Using Microsoft Azure Active Directory for SharePoint 2013 authentication
Summary
The blog post explains how to use the Azure access control service to authenticate you SharePoint Server 2013 users with Azure Active directory.
There are several reason why this would be a convenient solution:
- It integrates with SharePoint 2013 in the same way as any other authentication provider (claims based)
- Users from active directory could be synced to the Azure directory (using DirSync) – this eliminates the need for users to authenticate over VPN/trust, avoiding the problems this has been causing when the VPN has been re-keying
- Users from other active directories can also be synced into Azure directory, so those users can authenticate
- Users from other membership systems (e.g. Windows Live ID) can also be added to the same directory, so users can use those credentials if required
- Ad-hoc users can also be added to the directory, for users that don’t have any existing credentials.
- Azure directory can federate with other directories/membership providers so users from those organizations can use their own credentials to authenticate to SharePoint.
Prerequisites
- Ensure you have PowerShell 2.0 or higher installed
- You have the Azure Rights Management Administration Tool installed http://www.microsoft.com/en-us/download/details.aspx?id=30339
- You already have a web facing SharePoint publishing site which uses HTTPS
Steps that need to be completed
- Create a new Azure AD tenant and namespace.
- Add a WS-Federation identity provider.
- Add SharePoint as a relying party application.
- Create a rule group for claims-based authentication.
- Configure the X.509 certificate.
- Create a claim mapping.
- Configure SharePoint for the new identity provider.
Create a new Azure AD tenant and namespace
- Log on to your Azure Management Portal https://manage.windowsazure.com
- Click on +New which can be found in the bottom left hand corner
- Click on APP SERVICES, select ACTIVE DIRECTORY, select ACCESS CONTROL and click on QUICK CREATE
- In NAMESPACE enter a name for your access control namespace, choose a REGION and click CREATE
- Open the Access Control Service web page by clicking on ACTIVE DIRECTORY in the left hand menu, click on ACCESS CONTROL NAMESPACES in the top menu, select your name space and click on MANAGE at the bottom of the page.
The following web page will open https://yournamespace.accesscontrol.windows.net/v2/mgmt/web
- Open PowerShell as an administrator and run the following commands:
Connect-MsolService
You will be prompted for your Azure credentials, enter them and click OK
Import-Module MSOnlineExtended -Force
This will import the required PowerShell module which you installed as part of the prerequisites.
$replyUrl = New-MsolServicePrincipalAddresses -Address “https://yournamespace.accesscontrol.windows.net/”
Replace the URL with the URL of the access control service web page you opened earlier up to the first /
New-MsolServicePrincipal -ServicePrincipalNames @(“https://fuseadazure.accesscontrol.windows.net/”) -DisplayName “Fuse Azure AD Namespace” -Addresses $replyUrl
The final output will look like this:
DisplayName : Your Namespace
ServicePrincipalNames : {https://yournamespace.accesscontrol.windows.net/, e7f11c00-d714-4e36-8428-f7f2e6d219ca}
ObjectId : ee826535-0e1e-4b01-ac0a-2d62653df85a
AppPrincipalId : e7f11c00-d714-4e36-8428-f7f2e6d219ca
TrustedForDelegation : False
AccountEnabled : True
Addresses : {Microsoft.Online.Administration.RedirectUri}
KeyType : Symmetric
KeyId : 76e02056-d931-4fcb-bacb-77af2dd73041
StartDate : 11/12/2014 12:02:52
EndDate : 11/12/2015 12:02:52
Usage : Verify
Add a WS-Federation identity provider
- Open the access control service web page and click Identity providers and click on Add
- Select WS-Federation identity provider and click Next
- In Display name enter a name for your identity provider
- Under WS-Federation metadata tick URL and enter:
where [yourazureurl] is that URL of your Azure tenant. To get this log into your Azure portal and the tenant name is after https://manage.windowsazure.com/
e.g. If the URL showing when you log into Azure was https://manage.windowsazure.com/fusecollaboration.com then you would enter fusecollaboration.com as [yourazureurl]
- In Log link text enter the text that you want to show in the drop down list when users select an authentication method and click Save
Add SharePoint as a relying party application
- Open the access control service web page and click on Relying party applications and click Add
- Enter a Name for the relying party application
- In Realm enter urn:sharepoint:spvms
- In Return URL enter your SharePoint web application URL followed by /_trust/
- In Token format select SAML 1.1
- Under Identity providers select your identity provider and click Save
Create a rule group for claims-based authentication
- Click on Rule Groups and click Add
- Enter a name for the rule group and click save
- In Used by the following relying party applications select the application you created earlier
- Click Add, in the Identity Provider drop down select the provider you created earlier
- In the Input claim type section click on Select Type, click the drop down list and select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- In the Output claim type section click on Select Type and select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn from the drop down list
- Click on Save
Configure the X.509 certificate
- Under Development click on Application integration
- Locate WS-Federation Metadata and copy the URL to the right of it and open this address in a new browser tab/window
- In the XML file that is displayed locate the line <X509Certificate>
- Copy the string between <X509Certificate> and </X509Certificate>
- Open a new notepad file on your SharePoint server and paste the string into the file
- Save the file as c:\certificates\AcsTokenSigning.cer
Create a claim mapping
Log onto your SharePoint WFE Server with a farm administrators account and open PowerShell
Enter the following commands:
1.$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(���������������C:\Certificates\AcsTokenSigning.cer”)
2.New-SPTrustedRootAuthority -Name “Token Signing” -Certificate $cert
3.$map = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming
4.$map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” -IncomingClaimTypeDisplayName “GivenName” -SameAsIncoming
5.$map3 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname” -IncomingClaimTypeDisplayName “SurName” -SameAsIncoming
6.$realm = “urn:sharepoint:spvms”
7.$ap = New-SPTrustedIdentityTokenIssuer -Name “Provider” -Description “SharePoint secured by SAML in ACS” -realm $realm -ImportTrustCertificate $cert
8.-ClaimsMappings $map,$map2,$map3 -SignInUrl “https://fuseadazure.accesscontrol.windows.net/v2/wsfederation” -IdentifierClaim “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”
Configure SharePoint for the new identity provider
- Log onto your SharePoint WFE Server with a farm administrators account and open Central Administration.
- Click on Application Management and click on Manage web applications
- Select your web facing web application and click on Authentication Providers
- Under Zone click the name of the web facing zone i.e. default
- Scroll down to the Claims Authentication Types section, select Trusted identity provider, select the provider and click OK
Using the Solution
Once you have completed these steps you will see a new screen when you log onto SharePoint. This screen will show a drop down list for selecting the authentication type you want to use. Your provider will show in the list.