Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2012-09-20) Claims Based Authorizations For Sharepoint Through ADFS (Part 7)

Posted by Jorge on 2012-09-20


For the previous part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 6)

Now we need to create a relying party trust for the SP2010 web application and configure it accordingly! You can do that through the GUI or through PowerShell. I’m going to create the RP trust through the GUI and then configure it (issuance transform rules and issuance authorization rules) through PowerShell.

Start the ADFS v2.0 MMC and navigate to the “AD FS 2.0\Trust Relationships\Relying Party Trusts” node. Right-click it and select the “Add Relying Party Trust…” option.

Click on “Start”.


Figure 1: The Add Relying Party Trust Wizard – Welcome Screen

Select the option “Enter data about the relying party manually” and click on “Next >”. By the way, for more information about all the three options about creating a federation trust, see: (2012-08-31) Leveraging Federation Metadata To Setup A Federation Trust (Claims Provider Or Relying Party)


Figure 2: The Add Relying Party Trust Wizard – Select Data Source

Specify a display name (e.g. Claims Based Sharepoint App) and click on “Next >”


Figure 3: The Add Relying Party Trust Wizard – Specify A Display Name

For the SP2010 web application select the “AD FS 2.0 profile” and click on “Next >”


Figure 4: The Add Relying Party Trust Wizard – Choose Profile

The connection to SP2010 is already secured by SSL, and the security token, which is transmitted over that same connection, is therefore also protected by it! So there is no need to additionally encrypt the security token itself. I honestly do not know if SP2010 supports this or not. If SP2010 did support it and you wanted to enable it, you would need to provide the public part of the token decryption certificate from SP2010. When encrypted, SP2010 would use its private key to decrypt the encrypted security token. In addition, after creating this RP trust, we also need to force ADFS not to encrypt the security token when using this RP trust.

So in this case, just click on “Next >”.


Figure 5: The Add Relying Party Trust Wizard – Token Decryption Certificate From Web App (RP)

Select the option “Enable support for the WS-Federation Passive Protocol” and specify the exact same URL as was used when the web application was created in SP2010, with the _trust part added to it. So, in total the URL should be something like “https://app-claims.adcorp.lab:446/_trust/” (without the quotes).


Figure 6: The Add Relying Party Trust Wizard – URL

By default ADFS uses the URL as the identifier. Which identifier is used is not important. The only important things to remember are that it must be unique and that it must be exactly the same (case-sensitive!) as what has already been configured within the SP2010 web application. In this case that would be: urn:app:sharepointclaimsapp

Add the identifier, click on “Add” and click on “Next >”.


Figure 7: The Add Relying Party Trust Wizard – Configuring Identifiers

By default you can only configure “Permit All” or “Deny All”. After the creation of the RP trust you can configure all kinds of complicated conditions if you want to! For now select the option “Permit all users to access this relying party” and click on “Next >”.


Figure 8: The Add Relying Party Trust Wizard – Issuance Authorization Rules

This page lists the configured options across the different tabs. Review them all and after that click on “Next >”.


Figure 9: The Add Relying Party Trust Wizard – Summary

By default the option “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” is selected. At this time UNcheck it as we will further configure the RP trust through PowerShell.


Figure 10: The Add Relying Party Trust Wizard – Finishing

To get the full configuration of the just created RP trust “Claims Based Sharepoint App”, use the following PowerShell command:

Get-ADFSRelyingPartyTrust "Claims Based Sharepoint App"


Figure 11: The Configuration Of The RP Trust “Claims Based Sharepoint App”

First, we are going to disable security token encryption on the RP trust “Claims Based Sharepoint App”.

Get-ADFSRelyingPartyTrust "Claims Based Sharepoint App" | FL Name,EncryptClaims
Set-ADFSRelyingPartyTrust -TargetName "Claims Based Sharepoint App" -EncryptClaims $false
Get-ADFSRelyingPartyTrust "Claims Based Sharepoint App" | FL Name,EncryptClaims


Figure 12: Disabling Encryption Of The Security Token For The RP Trust “Claims Based Sharepoint App”
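The wizard steps above and the encryption change can also be done in one go from PowerShell. The script below is an added example (it is not part of the original post): it creates the same RP trust with the AD FS 2.0 snap-in, using the display name, identifier and WS-Federation URL from this post, applies the same “permit all” issuance authorization rule the wizard offers, switches security token encryption off, and then reads the trust back to check the settings that matter for the SP2010 side. It assumes it runs on the ADFS server where the Microsoft.Adfs.PowerShell snap-in is available, and that SP2010 has already been configured with the identical (case-sensitive) identifier.

```powershell
# Added example, not from the original post: create and verify the SP2010 RP trust.
# Values are the ones used in this post; the SharePoint side is assumed to be done.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName       = "Claims Based Sharepoint App"
$rpIdentifier = "urn:app:sharepointclaimsapp"                  # must match SP2010 exactly (case-sensitive)
$rpWsFedUrl   = "https://app-claims.adcorp.lab:446/_trust/"   # web application URL plus /_trust/

# Issuance authorization rule equivalent to "Permit all users to access this relying party"
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-ADFSRelyingPartyTrust -Name $rpName)) {
    # Trust does not exist yet: create it with token encryption already disabled
    Add-ADFSRelyingPartyTrust -Name $rpName `
        -Identifier $rpIdentifier `
        -WSFedEndpoint $rpWsFedUrl `
        -EncryptClaims $false `
        -IssuanceAuthorizationRules $permitAll `
        -Notes "RP trust for the claims based SP2010 web application"
}
else {
    # Trust already exists (e.g. created by the wizard): only switch encryption off
    Set-ADFSRelyingPartyTrust -TargetName $rpName -EncryptClaims $false
}

# Read the trust back and check the settings SP2010 depends on
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$checks = @(
    @{ Name = "Identifier present";      Ok = ($rp.Identifier -ccontains $rpIdentifier) },
    @{ Name = "WS-Fed endpoint";         Ok = ([string]$rp.WSFedEndpoint -eq $rpWsFedUrl) },
    @{ Name = "Token encryption off";    Ok = (-not $rp.EncryptClaims) },
    @{ Name = "Authorization rules set"; Ok = (-not [string]::IsNullOrEmpty($rp.IssuanceAuthorizationRules)) },
    @{ Name = "Trust enabled";           Ok = [bool]$rp.Enabled }
)
$checks | ForEach-Object {
    "{0,-25} : {1}" -f $_.Name, $(if ($_.Ok) { "OK" } else { "CHECK" })
}
```

The identifier comparison uses -ccontains on purpose: a trust whose identifier differs from the SP2010 one only in case still fails at sign-in, so a case-insensitive check would hide exactly the mistake the post warns about.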

For the next part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 8)

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

One Response to “(2012-09-20) Claims Based Authorizations For Sharepoint Through ADFS (Part 7)”

  1. […] Server Core (2) « (2012-09-20) Claims Based Authorizations For Sharepoint Through ADFS (Part 7) […]
