With additional configuration, the WS-Federation connector for ADFS allows users to single sign-on through CloudAccess to SharePoint as well as ADFS.
This section describes how you can leverage the claims-based single sign-on capabilities of ADFS and SharePoint to set up a hub model of federation through ADFS. In this hub, CloudAccess has a trusted relationship with ADFS as the identity provider, and ADFS has a trusted relationship with SharePoint as a claims-based federation provider. SharePoint accepts the claims-based assertions and allows users to access federated SharePoint web applications. Using roles for claims-based single sign-on makes it easier for SharePoint site administrators to map role and organization claims to SharePoint groups.
To set up the relationships, you define the roles in the connector for ADFS that ADFS and SharePoint will use for the claims-based single sign-on. The connector adds the role information to the identity information in assertions that it sends to ADFS.
In ADFS, you configure claims rules that look for the email address and role of users, and then transform them for use by SharePoint. ADFS applies rules to the assertions from CloudAccess to transform them into role claims that the SharePoint web applications understand, and sends the role claims to SharePoint.
In SharePoint, you configure its People Picker to look for the roles in the assertions from ADFS. SharePoint validates the assertion information, stores the information in its token cache, and issues a session cookie for the user. By default, SharePoint sets the session lifetime to be the same as the token lifetime. In ADFS, you can specify the web single sign-on lifetime that determines the lifetime of the session cookie. The cookie expires when the user closes the browser window only if SharePoint is configured to use a session cookie; by default, SharePoint writes a persistent cookie that remains valid until the lifetime set by ADFS elapses.
To set up this claims-based single sign-on federation hub:
The CloudAccess administrator must modify the definition for the connector for ADFS to add two new roles to use for claims-based single sign-on, and then import and configure the modified connector.
The ADFS administrator must configure a connection between SharePoint and ADFS, and define the rules for passing identity and role information from CloudAccess to SharePoint.
The SharePoint administrator must modify the SharePoint People Picker to look for the roles in incoming assertions.
The SharePoint administrator can add the role claims to SharePoint groups, so that users receive a group's permissions based on their roles rather than through per-user entries.
Use the following information to set up a federation relationship between SharePoint and CloudAccess that uses ADFS as a federation provider for SharePoint.
Verify that you meet the following requirements:
A CloudAccess appliance, installed and configured.
A Windows environment with the following components installed:
Windows Server 2008 (or later) with the latest updates.
Active Directory with the latest updates.
ADFS 2.0 with the latest updates.
SharePoint 2010 (or later) server with the latest updates, installed in the same domain as the ADFS server.
The SharePoint server must be connected to the ADFS server: SharePoint is registered in ADFS as a relying party, and ADFS is registered in SharePoint as a trusted identity provider.
For information about connecting the servers, see the following references in the Microsoft TechNet Library:
The Role claim type enabled in the SharePoint trusted identity token issuer for ADFS, which you configure using PowerShell scripts.
You must modify the definitions in a WS-Federation connector for ADFS template file to add roles that will be used when ADFS sends role claims to SharePoint. These instructions create two roles: an administrator role called ADMIN and a user role called USER.
Use the NetIQ Access Connector Toolkit to modify the definitions in the connector for ADFS.
Obtain a copy of the ZIP file for the WS-Federation connector for ADFS.
Log in as a CloudAccess administrator to the Access Connector Toolkit at:
https://appliance_dns_name/css/toolkit
Click Import, browse to and select the connector’s ZIP file, then click OK.
Click the Display Name link for the connector to open it in the Edit Connector Template window.
Click the Assertions tab, then on the left side of the screen, click the Attributes tab.
Click Pre-defined, then select Role.
Under Roles, click New, specify the following information, then click Save.
Name: Specify ADMIN.
Description: Specify Administrator Role.
Under Roles, click New, specify the following information, then click Save.
Name: Specify USER.
Description: Specify User Role.
Add or customize any additional roles that you need for the SharePoint environment, and save each one.
Click Save to save the Role attribute definition.
Click Save to apply the connector template changes.
Click the Export icon next to the Display Name for the connector template.
Save the ZIP file for use on this or another CloudAccess system.
Proceed to Importing the Modified Connector.
After you modify the WS-Federation connector for ADFS, you must import the connector into CloudAccess.
Log in as an administrator to the CloudAccess administration console at
https://appliance_dns_name/appliance/index.html
On the Admin page, click the Tools icon on the toolbar, then click Import connector template.
Click Browse, then browse to and select the ZIP file for the modified WS-Federation connector for ADFS.
Click Import.
The Applications palette displays the modified WS-Federation connector for ADFS.
Proceed to Configuring the Modified Connector.
After you export and import the modified connector, you configure the connector by following the steps in Section 14.2, Configuring the Connector.
After you configure a WS-Federation connector for ADFS that supports SharePoint roles, you must modify ADFS and SharePoint to accept these roles. Proceed to Section 14.4.3, Modifying Claims Rules in the ADFS System.
Before you begin, ensure that you have configured a connection between ADFS and SharePoint. In ADFS, you must define the claim rules for incoming assertions from CloudAccess and for outgoing assertions sent to SharePoint.
You must add acceptance rules to the claims provider trust for CloudAccess in ADFS. The purpose of these rules is to allow the user's email address and role to pass through ADFS to SharePoint; claims that no rule accepts are dropped.
Log in to your ADFS system.
In the ADFS 2.0 console, click Trust Relationships > Claims Provider Trusts, then right-click the claims provider trust for CloudAccess.
Click Edit Claim Rules.
Add two rules using the following information:
Rule 1
Claim rule template: Select Pass Through or Filter an Incoming Claim.
Claim rule name: Specify pass nameID.
Incoming claim type: Specify Name ID.
Incoming name ID format: Specify Email.
Pass through all claim values: Select this option.
Rule 2
Claim rule template: Select Pass Through or Filter an Incoming Claim.
Claim rule name: Specify pass Roles.
Incoming claim type: Specify Role.
Pass through all claim values: Select this option.
Exit the Rule editor.
Proceed to Adding Claims Rules for Transforming Assertions for SharePoint.
You must configure ADFS to transform the user's email address Name ID into an E-mail Address claim, which SharePoint uses as its identifier (login) claim, and to send the user's role claims.
In the ADFS 2.0 console, click Trust Relationships > Relying Party Trusts.
Right-click the relying party trust for your SharePoint system, then select Edit Claim Rules.
Add two rules with the following information:
Rule 1
Claim rule template: Select Transform an Incoming Claim.
Claim rule name: Specify NameID to EmailAddress.
Incoming claim type: Specify Name ID.
Incoming name ID format: Specify Email.
Outgoing claim type: Specify E-mail Address.
Pass through all claim values: Select this option.
Rule 2
Claim rule template: Select Pass Through or Filter an Incoming Claim.
Claim rule name: Specify pass Roles.
Incoming claim type: Specify Role.
Pass through all claim values: Select this option.
Exit the Rule editor.
Proceed to Section 14.4.4, Configuring the SharePoint People Picker to Use the Roles.
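The four rules above, expressed in ADFS claim rule language and applied with the ADFS 2.0 PowerShell snap-in instead of the console. This is an added example, not part of the CloudAccess documentation or product; the trust names, and the tightened "pass Roles" acceptance rule that only admits the ADMIN and USER values defined in the connector (the console steps pass through all values), are assumptions. The claim type URIs are the ADFS defaults.

```powershell
# Added example (not from the CloudAccess documentation): the claim rules of this section
# in ADFS claim rule language, applied with the ADFS 2.0 PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Assumed display names of the trusts as they appear in the ADFS 2.0 console.
$cloudAccessTrust = "CloudAccess"          # claims provider trust (CloudAccess is the identity provider)
$sharePointTrust  = "SharePoint Intranet"  # relying party trust for the SharePoint web application

$nameIdType   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$nameIdFormat = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier/format"
$emailFormat  = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
$emailType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType     = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Acceptance rules on the claims provider trust: what ADFS accepts from CloudAccess.
# "pass Roles" is written as a filter on the two role values the connector defines
# (ADMIN, USER) rather than "pass through all claim values", so that an unexpected role
# value asserted by the identity provider never reaches SharePoint. Assumed tightening.
$acceptanceRules = @"
@RuleName = "pass nameID"
c:[Type == "$nameIdType", Properties["$nameIdFormat"] == "$emailFormat"]
 => issue(claim = c);

@RuleName = "pass Roles"
c:[Type == "$roleType", Value =~ "^(ADMIN|USER)`$"]
 => issue(claim = c);
"@

# Issuance rules on the relying party trust: what ADFS sends to SharePoint.
# The first rule is what the "Transform an Incoming Claim" template generates.
$issuanceRules = @"
@RuleName = "NameID to EmailAddress"
c:[Type == "$nameIdType", Properties["$nameIdFormat"] == "$emailFormat"]
 => issue(Type = "$emailType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "pass Roles"
c:[Type == "$roleType"]
 => issue(claim = c);
"@

Set-ADFSClaimsProviderTrust -TargetName $cloudAccessTrust -AcceptanceTransformRules $acceptanceRules
Set-ADFSRelyingPartyTrust   -TargetName $sharePointTrust  -IssuanceTransformRules   $issuanceRules

# Verify what ADFS stored for each trust.
(Get-ADFSClaimsProviderTrust -Name $cloudAccessTrust).AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust   -Name $sharePointTrust).IssuanceTransformRules
```

Setting -AcceptanceTransformRules or -IssuanceTransformRules replaces the whole rule set for that trust, so include every rule the trust needs in the here-string; run the Get-ADFS* lines first if you need to preserve existing rules.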
The default SharePoint People Picker configuration requires a repository of users and groups for the people picker to search. However, in a claims-based access model, the only information SharePoint has is the claims data associated with the current user’s WS-Federation assertion.
Before you begin, ensure that the Role claim type is mapped in the SharePoint trusted identity token issuer for ADFS, which you configure using PowerShell scripts.
After you complete the ADFS configuration, you must configure the SharePoint option of People Picker to use the roles ADMIN and USER for claims received from ADFS.
On the SharePoint page where you grant permissions (for example, Site Permissions > Grant Permissions), open the People Picker.
Under the entry for the ADFS trusted identity provider, select Role.
In the Find field, specify either ADMIN or USER.
This field must contain the name of the role you configure the connector to use in Section 14.4.2, Adding Roles to the WS-Federation Connector for ADFS.
Select the role that SharePoint returns, then add it to the SharePoint group. Every user whose assertion carries that role then receives the group's permissions.
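The SharePoint side of the hub as a SharePoint 2010 Management Shell script: the PowerShell role enablement the prerequisites refer to, the trusted root authority for the ADFS token-signing certificate (the missing piece behind the certificate chain error in the troubleshooting section), the group assignment the People Picker steps perform in the UI, and the session lifetime settings discussed at the top of this section. This is an added example, not code from the CloudAccess documentation or product; the URLs, certificate path, realm, issuer name, group names, the Add-RoleToGroup helper and the assumed ADFS token lifetime are assumptions, and the claim type URIs are the ADFS defaults.

```powershell
# Added example (not from the CloudAccess documentation): SharePoint 2010 side of the
# ADFS federation hub. Names, URLs and paths below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsSigningCertPath = "C:\certs\adfs-token-signing.cer"   # assumed; public key exported from ADFS
$adfsSignInUrl       = "https://adfs.example.com/adfs/ls/"  # assumed
$realm               = "urn:sharepoint:intranet"            # assumed; must match the relying party identifier in ADFS
$siteUrl             = "https://sharepoint.example.com"     # assumed
$issuerName          = "ADFS"                               # shown as the provider name in the People Picker

$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# 1. Trust the ADFS token-signing certificate (and the rest of its chain, if CA-issued,
#    one New-SPTrustedRootAuthority per certificate). Without this SharePoint rejects tokens
#    with "The root of the certificate chain is not a trusted root authority".
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfsSigningCertPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# 2. Map the incoming claims. E-mail Address is the identifier (login) claim; Role is what
#    the People Picker searches on and what groups are assigned to.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register ADFS as a trusted identity provider for SharePoint.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "ADFS federation hub" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap,$roleMap `
    -SignInUrl $adfsSignInUrl -IdentifierClaim $emailMap.InputClaimType

# 4. Add a role claim to a SharePoint group (what the People Picker step does in the UI).
#    Every user whose token carries that Role value receives the group's permissions.
#    Assumed helper; not a SharePoint cmdlet.
function Add-RoleToGroup {
    param([string]$WebUrl, [string]$Role, [string]$GroupName)
    $web = Get-SPWeb $WebUrl
    try {
        $principal = New-SPClaimsPrincipal -ClaimValue $Role -ClaimType $roleType -TrustedIdentityTokenIssuer $issuer
        $user = New-SPUser -UserAlias $principal.ToEncodedString() -Web $web
        Set-SPUser -Identity $user -Web $web -Group $GroupName
    } finally {
        $web.Dispose()
    }
}
Add-RoleToGroup -WebUrl $siteUrl -Role "ADMIN" -GroupName "Owners"   # assumed group names
Add-RoleToGroup -WebUrl $siteUrl -Role "USER"  -GroupName "Members"

# 5. Session lifetime. SharePoint will not cache a token whose remaining lifetime is shorter
#    than LogonTokenCacheExpirationWindow, so that window must stay below the ADFS token
#    lifetime for this relying party, or users loop between ADFS and SharePoint.
$sts = Get-SPSecurityTokenServiceConfig
$adfsTokenLifetimeMinutes = 60   # assumed; read the relying party's TokenLifetime on the ADFS server (0 = default 60)
if ($sts.LogonTokenCacheExpirationWindow.TotalMinutes -ge $adfsTokenLifetimeMinutes) {
    Write-Warning "LogonTokenCacheExpirationWindow must be shorter than the ADFS token lifetime"
}
$sts.UseSessionCookie = $true    # expire the FedAuth cookie when the browser closes (default: persistent cookie)
$sts.Update()
```

After the script runs, the People Picker lists the provider under the name given in $issuerName, and typing ADMIN or USER under Role returns the claim exactly as the UI steps above describe. Keep the role filter on the ADFS side in mind: SharePoint does not verify that a role value is one it knows about, it simply matches claim values, so any role name ADFS forwards can be granted permissions.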
Use the following information if you encounter problems.
Issue: Error: The root of the certificate chain is not a trusted root authority.
Solution: You need to change the SharePoint server certificates. For detailed instructions, see Root Certificate Chain not Trusted.