Claims Based Authentication with SharePoint 2010
Architecture
Overview

The claims-based identity model for Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010 is built upon Windows Identity Foundation (WIF), formerly code-named "Geneva" Framework Beta. Claims-based identity is an identity model in SharePoint Foundation 2010 and SharePoint Server 2010 that includes features such as authentication across users of Windows-based and non-Windows-based systems, multiple authentication types, stronger real-time authentication, a wider set of principal types, and delegation of user identity between applications. When you build claims-aware applications, the user presents an identity to your application as a set of claims. One claim could be the user's name, another might be an e-mail address. The idea is that an external identity system is configured to give your application all the information it needs about the user with each request, along with cryptographic assurance that the identity data you receive comes from a trusted source. Under this model, single sign-on is much easier to achieve.
5. Create a claims-enabled SharePoint web application. In Central Administration, click "Create new Web Application" and select the "Claims Based Authentication" radio button in the Authentication section. Create the base site collection after this.
Figure 1: Issuers, security tokens, and applications
Figure 2: ADFS functions
Steps
- Create a local server instance with Windows Server 2008 R2 and SQL Server, and set it up as a domain controller.
- Install ADFS 2.0 RC.
- Open the command prompt and change to the ADFS installation folder:
  cd "%programfiles%\Active Directory Federation Services 2.0"
- Configure ADFS with your database instance (instead of the default internal database). From the command prompt, type the following and fill in your details:
  FsConfigWizard.exe -sqlhost: -sqlinstance: -servacct: -servpass: [-dropdb]

  Parameters:
  - -sqlhost: Specifies the name of the computer that is running an instance of SQL Server for use with AD FS 2.0. For example, if the local computer is to be specified, type localhost here.
  - -sqlinstance: Specifies the name of the SQL Server database instance to be used as the database. For example, to specify that the default SQL instance that AD FS 2.0 Setup creates is to be used, type SQLEXPRESS here.
  - -servacct: Specifies the name of the Active Directory service account to use for running the AD FS 2.0 service. For example, to specify that the Network Service account for the Contoso domain be used, type CONTOSO\NetworkService here.
  - -servpass: Specifies the password text for the account set using the -servacct parameter.
  - -dropdb (optional): If this parameter is specified, any existing database that is found is deleted or overwritten. If it is omitted and an existing AD FS 2.0 database is located, that database will be used. If no existing database is located, the database will be created as needed. To create the database, AD FS 2.0 uses the SQL Server instance set using the -sqlhost and -sqlinstance parameters.
Configure Role PowerShell Script

# Load the ADFS token-signing certificate that SharePoint will trust
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[YOUR_STS_SIGNING_CERT].cer")
# Map the incoming e-mail claim to the same claim type in SharePoint
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
# Realm (relying party identifier) and ADFS sign-in endpoint
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
# Register ADFS as a trusted identity token issuer, using the e-mail claim as the identifier
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

HINT: You can copy and paste the above PowerShell commands into a text file. Save the text file with the .ps1 extension and you will be able to execute the file from within PowerShell. Be sure to launch "SharePoint 2010 Management Shell", as this loads all the SharePoint-related extensions.

11. You should now be able to add the Federated Identity Provider in Central Administration. Navigate to Web Applications Management, highlight the web application, and click the Authentication Providers button in the ribbon. You should now see your new provider in the Federated Identity Provider section of the Edit Authentication window.
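The imported certificate is the trust anchor for every token SharePoint will accept, so it is worth checking before and after the script above. The following is an added example, not code from the original post: it verifies the certificate file against a thumbprint obtained out of band and its validity window, then confirms the issuer that was created uses that certificate, an HTTPS sign-in URL and the e-mail identifier claim. The file path, thumbprint and issuer name are placeholders/assumptions; run it from the SharePoint 2010 Management Shell.

```powershell
# Added example: validate the ADFS signing certificate and the resulting issuer.
# Placeholders below are assumptions and must be replaced for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath           = "c:\[YOUR_STS_SIGNING_CERT].cer"
$expectedThumbprint = "[THUMBPRINT_CONFIRMED_WITH_THE_ADFS_ADMIN]"   # obtained out of band
$issuerName         = "ADFS20Server"
$emailClaim         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. Check the certificate file before it becomes SharePoint's trust anchor.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$problems = @()
if ($cert.Thumbprint -ne $expectedThumbprint.Replace(" ", "").ToUpper()) {
    $problems += "Thumbprint $($cert.Thumbprint) does not match the expected value"
}
if ($cert.NotBefore -gt (Get-Date)) {
    $problems += "Certificate is not yet valid (NotBefore $($cert.NotBefore))"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate expires on $($cert.NotAfter); plan the signing-key rollover"
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to continue with an unverified signing certificate"
}

# 2. Verify the issuer created by New-SPTrustedIdentityTokenIssuer.
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($ap -eq $null) { throw "Trusted identity token issuer '$issuerName' not found" }

if ($ap.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Issuer is bound to a different signing certificate than $certPath"
}
if ($ap.ProviderUri.Scheme -ne "https") {
    Write-Warning "Sign-in URL $($ap.ProviderUri) is not HTTPS; tokens would cross the wire in clear"
}
if ($ap.IdentifierClaim -ne $emailClaim) {
    Write-Warning "Identifier claim is $($ap.IdentifierClaim); expected the e-mail claim"
}
# Show the claim mappings so they can be compared with what ADFS is configured to issue.
$ap.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType | Format-Table -AutoSize
```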