

SharePoint 2013: Using Azure Active Directory for SharePoint 2013 authentication

Introduction

SharePoint supports the SAML profile for single sign-on out of the box. This post provides guidelines for configuring the Azure AD service as the identity provider.

Create Azure AD tenant and namespace

Use the following steps to create a new Azure AD tenant and an associated namespace. In this example, we use the namespace "saml11acs2". This can be done using the Azure Portal or PowerShell.

Using the Azure Portal:

  1. In the Azure Management Portal, click Active Directory, and then create a new Azure AD tenant.

  2. Click Access Control Namespaces, and create a new namespace.

  3. Click Manage on the bottom bar. This should open the management portal for the namespace at https://saml11acs2.accesscontrol.windows.net/v2/mgmt/web.

Using PowerShell:

  1. Open Windows PowerShell. Use the Microsoft Online Services Module for Windows PowerShell, which is a prerequisite for installing the Azure for Windows PowerShell cmdlets.

  2. From the Windows PowerShell command prompt, type Connect-MsolService, and then enter your credentials.

  3. From the Windows PowerShell command prompt, type the following commands (the service principal name must be the namespace URL with no embedded spaces):

    Import-Module MSOnlineExtended -Force

    $replyUrl = New-MsolServicePrincipalAddresses -Address "https://saml11acs2.accesscontrol.windows.net/"

    New-MsolServicePrincipal -ServicePrincipalNames @("https://saml11acs2.accesscontrol.windows.net/") -DisplayName "SAML ACS Namespace" -Addresses $replyUrl

Add a WS-Federation identity provider to the namespace

Use the following steps to add a new WS-Federation identity provider to the saml11acs2 namespace.

  1. From the Azure management portal, go to Active Directory > Access Control Namespaces, click Create a new instance, and then click Manage.

  2. From the Azure Access Control portal, click Identity Providers > Add, as illustrated in the following figure.

    [Figure: Identity Providers > Add in the Azure Access Control portal]

  3. Click WS-Federation identity provider, as illustrated in the following figure, and then click Next.

    [Figure: selecting WS-Federation identity provider]

  4. Fill out the display name and logon link text, and then click Save. For the WS-Federation metadata URL, type https://accounts.accesscontrol.windows.net/saml11acs2.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml. The following figure illustrates the setting.

    [Figure: WS-Federation identity provider settings]

Add SharePoint as a relying party application

Use the following steps to add SharePoint as a relying party application.

  1. From the Azure Access Control portal, click Relying party applications, and then click Add, as illustrated in the following figures.

    [Figure: Relying party applications > Add]

    [Figure: adding the relying party application (continued)]

Configure endpoints

  1. From the Access Control Service portal, add a relying party, as illustrated in the following figure.

    [Figure: relying party endpoint settings]

Create a rule group for claims-based authentication

Use the following steps to create a new rule group to control claims-based authentication.

  1. In the left pane, click Rule groups, and then click Add.

  2. Type a name for the rule group, click Save, and then click Generate. For the purposes of this article, we use "Default Rule Group for SharePoint", as illustrated in the following figure.

    [Figure: the Default Rule Group for SharePoint]

  3. Click the rule group that you want to change, and then click the claim rule that you want to change. For the purposes of this article, we add a claim rule to the group that passes the incoming "name" claim through as "emailaddress", as illustrated in the following figure.

    [Figure: claim rule passing name through as emailaddress]

  4. Delete the existing claim rule named "name".

Configure the X.509 certificate

Use the following steps to obtain the X.509 certificate that ACS uses for token signing; SharePoint needs it to validate the signature on incoming tokens.

  1. In the Access Control Service pane, under Development, click Application integration.

  2. In Endpoint Reference, locate the federation metadata document (FederationMetadata.xml) that is associated with your Azure tenant, and then paste its URL into the address bar of a browser to open it.

  3. In the file, locate the RoleDescriptor section and copy the contents of the <X509Certificate> element, as illustrated in the following figure.

    [Figure: X509Certificate element in the federation metadata]

  4. From the root of drive C:\, create a folder named Certificates.

  5. Save the X509Certificate information to the folder C:\Certificates with the file name AcsTokenSigning.cer.

Define the certificate used to validate the signed WS-Federation assertion

Open the SharePoint 2013 Management Shell on the SharePoint server and run the following commands. They register the ACS signing certificate as a trusted root authority, create a claim mapping for the e-mail address claim, and create the trusted identity token issuer that points SharePoint at the ACS WS-Federation sign-in endpoint. The realm must match the realm configured for the relying party application in ACS:

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\AcsTokenSigning.cer")

    New-SPTrustedRootAuthority -Name "Azure Certificate" -Certificate $cert

    $email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

    $realm = "urn:sharepoint:acs2"

    $x = New-SPTrustedIdentityTokenIssuer -Name "WAAD" -Description "Azure Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email -SignInUrl "https://saml11acs2.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aacs2" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
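The following script is added here as a worked example and is not part of the original article. It automates the two sections above: it downloads the ACS namespace's federation metadata, extracts every signing certificate from the RoleDescriptor, writes them to C:\Certificates and registers them with SharePoint, so the certificate is never hand-copied and a rolled-over signing key is not missed. The metadata URL pattern, the WebClient download and the numbered file names are assumptions; the namespace, realm, claim type and issuer name "WAAD" are the article's.

```powershell
# Added example (not from the original article). Run in the SharePoint 2013 Management Shell.
# Assumed: the ACS namespace's metadata lives at the URL pattern below; everything else
# (namespace, realm, claim type, issuer name "WAAD") follows the article.
$namespace   = "saml11acs2"
$realm       = "urn:sharepoint:acs2"
$emailClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$metadataUrl = "https://${namespace}.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"
$certDir     = "C:\Certificates"

# Fetch over HTTPS: the TLS server certificate is what vouches for the metadata document,
# so never fall back to http:// or disable certificate validation here.
[xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
$ns = @{ md = "urn:oasis:names:tc:SAML:2.0:metadata"; ds = "http://www.w3.org/2000/09/xmldsig#" }
# Only KeyDescriptor use="signing" under a RoleDescriptor is relevant for token validation.
$nodes = Select-Xml -Xml $metadata -Namespace $ns `
    -XPath "//md:RoleDescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate"
if (-not $nodes) { throw "No signing certificate found in $metadataUrl" }

New-Item -ItemType Directory -Path $certDir -Force | Out-Null
$certs = @()
$n = 0
foreach ($node in $nodes) {
    # The element text is base64-encoded DER; decode it so the .cer is a plain DER file.
    $suffix = if ($n -eq 0) { "" } else { "$n" }
    $path   = Join-Path $certDir "AcsTokenSigning$suffix.cer"
    [IO.File]::WriteAllBytes($path, [Convert]::FromBase64String($node.Node.InnerText.Trim()))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
    Write-Host ("Signing certificate {0}: {1}, valid until {2}" -f $n, $cert.Thumbprint, $cert.NotAfter)
    # Trust every published signing key; a token signed with a rolled-over key would otherwise be rejected.
    New-SPTrustedRootAuthority -Name "Azure Certificate$suffix" -Certificate $cert | Out-Null
    $certs += $cert
    $n++
}

$email  = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
# wtrealm must match the realm configured on the ACS relying party application.
$signIn = "https://${namespace}.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=" + [Uri]::EscapeDataString($realm)
$issuer = New-SPTrustedIdentityTokenIssuer -Name "WAAD" -Description "Azure Identity Provider" -Realm $realm `
    -ImportTrustCertificate $certs[0] -ClaimsMappings $email -SignInUrl $signIn -IdentifierClaim $emailClaim
Write-Host ("Trusted identity token issuer '{0}' created for realm {1}" -f $issuer.Name, $realm)
```

Re-run the script whenever ACS publishes a new signing certificate; the thumbprints it prints can be compared against the ones shown in the Access Control portal before trusting them.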

Configure the site to use the trusted identity provider

Open SharePoint 2013 Central Administration on the SharePoint server and create a new web application with SSL enabled, or update an existing web application.

  1. Navigate to "Application Management".

  2. Click "Manage web applications".

    [Figure: Application Management > Manage web applications]

  3. Select a SharePoint web application with SSL enabled. Note: "SharePoint Central Administration" can NOT be used with SSO.

  4. Click "Authentication Providers" from the top menu options.

  5. Click "Default - Claims Based Authentication".

    [Figure: Authentication Providers for the web application]

    [Figure: Edit Authentication settings for the Default zone]

  6. Click "Save".

Define the initial users

  1. Select the web application for which the Azure IdP is configured.

  2. Select "User Policy" from the ribbon to bring up the "Policy for Web Application" dialog box.

    [Figure: Policy for Web Application dialog]

  3. Select "Add Users" in the ribbon.

  4. Select the appropriate zone, or keep the default "All Zones", and click "Next".

  5. In the "Add Users" dialog, select the people picker (address book) icon in the "Choose Users" section.

  6. Select the trusted identity provider in the left frame and enter the group or account name to grant access in the "Find" text box at the top.

  7. Click OK.

  8. Select the permissions intended for the user or group.

  9. Click "Finish" to return to the "Policy for Web Application" dialog.

  10. Click "OK" to close.
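A PowerShell equivalent of the Central Administration steps in the two sections above, added here as an example and not part of the original article: it attaches the WAAD trusted provider to the Default zone of an SSL web application while keeping Windows authentication enabled, then grants one Azure AD user Full Read through a web application policy. The web application URL and the user address are placeholders; the issuer name "WAAD" and the e-mail claim type are the article's.

```powershell
# Added example (not from the original article). Run in the SharePoint 2013 Management Shell.
$webAppUrl  = "https://sharepoint.example.com"   # placeholder: your SSL-enabled web application
$userEmail  = "user@example.com"                 # placeholder: an account known to Azure AD
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "WAAD"
$webApp = Get-SPWebApplication -Identity $webAppUrl
# Tokens are posted to SharePoint in the browser; only ever accept them on an HTTPS zone.
if (-not $webApp.Url.StartsWith("https://")) { throw "The web application must be SSL enabled" }

# Keep Windows authentication on the zone alongside the trusted provider so that farm
# administrators are not locked out if the federation trust breaks.
$windowsAp = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trustedAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windowsAp, $trustedAp

# Build the identity exactly as the trusted provider will assert it: the e-mail claim value,
# bound to the issuer, so the policy matches the token rather than a Windows account.
$principal = New-SPClaimsPrincipal -ClaimValue $userEmail -ClaimType $emailClaim -TrustedIdentityTokenIssuer $issuer
$encoded   = $principal.ToEncodedString()

# Full Read is enough for the first sign-in test; widen the policy only once sign-in works.
$policy = $webApp.Policies.Add($encoded, $userEmail)
$policy.PolicyRoleBindings.Add(
    $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
$webApp.Update()
Write-Host ("Granted Full Read on {0} to {1}" -f $webApp.Url, $encoded)
```

The encoded claim string printed at the end is the same form the people picker shows for the user, which makes the policy entry easy to audit later.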

Log in to SharePoint

Use the following steps to verify that the new identity provider is working by checking that the new authentication provider appears on the sign-in prompt.

    [Figure: sign-in prompt listing the authentication providers]

  1. Click the identity provider that is mapped to the portal.

  2. Log in with WAAD credentials.

    [Figure: Azure AD login page]