0 Federation Server Configuration Wizard page, click Create a new Federation Service, and then click Next.
  12. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and then click Next.
  13. On the Specify the Federation Service Name page, ensure that the certificate named DC1.corp.TeamSite.com is displayed, and then click Next.
  14. On the Ready to Apply Settings page, click Next.
  15. On the Configuration Results page, click Close.
  16. Close the AD FS 2.0 management console.

AD FS 2.0 is now installed on DC1. Use the AD FS 2.0 Management console (click Start, point to Administrative Tools, and then click AD FS 2.0 Management) to configure relying party trusts and claims provider trusts.
 
Configure AD FS with the web application as a relying party

First, give the test account an e-mail address, because the E-Mail Address claim is the identifier claim that SharePoint will use for this user:

  1. Log on to DC1 with the User1 user account.
  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. In the navigation pane, expand corp.TeamSite.com, and then double-click Users.
  4. In the contents pane, double-click User1.
  5. On the General tab, in E-mail, type the e-mail address for User1, and then click OK.

Next, configure an AD FS relying party trust that corresponds to the default team site. The relying party trust defines how AD FS recognizes the SharePoint web application and which claims it issues to it.

To configure AD FS for a relying party

  1. Log on to DC1 with the User1 account.
  2. Click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
  3. In the navigation pane, expand Trust Relationships, and then double-click the Relying Party Trusts folder.
  4. In the contents pane, click Add Relying Party Trust. This starts the Add Relying Party Trust Wizard.
  5. On the Welcome to the Add Relying Party Trust Wizard page, click Start.
  6. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.
  7. On the Specify Display Name page, type APP1, and then click Next.
  8. On the Choose Profile page, click AD FS 2.0 profile, and then click Next.
  9. On the Configure Certificate page, click Next. This page is for an optional token encryption certificate. It is skipped here because the token is carried only over HTTPS (from the browser to DC1 and from the browser to APP1), so it is protected in transit anyway; it is still signed by the AD FS token signing certificate, which SharePoint will verify.
  10. On the Configure URL page, select Enable support for the WS-Federation Passive protocol. In Relying party WS-Federation Passive protocol URL, type https://Site URL/_trust/ (the public HTTPS URL of the SharePoint web application followed by /_trust/), and then click Next.
  11. On the Configure Identifiers page, type urn:sharepoint:TeamSite, click Add, and then click Next. This identifier is the realm value you supply when you configure the SharePoint farm for the new trusted identity token issuer; the two must match exactly.
  12. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.
  13. On the Ready to Add Trust page, click Next.
  14. On the Finish page, click Close. The Edit Claim Rules dialog box opens. Use it and the following procedure to configure the mapping of claims from AD FS to SharePoint Server 2013 Preview.

Configure claim rules

  1. In the Edit Claim Rules dialog box, on the Issuance Transform Rules tab, click Add Rule.
  2. On the Select Rule Template page, click Send LDAP Attributes as Claims, and then click Next.
  3. On the Configure Rule page, type Email, Role, and UPN in Claim rule name.
  4. In Attribute Store, click Active Directory.
  5. In the empty row in Mapping of LDAP attributes to outgoing claim types, for LDAP Attribute, click SAM-Account-Name.
  6. For Outgoing Claim Type, click E-Mail Address. Note that with this mapping the value of the E-Mail Address claim, and therefore the identity SharePoint sees, is the account name (User1), not the mail attribute; choose E-Mail-Addresses as the LDAP attribute instead if you want the real mailbox address.
  7. In the new empty row, for LDAP Attribute, click Token-Groups - Unqualified Names.
  8. For Outgoing Claim Type, click Role.
  9. In the new empty row, for LDAP Attribute, click User-Principal-Name.
  10. For Outgoing Claim Type, click UPN.
  11. Click Finish.
  12. Click Add Rule.
  13. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim, and then click Next.
  14. On the Configure Rule page, type PrimarySID in Claim rule name, click Primary SID in Incoming claim type, click Finish, and then click OK.
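The same relying party trust and claim rules, created from the AD FS 2.0 PowerShell snap-in on DC1 instead of the wizard. This is an added example and not part of the original article; the web application URL https://teamsite.corp.TeamSite.com is an assumed value standing in for the Site URL placeholder above. The rules are written in the AD FS claim rule language that the two wizard templates generate, so you can see exactly which claims are issued to SharePoint.

```powershell
# Added example (not from the original article): create the APP1 relying party
# trust and its claim rules from PowerShell on DC1 (AD FS 2.0).
# Assumption: https://teamsite.corp.TeamSite.com is the SharePoint web application
# URL that the article calls "Site URL".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName     = "APP1"
$realm      = "urn:sharepoint:TeamSite"                      # identifier = SharePoint realm
$spTrustUrl = "https://teamsite.corp.TeamSite.com/_trust/"   # WS-Federation passive endpoint

# Issuance transform rules: the "Send LDAP Attributes as Claims" rule followed by
# the "Pass Through or Filter an Incoming Claim" rule for the primary SID, as the
# wizard templates generate them. The first rule maps sAMAccountName to the
# E-Mail Address claim type, so the identifier SharePoint sees is the account
# name (User1), not the mail attribute.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email, Role, and UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName,tokenGroups,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "PrimarySID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
# Authorization is still enforced by SharePoint permissions; this only says AD FS
# will issue a token for anyone who can authenticate.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier $realm `
    -WSFedEndpoint $spTrustUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust exists, points at /_trust/ on the SharePoint web application,
# carries the identifier SharePoint will send as the realm, and has no encryption
# certificate (matching the skipped Configure Certificate page).
Get-ADFSRelyingPartyTrust -Name $rpName |
    Format-List Name, Identifier, WSFedEndpoint, EncryptionCertificate,
                IssuanceTransformRules, IssuanceAuthorizationRules
```

Keep the realm string and the /_trust/ URL in one place (a script like this) so that the value typed on the SharePoint side cannot drift from what AD FS expects; a realm mismatch is the most common reason the AD FS sign-in page never appears.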

Export the token signing certificate

SharePoint must trust the certificate that AD FS signs tokens with. Export it from the AD FS console so that it can be imported on APP1:

  1. In the navigation pane of the AD FS 2.0 console, expand Service, and then click Certificates.
  2. In the contents pane, under Token-signing, right-click the certificate, and then click View Certificate. This displays the properties of the certificate.
  3. Click the Details tab, and then click Copy to File. This starts the Certificate Export Wizard.
  4. On the Welcome to the Certificate Export Wizard page, click Next.
  5. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.
  6. On the File to Export page, type D:\ADFS_Sign.cer, and then click Next.
  7. On the Completing the Certificate Export Wizard page, click Finish.

Only the public certificate is exported here; the token signing private key never leaves DC1.

Configure SharePoint Server 2013 Preview to trust AD FS as an identity provider

Import the AD FS token signing certificate into the farm's trusted root authority list from APP1.

Import the AD FS token signing certificate

  1. Log on to APP1 with the User1 user account.
  2. Click Start, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.
  3. From the SharePoint 2013 Management Shell command prompt, issue the following commands (the path is the file exported on DC1 in the previous procedure, read over the administrative share):

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("\\dc1\d$\ADFS_Sign.cer")
    New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

In this procedure, you define the claim mappings that SharePoint will accept from AD FS: the E-Mail Address claim, which serves as the identity claim, and the Primary security ID (SID) claim. (The Role and UPN claims issued by AD FS are not mapped here; add further New-SPClaimTypeMapping entries if you want them available in SharePoint.)

Identity and Primary SID claim mappings

  1. On APP1, from the SharePoint 2013 Management Shell command prompt, create an identity claim mapping by using the following command:

    $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
     
  2. Create the Primary SID claim mapping by using the following command:

    $sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "PrimarySID" -SameAsIncoming

Now add a new trusted identity token issuer (authentication provider) named ADFS for TeamSite. Once it is defined, you can select it as the trusted identity provider when you configure claims-based authentication for a new or existing SharePoint web application.
 
New authentication provider

From the SharePoint 2013 Management Shell command prompt, create a new authentication provider by using the following commands:

    # The realm must match the relying party identifier configured in AD FS,
    # and the sign-in URL is the WS-Federation passive endpoint of the AD FS
    # federation service on DC1 (DC1.corp.TeamSite.com).
    $realm = "urn:sharepoint:TeamSite"
    $signInURL = "https://DC1.corp.TeamSite.com/adfs/ls"
    $ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS for TeamSite" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$sidClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimMap.InputClaimType
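Before changing the web application, it is worth confirming that what SharePoint now trusts matches what AD FS actually publishes. The script below, an added example that is not part of the original article, reads the federation metadata from DC1 and compares the signing certificate, passive endpoint and realm against the trusted identity token issuer created above. It assumes the federation service name is DC1.corp.TeamSite.com (the certificate shown in the AD FS configuration wizard) and that the issuer is named ADFS for TeamSite.

```powershell
# Added example (not from the original article): check the SharePoint side of
# the trust against what AD FS on DC1 publishes. Assumptions: federation service
# name DC1.corp.TeamSite.com, issuer named "ADFS for TeamSite".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName    = "ADFS for TeamSite"
$adfsHost      = "DC1.corp.TeamSite.com"
$expectedRealm = "urn:sharepoint:TeamSite"

$ap = Get-SPTrustedIdentityTokenIssuer $issuerName

# 1. Download the federation metadata and pull out every signing certificate and
#    the passive (WS-Federation) endpoint AD FS advertises. XmlDocument.Load uses
#    the machine trust store, so it fails if the AD FS HTTPS certificate is untrusted.
$xml = New-Object System.Xml.XmlDocument
$xml.Load("https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml")
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md",  "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds",  "http://www.w3.org/2000/09/xmldsig#")
$ns.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("wsa", "http://www.w3.org/2005/08/addressing")

$published = @{}   # thumbprint -> certificate
foreach ($node in $xml.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $c.Import([Convert]::FromBase64String($node.InnerText))
    $published[$c.Thumbprint] = $c
}
$passiveUrl = $xml.SelectSingleNode("//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", $ns).InnerText

# 2. Compare with what SharePoint holds.
$trusted = $ap.SigningCertificate.Thumbprint
if ($published.ContainsKey($trusted)) {
    Write-Host "OK: signing certificate $trusted is one AD FS currently publishes"
} else {
    Write-Warning "AD FS no longer publishes $trusted; sign-in will fail until the new certificate is imported"
}
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $trusted })) {
    Write-Warning "no SPTrustedRootAuthority holds $trusted; run New-SPTrustedRootAuthority for it"
}
if ($ap.ProviderUri.AbsoluteUri.TrimEnd('/') -ne $passiveUrl.TrimEnd('/')) {
    Write-Warning "SignInUrl $($ap.ProviderUri) differs from the passive endpoint AD FS publishes ($passiveUrl)"
}
if ($ap.DefaultProviderRealm -ne $expectedRealm) {
    Write-Warning "realm is $($ap.DefaultProviderRealm), expected $expectedRealm (must equal the AD FS relying party identifier)"
}
"Identifier claim: " + $ap.IdentityClaimTypeInformation.InputClaimType
```

Rerun this check periodically. AD FS 2.0 has AutoCertificateRollover enabled by default and generates a new token signing certificate before the old one expires, but SharePoint never reads the federation metadata, so after a rollover every SAML sign-in fails until you export the new certificate and update the issuer with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate and add it with New-SPTrustedRootAuthority.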

Change the default web application to use SAML claims-based authentication

Change the default web application previously created for the three-tier farm to use claims authentication with the new ADFS for TeamSite authentication provider.

Configure SAML claims-based authentication

  1. On APP1, click Start, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.
  2. In Central Administration, in the Application Management section, click Manage web applications.
  3. Click the SharePoint - 5555 web application (or whichever web application hosts your team site).
  4. In the Security group of the ribbon, click Authentication Providers.
  5. On the Authentication Providers page, in the Zone column, click Default.
  6. On the Edit Authentication page, in the Claims Authentication Types section, leave Enable Windows Authentication selected and also select Trusted Identity provider.
  7. Under Trusted Identity provider, select ADFS for TeamSite, and then click Save. The Default zone now accepts both Windows and SAML claims-based authentication, so farm administrators can still sign in with Windows credentials.
  8. Click Central Administration on the Quick Launch.


In this procedure, you configure the default web application created for the three-tier farm, named SharePoint - 5555, for SSL connections. These are required because AD FS posts the signed token to https://Site URL/_trust/ and the relying party trust on DC1 was configured with an HTTPS URL.

Enable SSL for the SharePoint - 5555 web application

  1. In Central Administration, in the System Settings section, click Configure alternate access mappings.
  2. On the Alternate Access Mappings page, click Show all, and then click Change Alternate Access Mapping Collection.
  3. In the Select An Alternate Access Mapping Collection dialog box, in the Name column, click SharePoint - 5555, and then click Edit Public URLs.
  4. On the Edit Public Zone URLs page, in the Intranet box, type the HTTPS URL of the web application (https://Site URL), and then click Save. This is the same host name used in the WS-Federation Passive protocol URL of the relying party trust on DC1.
  5. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  6. In the console tree, expand APP1, and then expand Sites.
  7. Right-click SharePoint - 5555, and then click Edit Bindings.
  8. In Site Bindings, click Add.
  9. In Add Site Binding, in Type, click https.
  10. In SSL certificate, click the server certificate issued for the web application's host name, click OK, and then click Close. The client must trust this certificate, otherwise the redirect back from AD FS ends in a certificate warning rather than a signed-in team site.
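The same web application change and checks from the SharePoint 2013 Management Shell on APP1, plus the step the Central Administration walkthrough leaves implicit: the SAML identity of User1 is a different principal from the Windows account and has no permissions on the site until it is granted some. This is an added example, not part of the original article; https://teamsite.corp.TeamSite.com stands in for the Site URL placeholder and is assumed to be the public HTTPS URL of the SharePoint - 5555 web application.

```powershell
# Added example (not from the original article): configure the providers, verify
# the HTTPS public URL and binding, and grant the first SAML user access.
# Assumption: https://teamsite.corp.TeamSite.com is the public HTTPS URL of the
# "SharePoint - 5555" web application (the article's "Site URL").
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$webAppUrl  = "https://teamsite.corp.TeamSite.com"
$iisSite    = "SharePoint - 5555"
$issuerName = "ADFS for TeamSite"

$wa = Get-SPWebApplication $webAppUrl
$ap = Get-SPTrustedIdentityTokenIssuer $issuerName

# Equivalent of ticking both Windows Authentication and Trusted Identity provider
# on the Default zone in Central Administration. Keeping Windows authentication
# means the farm account and administrators can still sign in.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $ap

# Check 1: the Default zone lists both providers.
$wa = Get-SPWebApplication $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.IisSettings[$zone].ClaimsAuthenticationProviders | Select-Object DisplayName, ClaimProviderName

# Check 2: the public URL is HTTPS and IIS really has an https binding; otherwise
# AD FS posts the token to a URL nothing is listening on.
Get-SPAlternateURL -WebApplication $wa | Select-Object Zone, IncomingUrl, PublicUrl
if (-not (Get-WebBinding -Name $iisSite -Protocol https)) {
    Write-Warning "no https binding on IIS site '$iisSite'"
}

# Grant the SAML identity of User1 access. Because the AD FS rule issues
# sAMAccountName as the E-Mail Address claim (the identifier claim), the value
# to grant is "User1", not a mailbox address. New-SPClaimsPrincipal produces the
# encoded login name for this issuer so it does not have to be typed by hand.
$principal = New-SPClaimsPrincipal -ClaimValue "User1" `
    -ClaimType $ap.IdentityClaimTypeInformation.InputClaimType `
    -TrustedIdentityTokenIssuer $ap
$web = Get-SPWeb $webAppUrl
New-SPUser -UserAlias $principal.ToEncodedString() -Web $web -PermissionLevel "Contribute"
"Granted Contribute to: " + $principal.ToEncodedString()
$web.Dispose()
```

Because AD FS issues a token for every authenticated user (the Permit all users authorization rule), access control for the site rests entirely on these SharePoint permissions; grant SAML identities or role claims deliberately rather than adding Everyone.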

Verify SAML-based claims authentication from CLIENT1

In this procedure, you use CLIENT1 to access the default team site using SAML-based claims authentication.

To access the default team site using SAML-based claims authentication:

  1. On CLIENT1, open Internet Explorer.
  2. In the Address bar, type the HTTPS public URL of the web application (https://Site URL), and then press ENTER.
  3. On the sign-in page, select ADFS for TeamSite in the credentials list. You are redirected to AD FS on DC1, authenticate there as User1, and are redirected back to the team site carrying a signed SAML token.

When the team site opens, the web application is accepting both Windows and SAML-based claims authentication. If AD FS signs you in but SharePoint returns Access Denied, the trust itself is working; the SAML identity for User1, which is a different principal from the Windows account User1, has simply not been granted permissions on the site yet.