14.4 Configuring ADFS to Connect to SharePoint

With additional configuration, the connector for ADFS (SAML 2.0 or WS-Federation) lets users single sign-on to SharePoint as well as to ADFS.

14.4.1 Requirements

Verify that you meet the following requirements:

  • One server with the following components installed:

    • Windows Server 2008 with the latest updates.

    • Active Directory with the latest updates.

    • ADFS 2.0 with the latest updates.

    • The SharePoint server connected to the ADFS server. Follow these instructions to connect the servers: How to Configure ADFS v 2.0 in SharePoint Server 2010.

  • Roles enabled within the SharePoint system using PowerShell scripts.

  • A CloudAccess appliance installed and configured.

14.4.2 Modifying the Connector for ADFS Template

Use the NetIQ Access Connector Toolkit to modify the definitions in the connector for ADFS.

  1. Obtain a copy of the ZIP file for the connector for ADFS.

  2. Log in as a CloudAccess administrator to the Access Connector Toolkit at

    https://appliance_dns_name/css/toolkit
    
  3. Click Import, browse to and select the connector’s ZIP file, then click OK.

  4. Click the Display Name link for the connector to open it in the Edit Connector Template window.

  5. Click the Assertions tab, then on the left side of the screen, click the Attributes tab.

  6. Click New, then create a new Role attribute to use for the SharePoint connection.

    1. Define the properties for the Role attribute:

      Name: Specify http://schemas.microsoft.com/ws/2008/06/identity/claims/role.

      Display Name: Specify Role.

      Encoding: Leave this field blank.

      Data Owner: Leave this field blank.

      Default Value: Leave this field blank.

      Required: Select false to make this attribute optional.

      Description: Specify A role assigned to the user account.

      Role Attribute: Select true, then continue to configure the role definitions.

    2. Under Roles, click New, specify the following information, then click Save.

      Name: Specify ADMIN.

      Description: Specify Administrator Role.

    3. Under Roles, click New, specify the following information, then click Save.

      Name: Specify USER.

      Description: Specify User Role.

    4. Add or customize any additional roles that you need for the SharePoint environment, and save each one.

    5. Click Save to save the Role attribute definition.

  7. Click Save to apply the connector template changes.

  8. Click the Export icon next to the Display Name for the connector template.

  9. Save the ZIP file for use on this or another CloudAccess system.

  10. Proceed to Section 14.4.3, Importing the Modified Connector.

14.4.3 Importing the Modified Connector

After you modify the connector for ADFS, you must import the connector into CloudAccess.

  1. Log in as an administrator to the CloudAccess administration console at

    https://appliance_dns_name/appliance/index.html
    
  2. On the Admin page, click the Tools icon on the toolbar, then click Import connector template.

  3. Click Browse, then browse to and select the ZIP file for the modified connector for ADFS.

  4. Click Import.

    The Applications palette displays the modified connector for ADFS.

  5. Proceed to Section 14.4.4, Configuring the Modified Connector.

14.4.4 Configuring the Modified Connector

After you export and import the modified connector, you configure the connector by following the steps in Section 14.3, Configuring the Single Sign-on Connector.

After you configure a connector for ADFS that supports SharePoint roles, you must modify ADFS and SharePoint to accept these roles. Proceed to Section 14.4.5, Modifying Claim Rules in the ADFS System.

14.4.5 Modifying Claim Rules in the ADFS System

You must add ADFS claim rules on the claims provider trust that represents the CloudAccess appliance. The purpose of these rules is to allow the user’s email address and role to pass through ADFS to SharePoint.

To modify the claim rules:

  1. Log in to your ADFS system.

  2. Access the Claims Provider Trusts for the appliance.

  3. Click Edit Claim Rules.

  4. Add two rules in the Add Rule window using the following information:

    • Rule 1

      • Claim rule template: Select Pass Through or Filter an Incoming Claim.

      • Claim rule name: Specify pass nameID.

      • Incoming claim type: Specify Name ID.

      • Incoming name ID format: Specify Email.

      • Pass through all claim values: Select this option.

    • Rule 2

      • Claim rule template: Select Pass Through or Filter an Incoming Claim.

      • Claim rule name: Specify pass Roles.

      • Incoming claim type: Specify Roles.

      • Pass through all claim values: Select this option.

  5. Exit the Rule editor.

  6. Proceed to Section 14.4.6, Configuring ADFS to Send SharePoint the Claim Rules.

14.4.6 Configuring ADFS to Send SharePoint the Claim Rules

The following steps map Email Address to Login on the SharePoint system, and send the user’s role. You have to perform these steps only once.

To send SharePoint the claim rules:

  1. In the ADFS 2.0 console, click Trust Relationships > Relying Party Trusts.

  2. Right-click the name of your SharePoint system, then select Edit Claim Rules.

  3. Create two rules with the following information:

    • Rule 1

      • Claim rule template: Select Transform an Incoming Claim.

      • Claim rule name: Specify NameID to EmailAddress.

      • Incoming claim type: Specify Name ID.

      • Incoming name ID format: Specify Email.

      • Outgoing claim type: Specify E-mail Address.

      • Pass through all claim values: Select this option.

    • Rule 2

      • Claim rule template: Select Pass Through or Filter an Incoming Claim.

      • Claim rule name: Specify pass Roles.

      • Incoming claim type: Specify Roles.

      • Pass through all claim values: Select this option.

  4. Exit the Rule editor.

  5. Proceed to Section 14.4.7, Configuring People Picker to Specify the Roles.
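The claim rules from Section 14.4.5 (claims provider trust for the appliance) and Section 14.4.6 (relying party trust for SharePoint) can also be written in the ADFS claim rule language and applied with the ADFS 2.0 PowerShell snap-in. The following script is an added example and is not part of the NetIQ documentation; the two trust names are placeholders that you replace with the display names shown in your ADFS console, and the claim type URIs are the standard ADFS 2.0 identifiers. The optional filtered variant at the end is an assumption that ADMIN and USER are the only roles you defined in Section 14.4.2.

```powershell
# Added example, not from the NetIQ documentation: Sections 14.4.5 and 14.4.6
# expressed in the ADFS claim rule language and applied with PowerShell.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$cpTrustName = 'CloudAccess appliance'   # placeholder: claims provider trust display name
$rpTrustName = 'SharePoint 2010'         # placeholder: relying party trust display name

# Standard claim type URIs used by ADFS 2.0 (fixed identifiers, not placeholders).
$nameIdType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$nameIdFormat = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier/format'
$emailFormat  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
$emailType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$roleType     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Section 14.4.5: acceptance rules on the claims provider trust for the appliance.
# Rule 1 passes the Name ID through only when its format is Email.
# Rule 2 passes every incoming role claim through unchanged.
$cpRules = @"
@RuleName = "pass nameID"
c:[Type == "$nameIdType", Properties["$nameIdFormat"] == "$emailFormat"]
 => issue(claim = c);

@RuleName = "pass Roles"
c:[Type == "$roleType"]
 => issue(claim = c);
"@

# Section 14.4.6: issuance rules on the SharePoint relying party trust.
# Rule 1 transforms the e-mail-format Name ID into an E-mail Address claim,
# which SharePoint uses as the login identifier.
# Rule 2 passes the role claims on to SharePoint.
$rpRules = @"
@RuleName = "NameID to EmailAddress"
c:[Type == "$nameIdType", Properties["$nameIdFormat"] == "$emailFormat"]
 => issue(Type = "$emailType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);

@RuleName = "pass Roles"
c:[Type == "$roleType"]
 => issue(claim = c);
"@

Set-ADFSClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $cpRules
Set-ADFSRelyingPartyTrust   -TargetName $rpTrustName -IssuanceTransformRules  $rpRules

# Verify the stored rule sets.
(Get-ADFSClaimsProviderTrust -Name $cpTrustName).AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust   -Name $rpTrustName).IssuanceTransformRules

# Optional tighter variant of "pass Roles" (assumption: ADMIN and USER are the only
# roles defined on the connector). A pass-through rule forwards any role value the
# appliance asserts; this filter forwards only the values you expect and drops the rest:
#   c:[Type == "$roleType", Value =~ "^(ADMIN|USER)$"] => issue(claim = c);
```

The rule text is exactly what the Edit Claim Rules wizard generates for the Pass Through or Filter an Incoming Claim and Transform an Incoming Claim templates, so you can compare it against the View Rule Language output in the console. Because Set-ADFSClaimsProviderTrust and Set-ADFSRelyingPartyTrust replace the whole rule set, append to any existing rules rather than overwriting them if the trusts already carry rules you need.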

14.4.7 Configuring People Picker to Specify the Roles

The default SharePoint People Picker configuration requires a repository of users and groups for the people picker to search. However, in a claims-based access model, the only information SharePoint has is the claims data associated with the current user’s SAML or WS-Federation assertion.

After you complete the ADFS configuration, you must configure the SharePoint 2010 People Picker to use the roles ADMIN and USER for claims received from ADFS. Before you begin, ensure that roles are enabled within the SharePoint system.

To configure the People Picker:

  1. In the SharePoint 2010 interface where you grant access to users, open the People Picker.

  2. Under ADFS, select Role.

  3. In the Find field, specify either ADMIN or USER.

    This field must contain the name of a role that you configured the connector to use in Section 14.4.2, Modifying the Connector for ADFS Template.

  4. Select the role that SharePoint returns, then assign the role to the group within SharePoint.
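The "roles enabled within the SharePoint system" prerequisite means that SharePoint's trusted identity token issuer for ADFS must map the Role claim type; otherwise Role does not appear under ADFS in the People Picker. The following script is an added example and is not part of the NetIQ documentation or the linked Microsoft article; the certificate path, realm, sign-in URL and issuer name are placeholders, and the claim type URIs are the E-mail Address and Role identifiers used in Sections 14.4.2 and 14.4.6.

```powershell
# Added example, not from the NetIQ documentation: register ADFS as a trusted
# identity provider in SharePoint 2010 with E-mail Address as the identifier
# claim and Role as a searchable claim for People Picker.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath     = 'C:\certs\adfs-token-signing.cer'  # placeholder: exported ADFS token-signing certificate
$realm        = 'urn:sharepoint:intranet'           # placeholder: must equal the relying party identifier in ADFS
$signInUrl    = 'https://adfs.example.com/adfs/ls'  # placeholder: ADFS passive sign-in endpoint
$providerName = 'ADFS'                              # this is the name People Picker shows

# SharePoint validates token signatures against this certificate, so only tokens
# signed by this ADFS instance are accepted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null

# Claim type mappings. The role URI matches the Role attribute created in Section 14.4.2.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name $providerName `
    -Description 'ADFS 2.0 reached through CloudAccess' -Realm $realm `
    -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Check: both claim types must be listed for Role to be selectable in People Picker.
(Get-SPTrustedIdentityTokenIssuer $providerName).ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType
```

After the issuer is bound to the web application's authentication provider, the People Picker lists Role under ADFS and resolves whatever value you type in Find (ADMIN or USER) to a claim without consulting any directory, which is the claims-mode behaviour described above. A role value granted here therefore only takes effect when ADFS actually forwards that exact role claim for the user, which is why the value must match the role names defined on the connector in Section 14.4.2.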