
Thursday, 9 November 2017

How to Configure SharePoint 2013 Extended Web Application to Trust ADFS using PowerShell

Export the ADFS token signing certificate to all SharePoint servers

The ADFS token signing certificate must be exported from the ADFS server and used when creating the trust on the SharePoint server. Here is how:

   a. From the ADFS console, expand the "Certificates" folder, right-click your ADFS token signing certificate and choose "View Certificate".
   b. Under the "Details" tab, click the "Copy to File" button.
   c. In the Export Private Key section, choose "No, do not export the private key".
   d. Click "Next" and choose "DER encoded binary X.509 (.CER)" as the export file format.
   e. This exports the certificate (public key only) from ADFS.

Configure SharePoint 2013 to Trust ADFS

Let's create a trusted identity token issuer pointing to ADFS as the claims provider, using PowerShell.

#Load the SharePoint cmdlets when running outside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Load the Token Signing certificate exported from the ADFS Server; it is registered in SharePoint below to establish trust between SharePoint and ADFS
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("F:\Raja\externalADFS.cer")

#Map the claims attributes (-SameAsIncoming keeps the incoming claim type unchanged inside SharePoint)
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

#Realm sent to ADFS as wtrealm; it must match the relying party identifier configured in ADFS
$realm="urn:portal.world.com"

#Sign-in URL will be the ADFS Server instance
$signInURL="https://external.world.com/adfs/ls/"

#Create new trusted identity token issuer; -ImportTrustCertificate registers the ADFS signing certificate in the SharePoint trust store
$ap1 = New-SPTrustedIdentityTokenIssuer -Name "ISS Portal Claims" -Description "ISS with Claims Authentication using ADFS 3.0 on Sharepoint 2013" -Realm $realm -ImportTrustCertificate $Cert -ClaimsMappings $upnClaimMap,$emailMap,$RoleClaimmap -SignInUrl $signInURL -IdentifierClaim $emailMap.InputClaimType

IISReset


The first lines of the above code load the exported certificate, which -ImportTrustCertificate then registers in the SharePoint certificate store. You may have to do this for the Root Certificate Authority as well. You can see them under the "Manage Trust" link in the Security section of Central Administration.

Realm - an identifier that lets ADFS load the configuration for a particular relying party. It uses the convention urn:yourwebapp:yourdomain (technically it can be anything; it just has to uniquely identify each web application).

IdentifierClaim - the unique ID that identifies users in SharePoint. So, when users log in via ADFS, they'll be identified by e-mail address in this case. Also, when granting access to SharePoint sites to ADFS users, we'll have to use this identifier as the user name. Make sure that the mapped claim exists in the source. E.g. if e-mail is mapped as the IdentifierClaim, then it must exist in AD. In other words, the e-mail field must contain a value and must not be null!

SharePoint 2013 ADFS with multiple web applications

So, you have established a trusted identity provider for your primary web application, and all other web apps as well, e.g. My Sites. Now you'll have to add them to your trusted identity provider with this PowerShell code:

$ap = Get-SPTrustedIdentityTokenIssuer "ADFS Portal Claims"
#Map the web application URL to the realm SharePoint will send to ADFS for it
$uri = New-Object System.Uri("https://portal.world.com")
$ap.ProviderRealms.Add($uri, "urn:portal.world.com")
$ap.Update()

Register ADFS with a newly created extended web application

$ap = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS Portal Claims"
Write-Host "Creating Extended Extranet WebApplication" -ForegroundColor "magenta"
#Extend the existing web application into a new zone over SSL and use the ADFS trust as its authentication provider
Get-SPWebApplication -Identity http://test.portal.world.local | New-SPWebApplicationExtension -Name "test.portal.issworld.com - https" -SecureSocketsLayer -Path "C:\inetpub\wwwroot\wss\VirtualDirectories\test.portal.world.com443" -HostHeader "test.portal.world.com" -Zone "Intranet" -URL "https://test.portal.world.com" -Port 443 -SignInRedirectURL "/_trust/default.aspx" -AuthenticationProvider $ap
Write-Host "Extended Extranet WebApplication Created" -ForegroundColor "magenta"
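A post-configuration check for the trust, realms and extension set up above, added here as an example that is not part of the original post. It assumes the issuer name, certificate path and web application URLs used in the post; adjust them for your farm.

```powershell
# Added verification script (not from the original post); values below are taken from the post and are assumptions for your farm
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName  = "ISS Portal Claims"          # name passed to New-SPTrustedIdentityTokenIssuer
$exportedCer = "F:\Raja\externalADFS.cer"   # DER .cer exported from ADFS
$expectedRealms = @{                        # web application URL -> realm, as registered in ProviderRealms
    "https://portal.world.com"      = "urn:portal.world.com"
    "https://test.portal.world.com" = "urn:portal.world.com"
}

$ap = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $ap) { throw "Trusted identity token issuer '$issuerName' not found" }

# 1. The file that was imported must carry the public key only (step c of the export above)
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($exportedCer)
if ($fileCert.HasPrivateKey) { Write-Warning "Exported .cer contains a private key; re-export without it" }

# 2. SharePoint must hold the certificate ADFS currently signs tokens with; a mismatch means every ADFS token fails signature validation
if ($ap.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
    Write-Warning ("Issuer signing cert {0} differs from file {1}; check whether ADFS rolled over its token signing certificate" -f $ap.SigningCertificate.Thumbprint, $fileCert.Thumbprint)
}

# 3. Warn before expiry: when ADFS rolls the certificate, sign-ins fail until the SharePoint trust is updated
$daysLeft = ($ap.SigningCertificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Token signing certificate expires in $daysLeft days ($($ap.SigningCertificate.NotAfter))" }

# 4. Each web application URL needs a realm entry; SharePoint sends it as wtrealm and ADFS rejects a value that matches no relying party trust
foreach ($url in $expectedRealms.Keys) {
    $uri = New-Object System.Uri($url)
    if (-not $ap.ProviderRealms.ContainsKey($uri)) {
        Write-Warning "No ProviderRealms entry for $url; add it with `$ap.ProviderRealms.Add()"
    } elseif ($ap.ProviderRealms[$uri] -ne $expectedRealms[$url]) {
        Write-Warning "Realm for $url is $($ap.ProviderRealms[$uri]), expected $($expectedRealms[$url])"
    }
}

# 5. The identifier claim must be one of the mapped incoming claim types, otherwise users cannot be identified after sign-in
$mapped = $ap.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
if ($mapped -notcontains $ap.IdentifierClaim) { Write-Warning "IdentifierClaim $($ap.IdentifierClaim) is not among the mapped claim types" }

"Checked issuer '{0}': signing cert {1}, expires {2}, {3} realm(s) registered" -f $ap.Name, $ap.SigningCertificate.Thumbprint, $ap.SigningCertificate.NotAfter, $ap.ProviderRealms.Count
```

Run it from a SharePoint server after each change to the trust; a clean run prints only the final summary line.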
