Introduction
SharePoint supports the SAML profile for single sign-on out of the box. This post provides guidelines for configuring the Windows Azure AD service (Access Control Service) as the identity provider.
Use the following steps to create a new Azure AD tenant and an associated namespace. In this example, we use the namespace "saml11acs2". This can be done using the Windows Azure GUI or PowerShell.
Using the Azure GUI:
In the Azure Management Portal, click Active Directory, and then create a new Azure AD tenant.
Click Access Control Namespaces, and create a new namespace.
Using PowerShell:
Open Windows PowerShell. Use the Microsoft Online Services Module for Windows PowerShell, which is a prerequisite for installing the Azure for Windows PowerShell cmdlets.
From the Windows PowerShell command prompt, type the command Connect-MsolService, and then type your credentials.
From a Windows PowerShell command prompt, type the following commands (the service principal name must not contain spaces, and $replyUrl must hold the SharePoint web application's trust endpoint):
Import-Module MSOnlineExtended -Force
# placeholder: replace <sharepoint-host> with the SSL-enabled SharePoint web application's host name
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://<sharepoint-host>/_trust/"
New-MsolServicePrincipal -ServicePrincipalNames @("https://saml11acs2.accesscontrol.windows.net/") -DisplayName "SAML ACS Namespace" -Addresses $replyUrl
Use the following steps to add a new WS-Federation identity provider to the saml11acs2 namespace.
From the Azure management portal, go to Active Directory > Access Control Namespaces, click Create a new instance, and then click Manage.
From the Azure Access Control portal, click Identity Providers > Add, as illustrated in the following figure.
Click WS-Federation identity provider, as illustrated in the following figure, and then click Next.
Fill out the display name and logon link text, and then click Save. For the WS-Federation metadata URL, type https://accounts.accesscontrol.windows.net/saml11acs2.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml. The following figure illustrates the setting.
Use the following steps to add Web Framework Portal as a relying party application.
From the Azure Access Control portal, click Relying party applications, and then click Add, as illustrated in the following figure.
Configure End Points
From the Access Control services portal, add a relying party, as illustrated in the following figure.
Use the following steps to create a new rule group to control claims-based authentication.
In the left pane, click Rule groups, and then click Add.
Type a name for the rule group, click Save, and then click Generate. For the purposes of this article, we are using Default Rule Group for SharePoint, as illustrated in the following figure.
Click the rule group that you want to change, and then click the claim rule that you want to change. For the purposes of this article, we add a claim rule to the group that passes the incoming name claim through as emailaddress, as illustrated by the following figure.
Delete the existing claim rule named "name".
Use the following steps to configure the X.509 certificate to use for token signing.
In the Access Control Service pane, under Development, click Application integration.
In Endpoint Reference, locate the Federation.xml (WS-Federation metadata) that is associated with your Azure tenant, and then open its location in the address bar of a browser.
In the Federation.xml file, locate the RoleDescriptor section, and copy the base64 value of the <X509Certificate> element, as illustrated in the following figure.
From the root of drive C:\, create a folder named Certificates.
Save the X509Certificate information to the folder C:\Certificates with the file name AcsTokenSigning.cer.
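The manual copy-and-paste above is easy to get wrong (stray whitespace, the wrong KeyDescriptor, or a certificate that has already been rolled). The following PowerShell script is an added example, not code from the original post: it fetches the federation metadata URL the post uses, selects the signing certificate under RoleDescriptor, decodes the base64 into a DER .cer at the post's C:\Certificates\AcsTokenSigning.cer path, and reports the thumbprint and expiry so they can be checked before SharePoint is told to trust the key. It assumes PowerShell 3.0 or later (for Invoke-WebRequest) and outbound HTTPS access to accesscontrol.windows.net.

```powershell
# Added example (not from the original post). Extracts the ACS token-signing
# certificate from the WS-Federation metadata instead of copying it by hand.
function Export-AcsSigningCertificate {
    param(
        # Metadata URL from the post; the tenant name is the post's saml11acs2 example.
        [string]$MetadataUrl = "https://accounts.accesscontrol.windows.net/saml11acs2.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml",
        # Output path from the post.
        [string]$OutFile = "C:\Certificates\AcsTokenSigning.cer"
    )

    # Fetch over TLS; Invoke-WebRequest validates the server certificate by default,
    # which is what makes the downloaded signing key trustworthy in the first place.
    [xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

    # Namespace-aware lookup: the signing key sits in RoleDescriptor/KeyDescriptor[@use='signing'].
    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    $nodes = $metadata.SelectNodes("//md:RoleDescriptor//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    if ($nodes.Count -eq 0) { throw "No signing certificate found in $MetadataUrl" }

    # The element body is base64 DER. Decode it and write the raw bytes; a .cer that
    # still contains the base64 text plus line breaks is a common cause of import failures.
    $der = [Convert]::FromBase64String(($nodes[0].InnerText -replace '\s', ''))
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    [IO.File]::WriteAllBytes($OutFile, $der)

    # Load what was written and surface the facts an operator should record:
    # thumbprint (to compare against the portal) and expiry (to schedule the next roll-over).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        SigningKeys    = $nodes.Count   # more than one means ACS is rolling keys; trust each of them
        Path           = $OutFile
    }
}

Export-AcsSigningCertificate
```

If SigningKeys is greater than one, ACS has published a new signing certificate alongside the old one; run the function again with a different $OutFile for the second node, or SharePoint will reject tokens once ACS switches keys.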
Define the certificate used to validate the signed WSFed assertion
Open "SharePoint Management Shell" on the SharePoint server and execute the following command to create the trusted identity token issuer. It assumes that $realm (the relying party realm), $cert (the token-signing certificate loaded from C:\Certificates\AcsTokenSigning.cer) and $email (the claim mapping for emailaddress) have already been defined:
$x=New-SPTrustedIdentityTokenIssuer -Name "WAAD" -Description "Azure Identity Provider" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email -SignInUrl "https://saml11acs2.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aacs2" -IdentifierClaim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
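The one-liner above depends on three variables the post never defines. The following script is an added example, not code from the original post: it runs in the SharePoint Management Shell and performs the whole trust setup in order, loading the certificate from the post's path, registering it as a trusted root authority, building the emailaddress claim mapping, creating the "WAAD" issuer with the post's sign-in URL, and finally reading the trust back so the signing thumbprint and expiry can be confirmed. The realm urn:sharepoint:acs2 is the URL-decoded wtrealm value from the post's sign-in URL; the trusted root authority name is an assumption, and the shell is assumed to run as a farm administrator.

```powershell
# Added example (not from the original post). Full trust setup behind the post's
# New-SPTrustedIdentityTokenIssuer command, with a validity check on the ACS signing key.
$certPath       = "C:\Certificates\AcsTokenSigning.cer"           # path from the post
$realm          = "urn:sharepoint:acs2"                           # decoded from wtrealm= in the sign-in URL
$signInUrl      = "https://saml11acs2.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aacs2"
$emailClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$rootName       = "Azure ACS Token Signing"                       # assumed name for the trusted root entry

# Load the ACS token-signing certificate and refuse one outside its validity period;
# SharePoint would otherwise accept the trust now and start failing logins later.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "ACS signing certificate $($cert.Thumbprint) is outside its validity period (expires $($cert.NotAfter))"
}

# SharePoint only trusts token signatures from certificates registered as trusted root authorities.
if (-not (Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $rootName -Certificate $cert | Out-Null
}

# Pass the incoming emailaddress claim through unchanged; the post also uses it as the identifier claim.
$email = New-SPClaimTypeMapping -IncomingClaimType $emailClaimType `
            -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# The post's command, with every input now defined above.
$x = New-SPTrustedIdentityTokenIssuer -Name "WAAD" -Description "Azure Identity Provider" `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email `
        -SignInUrl $signInUrl -IdentifierClaim $emailClaimType

# Read the trust back: this is what SharePoint will enforce on every incoming token.
Get-SPTrustedIdentityTokenIssuer -Identity "WAAD" |
    Select-Object Name, IdentifierClaim, DefaultProviderRealm,
        @{ n = 'SigningCertThumbprint'; e = { $_.SigningCertificate.Thumbprint } },
        @{ n = 'SigningCertExpires';    e = { $_.SigningCertificate.NotAfter } }
```

Record the thumbprint and expiry from the final output; when ACS rolls its signing key the new certificate has to be imported and the issuer's signing certificate updated before the old one expires, or every federated login fails with a signature validation error.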
Configure the site to use Trusted Identity Provider
Open "SharePoint 2013 Central Administration" on the SharePoint server and create a new web application with SSL enabled, or update an existing web application.
Navigate to "Application Management".
Click "Manage web applications".
Select a SharePoint web application with SSL enabled. Note: "SharePoint Central Administration" can NOT be used with SSO.
Click "Authentication Providers" from the top menu options.
Click "Default - Claims Based Authentication"
Click "Save"
Define the Initial Users
Select the web application for which Windows Azure IdP is configured
Select "User Policy" from the menu ribbon to bring up the "Policy for Web Application" dialog box.
Select "Add Users" in the menu ribbon.
Select the appropriate zone or select the default "All Zones" and select the "Next" button.
From the "Add Users" dialog, select the people picker book in the "Choose Users" section.
Select the Trusted Identity Provider in the left frame and enter a group or account name to grant access in the "Find" text box at the top.
Click "OK".
Select the Permissions intended for the user or group.
Select the "Finish" button to go back to the "Policy for Web Application" Dialog.
Select the "OK" button to close.
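The Central Administration clicks in the two sections above can also be scripted, which makes the configuration repeatable and reviewable. The following PowerShell script is an added example, not code from the original post: it enables the "WAAD" trusted identity provider on the Default zone of an SSL-enabled web application (keeping Windows authentication alongside it so farm administrators are not locked out) and adds the initial user policy for one federated account, then lists the zone's providers and the policy as a check. The web application URL and the e-mail address are placeholders, and the WAAD issuer is assumed to exist already.

```powershell
# Added example (not from the original post). Script equivalent of
# "Authentication Providers" and "User Policy" in Central Administration.
$webAppUrl   = "https://portal.example.com"   # placeholder: SSL-enabled SharePoint web application
$initialUser = "admin@example.com"            # placeholder: emailaddress claim of the first user

$wa = Get-SPWebApplication -Identity $webAppUrl
# The post's note: trusted identity providers require SSL on the web application.
if (-not $wa.Url.StartsWith("https://")) {
    throw "Trusted identity providers require an SSL-enabled web application; $($wa.Url) is not"
}

$trust           = Get-SPTrustedIdentityTokenIssuer -Identity "WAAD"
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $trust
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# "Default - Claims Based Authentication": enable both providers on the Default zone.
# Keeping Windows authentication preserves an administrative path if ACS is unavailable.
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windowsProvider, $trustedProvider

# "User Policy > Add Users": grant the first federated account Full Read at the web application level.
# Least privilege: widen to Full Control only for accounts that actually administer the site.
$principal = New-SPClaimsPrincipal -Identity $initialUser -TrustedIdentityTokenIssuer $trust
$policy = $wa.Policies.Add($principal.ToEncodedString(), $initialUser)
$policy.PolicyRoleBindings.Add(
    $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
$wa.Update()

# Verify: providers on the Default zone, then the policy that was just added.
$wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].ClaimsAuthenticationProviders |
    Select-Object DisplayName, ClaimProviderName
$wa.Policies | Where-Object { $_.UserName -eq $principal.ToEncodedString() } |
    Select-Object DisplayName, UserName,
        @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ',' } }
```

The encoded claim string in UserName (the i:05.t| form) is how SharePoint identifies a federated user; it is what the people picker stores when you add the account through the dialog, and it is the value to look for when auditing web application policies later.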
Login to SharePoint
Use the following steps to verify that the new identity provider is working by confirming that the new authentication provider appears on the sign-in prompt.
Click the identity provider that is mapped to the portal.
Log in with WAAD credentials.