
Configure SharePoint 2010 with Active Directory Federation Services (ADFS)

In my SharePoint environment I had a requirement to configure SharePoint 2010 to federate with external partners using Active Directory Federation Services (ADFS).  For those not familiar with ADFS: it provides federation between multiple customers or partners, which eliminates the hassle of continuously providing credentials when accessing shared files and locations.  The partner's ADFS issues a signed claims token that is trusted on both sides, and that token, rather than Windows Authentication or PKI/CAC authentication, is what grants access.

In this blog post I will explain how to set up and configure SharePoint 2010 to work with ADFS.  I will not explain how to configure the ADFS server itself; I assume it has already been configured and is ready for use, including a relying party trust for the SharePoint portal whose identifier matches the realm used in step 3 below.

SharePoint 2010 Configuration

  1. First you will need to obtain a .CER copy of the root certificate(s) in the chain of the ADFS token-signing certificate.  SharePoint validates the signature on every incoming token, so it must trust the issuer of that certificate (if ADFS uses a self-signed token-signing certificate, the signing certificate itself is the root to trust).  In my case the root CA was already present on the Central Administration server, so I exported it from there.
    1. Log onto the Central Administration Server.
    2. Bring up the certificate store: click Start | Run
    3. Type MMC and Enter
    4. Press Ctrl + M to open the Add/Remove Snap-in dialog
    5. Select Certificates | Add | Computer Account | Next
    6. Select Local Computer | Finish
    7. Click Ok
    8. Expand Certificates | Expand Trusted Root Certification Authorities | Certificates
    9. Select the Root CA.  (In my case I selected NSS Root CA 1)
    10. Right click the Root CA and choose All Tasks | Export
    11. Click Next
    12. Select No, do not export the private key | Next
    13. Select the format you want to use | DER Encoded Binary X.509 (.CER) | Next
    14. Choose a file name and location to export the certificate to | Next | Finish
  2. Import Root Certificate into SharePoint 2010 Certificate Store
    1. On the SharePoint Central Administration Server open up SharePoint 2010 Management Shell
    2. Type the following command and press Enter to load the exported file (public key only, no private key is needed or wanted here):
      1. $rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<Path to certificate file>")
    3. Add the root certificate to the SharePoint Trusted Root Authority store by typing the following command:
      1. New-SPTrustedRootAuthority -Name "<Identifying Name>" -Certificate $rootCert  (in my case I used "NSS Root CA 1" as the identifying name)
  3. Create SharePoint Trusted Identity Token Issuer.
    *This step is important: it tells SharePoint which claims it will accept from ADFS and how each incoming claim type is mapped.  You will likely need to discuss with your external partners which claims they want to pass through ADFS.  Once there is an agreement between both or all parties you can proceed with creating the mappings.*
    **In my case we agreed to pass E-Mail, Role, UPN, and Name as claims to SharePoint**

    1. Type the following to add E-Mail, Role, UPN, and Name as accepted claims in SharePoint:
      1. $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
      2. $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
      3. $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
        **The incoming Name claim type (.../identity/claims/name) is reserved for SharePoint's own internal claims, so it cannot be used with -SameAsIncoming; map it to a unique local claim type instead**
      4. $map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "Name" -LocalClaimType "http://schemas.<mappedclaimtype>/identity/claims/name"
    2. Locate the token-signing certificate used by ADFS 3.0
      1. Log into the ADFS server | Open AD FS Management | Expand Service | Select Certificates | Select the Token-signing certificate | Export the certificate (public key only, without the private key)
      2. Copy the exported ADFS token-signing certificate to a location on the SharePoint 2010 Central Administration server
      3. Type the following to load the ADFS token-signing certificate:
        1. $tokenCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<location of token-signing certificate>")
    3. Create the SharePoint Trusted Identity Token Issuer:
      1. Type the following:
        1. New-SPTrustedIdentityTokenIssuer -Name "<NAME OF ADFS TOKEN ISSUER>" -Description "ADFS 3.0" -Realm "urn:eusharepoint:<name of portal>" -SignInUrl "https://<ADFS server FQDN>/adfs/ls" -ImportTrustCertificate $tokenCert -ClaimMappings $map1, $map2, $map3, $map4 -IdentifierClaim $map4.InputClaimType
      2. The -Realm value must match the relying party identifier configured for this portal in ADFS, otherwise ADFS will reject the sign-in request.  The -IdentifierClaim is the claim SharePoint uses as the user's identity, so it must be a claim every federated user will carry and one that is unique per user.
  4. Update SharePoint Web Application to use Trusted Claims Identifier
    1. Browse to Central Administration | Application Management | Select Web Application | Select Authentication Providers from Ribbon | Select Default Zone
    2. Scroll down to the "Claims Authentication Types" section.  The option to select the Trusted Identity Provider is now available.
      1. Select the Trusted Identity Provider checkbox | Select the "<NAME OF ADFS TOKEN ISSUER>" checkbox
      2. Click Save

After completing the four steps above, the SharePoint side of the ADFS federation is complete.
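The four steps above, run end to end as a single SharePoint 2010 Management Shell script, with the checks I would want before trusting a partner's certificate (public-key-only file, not expired, token-signing certificate actually chains to the root being trusted, no duplicate issuer).  This is an added example, not code from the original post; the file paths, the issuer name "ADFS Partner Federation", the realm urn:eusharepoint:portal, the ADFS host adfs.partner.example, the local Name claim type and the web application URL are all assumed placeholders.  Step 4 is done here with Set-SPWebApplication instead of the Central Administration UI.

```powershell
# Added example (not from the original post). All names, hosts and paths below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rootCertPath   = "C:\certs\NSS-Root-CA-1.cer"            # assumed path: root CA that issued the token-signing cert
$tokenCertPath  = "C:\certs\adfs-token-signing.cer"        # assumed path: ADFS token-signing certificate (public key only)
$issuerName     = "ADFS Partner Federation"                # assumed name; this is what you tick in Central Administration
$realm          = "urn:eusharepoint:portal"                # assumed; must equal the relying party identifier in ADFS
$signInUrl      = "https://adfs.partner.example/adfs/ls"   # assumed ADFS passive sign-in endpoint
$webAppUrl      = "https://portal.example"                 # assumed SharePoint web application
$localNameClaim = "http://schemas.example/identity/claims/name"   # assumed local type for the reserved Name claim

function Import-PublicCert([string]$Path) {
    # Fail early if the file is missing, has expired, or carries a private key
    # (only the public certificate should ever leave the ADFS server).
    if (-not (Test-Path $Path)) { throw "Certificate file not found: $Path" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.HasPrivateKey) { throw "$Path contains a private key; export the public certificate only" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "$Path expired on $($cert.NotAfter)" }
    return $cert
}

$rootCert  = Import-PublicCert $rootCertPath
$tokenCert = Import-PublicCert $tokenCertPath

# Step 1 sanity check: the token-signing certificate should be issued by the root we are about to
# trust, or be self-signed (in which case the signing certificate itself is the root to trust).
if ($tokenCert.Issuer -ne $rootCert.Subject -and $tokenCert.Issuer -ne $tokenCert.Subject) {
    Write-Warning "Token-signing cert issuer '$($tokenCert.Issuer)' does not match root subject '$($rootCert.Subject)'"
}

# Step 2: trusted root authority, keyed on thumbprint so re-running the script is harmless
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name "NSS Root CA 1" -Certificate $rootCert | Out-Null
}

# Step 3: the claim mappings agreed with the partner
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
# The incoming Name claim type is reserved by SharePoint, so it must land on a different local claim type
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "Name" -LocalClaimType $localNameClaim

if (Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $issuerName }) {
    throw "Trusted identity token issuer '$issuerName' already exists; remove it first or pick another name"
}
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "ADFS 3.0" -Realm $realm `
    -SignInUrl $signInUrl -ImportTrustCertificate $tokenCert `
    -ClaimMappings $map1, $map2, $map3, $map4 -IdentifierClaim $map4.InputClaimType

# Step 4: bind the issuer to the Default zone next to Windows (NTLM) authentication. Note that
# -AuthenticationProvider replaces the zone's whole provider list, so Windows auth is passed again
# explicitly; leaving it out would lock Windows users (including farm admins) out of the zone.
$webApp = Get-SPWebApplication $webAppUrl
$winAp  = New-SPAuthenticationProvider                                   # Windows claims (NTLM)
$adfsAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $winAp, $adfsAp

# Show what SharePoint now trusts, so the realm, sign-in URL and identifier claim can be eyeballed
Get-SPTrustedIdentityTokenIssuer $issuerName | Select-Object Name, ProviderRealms, ProviderUri, IdentityClaimTypeInformation
```

The issuer-chain check is deliberately a warning rather than a hard failure: some partners present an intermediate CA rather than the root, in which case the intermediate must also be added with New-SPTrustedRootAuthority.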

Now when you browse to your portal site you will see the sign-in page, with a dropdown to choose either Windows Authentication or ADFS Authentication.  If ADFS Authentication is selected the user is redirected to the ADFS federation login screen, authenticates to their own domain, receives a claims token and is redirected back to the portal.  If the federated user's identifier claim (or a role or e-mail claim they carry) has been granted permission in SharePoint they will have access; if not, they will be denied.

Rollback Steps

If you want to remove the ADFS federation from SharePoint:

  1. Browse to Central Administration | Application Management | Select Web Application | Select Authentication Providers from Ribbon | Select Default Zone
  2. Scroll down to the "Claims Authentication Types" section.
    1. Deselect the "<NAME OF ADFS TOKEN ISSUER>" checkbox | Deselect the Trusted Identity Provider checkbox
    2. Click Save
  3. Log into the Central Administration server
    1. Bring up SharePoint 2010 Management Shell
      1. Type: Remove-SPTrustedIdentityTokenIssuer "<NAME OF ADFS TOKEN ISSUER>"
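The same rollback as a script, as an added example that is not part of the original post.  It reuses the assumed names from the setup example (issuer "ADFS Partner Federation", root authority "NSS Root CA 1", web application https://portal.example), keeps Windows authentication on the zone so administrators are not locked out, and also removes the root CA trust added in step 2 of the setup once no remaining issuer chains to it.

```powershell
# Added example (not from the original post). Names and URL below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS Partner Federation"   # assumed issuer name
$rootName   = "NSS Root CA 1"             # assumed trusted root authority name
$webAppUrl  = "https://portal.example"    # assumed web application

# Rollback steps 1-2: rebind the Default zone to Windows (NTLM) authentication only.
# -AuthenticationProvider replaces the zone's provider list, which is what drops the ADFS provider.
$webApp = Get-SPWebApplication $webAppUrl
$winAp  = New-SPAuthenticationProvider
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $winAp

# Rollback step 3: remove the trusted identity token issuer (-Confirm:$false suppresses the prompt).
$issuer = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if ($issuer) {
    # Remember who issued its signing certificate before the object is gone
    $signerIssuer = $issuer.SigningCertificate.Issuer
    Remove-SPTrustedIdentityTokenIssuer -Identity $issuerName -Confirm:$false
} else {
    Write-Warning "Issuer '$issuerName' not found; nothing to remove"
}

# Extra cleanup: drop the partner's root CA from SharePoint's trust store, but only if no other
# trusted issuer still has a signing certificate issued by that root.
$root = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $rootName }
if ($root) {
    $stillNeeded = Get-SPTrustedIdentityTokenIssuer |
        Where-Object { $_.SigningCertificate.Issuer -eq $root.Certificate.Subject }
    if (-not $stillNeeded) {
        Remove-SPTrustedRootAuthority -Identity $rootName -Confirm:$false
    } else {
        Write-Warning "Root '$rootName' still trusted: other issuers chain to it"
    }
}

# Confirm the zone is back to Windows-only
Get-SPAuthenticationProvider -WebApplication $webApp -Zone Default
```

Run the zone rebinding first and the issuer removal second, as above: removing an issuer that a zone still references leaves the web application with a dangling provider entry.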