Configuring SharePoint Server for Claims-based Authentication

  1. Create the Access Manager Identity Server STS for the trust relationship with SharePoint.

    1. Copy the certificates that you exported from Administration Console to the SharePoint server.

    2. Add the Identity Server trusted root certificate to the SharePoint Server list of trusted root authorities by using the following PowerShell script:

      $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\users\<administrator>\downloads\<certificate.cer>")
      
      New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root
    3. Create the cert parameter by using the Identity Server signing certificate.

      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\users\<administrator>\downloads\<certificate.cer>")
    4. Map the claims. The incoming claims are the remote attribute names that are defined in the Access Manager attribute set.

      The name and the case must match the value in the attribute mapping. For example, let us assume that you defined emailaddress and role and these are appended to the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ and http://schemas.microsoft.com/ws/2008/06/identity/claims/ namespaces respectively.

      In this example, the script to define the claims looks similar to the following:

      $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
      
      $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "emailaddress" -SameAsIncoming
    5. Define the realm. The realm defined here must match the provider ID that you specified while creating the service provider in Access Manager. For example, you can define the realm as urn:SharePoint:portal by using PowerShell with the following script:

      $realm = "urn:SharePoint:portal"
    6. Configure the Access Manager URL by using the following parameter.

      $signinurl = "http(s)://<idp_host_name>/nidp/wsfed/ep"

      When claims-based authentication is enabled and a user needs a claim to be authenticated and authorized, the authentication request must go to Identity Server, which generates the claim. SharePoint sends its authentication requests to this URL.

    7. Assign the custom IP-STS in PowerShell by using the following script:

      $ap = New-SPTrustedIdentityTokenIssuer -Name "NAM-WSFED-IDP" -Description "NAM WSFED Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 -SignInUrl $signinurl -IdentifierClaim $map2.InputClaimType

      The -Name option is the display name that is used in SharePoint to assign the identity provider.
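      The following script is an added example, not part of the Access Manager documentation or the product: it collects the seven sub-steps above into one idempotent PowerShell run and adds the pre-flight checks an administrator usually wants before touching the farm (certificate files present and within their validity period, the signing certificate chaining to the root being trusted, an https sign-in URL, and no pre-existing issuer of the same name). The file names, the Identity Server host idp.example.com and the variable names are assumptions; the cmdlets, claim types, realm and display names are the ones used in the steps above.

```powershell
# Added example (not from the Access Manager documentation). Run in the SharePoint Management
# Shell on the SharePoint server as a farm administrator. Paths and host name are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Inputs (assumed values; replace with your own) ---
$RootCertPath    = "C:\Users\administrator\Downloads\nam-root-ca.cer"   # Identity Server trusted root (assumed file name)
$SigningCertPath = "C:\Users\administrator\Downloads\nam-signing.cer"   # Identity Server token signing cert (assumed file name)
$IdpHost         = "idp.example.com"                                    # assumed Identity Server host name
$Realm           = "urn:SharePoint:portal"                              # must equal the provider ID configured in Access Manager
$IssuerName      = "NAM-WSFED-IDP"
$RootAuthName    = "Token Signing Cert Parent"
$SignInUrl       = "https://$IdpHost/nidp/wsfed/ep"

# --- Pre-flight checks ---
foreach ($p in @($RootCertPath, $SigningCertPath)) {
    if (-not (Test-Path -Path $p)) { throw "Certificate file not found: $p" }
}
# The sign-in URL is where browsers are redirected with the WS-Federation request and where the
# signed token is issued from, so insist on TLS rather than accepting a plain http URL.
if ($SignInUrl -notmatch '^https://') { throw "Sign-in URL must use https: $SignInUrl" }

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)

$now = Get-Date
foreach ($c in @($root, $cert)) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        throw "Certificate '$($c.Subject)' is outside its validity period ($($c.NotBefore) - $($c.NotAfter))"
    }
    if ($c.HasPrivateKey) {
        Write-Warning "Certificate '$($c.Subject)' carries a private key; SharePoint only needs the public certificate."
    }
}
# SharePoint validates the token signature against the trusted root list, so the signing
# certificate must chain to the root added here. A mismatch usually means an intermediate CA
# certificate also has to be added with New-SPTrustedRootAuthority.
if ($cert.Issuer -ne $root.Subject) {
    Write-Warning "Signing cert issuer '$($cert.Issuer)' does not match root subject '$($root.Subject)'; check the chain."
}

# --- Step 2: trusted root authority (skip if already registered) ---
if (-not (Get-SPTrustedRootAuthority -Identity $RootAuthName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $RootAuthName -Certificate $root | Out-Null
    Write-Output "Added trusted root authority '$RootAuthName' (thumbprint $($root.Thumbprint))"
}

# --- Step 4: claim mappings, names and case exactly as in the Access Manager attribute set ---
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
            -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
            -IncomingClaimTypeDisplayName "emailaddress" -SameAsIncoming

# --- Step 7: the trusted identity token issuer (refuse to clobber an existing one) ---
if (Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction SilentlyContinue) {
    throw "Trusted identity token issuer '$IssuerName' already exists; remove it first or choose another name."
}
$ap = New-SPTrustedIdentityTokenIssuer -Name $IssuerName -Description "NAM WSFED Federated Server" `
        -Realm $Realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 `
        -SignInUrl $SignInUrl -IdentifierClaim $map2.InputClaimType

# --- Verification: read the issuer back and show what SharePoint will actually enforce ---
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
Write-Output "Issuer         : $($ap.Name)"
Write-Output "Realm          : $($ap.DefaultProviderRealm)"
Write-Output "Sign-in URL    : $($ap.ProviderUri)"
Write-Output "Identity claim : $($ap.IdentityClaimTypeInformation.InputClaimType)"
Write-Output "Signing cert   : $($ap.SigningCertificate.Thumbprint) (expires $($ap.SigningCertificate.NotAfter))"
```

      The realm and identifier claim printed at the end are the two values that most often cause a silent failure: if the realm differs from the provider ID in Access Manager the token is rejected, and the identifier claim (emailaddress here) must be present and unique for every user, because SharePoint uses it as the user's identity.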

  2. Create or modify SharePoint applications to use the claims-based authentication.

    The application for which you want to enable claims-based authentication must be a secure application that uses SSL. Ensure that you have assigned the server certificate (the one that you imported into Access Manager) to the website binding in IIS.

    You also need to create a Site Collection for this application if it does not exist. When the application is created as a secure application, it creates the /_trust directory that is defined in Access Manager as the service provider’s login directory.

    Access Manager sends the claim to this URL when the user's credentials are validated successfully.

    1. In SharePoint Central Administration, go to Manage Web Applications > [Application Name] and select Authentication Providers.

    2. Select Trusted Identity Provider as the claims-based authentication type. In Trusted Identity Provider, select the Access Manager identity provider (NAM-WSFED-IDP).

    3. Map the incoming claim to a SharePoint application. For example, let's map the SharePointReader role from Access Manager to a SharePoint application named SP2013 Application.

      1. Log in to the SharePoint site as an admin user.

      2. Click Site Actions > Site Settings > People and Groups > [site] > New. In Find, specify the name of the Access Manager claim that you want to map to this SharePoint group. For example, if the name of the claim is SharePointReader, the following two claim-based entries are offered:

        NAM-WSFED-IDP entry with emailaddress
        NAM-WSFED-IDP entry with Role
      3. Highlight the role in Trusted and click Add > OK > OK.

    4. Select the permissions for the users with these roles.