6.4 Connecting to SharePoint

With additional configuration, the SAML 2.0 connector for ADFS allows users to use single sign-on through SocialAccess to reach SharePoint as well as ADFS.

This section describes how you can leverage the claims-based single sign-on capabilities of ADFS and SharePoint to set up a hub model of federation through ADFS. In this hub, SocialAccess has a trusted relationship with ADFS as the identity provider, and ADFS has a trusted relationship with SharePoint as a claims-based federation provider. SharePoint accepts the claims-based assertions, and allows users to access federated SharePoint web applications. Using roles for claims-based single sign-on makes it easier for SharePoint site administrators to map role and organization claims to SharePoint groups.

To set up the relationships, you define the roles in the connector for ADFS that ADFS and SharePoint will use for the claims-based single sign-on. The connector adds the role information to the identity information in assertions that it sends to ADFS.

In ADFS, you configure claim rules that look for the email address and role of users, and then transform them for use by SharePoint. ADFS applies the rules to the assertions from SocialAccess to transform them into role claims that the SharePoint web applications understand, and sends the role claims to SharePoint.

In SharePoint, you configure its People Picker to look for the roles in the assertions from ADFS. SharePoint validates the assertion information, stores the information in its token cache, and issues a session cookie for the user. By default, SharePoint sets the session lifetime to be the same as the SAML token lifetime, which is set on the SharePoint relying party trust in ADFS. The separate ADFS web single sign-on lifetime determines how long ADFS itself remembers the user's sign-in before prompting again. Whether the SharePoint cookie also survives closing the browser depends on whether SharePoint is configured to issue session cookies or persistent cookies.

To set up this claims-based single sign-on federation hub:

  • The SocialAccess administrator must modify the definition for the connector for ADFS to add two new roles to use for claims-based single sign-on, and then import and configure the modified connector.

  • The ADFS administrator must configure a relying party trust for SharePoint in ADFS, and define the claim rules for passing identity and role information from SocialAccess to SharePoint.

  • The SharePoint administrator must modify the SharePoint People Picker to look for the roles in incoming assertions.

  • The SharePoint administrator can add users to a SharePoint group based on the users' roles.

6.4.1 Requirements

Verify that you meet the following requirements:

  • A SocialAccess appliance, installed and configured.

  • One server with the following components installed:

    • Windows Server 2008 (or later) with the latest updates.

    • Active Directory with the latest updates.

    • ADFS 2.0 with the latest updates.

  • A SharePoint 2010 (or later) server with the latest updates, installed in the same domain as the ADFS server.

6.4.2 Adding Roles to the SAML 2.0 Connector for ADFS

You must modify the definitions in a SAML 2.0 connector for ADFS template file to add roles that will be used when ADFS sends role claims to SharePoint. These instructions create two roles: an administrator role called ADMIN and a user role called USER.

Modifying the SAML 2.0 Connector for ADFS Template

Use the NetIQ Access Connector Toolkit to modify the definitions in the connector for ADFS.

  1. Obtain a copy of the ZIP file for the SAML 2.0 connector for ADFS.

  2. Log in as a SocialAccess administrator to the Access Connector Toolkit at

    https://appliance_dns_name/css/toolkit
    
  3. Click Import, browse to and select the connector’s ZIP file, then click OK.

  4. Click the Display Name link for the connector to open it in the Edit Connector Template window.

  5. Click the Assertions tab, then on the left side of the screen, click the Attributes tab.

  6. Click New, then create a new Role attribute to use for the SharePoint connection.

    1. Define the properties for the Role attribute:

      Name: Specify http://schemas.microsoft.com/ws/2008/06/identity/claims/role.

      Display Name: Specify Role.

      Encoding: Leave this field blank.

      Data Owner: Leave this field blank.

      Default Value: Leave this field blank.

      Required: Select false to make this attribute optional.

      Description: Specify A role assigned to the user account.

      Role Attribute: Select true, then continue to configure the role definitions.

    2. Under Roles, click New, specify the following information, then click Save.

      Name: Specify ADMIN.

      Description: Specify Administrator Role.

    3. Under Roles, click New, specify the following information, then click Save.

      Name: Specify USER.

      Description: Specify User Role.

    4. Add or customize any additional roles that you need for the SharePoint environment, and save each one.

    5. Click Save to save the Role attribute definition.

  7. Click Save to apply the connector template changes.

  8. Click the Export icon next to the Display Name for the connector template.

  9. Save the ZIP file for use on this or another SocialAccess system.

  10. Proceed to Importing the Modified Connector.

Importing the Modified Connector

After you modify the SAML 2.0 connector for ADFS, you must import the connector into SocialAccess.

  1. Log in as an administrator to the SocialAccess administration console at

    https://appliance_dns_name/appliance/index.html
    
  2. On the Admin page, click the Tools icon on the toolbar, then click Import connector template.

  3. Click Browse, then browse to and select the ZIP file for the modified SAML 2.0 connector for ADFS.

  4. Click Import.

    The Applications palette displays the modified SAML 2.0 connector for ADFS.

  5. Proceed to Configuring the Modified Connector.

Configuring the Modified Connector

After you export and import the modified connector, you configure the connector by following the steps in Section 6.2, Configuring the Connector.

After you configure a SAML 2.0 connector for ADFS that supports SharePoint roles, you must modify ADFS and SharePoint to accept these roles. Proceed to Modifying Claims Rules in the ADFS System.

6.4.3 Modifying Claims Rules in the ADFS System

Before you begin, ensure that you have configured the trust between ADFS and SharePoint: a relying party trust for SharePoint in ADFS, and a matching trusted identity token issuer for ADFS in SharePoint. In ADFS, you must define the claim rules for incoming assertions from SocialAccess and for outgoing assertions sent to SharePoint.

Adding Claims Rules for SharePoint Roles in Incoming Assertions

You must modify the claim rules on the claims provider trust that ADFS holds for SocialAccess. The purpose of these rules is to allow the user's email address and role to pass through ADFS to SharePoint.

To add claim rules for incoming assertions from SocialAccess:

  1. Log in to your ADFS system.

  2. In the ADFS console, select Trust Relationships > Claims Provider Trusts, then select the claims provider trust for SocialAccess.

  3. Click Edit Claim Rules.

  4. Add two rules using the following information:

    • Rule 1

      • Claim rule template: Select Pass Through or Filter an Incoming Claim.

      • Claim rule name: Specify pass nameID.

      • Incoming claim type: Specify Name ID.

      • Incoming name ID format: Specify Email.

      • Pass through all claim values: Select this option.

    • Rule 2

      • Claim rule template: Select Pass Through or Filter an Incoming Claim.

      • Claim rule name: Specify pass Roles.

      • Incoming claim type: Specify Role (http://schemas.microsoft.com/ws/2008/06/identity/claims/role), the claim type you defined in the connector in Section 6.4.2.

      • Pass through all claim values: Select this option.

  5. Exit the Rule editor.

  6. Proceed to Adding Claims Rules for Transforming Assertions for SharePoint.

Adding Claims Rules for Transforming Assertions for SharePoint

You must configure ADFS to transform the user's Name ID into the E-mail Address claim that SharePoint uses as the login identifier, and to send the user's role.

To add claim rules for assertions sent to SharePoint:

  1. In the ADFS console, select Trust Relationships > Relying Party Trusts.

  2. Right-click the relying party trust for your SharePoint system, then select Edit Claim Rules.

  3. Add two rules with the following information:

    • Rule 1

      • Claim rule template: Select Transform an Incoming Claim.

      • Claim rule name: Specify NameID to EmailAddress.

      • Incoming claim type: Specify Name ID.

      • Incoming name ID format: Specify Email.

      • Outgoing claim type: Specify E-mail Address.

      • Pass through all claim values: Select this option.

    • Rule 2

      • Claim rule template: Select Pass Through or Filter an Incoming Claim.

      • Claim rule name: Specify pass Roles.

      • Incoming claim type: Specify Role (http://schemas.microsoft.com/ws/2008/06/identity/claims/role).

      • Pass through all claim values: Select this option.

  4. Exit the Rule editor.

  5. Proceed to Section 6.4.4, Configuring the SharePoint People Picker to Use the Roles.
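
The following PowerShell is added here as an example; it is not part of the SocialAccess documentation. It applies the rules from both procedures above (the pass-through rules on the claims provider trust for SocialAccess, and the transform and pass-through rules on the SharePoint relying party trust) with the ADFS 2.0 snap-in instead of the GUI rule editor, so the rule text can be kept in version control and reviewed. The two trust display names are assumptions; replace them with the names shown in the ADFS console.

```powershell
# Added example, not from the SocialAccess documentation.
# Requires the ADFS 2.0 PowerShell snap-in on the ADFS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$claimsProviderTrust = 'SocialAccess'         # assumed display name of the claims provider trust
$relyingPartyTrust   = 'SharePoint Intranet'  # assumed display name of the SharePoint relying party trust

$nameIdType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$emailFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
$emailType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$roleType    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Acceptance transform rules on the claims provider trust ("pass nameID" and
# "pass Roles"): accept the e-mail-format Name ID and the Role claim unchanged.
$acceptanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "pass nameID"
c:[Type == "$nameIdType", Properties["$formatProp"] == "$emailFormat"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "pass Roles"
c:[Type == "$roleType"]
 => issue(claim = c);
"@

# Issuance transform rules on the SharePoint relying party trust
# ("NameID to EmailAddress" and "pass Roles"): turn the Name ID into the
# E-mail Address claim SharePoint uses as the login name, and forward Role.
$issuanceRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "NameID to EmailAddress"
c:[Type == "$nameIdType", Properties["$formatProp"] == "$emailFormat"]
 => issue(Type = "$emailType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "PassThroughClaims"
@RuleName = "pass Roles"
c:[Type == "$roleType"]
 => issue(claim = c);
"@

# These cmdlets replace the trust's entire rule set with the text supplied.
Set-ADFSClaimsProviderTrust -TargetName $claimsProviderTrust -AcceptanceTransformRules $acceptanceRules
Set-ADFSRelyingPartyTrust   -TargetName $relyingPartyTrust   -IssuanceTransformRules  $issuanceRules

# Read the rules back to confirm what ADFS will actually enforce.
(Get-ADFSClaimsProviderTrust -Name $claimsProviderTrust).AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust   -Name $relyingPartyTrust).IssuanceTransformRules
```

Because Set-ADFSClaimsProviderTrust and Set-ADFSRelyingPartyTrust overwrite the existing rule set, append to the current AcceptanceTransformRules or IssuanceTransformRules text first if the trust already carries rules you need to keep. Note also that "pass Roles" with "Pass through all claim values" forwards every role value SocialAccess asserts. If only the roles defined in Section 6.4.2 should ever reach SharePoint, use the template's option to pass through only values matching a regular expression, which yields a condition of the form c:[Type == "<role claim type>", Value =~ "^(ADMIN|USER)$"], so that an unexpected role value is dropped at ADFS rather than interpreted by SharePoint.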

6.4.4 Configuring the SharePoint People Picker to Use the Roles

The default SharePoint People Picker configuration requires a repository of users and groups for the people picker to search. However, in a claims-based access model, the only information SharePoint has is the claims data associated with the current user’s SAML assertion.

Before you begin, ensure that the trusted identity token issuer that SharePoint holds for ADFS includes a claim type mapping for the role claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/role) in addition to the email address identifier claim. These mappings are created with the SharePoint PowerShell cmdlets when the token issuer is set up.

After you complete the ADFS configuration, use the SharePoint People Picker to grant permissions to the roles ADMIN and USER received in claims from ADFS.

  1. On the SharePoint page where you grant permissions to a site or group, open the People Picker.

  2. Under the trusted identity provider entry for ADFS, select Role.

  3. In the Find box, specify either ADMIN or USER.

    This field must contain the exact name of the role you configured the connector to use in Section 6.4.2, Adding Roles to the SAML 2.0 Connector for ADFS. SharePoint cannot validate a role claim value against a directory, so a misspelled role is accepted by the People Picker but never matches any user's assertion.

  4. Select the role SharePoint returns, then assign the role to the group within SharePoint.
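
The following SharePoint 2010 Management Shell commands are added here as an example and are not part of the SocialAccess documentation. They show the PowerShell side that this section and the session-lifetime discussion at the start of Section 6.4 assume: trusting the ADFS token-signing certificate chain (the missing piece behind the error in Section 6.4.5), creating the trusted identity token issuer with the email and role claim mappings, keeping SharePoint's token cache window shorter than the ADFS token lifetime, and adding the ADMIN role to a site group as the People Picker step does interactively. Host names, realm, certificate paths, web application URL and group name are assumptions.

```powershell
# Added example, not from the SocialAccess documentation.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsHost     = 'adfs.example.com'                        # assumed ADFS host name
$realm        = 'urn:sharepoint:intranet'                 # assumed identifier; must match the ADFS relying party trust
$webUrl       = 'https://intranet.example.com'            # assumed SharePoint web application
$tokenSigning = 'C:\certs\adfs-token-signing.cer'         # assumed export of the ADFS token-signing certificate
$signingCA    = 'C:\certs\adfs-token-signing-issuer.cer'  # assumed issuer of that certificate (absent if self-signed)

$emailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$roleType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# 1. SharePoint validates token signatures against its own trusted root
#    authority list, not the Windows certificate store. Every certificate in the
#    signing chain must be added here; a missing issuer produces
#    "The root of the certificate chain is not a trusted root authority".
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tokenSigning)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null
if (Test-Path $signingCA) {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCA)
    New-SPTrustedRootAuthority -Name 'ADFS Token Signing Issuer' -Certificate $ca | Out-Null
}

# 2. Map the two claims ADFS issues. The e-mail claim is the identifier claim
#    (the user's login name); the role claim is what the People Picker searches.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'ADFS federation hub for SocialAccess' `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls/" -IdentifierClaim $emailMap.InputClaimType

# 3. SharePoint's session length follows the SAML token lifetime set on the ADFS
#    relying party trust (Set-ADFSRelyingPartyTrust -TokenLifetime, in minutes).
#    The logon token cache window must stay shorter than that lifetime; if it is
#    longer, SharePoint treats each fresh token as already expired and the browser
#    loops between SharePoint and ADFS.
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 1
$sts.Update()

# 4. Grant the ADMIN role to a site group. The claim value is stored verbatim:
#    a typo such as 'ADMN' is accepted by SharePoint but never matches an assertion.
$adminRole = New-SPClaimsPrincipal -ClaimValue 'ADMIN' -ClaimType $roleType -TrustedIdentityTokenIssuer $issuer
New-SPUser -UserAlias $adminRole.ToEncodedString() -Web $webUrl -Group 'Intranet Owners' | Out-Null

# The encoded claim string is what appears in the group's membership list.
$adminRole.ToEncodedString()
```

The web application still has to be switched to claims-based authentication with the ADFS token issuer selected as a trusted identity provider; that step is done in Central Administration or with Set-SPWebApplication and is outside the scope of this section.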

6.4.5 Troubleshooting SharePoint Issues

Use the following information if you encounter problems.

Issue: Error: The root of the certificate chain is not a trusted root authority.

Solution: You need to change the SharePoint server certificates. For detailed instructions, see Root Certificate Chain not Trusted.