Configure ADFS 3.0 with SharePoint 2013

First you need to install an ADFS 3.0 server; if you don’t know how, follow this tutorial: http://blogit.create.pt/miguelmoreno/2014/11/14/installing-adfs-on-windows-server-2012-r2/

Configure the relying party trust on ADFS

Start Server Manager, click Tools, then AD FS Management.

In the right pane, select Add Relying Party Trust.

On the welcome page of the wizard, click Start.

Select the option “Enter data about the relying party manually”.

Specify a display name.

Use the AD FS profile.

Click Next.

Select the option “Enable support for the WS-Federation Passive protocol” and enter the URL of the SharePoint trust service (e.g. https://<sharepoint server FQDN>/_trust/).

Add the uniform resource name (URN, the historical name for a uniform resource identifier, URI) of your SharePoint in the standard form urn:sharepoint:<any string>.
In my case I used urn:sharepoint:portal.

Configure Multi-Factor Authentication Now: select “I do not want to configure …”.

Select “Permit all users to access this relying party”.

Review the configuration and click Next.

Create the claim rule

After the wizard finishes, the system automatically opens the claim rules window, where you need to add some rules (Issuance Transform Rules) to complete the claims token. SharePoint uses the e-mail address for authentication, so you add a rule that sends the User Principal Name as Email Address.

Create these rules:

Rule template: Pass Through or Filter an Incoming Claim

Claim rule name: Pass Through UPN
Incoming claim type: UPN
Pass through all claim values

I am not going to include screenshots for all the rules, but create three more.

Rule template: Pass Through or Filter an Incoming Claim
Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Rule template: Transform an Incoming Claim
Claim rule name: Transform Windows Account Name to Name
Incoming claim type: Windows account name
Outgoing claim type: Name (or *Name)
Pass through all claim values

Rule template: Send LDAP Attributes as Claims
Claim rule name: Send UPN as Email Address
Attribute store: select “Active Directory”
Under “Mapping of LDAP attributes to outgoing claim types” select LDAP Attribute: User-Principal-Name
Under Outgoing Claim Type: E-Mail Address

In AD FS Management, also export the token-signing certificate. In the left pane click Service -> Certificates, right-click the token-signing certificate and click View Certificate.

You need to install this certificate on this server and on the SharePoint server.

Now you are going to export the certificate. Select the Details tab and click Copy to File.

Choose the format “DER encoded binary X.509 (.CER)”.

Specify the name of the file.
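The same export can be done from PowerShell on the AD FS server, which also makes it explicit which of the token-signing certificates you are exporting. This is an added example, not part of the original post; the output path is an assumption.

```powershell
# Added example: export the primary token-signing certificate without the GUI.
# Run on the AD FS server. The output path is a placeholder.
Import-Module ADFS

# AD FS can hold two token-signing certificates during automatic certificate rollover.
# The one flagged IsPrimary is the one currently used to sign tokens, and it is the
# one SharePoint must trust; exporting the secondary by mistake breaks sign-in.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw 'No primary token-signing certificate found.' }

$outFile = 'C:\Temp\adfs-token-signing.cer'   # placeholder path
New-Item -ItemType Directory -Force -Path (Split-Path $outFile) | Out-Null

# -Type CERT writes DER-encoded binary X.509, the same format chosen in the wizard above.
Export-Certificate -Cert $signing.Certificate -FilePath $outFile -Type CERT | Out-Null

# Record thumbprint and expiry: the SharePoint side can compare the thumbprint of what it
# imported, and the expiry tells you when the certificate will roll over.
[pscustomobject]@{
    Subject    = $signing.Certificate.Subject
    Thumbprint = $signing.Certificate.Thumbprint
    NotAfter   = $signing.Certificate.NotAfter
    File       = $outFile
}
```

After importing the file on the SharePoint server, comparing the thumbprint of Get-SPTrustedRootAuthority against the one printed here confirms the farm trusts the certificate AD FS is actually signing with.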

Configure SharePoint 2013

The first step is to import the token-signing certificate on the SharePoint server. To do this you use the “SharePoint Management Shell”. First copy the exported certificate to the SharePoint server.
After that run these commands:

# Load the exported DER certificate and register it as a trusted root authority in the farm
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<FullPathOfTheTokenSignCertFile>")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

After that register the claim provider in SharePoint:

# Map the claim types issued by AD FS; -SameAsIncoming keeps the same claim type on the SharePoint side
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
# The realm must match the relying party identifier (URN) configured in AD FS
$realm = "urn:sharepoint:portal"
# Passive sign-in endpoint of the federation service
$signInURL = "https://<ADFS Server>/adfs/ls"
# Register the trusted identity token issuer; the e-mail address claim identifies the user
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS30" -Description "AD Federation Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimMap.InputClaimType

Configure web application to use ADFS

Go to Central Administration -> Manage web applications and select the desired web application from the list. Click the Authentication Providers button and select the desired SharePoint zone. Check Trusted Identity Provider and select the newly registered provider.

Open your web application and log in with Windows authentication. Go to Site Settings -> Site Collection Administrators and add your domain e-mail address.
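Both of these steps can be done from the SharePoint Management Shell as well, which is useful when you have several web applications or zones to bind. This is an added example, not the post’s own commands; the web application URL, the zone, the issuer name “ADFS30” (from the registration above) and the e-mail address are assumptions.

```powershell
# Added example: bind the trusted identity provider to a web application zone and grant
# your federated identity site collection administrator rights.
# Run in the SharePoint Management Shell; URL, zone, issuer name and e-mail are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'https://sharepoint.contoso.local'   # placeholder web application URL
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$issuer    = Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS30'   # name used when registering the issuer

# Keep Windows authentication enabled alongside the trusted provider so an existing
# Windows administrator can still sign in if the federation trust is misconfigured.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$webApp = Get-SPWebApplication -Identity $webAppUrl
Set-SPWebApplication -Identity $webApp -Zone $zone -AuthenticationProvider $windowsProvider, $issuer

# Build the claims-encoded identity of the federated user. The e-mail address is the
# identifier claim configured on the token issuer, so this is the value AD FS will send.
$email = 'admin@contoso.local'   # placeholder: your domain e-mail address
$claim = New-SPClaimsPrincipal -ClaimValue $email `
    -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -TrustedIdentityTokenIssuer $issuer -IdentifierClaim

# Make the federated identity a site collection administrator (secondary owner).
Set-SPSite -Identity $webAppUrl -SecondaryOwnerAlias $claim.ToEncodedString()

# Verify which providers the zone now uses and how the identity was encoded.
$webApp = Get-SPWebApplication -Identity $webAppUrl
$webApp.IisSettings[$zone].ClaimsAuthenticationProviders | Select-Object DisplayName
$claim.ToEncodedString()
```

Granting the administrator right to the encoded trusted-provider identity (rather than the Windows account) is what makes the federated login work immediately: SharePoint matches users by the exact encoded claim string, so a mismatch between the identifier claim and the value you add here is the usual reason for an “access denied” after an otherwise successful ADFS sign-in.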

This post was based on some tutorials I have read:

– http://lorson.wordpress.com/2014/08/15/configure-adfs-3-0-with-sharepoint-2013-for-claim-authentication/

– http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

– http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx

Installing ADFS On Windows Server 2012 R2

Start Server Manager, click Manage, then Add Roles and Features, select Active Directory Federation Services, then click Next.

Click Next until you reach the confirmation screen, then click Install.

When installation is complete, you can launch the AD FS configuration wizard from here; alternatively, if this window is closed, it can be launched from Server Manager.

Select the option “Create the first federation server in a federation server farm” and click Next.

(If you get this error, you first need to join the server to a domain.)

Provide your domain admin credentials.

Select the SSL certificate you will use (if you don’t have one, create a self-signed certificate).

Provide your chosen display name and click Next.

It is possible to use a Group Managed Service Account (gMSA). In this case a standard service account was used.

Select the database configuration.

Review your selections.

Once the AD FS prerequisite checks pass, click Configure and wait until everything is done.

Now you have to configure the federation service.
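The role installation and the farm configuration wizard above have a PowerShell equivalent, which is handy for rebuilding the server or documenting exactly what was configured. This is an added example, not part of the original post: the federation service name, display name, service account and the use of the Windows Internal Database (the default when no SQL parameters are given) are assumptions.

```powershell
# Added example: the role installation and first-server farm configuration, scripted.
# Run in an elevated PowerShell session on the domain-joined server that will become
# the first federation server. Names and the service account are placeholders.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

$federationServiceName = 'adfs.contoso.local'           # must match the SSL certificate's CN or a SAN
$displayName           = 'Contoso Federation Service'   # shown to users on the sign-in page

# Pick the SSL certificate by its DNS name instead of pasting a thumbprint by hand.
# It needs a private key in the machine store for the federation service to use it.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.Subject -like "*CN=$federationServiceName*" -or $_.DnsNameList.Unicode -contains $federationServiceName)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) {
    throw "No certificate for $federationServiceName with a private key in LocalMachine\My."
}

# Standard (non-gMSA) service account, as in the post; you are prompted for its password
# rather than storing it in the script.
$svcCred = Get-Credential -UserName 'CONTOSO\svc_adfs' -Message 'AD FS service account'

# Create the first federation server in a new farm backed by the Windows Internal Database.
Install-AdfsFarm -CertificateThumbprint $sslCert.Thumbprint `
    -FederationServiceName $federationServiceName `
    -FederationServiceDisplayName $displayName `
    -ServiceAccountCredential $svcCred

# Confirm the service is running and reports the name you configured.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, DisplayName
```

The certificate lookup deliberately selects the longest-lived certificate with a private key for the service name; if the wizard’s certificate drop-down is empty, this is the same condition it is checking.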


Verify Federation Service Metadata

Open your browser and navigate to your ADFS server’s federation metadata URL (e.g. https://<your adfs server>/federationmetadata/2007-06/federationmetadata.xml).

Verify ADFS Sign-In Page

Browse to the ADFS sign-in page and test that you are able to authenticate (e.g. https://<your adfs server>/adfs/ls/idpinitiatedsignon.htm).
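Rather than only eyeballing the metadata and the sign-in page in a browser, the two checks above can be scripted: fetch the metadata over TLS, pull out the signing certificates it publishes, and confirm the certificate you exported for SharePoint is among them. This is an added example, not part of the original post; the hostname and the thumbprint are placeholders.

```powershell
# Added example: verify the federation metadata and the sign-in page from PowerShell.
# Hostname and thumbprint are placeholders; run from any machine that trusts the ADFS TLS certificate.
$adfsHost    = 'adfs.contoso.local'
$metadataUrl = "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml"
$signOnUrl   = "https://$adfsHost/adfs/ls/idpinitiatedsignon.htm"

# 1. The metadata must be served over a trusted TLS chain; Invoke-WebRequest fails otherwise,
#    which is the behaviour you want (SharePoint will refuse the endpoint too).
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
$xml = [xml]$response.Content

# 2. Collect every signing certificate the metadata publishes and compute its thumbprint.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$published = Select-Xml -Xml $xml -Namespace $ns `
    -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.Node.InnerText)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)).Thumbprint
    } | Sort-Object -Unique

# 3. The certificate exported for SharePoint must be one of the published signing certificates.
#    Take the value from the export step (the Thumbprint printed there).
$exportedThumbprint = 'PLACEHOLDER_THUMBPRINT'
if ($published -notcontains $exportedThumbprint) {
    Write-Warning "Exported certificate $exportedThumbprint is not a published signing certificate. Published: $($published -join ', ')"
}

# 4. Entity ID and the passive (WS-Federation) endpoint SharePoint will redirect users to;
#    the endpoint must be the sign-in URL you registered on the SharePoint side.
$xml.EntityDescriptor.entityID
Select-Xml -Xml $xml -Namespace @{ fed = 'http://docs.oasis-open.org/wsfed/federation/200706' } `
    -XPath "//fed:PassiveRequestorEndpoint//*[local-name()='Address']" |
    ForEach-Object { $_.Node.InnerText }

# 5. The IdP-initiated sign-on page should answer 200 once the service is configured.
(Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing).StatusCode
```

Step 3 is the check worth keeping around: after an automatic certificate rollover the metadata will publish a new signing certificate, and SharePoint sign-in breaks until the new certificate is imported with New-SPTrustedRootAuthority as described in the first part of the post.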
