Monday, June 25, 2012

User Profile Service & ADFS in Multi-Tenant

For the past several weeks, I have been working on getting ADFS to work in a dedicated environment. The process is fairly simple once you have a server with ADFS running.
Here is a list of things you need in SP:
  1. The token-signing certificate of the ADFS server.
  2. The IIS web server certificate of the server hosting ADFS.
  3. At least a self-signed SSL certificate for the IIS server that is hosting SP.
  4. You need to define your claims in ADFS and then map them in SP as well.
  5. Finally, you have to write a PowerShell script something like the one below in order to set up the new trusted identity token issuer.


# Trust the ADFS token-signing certificate (exported from the ADFS server).
write-host "Adding ADFS Cert"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS\adfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# Map each incoming claim type issued by ADFS to a SharePoint claim of the same name.
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "windowsaccountname" -SameAsIncoming
$map6 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "GroupsId" -SameAsIncoming

# Realm (relying party identifier); it must match the identifier configured for SP in ADFS.
$realm = "urn:seo:sharepointMT"

write-host "Setting up STS in SharePoint"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS Provider" -Description "SharePoint secured by SAML" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5,$map6 -SignInUrl "https://ADFSServer/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# This is the ADFS web server (SSL) cert.
$certPath = "C:\ADFS\MachineCert.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS web server" -Certificate $cert

# This is the SSL cert associated with the server running IIS/SP.
$mycert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS\VM55.cer")
New-SPTrustedRootAuthority -Name "IISSSL" -Certificate $mycert


User Profile Service using ADFS

In order to get this to work, there are a few things that have to be done before synchronizing users.

Here is a list:
  • Port 389 has to be open on the network that has the ADFS server running.
  • An AD user who has been delegated replication permission should be created and provided to SP.
  • Then you can go to the User Profile Service, add a new connection and choose ADFS as the login method. When you choose ADFS, your STS provider will be listed in a drop-down; choose it. Then enter the user name and password of the AD user created above and save.
  • Finally, start an incremental or full import.
ADFS & Multi-Tenancy

I did not find a lot of information on how ADFS works in multi-tenancy. In Office 365 it works, but that is in the cloud. I started on this after finishing the two big technical blocks above. I was able to successfully set up ADFS in a multi-tenant environment.

You may have a scenario where two tenants are connected to different ADFS servers and you only want to display the STS each tenant is mapped to. This can be accomplished by creating a custom login page with a drop-down that lists the name of the STS provider the tenant is mapped to. This drop-down can be populated in multiple ways.

UPS using ADFS in multi-Tenant

This was the granddaddy of all the above, or in other words the cherry on top of this massive technical sundae. I got this to work as well. It was not bad, but the one catch is that you have to set the OU when provisioning tenants. There is a document on Harbar.net that details how to set up the OU; other than that it is fairly similar to the dedicated environment. The other notable difference is that you use the UPS in Central Administration (CA) to set up the connection and so forth. However, you need to go to the tenant's CA to see all the users.

If you are having difficulties getting this to work, here is a list of things you may want to check:
  • You should be able to log in successfully via ADFS.
  • Port 389 is open.
  • A user with the appropriate permission has been used. (Note: a farm admin or system admin account will not help.)
  • Check Forefront Identity Manager for the successes and failures.
If the above still does not help, it is time to open the SQL Server instance associated with SP. This is not something you should normally be touching, but if all of the above is correct, you would have to open the Profile database. In that database, look at the Tenant table and its SynchronizationOU column. This column should hold the OU you defined for the tenant. Then, finally, look at UserProfile_Full and ensure the users exist; if they do, check the partition id to ensure they are mapped to the right tenant.
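As an added example that is not part of the original post, the script below turns the checklist above into a read-only verification run from the SharePoint server: it confirms the trusted identity token issuer exists and lists its claim mappings, checks that the token-signing certificate SharePoint holds is unexpired and matches the trusted root authority, tests that port 389 is reachable, and reads the SynchronizationOU column of the Tenant table. It assumes the issuer name "ADFS Provider" and root authority name "Token Signing Cert" from the setup script earlier on this page; the domain controller name, the tenant OU, the database connection string and the dbo schema prefix on the Tenant table are placeholders or assumptions to replace with your own values.

```powershell
# Added verification script, not from the original post. Read-only: it changes
# nothing in SharePoint, ADFS or the database.
# Assumptions: SharePoint snap-in installed; issuer/root authority names match the
# setup script; $LdapHost, $ExpectedOU, $ProfileDbConn and the dbo schema are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$IssuerName    = "ADFS Provider"        # from the setup script on this page
$RootAuthName  = "Token Signing Cert"   # from the setup script on this page
$LdapHost      = "DC01"                 # placeholder: domain controller used by the sync connection
$ExpectedOU    = "OU=TenantA,DC=example,DC=com"   # placeholder: OU set when provisioning the tenant
$ProfileDbConn = "Server=SQL01;Database=ProfileDB;Integrated Security=SSPI"  # placeholder

$problems = @()

# 1. Trusted identity token issuer and its claim mappings.
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction SilentlyContinue
if (-not $ap) {
    $problems += "Trusted identity token issuer '$IssuerName' does not exist."
} else {
    Write-Host "Issuer '$IssuerName' signs in at $($ap.ProviderUri), realm $($ap.DefaultProviderRealm)"
    Write-Host "Identifier claim: $($ap.IdentityClaimTypeInformation.InputClaimType)"
    foreach ($m in $ap.ClaimTypeInformation) {
        Write-Host "  $($m.InputClaimType) -> $($m.MappedClaimType)"
    }

    # 2. Token-signing certificate: an expired cert, or a stale copy left behind after
    #    ADFS rolls its token-signing key, both break sign-in while everything else looks fine.
    $signing = $ap.SigningCertificate
    if ($signing.NotAfter -lt (Get-Date)) {
        $problems += "Token-signing certificate expired on $($signing.NotAfter)."
    }
    $root = Get-SPTrustedRootAuthority -Identity $RootAuthName -ErrorAction SilentlyContinue
    if (-not $root) {
        $problems += "Trusted root authority '$RootAuthName' does not exist."
    } elseif ($root.Certificate.Thumbprint -ne $signing.Thumbprint) {
        $problems += "Issuer signing cert $($signing.Thumbprint) differs from root authority cert $($root.Certificate.Thumbprint); re-import the current ADFS token-signing certificate."
    }
}

# 3. Port 389 reachable from this server (plain TCP connect, no bind attempted).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($LdapHost, 389)
    Write-Host "Port 389 on $LdapHost is reachable."
} catch {
    $problems += "Cannot reach $LdapHost on port 389: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# 4. Read-only look at the profile database. Table and column names are the ones the
#    post names (Tenant, SynchronizationOU); the dbo schema prefix is an assumption.
$conn = New-Object System.Data.SqlClient.SqlConnection $ProfileDbConn
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SynchronizationOU FROM dbo.Tenant"
    $reader = $cmd.ExecuteReader()
    $found = $false
    while ($reader.Read()) {
        $ou = [string]$reader["SynchronizationOU"]
        Write-Host "Tenant SynchronizationOU: $ou"
        if ($ou -eq $ExpectedOU) { $found = $true }
    }
    $reader.Close()
    if (-not $found) { $problems += "No tenant row has SynchronizationOU '$ExpectedOU'." }
} catch {
    $problems += "Could not query the profile database: $($_.Exception.Message)"
} finally {
    $conn.Close()
}

if ($problems.Count -eq 0) {
    Write-Host "All checks passed."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it in the SharePoint Management Shell as an account that can read the configuration and profile databases; each failed check is reported as a warning rather than stopping the run, so one pass covers the whole list.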

3 comments:

  1. I have a SharePoint app which makes use of an ADFS2 server for authentication and am trying to sync to either the ADFS2 server or AD in order to populate the user profiles for the users who have previously logged into SharePoint via a sync.

    I think I have everything working - on the sync connection screen I have selected AD as the type, "Trusted Claims Provider Auth" as the Auth Provider type and the name of my SAML proxy as the Auth Provider instance. After entering my username and password I am able to populate and select the appropriate container from AD and on performing the initial sync it imports the user profiles.

    However, when I log into my app and find one of the ADFS users, they have not had any of their properties populated - it is as if SharePoint has not been able to link the ADFS user with the imported AD user. Is there a step I am missing?

    Cheers,

    Dave.

  2. Hi, does port 389 need to be open on the ADFS server/proxy? As far as I know, ADFS is not listening on port 389. It is only listening on 443.

  3. How did you handle ensuring that the users did not see users from other tenants in the people picker?
