
SharePoint 2013 with ADFS

Date post: 06-Dec-2014
Category:
Upload: thomas-vochten
Description:
My session material on using ADFS together with SharePoint 2013 at the SharePoint Saturday Stockholm 2014
Transcript
Page 1: SharePoint 2013 with ADFS

SharePoint 2013 with ADFS

#SPSSTHLM02, Thomas Vochten, January 25th, 2014

SharePoint Saturday

Stockholm

Page 2: SharePoint 2013 with ADFS

Thanks to our sponsors!

SharePint

Silver

Bronze

Raffle

Platinum

Gold

Page 3: SharePoint 2013 with ADFS

About me

Thomas Vochten, SharePoint Server MVP

Involuntary DBA

Platform Architect

@thomasvochten

http://thomasvochten.com

Page 4: SharePoint 2013 with ADFS

Agenda

Claims based identity

ADFS and SharePoint together

Setting up & Configuring

Challenges

Page 5: SharePoint 2013 with ADFS

Claims based identity in a nutshell

Page 6: SharePoint 2013 with ADFS

Claims based identity

Page 7: SharePoint 2013 with ADFS

Claims based identity

Page 8: SharePoint 2013 with ADFS

Claims based identity

• Not a new concept
• Claims provide abstraction
• Authentication versus Authorization

Authorization decisions are based on claims

Page 9: SharePoint 2013 with ADFS

Some claims examples
• Your name
• Your email address
• Your social security number
• Your memberships
• Your user account
• Your booking reference
• Your employment status
• …

Page 10: SharePoint 2013 with ADFS

Authorization based on tokens

                Classic Mode Authentication    Claims Mode Authentication
Token           Windows Token                  Claims Token
Default in      SharePoint 2007, 2010          SharePoint 2013

Page 11: SharePoint 2013 with ADFS

[Diagram: a claims token is a set of claims (for example Name, Age, Location) plus a signature over them.]

Page 12: SharePoint 2013 with ADFS

Vocabulary
• Claim
• Security Token
• Identity Provider (IdP)
• Relying Party (RP)
• Security Token Service (STS)
• Realm

Page 13: SharePoint 2013 with ADFS

Claims in SharePoint 2013

3 types of claims authentication providers

• Windows
• Trusted Provider (SAML)
• Forms Based Authn

Multiple Authn providers are possible in the same zone.
Classic mode is only available via PowerShell.

[Diagram: ADFS shown as the trusted provider.]

Page 14: SharePoint 2013 with ADFS

Identity Normalization

[Diagram: an NT token (Windows identity), an ASP.NET FBA identity (LDAP, custom), a SAML token (LiveID, ADFS, others) and the anonymous user are all normalized to a claims-based identity (SAML token) and surfaced as an SPUser.]

Page 15: SharePoint 2013 with ADFS

Windows Claims
• NTLM or Kerberos are not dead
• Single sign on in a domain environment
• Used by SharePoint internally
• Claims to Windows Token Service (c2wts)

Page 16: SharePoint 2013 with ADFS

Trusted Provider Claims
• SharePoint as relying party
• Needs an external identity provider such as ADFS
• Based on open standards (SAML, WS-*)
• Login experience: browser redirects

Page 17: SharePoint 2013 with ADFS

[Diagram, © John Craddock: the user (subject/principal) authenticates to the identity provider's STS (IP-STS, backed by Active Directory) and requests a token for AppX. The STS issues a security token crafted for AppX and signed by the issuer. The token contains claims about the user, for example name, group membership, User Principal Name (UPN), email address of the user, email address of the manager, phone number and other attribute values. AppX, the relying party (resource provider), trusts tokens from that issuer and accepts the token as "authenticating" the user to the application.]

Page 18: SharePoint 2013 with ADFS

Use Cases
• Cloud (what did you think)
• Extranets
• Mergers & acquisitions
• Cross-forest authentication
• Replacement for domain trusts
• Advanced identity scenarios

Federation

Single Sign On

Page 19: SharePoint 2013 with ADFS

[Diagram, © John Craddock, federation flow: a partner user browses your claims-aware app and is not authenticated, so the app redirects the browser to your AD FS 2.0 STS. Home realm discovery redirects the user on to the partner's AD FS 2.0 STS & IP, requesting a security token for the partner user; the user authenticates there, and the partner STS returns a token for consumption by your STS. Your STS processes that token and returns a new token for your app, which sends back cookies and the page. Trust runs in two hops: the app trusts your STS, and your STS trusts your partner's STS.]

Page 20: SharePoint 2013 with ADFS

ADFS and SharePoint

Page 21: SharePoint 2013 with ADFS

Solutions on the market
• CA SiteMinder
• Shibboleth
• Oracle Access Manager
• IBM Tivoli Access Manager
• Active Directory Federation Services
• Custom solutions using WIF
• …

Page 22: SharePoint 2013 with ADFS

Why ADFS?
• Natural candidate for SharePoint
• Supports the necessary standards
• Integration with Active Directory
• Often used as a go-between
• Powerful capabilities
• Free with Windows Server license

ADFS Wiki on TechNet: http://thvo.me/adfswiki

Page 23: SharePoint 2013 with ADFS

Simplified logon process with ADFS

1. User connects to SharePoint
2. SharePoint redirects the browser to ADFS, passing the realm of the web application
3. ADFS authenticates the user (username and password, or integrated Windows authentication)
4. ADFS creates a token, signs it and hands it back to the browser
5. The browser POSTs the signed token to SharePoint's /_trust/ endpoint
6. The SharePoint STS validates the signature and extracts the claims from the token
7. The SharePoint STS creates its own cookie for internal use (FedAuth)
8. SharePoint performs authorization
9. User is connected to the web application

Page 24: SharePoint 2013 with ADFS

Installing ADFS

Windows Server 2008 R2: ADFS 2.0 (free download)
Windows Server 2012: ADFS 2.1 (included)
Windows Server 2012 R2: ADFS 3.0 (included)

Configuration is stored in

• Windows Internal Database (standalone)
• SQL Server (farm)

On Windows Server 2012 and later:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Page 25: SharePoint 2013 with ADFS

Configuring ADFS

• Run the configuration wizard

• Create or join a federation service

• Specify a federation service name (URL)

Page 26: SharePoint 2013 with ADFS

Prepare ADFS for SharePoint
• Export the token signing certificate
• Configure SharePoint as a relying party
• Configure claim rules
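The three steps above as one PowerShell script on the ADFS server. This is an added example, not the deck's demo script: the realm urn:sharepoint:spssthlm and the web application URL https://spssthlm.lab.thvo.net come from later slides, while the trust name, file path and rule names are assumptions. The claim types issued match the three mappings SharePoint creates later in the deck.

```powershell
# Added example (not from the deck): prepare ADFS 2.1/3.0 for a SharePoint 2013 relying party.
# Assumed: trust name "SharePoint spssthlm", output path C:\TokenSigning.cer, rule names.
Import-Module ADFS

# 1. Export the public part of the primary token-signing certificate for SharePoint to import.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.IsPrimary }).Certificate
[System.IO.File]::WriteAllBytes("C:\TokenSigning.cer",
    $signing.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 2. Issuance transform rules: AD attributes -> the claim types SharePoint maps
#    (email, UPN as identifier claim, tokenGroups as role claims for group-based permissions).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes to SharePoint claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,userPrincipalName,tokenGroups;{0}", param = c.Value);
'@

# 3. Issuance authorization: let every authenticated user get a token; authorization is SharePoint's job.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 4. The relying party trust. Identifier = the realm SharePoint sends as wtrealm;
#    WS-Federation endpoint = the web application's /_trust/ path that receives the POSTed token.
#    SharePoint 2013 only validates RSA-SHA1 signatures and cannot decrypt encrypted tokens,
#    so both are set explicitly (ADFS 3.0 defaults to SHA-256); revisit for later SharePoint versions.
Add-AdfsRelyingPartyTrust -Name "SharePoint spssthlm" `
    -Identifier "urn:sharepoint:spssthlm" `
    -WSFedEndpoint "https://spssthlm.lab.thvo.net/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -EncryptClaims $false

# Check what was created before pointing SharePoint at it.
Get-AdfsRelyingPartyTrust -Name "SharePoint spssthlm" |
    Select-Object Name, Identifier, WSFedEndpoint, SignatureAlgorithm, EncryptClaims
```

The permit-all authorization rule is deliberate: once a user is past ADFS, SharePoint decides what they may see, so keep the gate at ADFS wide and the permissions in SharePoint explicit. If you want ADFS to refuse tokens for users outside a group, that is where a deny rule on the role claim belongs.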

Page 27: SharePoint 2013 with ADFS

Demo: Configure ADFS for SharePoint

Page 28: SharePoint 2013 with ADFS

Prepare SharePoint for ADFS
• Import the token signing certificate
• Create a Trusted Security Token Issuer pointing to ADFS
• Configure the web application to use ADFS
• Configure administrator permissions

Page 29: SharePoint 2013 with ADFS

Create the Trusted Security Token Issuer

# Import the ADFS token signing certificate to SharePoint

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert

# Define the claims type mappings (incoming claim type kept as-is in SharePoint)

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

Page 30: SharePoint 2013 with ADFS

Create the Trusted Security Token Issuer

# Create the trusted identity provider

$realm = "urn:sharepoint:spssthlm"

$signInURL = "https://adfs01.lab.thvo.net/adfs/ls"

$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap `
    -SignInUrl $signInURL `
    -IdentifierClaim $upnClaimMap.InputClaimType

Page 31: SharePoint 2013 with ADFS

Modify your web application
• Change the web application authentication provider
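The last two steps of "Prepare SharePoint for ADFS" (switch the web application to the trusted provider, then grant an administrator by claim) as an added PowerShell example, not the deck's demo. It assumes the issuer named "ADFS" and the web application https://spssthlm.lab.thvo.net from the surrounding slides; the UPN thomas@lab.thvo.net is a placeholder.

```powershell
# Added example (not from the deck): put the ADFS trusted provider on a web application
# and make a federated user site collection administrator without the People Picker.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa   = Get-SPWebApplication "https://spssthlm.lab.thvo.net"
$adfs = Get-SPTrustedIdentityTokenIssuer "ADFS"

# Keep Windows claims next to ADFS in the Default zone so the search crawler can still
# authenticate. Users then see a provider-selection page on sign-in (see the Search slide).
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $adfs

# Grant access by claim, not by typing a name: building the principal against the issuer
# encodes it with the issuer's identifier claim type (UPN here), so it matches the token.
$claim = New-SPClaimsPrincipal -ClaimValue "thomas@lab.thvo.net" `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -TrustedIdentityTokenIssuer $adfs
$encoded = $claim.ToEncodedString()      # the i:0...t|ADFS|thomas@lab.thvo.net form

Set-SPSite -Identity "https://spssthlm.lab.thvo.net" -SecondaryOwnerAlias $encoded

# Verify which providers the zone now exposes and who owns the root site collection.
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default | Select-Object DisplayName
(Get-SPSite "https://spssthlm.lab.thvo.net").SecondaryContact.UserLogin
```

Granting through an encoded claim string avoids the People Picker problem from the Challenges section: the string is built from the identifier claim type the issuer was created with, so a mistyped value is at least visibly wrong in the output, rather than silently resolving to a principal nobody can log in as.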

Page 32: SharePoint 2013 with ADFS

Demo: Configure SharePoint for ADFS

Page 33: SharePoint 2013 with ADFS

Challenges

Page 34: SharePoint 2013 with ADFS
Page 35: SharePoint 2013 with ADFS

People Picker
• Most significant functional difference
• Will resolve any claim by default: with a trusted provider there is no directory behind the picker, so whatever text is typed becomes a valid-looking claim, including typos and identities that do not exist

Page 36: SharePoint 2013 with ADFS

Custom Claims Provider

Implement a custom claims provider

Page 37: SharePoint 2013 with ADFS

Custom Claims Provider
• Augmentation
• Name resolution
• Deployed as a full-trust solution file
• Implements methods for searching in directories
• Dependent on the "Microsoft SharePoint Foundation Web Application" service

https://ldapcp.codeplex.com/

Page 38: SharePoint 2013 with ADFS

Custom Claims Provider

Page 39: SharePoint 2013 with ADFS

Claims Encoding

i:0#.t|federation|thomasvochten
i:0#.w|lab\thomasvochten

Reading the encoded form: i = identity claim, 0 is reserved, the next character encodes the claim type, "." marks a string value, and the letter before the first pipe is the issuer type (t = trusted provider, w = Windows). The issuer name and the claim value follow.

© Wictor Wilén
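Encoding and decoding these strings from the SharePoint object model, as an added example that is not part of the deck. It uses the two account names from the slide; the issuer name "ADFS" and the site URL are assumed from earlier slides.

```powershell
# Added example (not from the deck): produce and take apart SharePoint encoded claim strings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mgr  = [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local
$adfs = Get-SPTrustedIdentityTokenIssuer "ADFS"

# Windows account -> i:0#.w|lab\thomasvochten
$win = New-SPClaimsPrincipal -Identity "lab\thomasvochten" -IdentityType WindowsSamAccountName
$win.ToEncodedString()

# Trusted provider identity: the claim type character after "i:0" depends on the issuer's
# identifier claim, so build it from the issuer instead of hard-coding the string.
$fed = New-SPClaimsPrincipal -ClaimValue "thomasvochten" `
    -ClaimType $adfs.IdentityClaimTypeInformation.InputClaimType `
    -TrustedIdentityTokenIssuer $adfs
$fed.ToEncodedString()

# Decode an encoded login back into its parts (type, value, value type, issuer).
$mgr.DecodeClaim("i:0#.w|lab\thomasvochten") |
    Select-Object ClaimType, Value, ValueType, OriginalIssuer

# Practical audit: which users of a site came in through a trusted provider rather than Windows?
Get-SPUser -Web "https://spssthlm.lab.thvo.net" |
    Where-Object { $_.UserLogin -like "i:0*.t|*" } |
    Select-Object UserLogin, Email
```

Comparing the trusted-provider string with the Windows one for the same person shows why there is no automatic matching between the two: they are different principals to SharePoint, which is also the root of the User Profile Service problem later in the deck.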

Page 40: SharePoint 2013 with ADFS

Multiple web applications
• Tying multiple web applications to the same Security Token Issuer
• By default, only one realm is configured
• Make sure you create a relying party in ADFS too (one per realm, with that web application's /_trust/ URL as its WS-Federation endpoint)

$ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
$uri = New-Object System.Uri("https://spssthlm-mysites.lab.thvo.net/_trust/")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlm-mysites")
$ap.Update()

Page 41: SharePoint 2013 with ADFS

Host Named Site Collections

Treated like a web application in ADFS: create a relying party for every HNSC!

$ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
$uri = New-Object System.Uri("https://www.spssthlm.se/_trust/")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlmpublic")
$ap.Update()

Page 42: SharePoint 2013 with ADFS

Cross web application authentication
• The FedAuth cookie is scoped to a single domain
• Cross-webapp requests are not authenticated automatically
• You have to log on to both webapps first
• OOB solution for user profile pictures:

$wa = Get-SPWebApplication https://spssthlm.lab.thvo.net
$wa.CrossDomainPhotosEnabled = $true
$wa.Update()

Page 43: SharePoint 2013 with ADFS

Search
• The crawler needs Windows authentication to crawl content
• Either configure multiple authentication methods in the same zone (beware: users then get a provider-selection page on sign-in, and Windows authentication stays reachable on the same URL), or
• Set up an additional zone with Windows authentication and crawl through that one

Page 44: SharePoint 2013 with ADFS

Cookies
• Session cookies vs persistent cookies
• Don't forget the Office client
• When do sessions expire?
• Get-SPSecurityTokenServiceConfig
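The session settings behind those four bullets, as an added example that is not from the deck. It shows the SharePoint side (cookie mode and the expiration window) next to the ADFS side (token lifetime for the relying party); the trust name "SharePoint spssthlm" and the chosen lifetimes are assumptions.

```powershell
# Added example (not from the deck): align SharePoint session handling with the ADFS token lifetime.

# --- On a SharePoint server ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sts = Get-SPSecurityTokenServiceConfig
$sts | Select-Object UseSessionCookies, LogonTokenCacheExpirationWindow, WindowsTokenLifetime, FormsTokenLifetime

# Session cookies: FedAuth is dropped when the browser closes instead of persisting on disk
# for the token lifetime, which is what you want on shared or unmanaged machines.
$sts.UseSessionCookies = $true

# SharePoint treats a token as expired this long before its real expiry. It must be shorter
# than the ADFS TokenLifetime, otherwise every request is sent back to ADFS in a redirect loop.
$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 10
$sts.Update()

# --- On the ADFS server ---
Import-Module ADFS
# TokenLifetime is in minutes; 0 means the ADFS default of 60.
Get-AdfsRelyingPartyTrust -Name "SharePoint spssthlm" | Select-Object Name, TokenLifetime
Set-AdfsRelyingPartyTrust -TargetName "SharePoint spssthlm" -TokenLifetime 120

# Sanity check to run after any change on either side (assumes both modules are loaded here).
$window   = (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow.TotalMinutes
$lifetime = (Get-AdfsRelyingPartyTrust -Name "SharePoint spssthlm").TokenLifetime
if ($lifetime -eq 0) { $lifetime = 60 }
if ($window -ge $lifetime) { Write-Warning "Expiration window ($window min) >= token lifetime ($lifetime min): expect redirect loops" }
```

The Office client does its own passive sign-in to ADFS rather than reusing the browser's cookie jar, so test document open and save from Word after changing the cookie mode instead of assuming the browser behaviour carries over.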

Page 45: SharePoint 2013 with ADFS

Certificates
• If the ADFS token signing certificate is not self-signed, import its issuing chain into SharePoint as trusted root authorities too
• Import the SharePoint Root Authority certificate into the trusted root certificate store on the SharePoint box
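Both certificate imports from this slide as an added PowerShell example (not the deck's demo). It reuses C:\TokenSigning.cer from the earlier SharePoint step; the export path for the farm root certificate is assumed.

```powershell
# Added example (not from the deck): the two certificate trusts SharePoint needs for ADFS tokens.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. If the token-signing certificate was issued by a CA, SharePoint must trust the whole
#    chain, or signature validation fails on chain building even though the leaf is imported.
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"     # build offline; we only want the issuers
[void]$chain.Build($signing)
# Every element above the leaf becomes a SharePoint trusted root authority.
# For a self-signed signing certificate the chain has one element and nothing is added.
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    New-SPTrustedRootAuthority -Name "ADFS chain $($_.Certificate.Thumbprint)" -Certificate $_.Certificate
}

# 2. Export the farm's own SharePoint Root Authority and add it to the machine Trusted Root
#    store on each SharePoint server, so the box trusts what its own STS signs with.
$root = (Get-SPCertificateAuthority).RootCertificate
[System.IO.File]::WriteAllBytes("C:\SharePointRootAuthority.cer", $root.Export("Cert"))
Import-Certificate -FilePath "C:\SharePointRootAuthority.cer" -CertStoreLocation Cert:\LocalMachine\Root

# Check: everything SharePoint will accept as a token issuer root, by thumbprint.
Get-SPTrustedRootAuthority | Select-Object Name, @{n="Thumbprint"; e={ $_.Certificate.Thumbprint }}
```

Keep the thumbprint list from the last line under change control: every entry is a key SharePoint will accept signed tokens from, so an extra root here is an extra identity provider.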

Page 46: SharePoint 2013 with ADFS

SharePoint Hosted Apps
• SharePoint-hosted apps do not work when the SharePoint site uses SAML authentication and the app itself is hosted in SharePoint
• Provider-hosted apps (for example in Azure) do work with a SAML-authenticated SharePoint site

Page 47: SharePoint 2013 with ADFS

User Profile Service
• Specify the ADFS trusted provider when configuring the import connection
• There is no automatic matching between the logged-on user and the user in the profile service
• Check the "Claim User Identifier" property in the user profile properties

Page 48: SharePoint 2013 with ADFS

Publishing to the internet
• The federation service URL must be identical on the intranet and the internet
• Use split DNS to achieve this
• Publish ADFS directly or via an ADFS proxy (Web Application Proxy on Windows Server 2012 R2)
• UAG 2010 can be an ADFS proxy too

Page 49: SharePoint 2013 with ADFS

Federation
• A chain of trusted/trusting identity providers
• Configure relying parties
• Configure claims provider trusts
• You probably want to play around with custom claim rules here

Page 50: SharePoint 2013 with ADFS

Other tips
• Choice of the unique identity claim is very important
• Home realm discovery
• Always use SSL, it doesn't work without it
• Most backend systems don't understand SAML claims

Page 51: SharePoint 2013 with ADFS

Useful tools
• ULSViewer
• Fiddler

Page 52: SharePoint 2013 with ADFS

Demo: Common issues and their solutions

Page 53: SharePoint 2013 with ADFS

Key Takeaways
• Know the basics of claims based AuthN
• Be aware of:
  - custom claims providers
  - multiple web apps or HNSC
  - cookies
  - user profile service
• ADFS does not only mean Active Directory
• Not only for partner to partner federation scenarios

Page 54: SharePoint 2013 with ADFS

Q & A

#spssthlm #spssthlm02 @thomasvochten

Page 55: SharePoint 2013 with ADFS

...and visit our sponsors who made this day possible!

Thank you!

Please rate this session...

