First you need to install an ADFS 3.0 server. If you don't know how, follow this tutorial: http://blogit.create.pt/miguelmoreno/2014/11/14/installing-adfs-on-windows-server-2012-r2/


Configure the relying party on ADFS

Start Server Manager, click Tools, then AD FS Management.

On the right pane select Add Relying Party Trust.


On the Welcome page of the wizard, click the Start button.


Select the option "Enter data about the relying party manually".


Specify a display name.


Select the AD FS profile.


Click Next.


Select the option "Enable support for the WS-Federation Passive protocol" and enter the URL of the SharePoint trust service (e.g. https://<sharepoint server FQDN>/_trust/).


Add the relying party trust identifier for your SharePoint: a uniform resource name (URN, a form of uniform resource identifier (URI)) in the standard form urn:sharepoint:<Any string>. This value must match the realm you configure later on the SharePoint side.
In my case I used urn:sharepoint:portal.


On "Configure Multi-factor Authentication Now?", select "I do not want to configure …".


Select "Permit all users to access this relying party".


Review the configuration and click Next.



Create the claim rules

When the configuration wizard finishes, the system automatically opens the rule editor window, and you need to add some rules (Issuance Transform Rules) to complete the claims token. SharePoint uses the EmailAddress claim for authentication, so you add a rule that sends the User Principal Name as the Email Address.


Create these rules:

Rule template: Pass Through or Filter an Incoming Claim


Claim rule name: Pass Through UPN
Incoming claim type: UPN
Pass through all claim values


I am not going to include images for all the rules, but create three more.

Rule template: Pass Through or Filter an Incoming Claim
Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Rule template: Transform an Incoming Claim
Claim rule name: Transform Windows Account Name to Name
Incoming claim type: Windows account name
Outgoing claim type: Name (or *Name)
Pass through all claim values

Rule template: Send LDAP Attributes as Claims
Claim rule name: Send UPN as Email Address
Attribute store: select "Active Directory"
Under "Mapping of LDAP attributes to outgoing claim types" select LDAP Attribute: User-Principal-Name
Under Outgoing Claim Type: E-Mail Address


In AD FS Management, also export the token-signing certificate. In the left pane click Service -> Certificates, right-click the token-signing certificate and click View Certificate.


You need to install this certificate on this server and on the SharePoint server.


Now you are going to export the certificate. Select the Details tab and click Copy to File.


Choose the format "DER encoded binary X.509 (.CER)".


Specify the name of the file.
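The same export done from PowerShell on the AD FS server, as an added example that is not part of the original post; it also records the thumbprint so you can confirm that SharePoint ends up trusting the same certificate. The output path is an assumption.

```powershell
# Added example (not from the original post): export the primary token-signing
# certificate as a DER-encoded .CER file from PowerShell on the AD FS server and
# print its thumbprint for comparison after the import on SharePoint.
Import-Module ADFS

$outFile = "C:\Temp\adfs-token-signing.cer"   # assumed path, change as needed

# AD FS may hold a primary and a secondary token-signing certificate; export the primary.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# -Type CERT writes DER encoded binary X.509, the same format chosen in the wizard.
Export-Certificate -Cert $signing.Certificate -FilePath $outFile -Type CERT | Out-Null

# Confirm the file on disk parses back to the same certificate.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($check.Thumbprint -ne $signing.Thumbprint) { throw "Exported file does not match the AD FS certificate" }

# Keep this value: after New-SPTrustedRootAuthority on SharePoint, compare it with
# (Get-SPTrustedRootAuthority "Token Signing Cert").Certificate.Thumbprint
"Exported $($signing.Certificate.Subject), thumbprint $($signing.Thumbprint), to $outFile"
```

AD FS renews its self-signed token-signing certificate automatically by default, and SharePoint does not refresh its copy, so after a rollover the new certificate has to be exported and imported again or sign-in fails with a trust error.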


Configure SharePoint 2013


The first step is to import the token-signing certificate on the SharePoint server. To do this you use the "SharePoint Management Shell". First copy the exported certificate to the SharePoint server.
After that, run:

# Load the exported DER certificate and register it as a trusted root authority in SharePoint
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<FullPathOfTheTokenSignCertFile>")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

After that, register the claim provider in SharePoint:

# Map the incoming AD FS claim types to SharePoint claim types (same claim URI on both sides)
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
# The realm must match the relying party identifier configured in AD FS; the sign-in URL is the AD FS passive endpoint
$realm = "urn:sharepoint:portal"
$signInURL = "https://<ADFS Server>/adfs/ls"
# The e-mail address claim is the identifier claim, i.e. the value SharePoint uses to identify the user
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS30" -Description "AD Federation Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimMap.InputClaimType


Configure web application to use ADFS


Go to Central Administration -> Manage web applications and select the desired web application from the list. Click the Authentication Providers button and select the desired SharePoint zone. Under Trusted Identity Provider, select the newly registered token issuer (ADFS30).


Open your web application and log in with Windows authentication. Go to Site Settings -> Site Collection Administrators and add your domain email address.
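The same two steps done from the SharePoint Management Shell, as an added example that is not part of the original post: it binds the ADFS30 issuer to the web application's Default zone next to Windows authentication and grants the user site collection administrator rights by the encoded identifier claim, which avoids picking the wrong one of several look-alike people picker entries. The web application URL and the user e-mail address are placeholders.

```powershell
# Added example (not from the original post): bind the trusted identity token issuer to a
# web application and add a site collection administrator by claim.
# Assumptions: web application URL and user e-mail address are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://portal.contoso.local"   # assumed
$userEmail = "user@contoso.local"             # assumed

# The issuer registered above with New-SPTrustedIdentityTokenIssuer -Name "ADFS30"
$ap = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS30"

# Keep Windows authentication enabled so the first admin login described above still works.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$adfs    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $ap
$wa = Get-SPWebApplication $webAppUrl
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $adfs

# Build the claims principal exactly as SharePoint will see it after an ADFS30 login.
# The identifier claim is the e-mail address, so the encoded login name looks like
#   i:05.t|adfs30|user@contoso.local
$principal = New-SPClaimsPrincipal -Identity $userEmail -TrustedIdentityTokenIssuer $ap
$encoded   = $principal.ToEncodedString()
"Encoded claim login name: $encoded"

# Add that claims identity as a secondary site collection administrator.
Set-SPSite -Identity $webAppUrl -SecondaryOwnerAlias $encoded

# Check: the encoded claim must now appear among the site collection administrators.
$site = Get-SPSite $webAppUrl
$site.RootWeb.SiteAdministrators | Select-Object LoginName, Email
$site.Dispose()
```

Only the identifier-claim entry (the EmailAddress one) grants access; entries built from the Role, SID or UPN claims are different principals to SharePoint and do not match the logged-in user.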


This post was based on some tutorials I have read:

– http://lorson.wordpress.com/2014/08/15/configure-adfs-3-0-with-sharepoint-2013-for-claim-authentication/

– http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

– http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx

3 COMMENTS

  1. This post is very helpful and simple to understand. Thank you so much Miguel 🙂

    Keep the good work!

  2. When I try to log in using ADFS it tells me that the site has not been shared. When I log in with Windows authentication and go to site collection administrators to add my ADFS email account, I see my name listed 5 times. I'm assuming the one that has my name spelled out in full with my title is the Windows account, and then I see my user name (dprice) listed four times; if I hover over each of them I can see the description, such as ADFS30 Role, ADFS30 SID, ADFS30 EmailAddress and ADFS30 UPN. I have actually tried adding each of these one at a time and tried logging in, and I have added all of them and tried to log in, but no luck. One thing I have noticed is that when I do choose my user name dprice, the one that is associated with ADFS EmailAddress, it only puts my user name in the box and not my email address like your image shows. Does anyone have any ideas on what is wrong?

    Thank you, Don

  3. Thanks Miguel for the details on how to set it up.
    We are running into issues with the values being sent from ADFS 3.0 and the values which are getting stored in SharePoint.
    For some reason SharePoint is only picking the same email address and putting it under all the other attributes like display name, full name, etc.
    Any idea how we can correct it?
