Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2012-09-15) Claims Based Authorizations For Sharepoint Through ADFS (Part 2)

Posted by Jorge on 2012-09-15


For the previous part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 1)

Now I’m going to define the claims within SP2010 that the trusted ADFS STS is able to issue for SP2010. SP2010 will be made aware of these claims when creating the authentication provider within SP2010 later on. By the way, the claims shown are specific to my environment and most likely are not used within your own environment. Before continuing with the PowerShell code below, make sure to start the SharePoint Management Shell first.

# Define The Identity Claims To Identify The User
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Logon uPNAccount" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "Logon sAMAccount" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "First Name" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "Last Name" -SameAsIncoming
$map6 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/displayname" -IncomingClaimTypeDisplayName "Display Name" -SameAsIncoming
$map7 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/adobjectdn" -IncomingClaimTypeDisplayName "AD Distinguished Name" -SameAsIncoming
$map8 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/windowsdomainnamenetbios" -IncomingClaimTypeDisplayName "Windows Domain Name (NBT)" -SameAsIncoming
$map9 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/windowsdomainnamefqdn" -IncomingClaimTypeDisplayName "Windows Domain Name (FQDN)" -SameAsIncoming
$map10 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/company" -IncomingClaimTypeDisplayName "Company" -SameAsIncoming
$map11 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/objectstatus" -IncomingClaimTypeDisplayName "Object Status" -SameAsIncoming

# Define The AuthZ Claims
$map12 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/authzbyorg" -IncomingClaimTypeDisplayName "Global AuthZ By Org" -SameAsIncoming
$map13 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/authzforappclaims" -IncomingClaimTypeDisplayName "AuthZ For App (Claims)" -SameAsIncoming

# Define The Role Claim To Be Used For Authorizations Within SP2010
$map14 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Define The Source/Target Location Claims As Introduced In ADFS v2.0 Rollup Package 1
# (Also See: https://jorgequestforknowledge.wordpress.com/2011/10/24/configuring-the-new-five-claim-types-in-adfs-after-installing-rollup-package-1-for-adfs-v2-0/)
$map15 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" -IncomingClaimTypeDisplayName "Through Proxy" -SameAsIncoming
$map16 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" -IncomingClaimTypeDisplayName "Client IP" -SameAsIncoming
$map17 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" -IncomingClaimTypeDisplayName "Endpoint Absolute Path" -SameAsIncoming
$map18 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" -IncomingClaimTypeDisplayName "Client User Agent" -SameAsIncoming
$map19 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" -IncomingClaimTypeDisplayName "Client Application" -SameAsIncoming

# Define The Targeted Application Claim
$map20 = New-SPClaimTypeMapping -IncomingClaimType "http://temp.org/targetedapp" -IncomingClaimTypeDisplayName "Targeted Application" -SameAsIncoming

The output of all that can be seen in the picture below.


Figure 1: Defining All The Claims That Can Be Used Within SharePoint 2010 When Sent From The Trusted ADFS STS

Now I’m going to define the federation service identifier (realm) that identifies the application within both SP2010 and ADFS v2.0, and finally I will define the sign-in URL within ADFS v2.0. SP2010 will be made aware of these values when creating the authentication provider within SP2010 later on. By the way, the federation service identifier is case-sensitive, so do not shoot yourself in the foot by making it complicated. Choose one case and stick with it. If you need to specify the same name in multiple locations and you use different cases, you will be troubleshooting afterwards, because it will not work. I have taught myself to always use lower-case.

# Import The ADFS Snap-In
Add-PSSnapin Microsoft.Adfs.PowerShell

# Get The ADFS Service Name
$adfsServiceName = (Get-ADFSProperties).HostName.ToLower()
$adfsServiceName

# Get The Passive Federation Address Within ADFS
$adfsFedPassiveAddress = (Get-ADFSProperties).FederationPassiveAddress
$adfsFedPassiveAddress

# Define The Realm For Sharepoint That Identifies It Within Sharepoint And ADFS
$realm = "urn:app:sharepointclaimsapp"

# Define The Signin URL
$signInUrlADFS = "https://" + $adfsServiceName + $adfsFedPassiveAddress
$signInUrlADFS

The output of all that can be seen in the picture below.


Figure 2: Defining Federation Service ID For The Claims Based Web Application And The Sign-In URL Within ADFS

Now with all that information it is time to define the trusted authentication provider within SP2010.

# Create the new authN provider within sharepoint
# ($ADFSTokenSigningCertSP2010 holds the ADFS token-signing certificate loaded earlier)
$AuthNProvider1 = New-SPTrustedIdentityTokenIssuer -Name "ADCORP ADFS v2 STS" `
    -Description "Secured By ADFSv2 @ ADCORP" `
    -Realm $realm `
    -ClaimsMappings $map1,$map2,$map3,$map4,$map5,$map6,$map7,$map8,$map9,$map10,$map11,$map12,$map13,$map14,$map15,$map16,$map17,$map18,$map19,$map20 `
    -ImportTrustCertificate $ADFSTokenSigningCertSP2010 `
    -SignInUrl $signInUrlADFS `
    -IdentifierClaim $map1.InputClaimType

# Get the configured provider in Sharepoint
Get-SPTrustedIdentityTokenIssuer

The output of all that can be seen in the picture below.


Figure 3: Creating The Trusted Authentication Provider Within Sharepoint 2010
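The three steps above (define the claim mappings, define the realm and sign-in URL, create the trusted identity token issuer) as one added example; this is not code from the original post. It drives the mappings from a table so the claim list can be checked before anything is created, and it ends by reading back what SharePoint actually stored, because the identity claim, the sign-in URL and the trusted signing certificate are exactly the settings a mistake in this procedure silently breaks. It assumes the SharePoint 2010 Management Shell on a farm server, that $signInUrlADFS and $ADFSTokenSigningCertSP2010 (the ADFS token-signing certificate) were set earlier in the series, and that the claim-type URIs are the ones the ADFS STS really issues; the table lists a subset of the twenty claims above.

```powershell
# Added example (not from the original post): table-driven version of the
# procedure above plus a read-back of the result.
# Assumptions: SharePoint 2010 Management Shell (PowerShell 2.0) on a farm server;
# $signInUrlADFS and $ADFSTokenSigningCertSP2010 were set earlier in the series.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Subset of the twenty claims from the post; extend the table to add the rest.
# SharePoint stores the claim-type URIs as given, so copy them exactly as ADFS issues them.
$claimTable = @(
    @{ Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";         Name = "Email Address" }
    @{ Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";                  Name = "Logon UPN Account" }
    @{ Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"; Name = "Logon sAMAccount" }
    @{ Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";               Name = "Role" }
    @{ Type = "http://temp.org/authzforappclaims";                                          Name = "AuthZ For App (Claims)" }
    @{ Type = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"; Name = "Client IP" }
)

# The claim SharePoint uses as the user's identity. It must be unique per user and
# must be one of the mapped claims (the post uses the e-mail address claim).
$identifierClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Fail fast on the two mistakes that are painful to diagnose after the issuer exists:
# a duplicated input claim type, and an identifier claim that is not mapped at all.
$dupes = $claimTable | Group-Object -Property { $_.Type } | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    throw ("Duplicate claim type(s): " + (($dupes | ForEach-Object { $_.Name }) -join ", "))
}
if (-not ($claimTable | Where-Object { $_.Type -ceq $identifierClaimType })) {
    throw "Identifier claim '$identifierClaimType' is not in the mapping table"
}

# Build the SPClaimTypeMapping objects (the equivalent of $map1..$map20 above).
$mappings = foreach ($c in $claimTable) {
    New-SPClaimTypeMapping -IncomingClaimType $c.Type `
        -IncomingClaimTypeDisplayName $c.Name -SameAsIncoming
}

# Create the trusted identity token issuer with the same parameters as the post.
$issuerName = "ADCORP ADFS v2 STS"
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "Secured By ADFSv2 @ ADCORP" `
    -Realm "urn:app:sharepointclaimsapp" `
    -ClaimsMappings $mappings `
    -ImportTrustCertificate $ADFSTokenSigningCertSP2010 `
    -SignInUrl $signInUrlADFS `
    -IdentifierClaim $identifierClaimType

# Read back what the farm will actually trust: which claim identifies the user,
# where users are redirected to sign in, and the thumbprint of the certificate
# whose signature is accepted on incoming tokens. Compare that thumbprint with the
# primary token-signing certificate on the ADFS server
# (Get-ADFSCertificate -CertificateType Token-Signing); a mismatch means every
# token is rejected with a signature-validation error.
$stored = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
"Identity claim : " + $stored.IdentityClaimTypeInformation.InputClaimType
"Sign-in URL    : " + $stored.ProviderUri
"Signing cert   : " + $stored.SigningCertificate.Thumbprint
$stored.ClaimTypeInformation | Select-Object InputClaimType, DisplayName | Format-Table -AutoSize
```

The read-back at the end is worth keeping as a routine check: SharePoint only trusts the certificate that was imported at creation time, and ADFS v2.0 automatically generates a new token-signing certificate before the current one expires when AutoCertificateRollover is enabled (the default). After such a rollover the thumbprint SharePoint trusts no longer matches the certificate ADFS signs with, and sign-in fails until the new certificate is imported.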

REMARK: if you have multiple SP2010 web applications supporting claims, you need to define an identifier (realm) for each of them. To read how to do this, see either http://blogs.technet.com/b/speschka/archive/2010/04/27/how-to-create-multiple-claims-auth-web-apps-in-a-single-sharepoint-2010-farm.aspx or http://blog.auth360.net/2011/03/28/adding-multiple-claims-aware-web-applications-to-a-sharepoint-2010-farm/

For the next part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 3)

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

