(2012-09-20) Claims Based Authorizations For Sharepoint Through ADFS (Part 7)
Posted by Jorge on 2012-09-20
-
For the previous part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 6)
-
Now we need to create a relying party trust for the SP2010 web application and configure it accordingly! You can do that through the GUI or through PowerShell. I’m going to create the RP trust through the GUI and then configure it (issuance transform rules and issuance authorization rules) through PowerShell.
Start the ADFS v2.0 MMC and navigate to the “AD FS 2.0\Trust Relationships\Relying Party Trusts” node. Right-click it and select the “Add Relying Party Trust…” option.
Click on “Start”.
Figure 1: The Add Relying Party Trust Wizard – Welcome Screen
-
Select the option “Enter data about the relying party manually” and click on “Next >”. By the way, for more information about all the three options about creating a federation trust, see: (2012-08-31) Leveraging Federation Metadata To Setup A Federation Trust (Claims Provider Or Relying Party)
Figure 2: The Add Relying Party Trust Wizard – Select Data Source
-
Specify a display name (e.g. Claims Based Sharepoint App) and click on “Next >”
Figure 3: The Add Relying Party Trust Wizard – Specify A Display Name
-
For the SP2010 web application select the “AD FS 2.0 profile” and click on “Next >”
Figure 4: The Add Relying Party Trust Wizard – Choose Profile
-
The connection to SP2010 is already secured by SSL and therefore the security token, which is transmitted over the same connection, is also protected by that! So, it is not necessary to additionally encrypt the security token itself. I honestly do not know if SP2010 supports this or not. If SP2010 did support this and you wanted to enable it, you would need to provide the public part of the token decryption certificate from SP2010. When encrypted, SP2010 would use its private key to decrypt the encrypted security token. In addition, after creating this RP trust, we also need to force ADFS not to encrypt the security token when using this RP trust.
So in this case, just click on “Next >”.
Figure 5: The Add Relying Party Trust Wizard – Token Decryption Certificate From Web App (RP)
-
Select the option “Enable support for the WS-Federation Passive Protocol” and specify the exact same URL as when the web application was created in SP2010, with the _trust part appended to it. So, in total the URL should be something like “https://app-claims.adcorp.lab:446/_trust/” (without the quotes).
Figure 6: The Add Relying Party Trust Wizard – URL
-
By default ADFS uses the URL as the identifier. Which identifier is used is not important. The only important things to remember are that it must be unique and it must be exactly the same (case-sensitive!) as what has already been configured within the SP2010 web application. In this case that would be: urn:app:sharepointclaimsapp
Add the identifier, click on “Add” and click on “Next >”.
Figure 7: The Add Relying Party Trust Wizard – Configuring Identifiers
-
By default you can only configure “Permit All” or “Deny All”. After the creation of the RP trust you can configure all kinds of complicated conditions if you want to! For now select the option “Permit all users to access this relying party” and click on “Next >”.
Figure 8: The Add Relying Party Trust Wizard – Issuance Authorization Rules
-
This page lists the configured options across the different tabs. Review them all and after that click on “Next >”.
Figure 9: The Add Relying Party Trust Wizard – Summary
-
By default the option “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” is selected. At this time UNcheck it, as we will further configure the RP trust through PowerShell.
Figure 10: The Add Relying Party Trust Wizard – Finishing
-
To get the full configuration of the just created RP trust “Claims Based Sharepoint App”, use the following PowerShell command:
Get-ADFSRelyingPartyTrust "Claims Based Sharepoint App"
Figure 11: The Configuration Of The RP Trust “Claims Based Sharepoint App”
-
First, we are going to disable security token encryption on the RP trust “Claims Based Sharepoint App”. The first and last commands show the value of EncryptClaims before and after the change:
Get-ADFSRelyingPartyTrust "Claims Based Sharepoint App" | FL Name,EncryptClaims
Set-ADFSRelyingPartyTrust -TargetName "Claims Based Sharepoint App" -EncryptClaims $false
Get-ADFSRelyingPartyTrust "Claims Based Sharepoint App" | FL Name,EncryptClaims
Figure 12: Disabling Encryption Of The Security Token For The RP Trust “Claims Based Sharepoint App”
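The same RP trust can be created entirely in PowerShell instead of through the wizard. The script below is an added example and not part of the original post; it reuses the display name, WS-Federation endpoint and identifier from the steps above, creates the trust with the default “permit all” authorization rule, disables token encryption in one go, and then verifies the settings that matter most (case-sensitive identifier match and EncryptClaims set to false). The AllowAllAuthzRule claim rule language text is the rule ADFS 2.0 generates for “Permit all users”.

```powershell
# Added example: create and verify the SP2010 RP trust without the wizard.
# Values below are taken from the post; adjust them to your own environment.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName     = "Claims Based Sharepoint App"
$rpEndpoint = "https://app-claims.adcorp.lab:446/_trust/"   # must match the SP2010 web app URL + _trust
$rpIdent    = "urn:app:sharepointclaimsapp"                  # must match SP2010 exactly, case-sensitive

# Default issuance authorization rule, equivalent to "Permit all users to access this relying party"
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-ADFSRelyingPartyTrust -Name $rpName)) {
    Add-ADFSRelyingPartyTrust -Name $rpName `
        -Identifier $rpIdent `
        -WSFedEndpoint $rpEndpoint `
        -IssuanceAuthorizationRules $permitAll `
        -EncryptClaims $false          # token travels over SSL; no separate token encryption needed
}

# Verification: the two settings that silently break the sign-in if they are wrong.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName

# -ceq is a case-sensitive comparison; a case mismatch here means SP2010 will reject the token
$identOk   = @($rp.Identifier | Where-Object { $_ -ceq $rpIdent }).Count -eq 1
$encryptOk = ($rp.EncryptClaims -eq $false)

$rp | Format-List Name, Identifier, WSFedEndpoint, EncryptClaims
"Identifier matches SP2010 (case-sensitive): $identOk"
"Token encryption disabled:                  $encryptOk"
```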
-
For the next part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 8)
-
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————