Configure SharePoint Web Application to use third party identity provider

To configure your web application to use a third-party identity provider (TPIP), you first need the X.509 certificate the provider uses to sign its tokens, together with any CA certificates in its chain. These certificates establish the trust between the TPIP and the SharePoint farm: SharePoint accepts a token only if its signature validates against a certificate the farm has been told to trust, so whoever controls a trusted certificate can mint accepted tokens. Confirm the certificates (for example by thumbprint) directly with the provider rather than trusting whatever file arrives.

I will soon publish another blog post with an end-to-end solution for developing and configuring extranet sites that use a third-party STS for authentication. It will cover creating a custom claim provider, a custom login page and a custom HTTP module that reads the claims from the token and grants the user access to the SharePoint site.

Step 1 – Add the certificates to the SharePoint farm as trusted root authorities.

Run the following PowerShell commands in the SharePoint Management Shell, replacing the path and name with your own:

$cert = "C:\SomeCertificate1.cer"
$rootcert = Get-PfxCertificate $cert   # works for a .cer file as well; returns an X509Certificate2
New-SPTrustedRootAuthority -Name "SomeCertificate1" -Certificate $rootcert | Out-Null

Repeat this for every certificate in the chain. Alternatively, you can add the trusts through Central Administration: go to Security -> Manage Trust -> New.

 After trusts are added, you should see something like this –


Step 2 – Add the Identity Token issuer

The web application (or applications) will use this identity token issuer as its authentication provider. To add it, run the following PowerShell –

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\ReplaceWithYourRootCer.cer")

Of all the certificates you received from the third-party issuer, the one to specify here is the certificate the issuer uses to sign its tokens (the main or root certificate; with a self-signed STS certificate these are the same thing). Its chain must already have been trusted in Step 1.

$map1 = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "First Name" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "Last Name" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "UserId" -LocalClaimType ""

The empty strings are placeholders. Fill in the incoming claim type URIs exactly as the TPIP issues them in its tokens; SharePoint only carries through the claims you map, and a mapping whose incoming type does not match the token exactly yields nothing. -SameAsIncoming keeps the claim type unchanged inside SharePoint, while -LocalClaimType maps the incoming UserId claim onto the local claim type you specify.

$realm = "http://spwebappurl/_trust/"   # the relying-party identifier (wtrealm) SharePoint sends to the TPIP

The TPIP must have a relying party configured with exactly this identifier, and the signed token comes back to the /_trust/ endpoint of the web application. In production use https here, otherwise the token is POSTed to SharePoint in the clear.

$signinurl = "https://thirdpartyissuer/LoginIC/Login"   # the TPIP's login page, to which unauthenticated users are redirected
$ap = New-SPTrustedIdentityTokenIssuer -Name "NameOfTokenIssuer" -Description "SomeDescription" -UseWReply -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signinurl -IdentifierClaim $map4.InputClaimType

Note that $map4 is set as the identifier claim. SharePoint derives the user's login name from this claim, so its value must be unique to each user and must never change or be reassigned: an e-mail address that can be recycled to another person is a poor choice, an immutable user ID is a good one.

To confirm that the identity token issuer was added, run Get-SPTrustedIdentityTokenIssuer and check that the thumbprint of its SigningCertificate matches the certificate you imported.

Step 3 – Extend the existing web application to use the identity token issuer created in Step 2.

1) Open Central Administration and go to Application Management -> Manage Web Applications. Select the web application that should use this identity provider and click 'Extend' in the ribbon.

2) On the Extend page, clear the 'Enable Windows Authentication' checkbox and the 'NTLM' option, and select the checkbox for 'Trusted Identity Provider', choosing the issuer created in Step 2. You should see something like this –

Set the zone to 'Internet' in the drop-down and set the custom sign-in page in the form "/CustomLogin.aspx".

Under 'Public URL', choose the URL. It must be the same as the realm in Step 2 with the /_trust/ suffix removed, i.e. http://spwebappurl, and in production it should be an https URL: the token and the FedAuth cookie SharePoint issues after sign-in both travel over it. Disabling Windows authentication here affects only the new zone; the original zone keeps its own authentication settings.
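The whole procedure as one script, added here as an example and not the original post's code. Everything in it is an assumption to be replaced with your own values: the signing certificate at C:\Certificates\tpip-signing.cer with a thumbprint you have confirmed with the provider out of band, the standard WS-Federation claim type URIs for e-mail, given name, surname and name identifier, an existing claims-based web application at https://intranet.contoso.local, and an extranet public URL of https://extranet.contoso.local with its sign-in page. Beyond the steps above it pins the certificate by thumbprint before trusting it, registers the whole certificate chain, performs the Step 3 extension with New-SPWebApplicationExtension instead of Central Administration, and checks the registered issuer afterwards.

```powershell
# Added example, not the original post's script. Every value below is a placeholder
# (assumption) to be replaced with your own. Run from the SharePoint Management Shell.
$ErrorActionPreference = 'Stop'
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$SigningCerPath     = 'C:\Certificates\tpip-signing.cer'               # public certificate only
$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'       # agreed with the TPIP out of band
$IssuerName         = 'Contoso TPIP'
$SignInUrl          = 'https://sts.thirdparty.example/LoginIC/Login'   # the TPIP's login page
$WebAppUrl          = 'https://intranet.contoso.local'                 # existing claims-based web app
$ExtranetUrl        = 'https://extranet.contoso.local'                 # public URL of the new zone (HTTPS)
$ExtranetHost       = 'extranet.contoso.local'

# ---- Step 1: pin the token-signing certificate, then trust it and its chain ----
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SigningCerPath
if ($signingCert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Thumbprint $($signingCert.Thumbprint) does not match the value agreed with the provider; not trusting it."
}
if ($signingCert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($signingCert.NotAfter); tokens it signs will be rejected."
}

# SharePoint validates token signatures against its own SPTrustedRootAuthority store, not the
# Windows store, so the signing certificate and every issuer above it must be registered.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.Build($signingCert)
foreach ($element in $chain.ChainElements) {
    $c    = $element.Certificate
    $name = "$IssuerName $($c.Thumbprint)"
    if (-not (Get-SPTrustedRootAuthority -Identity $name -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $name -Certificate $c | Out-Null
    }
}

# ---- Step 2: claim mappings and the trusted identity token issuer ----
# Assumed claim type URIs (the standard WS-Federation ones); they must match the token exactly.
$ns = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$mapEmail  = New-SPClaimTypeMapping -IncomingClaimType "$ns/emailaddress"   -IncomingClaimTypeDisplayName 'Email Address' -SameAsIncoming
$mapFirst  = New-SPClaimTypeMapping -IncomingClaimType "$ns/givenname"      -IncomingClaimTypeDisplayName 'First Name'    -SameAsIncoming
$mapLast   = New-SPClaimTypeMapping -IncomingClaimType "$ns/surname"        -IncomingClaimTypeDisplayName 'Last Name'     -SameAsIncoming
$mapUserId = New-SPClaimTypeMapping -IncomingClaimType "$ns/nameidentifier" -IncomingClaimTypeDisplayName 'UserId'        -SameAsIncoming

# The realm is the relying-party identifier SharePoint sends as wtrealm; the TPIP must be
# configured with exactly this value. The signed token is POSTed back to /_trust/, hence HTTPS.
$realm = "$ExtranetUrl/_trust/"

$ap = New-SPTrustedIdentityTokenIssuer -Name $IssuerName -Description 'Extranet identity provider' `
    -Realm $realm -ImportTrustCertificate $signingCert `
    -ClaimsMappings $mapEmail, $mapFirst, $mapLast, $mapUserId `
    -SignInUrl $SignInUrl -IdentifierClaim $mapUserId.InputClaimType -UseWReply

# ---- Step 3: extend the web application into the Internet zone with only this provider ----
$webApp = Get-SPWebApplication -Identity $WebAppUrl
if (-not $webApp.UseClaimsAuthentication) {
    throw 'The web application must use claims-based authentication before a trusted provider can be attached.'
}
New-SPWebApplicationExtension -Identity $webApp -Name 'Extranet' -Zone Internet `
    -Url $ExtranetUrl -Port 443 -HostHeader $ExtranetHost -SecureSocketsLayer `
    -AuthenticationProvider $ap -SignInRedirectURL '/CustomLogin.aspx' | Out-Null

# ---- Verify what the farm now trusts ----
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if ($issuer.SigningCertificate.Thumbprint -ne $signingCert.Thumbprint) {
    throw 'Registered signing certificate differs from the pinned one.'
}
if ($issuer.IdentifierClaim -ne $mapUserId.InputClaimType) {
    throw 'Identifier claim is not the UserId claim.'
}
if (-not ([string]$issuer.DefaultProviderRealm).StartsWith('https://')) {
    throw 'Realm is not HTTPS; tokens would be POSTed in the clear.'
}
Write-Host "'$($issuer.Name)' trusts $($issuer.SigningCertificate.Thumbprint); identifier claim $($issuer.IdentifierClaim)"
```

Two things worth keeping in mind once this is in place. The trust is anchored on the certificate alone, so when the TPIP rotates its signing certificate every token is rejected until you import the new one with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate (after pinning its thumbprint the same way). And because users are keyed on the identifier claim, changing -IdentifierClaim later gives every user a new identity in SharePoint and orphans their existing permissions.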
