Thursday, March 2, 2017

Using Microsoft Azure Active Directory for SharePoint 2013 authentication


Summary: Use the Azure Access Control Service to authenticate your SharePoint Server 2013 users with Azure Active Directory.

This article explains how you can use the Azure Access Control Service to authenticate your SharePoint 2013 users with Azure AD, instead of your on-premises Active Directory. In this configuration, Azure AD becomes a trusted identity provider for SharePoint 2013. This configuration adds a user authentication method that is separate from Active Directory authentication used by the SharePoint 2013 installation itself. For more information on WS Federation, see Understanding WS-Federation.
The below diagram shows how authentication works for SharePoint 2013 users in this configuration.
ic728833

Configuration Overview

  1. Create a new Azure AD tenant and namespace.
  2. Add a WS-Federation identity provider.
  3. Add SharePoint as a relying party application.
  4. Create a rule group for claims-based authentication.
  5. Configure the X.509 certificate.
  6. Create a claim mapping.
  7. Configure SharePoint for the new identity provider.
  8. Set the permissions.
  9. Verify the new provider.

    Create ACS and Azure AD App

    Use the following steps to create a new Azure AD tenant and an associated namespace. In this example, we use the namespace "specmazureadservice"
    1. In the Azure Management Portal, click Active Directory.
    2. Click Access Control Namespaces, and create a new namespace.
    3. Click Manage on the bottom bar. This should open this location, https://specmazureadservice.accesscontrol.windows.net/v2/mgmt/web.
    4.  
    5. Go to Azure AD and create new App. In my  case the app name is 'AZ AD Tenant APP'.
    6. Put the Sign-on Url same as ACS url "https://specmazureadservice.accesscontrol.windows.net/"
    7. App ID can be any unique url. I have used the same ACS url.
    8. For Reply URL, use the same ACS url "https://specmazureadservice.accesscontrol.windows.net/"
    9. Save the App.
    10. click on the "View Endpoints" at bottom and copy "Federation Metadata Document" url.

Add a WS-Federation identity provider to the namespace

Use the following steps to add a new WS-Federation identity provider to the "specmazureadservice" namespace.
  1. From the Azure management portal, go to Active Directory > Access Control Namespaces, select the ACS created  and then click Manage.
  2. From the Azure Access Control portal, click Identity Providers > Add, as illustrated in the following figureacshome
  3. Click WS-Federation identity provider, as illustrated in the following figure, and then click Nextacs_addidprovider
Fill out the display name and logon link text, and then click Save. For the WS-Federation metadata URL, put the url copied from AD App Federation Metadata document. eg. https://login.microsoftonline.com/e0b26355-1889-40d8-8ef1-e559616defth/federationmetadata/2007-06/federationmetadata.xml. The following picture illustrates the setting.acs_addws-fedidprovider
Add SharePoint as a relying party application
  1. From the Azure Access Control portal, click Relying party applications, and then click Add, as illustrated in the following pictureacs_addrelypartapp
  2. Provide the display name  eg "ECM Azure AD Rely".
  3. provide Realm , eg - "urn:sharepoint:spapps-stg".
  4. provide Return url as your sharepoint web application url "/_trust" , eg- "http://sharepoint.com/_trust".
Select SAML 1.1 as the token format url. Select IDP and click save. Below picture gives an overview of how it looks like.acs_addrelypartysettingsacs_addrelypartysettings2

Create a rule group for claims-based authentication

  1. In the left pane, click Rule groups, and then click Add.
  2. Type a name for the rule group, click Save, and then click Generate. For the purposes of this article, we are using Default Rule Group for. ECM Azure AD Rely, as illustrated in the below picture.acs_rulegroup
    acs_rules
Click the rule group that you want to change, and then click the claim rule that you want to change. For the purposes of this article, we add a claim rule to the group to pass name as upn, as illustrated by the below picture.acs_newclaimrule

Configure the X.509 certificate

  1. In the Access Control Service pane, Click on Certificates and Keys as given in below pciture certandkeys
  2. Click on Add and copy the makecert command as highlighted in below picture.addtokensigningcert
  3. Create a new certificate with the command in local machine and export it as .pfx (with password) and .cer .
  4. Upload the TokenSigning certificate in the choose file and provide the same password.
  5. Make it primary and click save.

Create a claim mapping by using SharePoint Management Shell

Below is the script I used to configure the claim mapping and New Trusted Identity provider for Azure AD Connect.
$realm = "urn:sharepoint:spapps-stg"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("F:\Jollgin\certs\ACSTokenSigning.cer")
New-SPTrustedRootAuthority -Name "ACS EK Token Signing" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming

New-SPTrustedIdentityTokenIssuer -Name "ACS Provider" -Description "SharePoint secured by SAML in ACS" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3 -SignInUrl "https://specmazureadservice.accesscontrol.windows.net/v2/wsfederation" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

Configure SharePoint for the new identity provider

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
  2. In Central Administration, on the home page, click Application Management.
  3. On the Application Management page, in the Web Applications section, click Manage web applications.
  4. Click the appropriate web application.
  5. From the ribbon, click Authentication Providers.
  6. Under Zone, click the name of the zone. For example, Im using Custom as my web application is an extended one.
  7. On the Edit Authentication page, in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your provider, which for purposes of this article is ACS Provider. Click OK.
The below picture illustrates the Trusted Provider settingsptrustedidp

Set the permissions

For testing purpose, Go to user policy in web application and provide everyone read access to the web application and later on remove and give individual permissions in site level.

Verify the new provider

  1. Enter the web application url in browser.
  2. I had my custom login page and it looks like belowsplogin
  3. Click on Azure AD Connect and you will be redirected to login.microsoftonline.com. Provide you organization account or onmicrosoft account and once authenticated with Azure AD, you will be back to the SharePoint onpremise application.
With this you have acheived the WS Federation login for your on premise sharepoint application, you can have onmicrosoft account which is not in you AD and login to on premise sharepoint application.

No comments:

Post a Comment