To configure your web application to use a third-party identity provider, it is very important that you obtain ALL of the X.509 certificates issued by the Third Party Identity Provider (TPIP): the token-signing certificate and every intermediate and root certificate above it. These certificates establish the trust between the third-party identity provider and the SharePoint farm. SharePoint validates the signature on every incoming token against its own trust store, not the Windows certificate store, so if any certificate in the chain is missing the sign-in fails with a certificate trust error even though the token itself is valid.
I will soon publish another blog post that provides an end-to-end solution for developing and configuring extranet sites to use a third-party STS for authentication. It will cover things such as creating a custom claim provider, a custom login page, and a custom HTTP module that reads claims from the token and grants the user access to the SharePoint site.
Step 1 – Add a trust with the SharePoint farm by registering these certificates as trusted root authorities.
Run the following PowerShell commands, replacing the path and name with your own data.
$cert = "C:\SomeCertificate1.cer"
$rootcert = Get-PfxCertificate $cert
New-SPTrustedRootAuthority "SomeCertificate1" -Certificate $rootcert | Out-Null
Repeat the same for all certificates in the chain. Alternatively, you can add these trusts through Central Administration: go to Security -> Manage Trust -> New.
After trusts are added, you should see something like this –
Step 2 – Add the Identity Token issuer
This identity token issuer will be used as authentication provider by web application/s. To add it, run this powershell –
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\ReplaceWithYourRootCer.cer")
Of all the certificates the third-party issuer gave you, specify in the command above the one the issuer uses to sign its tokens. This is the certificate SharePoint checks token signatures against, so it must be exactly that certificate, and its whole chain must already have been added in Step 1.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "First Name" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "Last Name" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UserId" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$signinurl = "https://thirdpartyissuer/LoginIC/Login"   # the URL of the TPIP's login page
$realm = "http://spwebappurl/_trust/"   # public URL of the web application zone (Step 3) followed by /_trust/
$ap = New-SPTrustedIdentityTokenIssuer -Name "NameOfTokenIssuer" -Description "SomeDescription" -UseWReply -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signinurl -IdentifierClaim $map4.InputClaimType
Note that $map4 is set as the identifier claim. SharePoint uses the identifier claim to identify the account, so its value must be unique to each user and must not change between logins; the name identifier satisfies this, whereas an email address can be reassigned. The -IdentifierClaim parameter takes the incoming claim type, which is why $map4.InputClaimType is passed rather than the local claim type.
To confirm that the identity token issuer was added, run Get-SPTrustedIdentityTokenIssuer.
Step 3 – Extend the existing web application to use the identity token issuer created in Step 2.
1) In Central Administration, go to Application Management -> Manage web applications and select the web application.
2) Click 'Extend'; this opens a new page. Here, clear the checkbox that says "Enable Windows authentication" and also the one for "NTLM", and select the checkbox for "Trusted Identity Provider". You should see something like this –
Set the zone to 'Internet' from the drop-down, and set the custom sign-in page in the form "/CustomLogin.aspx".
Under "Public URL", choose the URL. Make sure it is the same as the one given for the realm in Step 2, except that _trust is removed, i.e. http://spwebappurl. SharePoint sends the realm to the provider as the wtrealm and expects it back as the token's audience, so if the public URL and the realm do not match, the returned tokens are rejected.
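The three steps above as one PowerShell script, added here as an example and not taken from the original post. It uses the same cmdlets the post uses plus New-SPWebApplicationExtension for Step 3, and adds two checks the post does not show: that every certificate in the signing certificate's chain is in SharePoint's trust store, and that the created issuer actually carries the expected signing certificate. All paths, names and URLs (C:\Certificates, TokenSigning.cer, http://spwebapp, https://spwebappurl, the issuer name) are placeholders I have assumed. The post's own example uses http for the public URL; the script assumes https, because the provider POSTs the signed token back to the zone's /_trust/ endpoint.

```powershell
# Added example, not code from the original post: Steps 1-3 as one script.
# Assumed placeholder values (replace with your own): the certificate folder and
# signing-certificate path, the issuer name, the provider's sign-in URL, the
# existing web application URL and the public URL of the new Internet zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certFolder = "C:\Certificates"                    # all .cer files the provider gave you
$signingCer = "C:\Certificates\TokenSigning.cer"   # the certificate that signs the provider's tokens
$issuerName = "NameOfTokenIssuer"
$signInUrl  = "https://thirdpartyissuer/LoginIC/Login"
$webAppUrl  = "http://spwebapp"                    # existing web application (Default zone)
$publicUrl  = "https://spwebappurl"                # public URL of the new Internet zone
$realm      = "$publicUrl/_trust/"                 # realm must be the zone's public URL plus /_trust/

# ---- Step 1: add every certificate in the chain as a trusted root authority ----
foreach ($file in Get-ChildItem -Path $certFolder -Filter *.cer) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
    $already = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $c.Thumbprint }
    if (-not $already) {
        New-SPTrustedRootAuthority -Name $file.BaseName -Certificate $c | Out-Null
    }
}

# Check: SharePoint validates token signatures against its own trust store, so every
# element of the signing certificate's chain (leaf, intermediates, root) must be in it.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCer)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($signingCert)
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })
foreach ($element in $chain.ChainElements) {
    if ($trusted -notcontains $element.Certificate.Thumbprint) {
        throw "Not a SharePoint trusted root authority: $($element.Certificate.Subject)"
    }
}

# ---- Step 2: create the trusted identity token issuer ----
$ns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
$mappings = @(
    (New-SPClaimTypeMapping -IncomingClaimType "$ns/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming),
    (New-SPClaimTypeMapping -IncomingClaimType "$ns/givenname" -IncomingClaimTypeDisplayName "First Name" -SameAsIncoming),
    (New-SPClaimTypeMapping -IncomingClaimType "$ns/surname" -IncomingClaimTypeDisplayName "Last Name" -SameAsIncoming),
    (New-SPClaimTypeMapping -IncomingClaimType "$ns/nameidentifier" -IncomingClaimTypeDisplayName "UserId" -LocalClaimType "$ns/upn")
)
$identifier = $mappings[3]   # nameidentifier: unique and stable per user, so it identifies the account

$ap = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if (-not $ap) {
    $ap = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "Third-party STS" `
        -UseWReply -Realm $realm -ImportTrustCertificate $signingCert `
        -ClaimsMappings $mappings -SignInUrl $signInUrl -IdentifierClaim $identifier.InputClaimType
}

# Check: the issuer must carry exactly the signing certificate, otherwise every token is rejected
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($ap.SigningCertificate.Thumbprint -ne $signingCert.Thumbprint) {
    throw "Issuer '$issuerName' does not use the expected signing certificate"
}

# ---- Step 3: extend the web application into an Internet zone that uses only the issuer ----
# No Windows/NTLM provider is passed, so this zone accepts only the trusted provider.
# The SAML token is POSTed back to $publicUrl/_trust/, so the zone is published over TLS.
$webApp = Get-SPWebApplication -Identity $webAppUrl
$internet = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet
if (-not $webApp.IisSettings.ContainsKey($internet)) {
    New-SPWebApplicationExtension -Identity $webApp -Name "Extranet (Internet zone)" -Zone "Internet" `
        -URL $publicUrl -HostHeader ([System.Uri]$publicUrl).Host -Port 443 -SecureSocketsLayer `
        -AuthenticationProvider $ap -SignInRedirectURL "/CustomLogin.aspx" | Out-Null
}
```

Run it in the SharePoint Management Shell as a farm administrator. The chain check is deliberately done against Get-SPTrustedRootAuthority and not against the local machine's certificate store, because that is the store the token validation actually consults; a chain that verifies fine in certmgr can still be rejected by SharePoint if one of its members was never added in Step 1.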