Configuring SharePoint Server as a Service Provider

Perform the following steps to configure SharePoint Server in Access Manager as a service provider:

  1. Enable WS Federation in Identity Server. Enabling this protocol also enables the Secure Token Service (STS) protocol that is used in requests from and responses to SharePoint Server.

    1. Click Devices > Identity Servers > Edit.

    2. In the Enabled Protocols section, select WS Federation.

    3. Click OK.

    4. Update Identity Server.

  2. Create an attribute set for WS Federation.

    Claims contain formatted name-value pairs. In Access Manager, an attribute set represents the same concept. An attribute set allows you to map attribute values from your configured LDAP user store to be sent to SharePoint as a claim.

    When using WS Federation, you need to decide which attributes you want to share during authentication and map those in an attribute set. SharePoint uses these attributes to determine whether the user has permissions to access the applications and sites.

    Perform the following steps to create an LDAP mail attribute and an All Roles attribute:

    1. Click Devices > Identity Server > Shared Settings > Attribute Sets > New.

    2. Specify the following details:

      Field

      Description

      Set Name

      Specify a name that identifies the purpose of the set. For example, SP2013-AttrSet.

      Select set to use as template

      Select None.

    3. Click Next.

    4. To add a mapping for the mail attribute, perform the following steps:

      1. Click New and specify the following details.

        Field

        Description

        Local attribute

        Select LDAP Attribute:mail [LDAP Attribute Profile].

        Remote attribute

        Specify emailaddress.

        Remote namespace

        Select the option, and then specify the following namespace:

        http://schemas.xmlsoap.org/ws/2005/05/identity/claims

      2. Click OK.

    5. To add a mapping for the All Role attribute, perform the following steps:

      1. Click New.

      2. Specify the following details:

        Field

        Description

        Local attribute

        Select All Roles.

        Remote attribute

        Specify role. The name of the attribute that is used to share roles.

        Remote namespace

        Select the option and then specify the following namespace:

        http://schemas.xmlsoap.org/ws/2008/06/identity/claims

      3. Click OK.

    6. Click Finish.

  3. Enable the attribute set.

    As WS Federation uses STS, you must enable the attribute set for STS.

    1. Click Devices > Identity Server > Edit > WS Federation > STS Attribute Sets.

    2. Select SP2013-AttrSet in Available attribute sets and move it to Attribute sets.

    3. Select SP2013-AttrSet and move it to the top of the list by using the up arrow.

    4. Click OK, and then update Identity Server.

  4. Create a WS Federation service provider.

    1. Click Devices > Identity Servers > Edit > WS Federation > New > Service Provider.

    2. Specify the following details:

      Field

      Description

      Name

      Specify a name that identifies the service provider. For example, sp2013.

      Provider ID

      Specify the provider ID of the SharePoint server. This value corresponds to the realm configured on SharePoint Server. It is visible in the incoming authentication requests from SharePoint Server to Identity Server.

      The example value is urn:SharePoint:portal. This value can be any logical string and is unique to this trust relationship.

      For example, if Access Manager is providing claims to multiple SharePoint environments, each SharePoint realm must be unique.

      Sign-on URL

      Specify the URL that the user is redirected to after login. You can construct this URL by adding _trust at the end of the SharePoint web application URL.

      For example, https://sp2013.com/_trust/

      NOTE:If you use a different published DNS name than the SharePoint web application URL, then configure the sign-on URL as https://<published DNS Name:port/_trust/.

      Logout URL

      Do not specify any value. You need to configure the logout URL in SharePoint. See Configuring Logout.

      Service Provider

      Specify the path to the signing certificate exported from SharePoint Server. See Exporting the Certificates.

    3. Click Next.

    4. Confirm the certificate, and then click Finish.

  5. Configure the name identifier format.

    The default format for a new WS Federation service provider is Unspecified. This name identifier format does not work with SharePoint Server 2013 and you must change it. Additionally, the roles claims must be satisfied to gain access to SharePoint Server.

    1. Click Devices > Identity Servers > Edit > WS Federation > sp2013 > Attributes.

    2. In Attribute set, select the WS Federation attribute set you created.

    3. In Send with authentication, move All Roles and Ldap Attribute:mail attributes from Available to Send with authentication.

    4. Click Apply.

    5. Click Authentication Response.

    6. Select E-mail and then select LDAP Attribute:mail [LDAP Attribute Profile].

    7. Click OK > OK, and then update Identity Server.

  6. Set up roles for SharePoint claims.

    Based on roles assigned in Access Manager, users can have different levels of access to resources on SharePoint Server.

    1. Click Devices > Identity Servers > Edit > Roles.

    2. Click New, specify a name for the policy, select Identity Server: Roles, and then click OK.

    3. On the Rule 1 page, leave Condition Group 1 blank.

      This rule matches all authenticated users.

    4. In the Actions section, click New > Activate Role, and then specify SharePointReader.

    5. Click OK > OK > Apply Changes > Close.

    6. On the Roles page, select the role policy you just created, and then click Enable.

    7. Click OK, and then update Identity Server.

  7. Import the SharePoint Server signing certificate into NIDP Truststore.

    Identity Server must have the trusted root of the SharePoint signing certificate or the self-signed certificate listed in its trust store. Identity Server validates the SharePoint signing certificate at initialization time. This validation process must validate the issuer of the signing certificate (or chain of certificates up to the root). Most SharePoint signing certificates are part of a certificate chain, and the certificate that goes into the metadata is not the same as the intermediate or trusted root of that certificate.

    1. Click Devices > Identity Servers > Edit > General > Security > NIDP Trust Store.

    2. Under Trusted Roots, click Add > Select Keystores icon.

    3. Click Import and specify the following details:

      Field

      Description

      Certificate name

      Specify a logical name for the SharePoint trusted root. For example, SP2013-tr.

      Certificate data file (DER/PEM/PKCS7)

      Select the previously exported SharePoint trusted root certificate.

      See Exporting the Certificates.

    4. Click OK.

    5. On the Select Trusted Roots page, select the SharePoint trusted root certificate that you just imported, and then click Add Trusted Roots to Trust Stores.

      NOTE:This option does not exist in Access Manger Appliance. All components (Identity Server, ESP, and Access Gateway share the same key store and trust stores.

    6. Next to Trust store(s), click the Select Keystore icon.

    7. Select the trust stores where you want to add the trusted root certificate and click OK > OK.

    8. Update Identity Server.