Here is a list of things you need in SP:
- Token-signing certificate of the ADFS server.
- IIS web server certificate of the server hosting ADFS.
- At least a self-signed SSL certificate of the IIS server that is hosting SP.
- You need to define your claims in ADFS and then map them in SP as well.
- Finally, you have to write a PowerShell script something like this in order to set up the new trusted identity token issuer.
# Load the SharePoint cmdlets if the script is not run from the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Write-Host "Adding ADFS Cert"
# Token-signing certificate exported from the ADFS server (first item in the list above)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS\adfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
# Claim mappings: each incoming ADFS claim type is kept as-is on the SharePoint side
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "windowsaccountname" -SameAsIncoming
$map6 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "GroupsId" -SameAsIncoming
# Realm (relying party identifier) that ADFS knows this SharePoint farm by
$realm = "urn:seo:sharepointMT"
Write-Host "Setting up STS in SharePoint"
# The e-mail address claim is used as the identity claim; the token-signing cert loaded above validates incoming tokens
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS Provider" -Description "SharePoint secured by SAML" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5,$map6 -SignInUrl "https://ADFSServer/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# This is the ADFS web server (IIS SSL) cert (second item in the list above)
$certPath = "C:\ADFS\MachineCert.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$certPath")
New-SPTrustedRootAuthority -Name "ADFS web server" -Certificate $cert
# This is the SSL cert of the server running IIS/SP (third item in the list above)
$mycert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS\VM55.cer")
New-SPTrustedRootAuthority -Name "IISSSL" -Certificate $mycert
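Once the script above has run, the setup is worth checking from the SharePoint side before testing a login, because the two things that most often break SAML sign-in afterwards are a token-signing certificate that no longer matches what ADFS uses (ADFS rolls its certificates) and a claim that ADFS issues but SharePoint never mapped. The following verification script is an added example, not part of the original post; it assumes the SharePoint Management Shell snap-in, the issuer name "ADFS Provider" and the export path C:\ADFS\adfs.cer used above.

```powershell
# Added verification script (not from the original post). Assumes the issuer
# name and exported certificate path from the setup script above.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$issuerName = "ADFS Provider"   # name given to New-SPTrustedIdentityTokenIssuer above
$adfsCer    = "C:\ADFS\adfs.cer" # token-signing cert exported from ADFS (assumed path)
$provider   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

Write-Host ("Issuer:         {0}" -f $provider.Name)
Write-Host ("Sign-in URL:    {0}" -f $provider.ProviderUri)
Write-Host ("Default realm:  {0}" -f $provider.DefaultProviderRealm)
Write-Host ("Identity claim: {0}" -f $provider.IdentityClaimTypeInformation.InputClaimType)

# 1. Signing certificate: SharePoint validates every SAML token with this cert,
#    so it must be the token-signing cert ADFS currently uses. After an ADFS
#    certificate rollover the thumbprints differ and all logins fail.
$signing = $provider.SigningCertificate
Write-Host ("Signing cert:   {0} (thumbprint {1}, expires {2})" -f $signing.Subject, $signing.Thumbprint, $signing.NotAfter)
if ($signing.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires within 30 days; plan the rollover."
}
if (Test-Path $adfsCer) {
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfsCer)
    if ($exported.Thumbprint -ne $signing.Thumbprint) {
        Write-Warning "Exported ADFS cert at $adfsCer does not match the cert registered in SharePoint."
    }
}

# 2. Trusted root authorities: all three certificates from the checklist should be listed.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{n="Subject";e={$_.Certificate.Subject}}, @{n="NotAfter";e={$_.Certificate.NotAfter}} |
    Format-Table -AutoSize

# 3. Claim mappings: every claim ADFS issues that SharePoint relies on must appear here.
$provider.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType |
    Format-Table -AutoSize

# 4. Which web applications / zones actually have the issuer enabled. A per-tenant
#    login page can draw its provider drop-down from exactly this information.
foreach ($webApp in Get-SPWebApplication) {
    foreach ($zone in $webApp.IisSettings.Keys) {
        $names = @($webApp.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName })
        Write-Host ("{0} [{1}]: {2}" -f $webApp.Url, $zone, ($names -join ", "))
    }
}
```

Run it in the SharePoint Management Shell on a farm server; the warnings are the points to act on, and the last section doubles as a quick way to confirm that a tenant's web application really is tied to the STS you expect.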
User Profile Service using ADFS
In order to get this to work, there are a few things that have to be done before synchronizing users.
Here is a list:
- Port 389 (LDAP) has to be open on the network where the ADFS server is running.
- An AD user with delegated replication (Replicate Directory Changes) permission should be created and provided to SP.
- Then, go to the User Profile Service, add a new connection and choose ADFS as the login method. When you choose ADFS, your STS provider will be listed in a drop-down; choose that. Then enter the user name and password of the AD user created above and save.
- Finally, start an incremental/full import.
I did not find a lot of information on this where ADFS will work in multi-tenancy. In Office 365, it works, but that is on cloud. I started on this after finishing the above 2 big technical blocks. I was able to SUCCESSFULLY set up ADFS in a multi-tenant environment.
You may have a scenario where there are 2 tenants that are connected to different ADFS servers and you only want to display the STS each tenant is mapped to. This can be accomplished by creating a custom login page which has a drop-down with the name of the STS provider the tenant is mapped to. This drop-down can be populated in multiple ways.
UPS using ADFS in multi-tenant
This was the granddaddy of all the above, or in other words the cherry on top of this massive technical sundae. I got this to work as well. It was not bad, but the one catch here is that you have to set the OU when provisioning tenants. There is a document on Harbar.net that details how to set up the OU, but other than that it is fairly similar to a dedicated environment. The other noted difference is that you use the UPS of the CA to set up the connection and so forth. However, you need to go to the tenant's CA to see all the users.
If you are having difficulties in getting this to work, here is a list of things that you may want to check:
- You should be able to log in successfully via ADFS.
- Port 389 is open.
- A user with the appropriate permission has been used. (Note: a Farm Admin or system admin will not help.)
- Check Forefront Identity Manager (FIM) for the successes and failures.
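The last three items on that checklist can be verified from the SharePoint server itself rather than by waiting for an import to fail. The following script is an added example, not part of the original post; it assumes the sync account name, LDAP host and domain DN at the top (replace them with your own) and that the Application event log source for the sync service is named "FIMSynchronizationService".

```powershell
# Added troubleshooting script (not from the original post). The account,
# host and domain DN below are assumptions; replace them for your environment.
$syncAccount = "CONTOSO\spups"        # the AD user created for the sync connection
$ldapHost    = "dc01.contoso.local"   # host the User Profile Service reaches on 389
$domainDn    = "DC=contoso,DC=local"

# 1. Port 389 reachable from this SharePoint server (plain TCP connect, no LDAP bind)
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ldapHost, 389)
    Write-Host ("Port 389 on {0}: open" -f $ldapHost)
} catch {
    Write-Warning ("Port 389 on {0} is not reachable: {1}" -f $ldapHost, $_.Exception.Message)
} finally {
    $client.Close()
}

# 2. Sync account holds "Replicate Directory Changes" on the domain naming context.
#    That right is the extended right DS-Replication-Get-Changes; a Farm Admin or
#    local system admin does not get it implicitly, which is the trap noted above.
$replicateChanges = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$domain = [ADSI]"LDAP://$domainDn"
$rules  = $domain.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$granted = $rules | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    $_.ObjectType -eq $replicateChanges -and
    $_.IdentityReference.Value -eq $syncAccount
}
if ($granted) {
    Write-Host ("{0} has Replicate Directory Changes on {1}" -f $syncAccount, $domainDn)
} else {
    # Only direct grants are inspected; a grant inherited through group membership would not show up here.
    Write-Warning ("{0} has no direct Replicate Directory Changes grant on {1}" -f $syncAccount, $domainDn)
}

# 3. Forefront Identity Manager services that perform the profile import must be running
Get-Service FIMService, FIMSynchronizationService | Format-Table Name, Status -AutoSize

# 4. Recent import outcomes as logged by the sync service (event source name assumed)
Get-EventLog -LogName Application -Source "FIMSynchronizationService" -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, @{n="Message";e={$_.Message.Split("`n")[0]}} |
    Format-Table -AutoSize
```

Run it as a farm administrator on the server hosting the User Profile Synchronization service; a closed port or a missing replication right shows up before you spend time re-running imports, and the event log tail gives the same success/failure picture the FIM client does.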