Sharepoint server SSO


Academic year: 2021


Configuring on-premise Sharepoint server SSO

You can now provide single sign-on to your on-premise Sharepoint server applications. This section includes the following topics:

• "An overview of configuring Sharepoint server for single sign-on" on page 99-43
• "What you need to know about Sharepoint server" on page 99-44
• "Configuring Sharepoint server in Cloud Manager" on page 99-45
• "Configuring Sharepoint server for SSO" on page 99-50

An overview of configuring Sharepoint server for single sign-on

For Sharepoint server, the overall workflow of configuring provisioning is as follows. Configuring Sharepoint server for single sign-on (an overview):

1 In Cloud Manager, you add and configure the Sharepoint server application.

• You enter your Sharepoint application Resource application URL, including the host name and port, and add /_trust to the end of the URL. For a Sharepoint application that runs on the standard port (80), the URL would look like this: https://mysharepointserver.domain.com/_trust.

• If your Sharepoint application login page has a different URL than the Resource Application URL, you edit the Advanced script to set the correct login page. For example, setWctx('https://mysharepointserver.domain.com/sites/mycompany').

2 You then configure Sharepoint directly, using the Sharepoint Management Shell and the Sharepoint administrator console.

a You use the Sharepoint Management Shell to create the identity token issuer. You use the signing certificate and the sign-in URL from the application settings in Cloud Manager.

b In the Sharepoint administrator console, you upload the root certificate of the signing certificate that you used in the Sharepoint Server application in Cloud Manager.

c In the Sharepoint administrator console, you select Centrify as the Trusted Identity provider for your Sharepoint web application.


Requirements for SSO

• A signed certificate. You can either download one from Cloud Manager or use your organization's trusted certificate. To upload your own certificate to Cloud Manager, you'll need a certificate and its private key in a .pfx or .p12 file.

• Sharepoint 2010 or 2013

• A Sharepoint web application

• Your Sharepoint web application is configured to use claims-based authentication.

Setting up the certificates for SSO

To establish a trusted connection between the web application and the cloud service, you need to have the same signing certificate in both the application and the application settings in Cloud Manager.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Cloud Manager. You also upload the public key certificate in a .cer or .pem file to the web application.

To download an application certificate from Cloud Manager (overview):

1 In the Apps page, add the application.

2 Click the application to open the application details.

3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.

What you need to know about Sharepoint server

Each application is different. Here are the Sharepoint server features and functionality that you need to know when configuring the application for SSO.

Feature: Available versions and clients
Description: any platform that supports Sharepoint 2010 or Sharepoint 2013, such as mobile apps on iOS and Android, desktop clients on Windows or Mac, and web browsers.

Feature: SP-initiated SSO works?
Description: yes

Feature: IdP-initiated SSO works?
Description: yes

Feature: Is there a separate login for administrators after SSO is enabled?
Description: SSO works for the Sharepoint web application. Sharepoint administrators use a different URL to access the administrator console.

Feature: Lockout possibility and how to recover after lockout

Configuring Sharepoint server in Cloud Manager

To add and configure the Sharepoint server application in Cloud Manager:

1 In Cloud Manager, click Apps.

2 Click Add Web Apps. The Add Web Apps screen appears.

3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

4 Next to the application, click Add.

5 In the Add Web App screen, click Yes to confirm. Cloud Manager adds the application.

6 Click Close to exit the Application Catalog.


7 Specify the following service provider settings:

Option: Resource Application URL
Required or optional: Required
Set it to: [your Sharepoint server web application and port]
Description: This is the URL of your Sharepoint web application that accepts the SAML token. This is always https://<your-sharepoint-web-application-fqdn-and-port>/_trust. This is already preset for you in the default Resource Application URL. Replace YOUR.SHAREPOINT.WEB.APPLICATION.FQDN.AND.PORT in the default Resource Application URL with your Sharepoint web application's fully qualified host name and port.

Option: Issuer
Required or optional: Required
Set it to: [the cloud service generates a value automatically for you to use, and you can edit it if you need to do so]
Description: You can specify this to be any value; however, it must be the same value that you specify as the Issuer on the Sharepoint server.

8 These are the identity provider settings:

Option: Identity Provider Sign-in URL
Set it to: [this field is not editable]
Description: The cloud service automatically generates the content of this field. You use this URL when you create the identity token issuer for Sharepoint in Sharepoint Management Shell.

Option: Identity Provider Sign-out URL
Set it to: [this field is not editable]
Description: The cloud service automatically generates the content of this field.

9 On the Application Settings page, expand the Additional Options section and specify the following settings:

Option: Application ID
Description: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:

• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

• There can only be one SAML application deployed with the name used by the mobile application.

The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Option: Show in User app list
Description: Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the user portal.

Option: Security Certificate
Description: These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.

• Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It's not necessary to select this option; it's present to display current status.

• Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.

10 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

11 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

• Select Automatic Install for applications that you want to appear automatically for users.

• If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

12 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:

• Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.

• Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

13 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:

• Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.

• Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

• Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add '.ad' to the end. So, if the user's mail attribute value is [email protected] then the cloud service uses

14 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. For some Sharepoint web applications, particularly those running on Sharepoint 2010, you may need to modify the setWctx() call in the Advanced script and set it to your Sharepoint application home page, if it's not just the FQDN and port. For example, https://mysharepoint.server.com/sites/mycompany instead of just https://mysharepoint.server.com.

On the App Gateway page, you can configure the application so that your users can access it whether they are logging in from an internal or external location. For applications configured for the App Gateway, users do not have to use a VPN connection to access the application remotely.

Note: The App Gateway feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

Note: Some applications can be used with App Gateway; not all applications are set up to use this feature. At this time, Web applications may use HTTPS or HTTP, and either the standard port of 443 or a non-standard port. IP addresses are only supported for on-premise apps and are not supported for external-facing apps.

15 (Optional) To enable App Gateway mode, select Make this application available via the internet.

The Centrify identity platform verifies the application settings and displays the URL that you provided in application settings as the internal URL for the application.

16 Specify the external URL that users open to access the application from external locations. You can use an existing external URL or use one that the cloud service generates automatically for you.

If you use an existing external URL, any links to the application URL do not need to change and will continue to work as is. However, you do need to upload an SSL certificate and modify your DNS settings.

• To use your existing external URL, select the first option and do the following:

a Enter the existing external URL. You can enter an internal or external URL here.

b Click Upload to browse to and upload your SSL certificate with the private key for the URL that you entered. The certificate file has either a .PFX or .P12 filename extension.

• To use the auto-generated external URL, select the second option. Later, you'll need to be sure to notify your users of the updated URL to use.

17

• Any available: Select this option to allow the Centrify Identity Service to randomly select one of the available cloud connectors for your App Gateway configuration. Click Test Connection to make sure the connection between the cloud connector and the application is successful.

• Choose: Select this option to specify one or more cloud connectors to use for your App Gateway configuration. If you select more than one cloud connector, the Centrify Identity Service randomly chooses one of the selected cloud connectors to use for the application. Once the configuration is saved, each future App Gateway request uses a random cloud connector from those selected, as long as the cloud connector is online. Once you select the cloud connectors you want to use, click Test Connection to make sure the connection between the selected cloud connectors and the application is successful. At least one cloud connector must succeed in order to save the configuration.

Note: If any of the cloud connectors are offline, they are not displayed in the list of available cloud connectors.

18 Click Save to save the App Gateway changes.

Note: If you configured the application to use an external URL, next you edit your DNS settings to accommodate the App Gateway connection to this application. You'll enter a CNAME record to map this URL to the application's gateway connection URL. For more information about configuring App Gateway and troubleshooting App Gateway connection issues, see "Configuring an application to use the App Gateway" on page 3-25 and "Troubleshooting" on page 3-28.

Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

19 Click Save.

After configuring the application settings (including the role assignment) and the application’s web site, you’re ready for users to launch the application from the user portal.

Configuring Sharepoint server for SSO

When you configure Sharepoint to use the Centrify identity platform as the identity provider, you perform the following tasks:

Cloud Manager. (Creating the SPTrustedIdentityTokenIssuer in Sharepoint Management Shell, below.)

b In Sharepoint, specify the new identity token issuer as the authentication provider for your web application. ("Specifying the authentication provider in Sharepoint" on page 99-52.)

c In Sharepoint, you create the trust relationship with the identity provider by uploading the root certificate. ("Creating the established trust relationship in Sharepoint" on page 99-52.)

Creating the SPTrustedIdentityTokenIssuer in Sharepoint Management Shell

To summarize, you'll need to run these Sharepoint Management Shell commands, in this order:

a $cert (Creates the certificate)

b $map1 (Creates the claim)

c $map2 (Creates the email section of the claim)

d $realm (Sets the realm)

e $signinurl (Sets the sign-in URL to the identity provider URL, as listed in the application settings in Cloud Manager.)

f $ap (Creates the SPTrustedIdentityTokenIssuer, with certificate, claims, realm, and sign-in URL.)

To create the SPTrustedIdentityTokenIssuer:

1 Open a Sharepoint Management Shell window on the computer that hosts your Sharepoint server deployment.

2 Run the following command to create the certificate in Sharepoint:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\download\signing.cer")

Specify the location of the signing certificate that you have specified in the Sharepoint application settings.

3 Run the following command to create the first claim in Sharepoint:

$map1 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

4 Run the following command to create the second, email address claim in Sharepoint:

$map2 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

5 Run the following command to create the realm in Sharepoint:

The realm that you specify here can be anything, but it must match the Issuer field in the Sharepoint application settings.

6 Run the following command to configure the sign-in URL as the cloud service location:

$signinurl = "https://cloud.centrify.com/run?appkey=...."

Specify your sign-in URL from the Sharepoint application settings in Cloud Manager.

7 Run the following command to create the SPTrustedIdentityTokenIssuer:

$ap = New-SPTrustedIdentityTokenIssuer -Name "Centrify" -Description "Centrify IDP" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 -SignInUrl $signinurl -IdentifierClaim $map2.InputClaimType

Enter the Name and Description as desired.

When the command finishes, Sharepoint lists the identity provider as another trusted token issuer. Next, you specify the identity provider for your Sharepoint application.
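The Management Shell steps above, collected into one script as an added example (not from the Centrify guide), with the checks a practitioner runs before creating the issuer: that the file is the public signing certificate and not expired, that the realm is not left at its placeholder, that the sign-in URL is HTTPS, and that no issuer of that name already exists. The certificate path, realm value, appkey and issuer name are placeholders to replace with the values from your Cloud Manager application settings; it assumes it runs in a Sharepoint Management Shell on the farm.

```powershell
# Added example, not part of the Centrify guide. Runs in Sharepoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Placeholder values: copy these from the Sharepoint application settings in Cloud Manager ---
$certPath   = "C:\download\signing.cer"                            # downloaded signing certificate (public part only)
$realm      = "YOUR-ISSUER-VALUE-FROM-CLOUD-MANAGER"               # must equal the Issuer field exactly
$signinurl  = "https://cloud.centrify.com/run?appkey=YOUR-APPKEY"  # Identity Provider Sign-in URL
$issuerName = "Centrify"

# Step 2: load the signing certificate and confirm it is the right kind of file.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.HasPrivateKey) {
    # Only the .pfx/.p12 belongs in Cloud Manager; Sharepoint needs just the public .cer/.pem.
    throw "Use the public .cer/.pem signing certificate here, not the .pfx/.p12 containing the private key."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($cert.NotAfter); download a current one from Cloud Manager."
}
Write-Host "Trusting signer: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# Steps 3 and 4: claim mappings; the email address claim becomes the identifier claim.
$map1 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
            -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map2 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
            -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

# Step 5: the realm is the Issuer value; any mismatch makes Sharepoint reject every token.
if ($realm -like "YOUR-*") { throw "Set `$realm to the Issuer value shown in Cloud Manager." }

# Step 6: the sign-in URL must be HTTPS so the SAML exchange is not redirected over clear text.
if (-not $signinurl.StartsWith("https://")) { throw "Sign-in URL must use HTTPS." }

# Step 7: create the issuer, refusing to silently duplicate an existing one.
if (Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue) {
    throw "A trusted identity token issuer named '$issuerName' already exists; remove or rename it first."
}
$ap = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "Centrify IDP" `
          -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 `
          -SignInUrl $signinurl -IdentifierClaim $map2.InputClaimType

# Show what Sharepoint recorded, so the realm and sign-in URL can be compared against Cloud Manager.
Get-SPTrustedIdentityTokenIssuer -Identity $issuerName |
    Select-Object Name, DefaultProviderRealm, ProviderUri, IdentifierClaim
```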

Specifying the authentication provider in Sharepoint

After you've created the SPTrustedIdentityTokenIssuer, you can now specify the identity provider by name as the authentication provider for your Sharepoint application.

To set the Centrify identity platform as your identity provider:

1 In the Sharepoint administrator console, go to Application Management > Web Applications > Manage web applications.

2 Click your web application, and then click Authentication Provider.

3 Select the Claims Based Authentication Provider.

4 Select Centrify as the Trusted Identity Provider.

Creating the established trust relationship in Sharepoint

You need to upload the root certificate to establish the trust relationship. If you’re using a certificate from a public, trusted third-party certificate provider, such as Verisign, you do not need to perform this task.

If you’re using the default signing certificate from the Sharepoint Server application settings page in Cloud Manager, you get the root certificate in Cloud Manager at Settings > Certificates > Download.

To create the trust relationship between Sharepoint and your identity provider:

1 In the Sharepoint administrator console, go to Security > Managed Trust.

4 Click Browse and select the root certificate.
