Tuesday, May 3, 2016

Using Windows Azure Active Directory for SharePoint 2013 authentication


SharePoint 2013 supports claims-based authentication with SAML 1.1 tokens over the WS-Federation passive profile out of the box. This post walks through configuring a Windows Azure Access Control Service (ACS) namespace, backed by a Windows Azure Active Directory (WAAD) tenant, as the trusted identity provider for a SharePoint web application. Note that Microsoft retired ACS in November 2018, so the ACS portal steps below no longer apply to new deployments; the SharePoint-side configuration (trusted root authority, claim mapping, trusted identity token issuer, web application policy) is the same for any WS-Federation identity provider.

Create Azure AD tenant and namespace

Use the following steps to create a new Azure AD tenant and an associated Access Control namespace. In this example the namespace is “saml11acs2”. The namespace is created in the Windows Azure management portal; the PowerShell commands that follow register a service principal for the namespace in the tenant.
Using the Azure portal:
  1. In the Azure Management Portal, click Active Directory, and then create a new Azure AD tenant.
  2. Click Access Control Namespaces, and create a new namespace.
  3. Click Manage on the bottom bar. This opens the ACS management portal for the namespace, https://saml11acs2.accesscontrol.windows.net/v2/mgmt/web.
Using PowerShell:

  1. Open Windows PowerShell. The Microsoft Online Services Module for Windows PowerShell is a prerequisite for the Azure AD cmdlets used below.
  2. From the Windows PowerShell prompt, run Connect-MsolService and enter your tenant administrator credentials.
  3. From the Windows PowerShell prompt, run the following commands (the ServicePrincipalNames value is the namespace URL and must contain no spaces):
Import-Module MSOnlineExtended -Force

$replyUrl = New-MsolServicePrincipalAddresses -Address https://saml11acs2.accesscontrol.windows.net/

New-MsolServicePrincipal -ServicePrincipalNames @("https://saml11acs2.accesscontrol.windows.net/") -DisplayName "SAML ACS Namespace" -Addresses $replyUrl

Add a WS-Federation identity provider to the namespace

Use the following steps to add a new WS-Federation identity provider to the saml11acs2 namespace.
  1. From the Azure management portal, go to Active Directory > Access Control Namespaces, select the namespace created above, and then click Manage.
  2. From the Azure Access Control portal, click Identity Providers > Add, as illustrated in the following figure.
Add or Manage Identity Providers

  3. Click WS-Federation identity provider, as illustrated in the following figure, and then click Next.
Add Identity Provider settings

  4. Fill out the display name and logon link text. For the WS-Federation metadata URL, type https://accounts.accesscontrol.windows.net/saml11acs2.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml (the federation metadata of the Azure AD tenant, from which ACS reads the tenant's token-signing certificate), and then click Save. The following figure illustrates the settings.
     Identity Provider Settings

Add SharePoint as a relying party application

Use the following steps to add the SharePoint web application as a relying party application.
From the Azure Access Control portal, click Relying party applications, and then click Add, as illustrated in the following figure.
Relying Party Applications Settings

Authentication Providers Settings

Configure End Points

  1. From the Access Control Service portal, add the relying party, as illustrated in the following figure. Three settings must line up with the SharePoint side: the Realm must be the value later passed to New-SPTrustedIdentityTokenIssuer (urn:sharepoint:acs2 in this post); the Return URL must be the HTTPS URL of the SharePoint web application with /_trust/ appended, which is SharePoint's WS-Federation endpoint; and the Token format must be SAML 1.1, because SharePoint 2013 does not accept SAML 2.0 tokens. Under the authentication settings, select the WS-Federation identity provider added above.
Edit Relying Party Application Settings.

Create a rule group for claims-based authentication

Use the following steps to create a new rule group that controls which claims ACS issues to SharePoint.
  1. In the left pane, click Rule groups, and then click Add.
  2. Type a name for the rule group, click Save, and then click Generate. For the purposes of this article, we are using Default Rule Group for SharePoint, as illustrated in the following figure.
Edit Rule Group Settings

  3. Click the rule group that you want to change, and then click the claim rule that you want to change. For the purposes of this article, we add a pass-through claim rule to the group whose input claim type is name and whose output claim type is emailaddress, so that the user's identity reaches SharePoint under the claim type that is mapped as the identifier claim later, as illustrated by the following figure.
Input Claim Type Settings

  4. Delete the generated pass-through rule named name, so that only the rewritten emailaddress claim is issued.

Configure the X.509 certificate

Use the following steps to obtain the X.509 certificate that ACS uses for token signing. SharePoint validates every incoming token against this certificate, so it is the trust root of the whole setup: whoever holds the matching private key can issue tokens for any user that SharePoint will accept.
  1. In the Access Control Service pane, under Development, click Application integration.
  2. In Endpoint Reference, locate the WS-Federation Metadata URL (FederationMetadata.xml) for your namespace, and open it in a browser.
  3. In the metadata, locate the RoleDescriptor element of type SecurityTokenServiceType and, inside its KeyDescriptor with use="signing", copy the contents of the <X509Certificate> element, as illustrated in the following figure.
X509 Certificate element of the FederationMetadata.xml file
  4. From the root of drive C:\, create a folder named Certificates.
  5. Save the X509Certificate value to the folder C:\Certificates with the file name AcsTokenSigning.cer, wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines so that it loads as a PEM-encoded certificate. Before using it, compare its thumbprint with the one shown under Certificates and keys in the ACS portal.

Define the certificate used to validate the signed WSFed assertion

Open the SharePoint 2013 Management Shell on a SharePoint server and run the following commands. They register the ACS token-signing certificate as a trusted root authority, create the claim mapping for the incoming emailaddress claim, and create the trusted identity token issuer. The realm must match the relying party realm configured in ACS, and the IdentifierClaim is the claim type SharePoint will use as the user's identity:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\AcsTokenSigning.cer")

New-SPTrustedRootAuthority -Name "Azure Certificate" -Certificate $cert

$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm = "urn:sharepoint:acs2"

$x = New-SPTrustedIdentityTokenIssuer -Name "WAAD" -Description "Azure Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email -SignInUrl "https://saml11acs2.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aacs2" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
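As an added example (not code from the original post), the following PowerShell automates the certificate extraction described in the previous section and the pinning checks a farm administrator should run before handing the file to New-SPTrustedRootAuthority and -ImportTrustCertificate. Assumptions: the ACS metadata URL in the closing comment is the namespace's WS-Federation metadata endpoint; the sample metadata document and the self-signed demo certificate are constructed here so the script runs offline without a SharePoint farm or an ACS namespace; New-SelfSignedCertificate needs Windows Server 2012 or later.

```powershell
# Added example, not part of the original post: extract the token-signing certificate from
# WS-Federation metadata, pin it, and save it as the AcsTokenSigning.cer file that the
# SharePoint commands above load. The sample metadata below is constructed for the demo.

function Get-FederationSigningCertificate {
    # Returns every certificate advertised as a signing key by the STS role descriptor.
    param([Parameter(Mandatory)][string]$MetadataXml)

    [xml]$doc = $MetadataXml
    $ns = @{
        md  = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds  = 'http://www.w3.org/2000/09/xmldsig#'
        xsi = 'http://www.w3.org/2001/XMLSchema-instance'
    }
    # Only the SecurityTokenServiceType role signs tokens; skip encryption keys and any
    # relying-party (ApplicationServiceType) descriptors in the same document.
    $xpath = "//md:RoleDescriptor[contains(@xsi:type,'SecurityTokenServiceType')]" +
             "/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

    foreach ($match in (Select-Xml -Xml $doc -XPath $xpath -Namespace $ns)) {
        $der = [Convert]::FromBase64String(($match.Node.InnerText -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

function Save-CertificateAsPem {
    # Write base64 with BEGIN/END lines; X509Certificate2 loads this form from a file path.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Path
    )
    $b64 = [Convert]::ToBase64String($Certificate.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
    Set-Content -Path $Path -Value $pem -Encoding Ascii
}

function Test-SigningCertificate {
    # Checks to insist on before the farm trusts this key: it is the expected one (pin),
    # it is inside its validity period, and there is exactly one unless ACS is rolling keys.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates,
        [string]$ExpectedThumbprint
    )
    if ($Certificates.Count -eq 0) { throw 'Metadata advertises no signing certificate.' }
    if ($Certificates.Count -ne 1) {
        Write-Warning "Metadata advertises $($Certificates.Count) signing certificates; ACS may be rotating keys. Pin explicitly."
    }
    $now = Get-Date
    foreach ($c in $Certificates) {
        if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
            throw "Signing certificate $($c.Thumbprint) is outside its validity period ($($c.NotBefore) to $($c.NotAfter))."
        }
        if ($ExpectedThumbprint -and $c.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
            throw "Signing certificate thumbprint $($c.Thumbprint) does not match the pinned value $ExpectedThumbprint."
        }
    }
}

# --- Offline demonstration with a constructed metadata document ---------------------------
# A throw-away self-signed certificate stands in for the ACS signing certificate; the demo
# only ever touches its public half, which is all the metadata carries.
$demoCert = New-SelfSignedCertificate -DnsName 'demo-acs-signing' -CertStoreLocation Cert:\CurrentUser\My
$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  entityID="https://saml11acs2.accesscontrol.windows.net/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>$([Convert]::ToBase64String($demoCert.RawData))</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"@
Remove-Item -Path "Cert:\CurrentUser\My\$($demoCert.Thumbprint)"   # store copy no longer needed

$certs = @(Get-FederationSigningCertificate -MetadataXml $sampleMetadata)
Test-SigningCertificate -Certificates $certs -ExpectedThumbprint $demoCert.Thumbprint
Save-CertificateAsPem -Certificate $certs[0] -Path 'C:\Certificates\AcsTokenSigning.cer'

# Reload from disk exactly as the SharePoint commands do and confirm it round-trips.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\Certificates\AcsTokenSigning.cer'
"Saved signing certificate {0} (expires {1})" -f $reloaded.Thumbprint, $reloaded.NotAfter

# Against the live namespace (assumed metadata path), replace $sampleMetadata with
#   (Invoke-WebRequest -Uri 'https://saml11acs2.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml' -UseBasicParsing).Content
# and pass the thumbprint shown under Certificates and keys in the ACS portal as -ExpectedThumbprint.
```

The thumbprint pin is the part worth keeping in a runbook: metadata fetched over HTTPS tells you what the namespace currently claims, but it does not tell you whether that is the certificate you reviewed when the trust was set up, and SharePoint will keep validating tokens against whatever New-SPTrustedRootAuthority was given.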

Configure the site to use Trusted Identity Provider

Open SharePoint 2013 Central Administration on a SharePoint server and either create a new web application with SSL enabled or update an existing one.
  1. Navigate to Application Management.
  2. Click Manage web applications.
Manage Web Applications Settings
  3. Select a web application that has SSL enabled. Note: the Central Administration web application can NOT be used with a trusted identity provider.
  4. Click Authentication Providers on the ribbon.
  5. Click Default - Claims Based Authentication.
Authentication Providers Settings
Edit Authentication Settings

  6. Under Claims Authentication Types, tick Trusted Identity provider and select WAAD, the issuer created with New-SPTrustedIdentityTokenIssuer above. Keeping Windows authentication ticked as well leaves a sign-in path for the farm and search crawl accounts, which do not have WAAD identities.
  7. Click Save.

Define the Initial Users

  1. Select the web application for which the Windows Azure identity provider is configured.
  2. Select "User Policy" from the ribbon to bring up the "Policy for Web Application" dialog box.
Policy for Web Application Settings.
  3. Select "Add Users" in the ribbon.
  4. Select the appropriate zone, or keep the default "All Zones", and click "Next".
  5. From the "Add Users" dialog, click the people picker (address book) icon in the "Choose Users" section.
  6. Select the Trusted Identity Provider in the left frame and enter the user's e-mail address (the value of the identifier claim) in the "Find" text box at the top. Without a custom claims provider, the people picker does not validate what you type against the identity provider, so the value must match the emailaddress claim ACS issues exactly, including case.
  7. Click OK.
  8. Select the permissions intended for the user or group.
  9. Click "Finish" to go back to the "Policy for Web Application" dialog.
  10. Click "OK" to close.
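The PowerShell equivalent of the two Central Administration procedures above (enabling the trusted provider on the web application zone, then granting the first user access through a web application policy), as an added example that is not code from the original post. It must run in the SharePoint 2013 Management Shell as a farm administrator; the web application URL and the user's e-mail address are placeholders, and "WAAD" is the issuer name used with New-SPTrustedIdentityTokenIssuer above.

```powershell
# Added example, not part of the original post: script the Central Administration steps.
# Assumed values: $webAppUrl and $firstUser are placeholders for this farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = 'https://portal.contoso.local'          # assumption: an SSL web application
$issuerName = 'WAAD'                                   # issuer name from New-SPTrustedIdentityTokenIssuer
$firstUser  = 'admin@contoso.onmicrosoft.com'          # assumption: value of the emailaddress claim
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

$wa = Get-SPWebApplication -Identity $webAppUrl
if ($wa.Url -notlike 'https://*') {
    throw "Trusted identity providers require an SSL web application; $($wa.Url) is not HTTPS."
}
if ($wa.IsAdministrationWebApplication) {
    throw 'Central Administration cannot use a trusted identity provider.'
}

$trusted = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $trusted) { throw "Trusted identity token issuer '$issuerName' not found." }

# Same choice as the Authentication Providers dialog: keep Windows (NTLM) so the farm and
# crawl accounts can still sign in, and add the trusted provider for WAAD users.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $trusted

# Policy entries are keyed by the encoded claim (of the form i:05.t|WAAD|user@...), so build
# it with New-SPClaimsPrincipal instead of hand-assembling the string. Nothing here checks
# that the user exists at the identity provider; the value must match the issued claim.
$principal = New-SPClaimsPrincipal -ClaimValue $firstUser -ClaimType $emailClaim -TrustedIdentityTokenIssuer $trusted
$encoded   = $principal.ToEncodedString()

$wa = Get-SPWebApplication -Identity $webAppUrl        # re-read after Set-SPWebApplication
$existing = $wa.Policies | Where-Object { $_.UserName -eq $encoded }
if ($existing) {
    "Policy for $encoded already present; leaving it unchanged."
} else {
    # Full Control through a web application policy overrides every site permission in the
    # web application; keep it to the initial administrator and remove it once site
    # collection administrators are in place.
    $policy = $wa.Policies.Add($encoded, $firstUser)
    $fullControl = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($fullControl)
    $wa.Update()
}

# Verify: the Default zone lists both providers, and the policy resolves to the trusted issuer.
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default | Select-Object DisplayName
$wa.Policies | Select-Object UserName, DisplayName,
    @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object Name) -join ',' } }
```

The check on IsAdministrationWebApplication mirrors the note in the previous section; Set-SPWebApplication would otherwise accept the change and lock the farm administrators out of Central Administration until it was reverted from the command line.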

Login to SharePoint

Use the following steps to verify that the new identity provider is working, by ensuring that the new authentication provider appears on the sign-in prompt.

New Identity Provider login
  1. Click on the identity provider that is mapped to the portal (WAAD).
  2. Log in with WAAD credentials. An access-denied page after a successful ACS sign-in usually means the emailaddress claim that was issued does not exactly match the value entered in the web application policy.

WAAD credentials sign in.
