Configuring on-premise Sharepoint server SSO




Chapter 112 Configuring on-premise Sharepoint server SSO

You can now provide single sign-on to your on-premise Sharepoint server applications. This section includes the following topics:

  "An overview of configuring Sharepoint server for single sign-on" on page 112-958
  "What you need to know about Sharepoint server" on page 112-959
  "Configuring Sharepoint server in Admin Portal" on page 112-960
  "Configuring Sharepoint server for SSO" on page 112-964

An overview of configuring Sharepoint server for single sign-on

For Sharepoint server, the overall workflow of configuring single sign-on is as follows.

Configuring Sharepoint server for single sign-on (an overview):

1 In Admin Portal, you add and configure the Sharepoint server application. You enter your Sharepoint application's Resource Application URL, including the host name and port, and add /_trust to the end of the URL. For a Sharepoint web application that is served over HTTPS on the standard port (443), the URL would look like this: https://mysharepointserver.domain.com/_trust. If your Sharepoint application login page has a different URL than the Resource Application URL, you edit the Advanced script to set the correct login page, for example: setwctx('https://mysharepointserver.domain.com/sites/mycompany').

2 You then configure Sharepoint directly, using the Sharepoint Management Shell and the Sharepoint administrator console:
  a You use the Sharepoint Management Shell to create the identity token issuer, using the signing certificate and the sign-in URL from the application settings in Admin Portal.
  b In the Sharepoint administrator console, you upload the root certificate of the signing certificate that you used in the Sharepoint Server application in Admin Portal.
  c In the Sharepoint administrator console, you select Centrify as the trusted identity provider for your Sharepoint web application.

3 You test the configuration to make sure that SSO works as intended.

Sharepoint server requirements for SSO

  A signing certificate. You can either download one from Admin Portal or use your organization's trusted certificate. To upload your own certificate to Admin Portal, you'll need the certificate and its private key in a .pfx or .p12 file.
  Sharepoint 2010 or 2013.
  A Sharepoint web application.
  Your Sharepoint web application is configured to use claims-based authentication.

Setting up the certificates for SSO

To establish a trusted connection between the web application and the cloud service, you need the same signing certificate in both the application and the application settings in Admin Portal. If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application. Only the public certificate goes to Sharepoint; the private key stays with the cloud service, which uses it to sign the tokens that Sharepoint verifies.

To download an application certificate from Admin Portal (overview):
1 In the Apps page, add the application.
2 Click the application to open the application details.
3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.

What you need to know about Sharepoint server

Each application is different. Here are the Sharepoint server features and functionality that you need to know when configuring the application for SSO.

Feature: Available versions and clients
  Any platform that supports Sharepoint 2010 or Sharepoint 2013, such as mobile apps on iOS and Android, desktop clients on Windows or Mac, and web browsers.
Feature: SP-initiated SSO works?
  Yes.
Feature: IdP-initiated SSO works?
  Yes.

Feature: Is there a separate login for administrators after SSO is enabled?
  SSO works for the Sharepoint web application. Sharepoint administrators use a different URL to access the administrator console.
Feature: Lockout possibility and how to recover after lockout
  No lockout possibility: the administrator console is a separate web application and does not use the trusted identity provider.

Configuring Sharepoint server in Admin Portal

To add and configure the Sharepoint server application in Admin Portal:

1 In Admin Portal, click Apps.
2 Click Add Web Apps. The Add Web Apps screen appears.
3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4 Next to the application, click Add.
5 In the Add Web App screen, click Yes to confirm. Admin Portal adds the application.
6 Click Close to exit the Application Catalog. The application that you just added opens to the Application Settings page.

Admin Portal user's guide

7 Specify the following service provider settings:

Resource Application URL (required)
  Set it to: your Sharepoint server web application and port.
  Description: This is the URL at which your Sharepoint web application accepts the SAML token. This is always https://<your-sharepoint-web-application-fqdn-and-port>/_trust. This is already preset for you in the default Resource Application URL. Replace YOUR.SHAREPOINT.WEB.APPLICATION.FQDN.AND.PORT in the default Resource Application URL with your Sharepoint web application's fully qualified host name and port.

Issuer (required)
  Set it to: the cloud service generates a value automatically for you to use, and you can edit it if you need to do so.
  Description: You can specify this to be any value; however, it must be exactly the same value that you specify as the realm ($realm) when you create the token issuer on the Sharepoint server.

8 These are the identity provider settings:

Identity Provider Sign-in URL
  Set it to: this field is not editable.
  Description: The cloud service automatically generates the content of this field. You use this URL when you create the identity token issuer for Sharepoint in Sharepoint Management Shell.

Identity Provider Sign-out URL
  Set it to: this field is not editable.
  Description: The cloud service automatically generates the content of this field. You can use this URL to specify that users are logged out of the user portal when they log out of Sharepoint server.

9 On the Application Settings page, expand the Additional Options section and specify the following settings:

Application ID
  Configure this field if you are deploying a mobile application that uses the Samsung mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
    The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK.
    If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
    There can only be one SAML application deployed with the name used by the mobile application.
    The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list
  Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the user portal.

Security Certificate
  These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.
    Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It's not necessary to select this option; it's present to display current status.
    Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.
    Use a certificate with a private key (pfx file) from your local storage selects any certificate you want to supply, typically your organization's own certificate. To use this selection, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.
  Whichever option you choose, the certificate you later import into the Sharepoint token issuer must be this one; if you change the certificate here, download it again and recreate the token issuer on the Sharepoint server.

10 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

11 On the User Access page, select the role(s) that represent the users and groups that have access to the application. When assigning an application to a role, select either Automatic Install or Optional Install:
  Select Automatic Install for applications that you want to appear automatically for users.
  If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

12 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
  Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
  Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
  You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

13 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:
  Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userprincipalname, or a similar field from the Samsung KNOX EMM user service. For Sharepoint, the value this field supplies is what the token carries as the email address identifier claim (see Creating the SPTrustedIdentityTokenIssuer below), so it must be populated and unique for every user.
  Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
  Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

    LoginUser.Username = LoginUser.Get('mail')+'.ad';

  The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add .ad to the end. So, if the user's mail attribute value is Adele.Darwin@acme.com then the cloud service uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting guide.

14 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. For some Sharepoint web applications, particularly those running on Sharepoint 2010, you may need to modify the setwctx() call in the Advanced script and set it to your Sharepoint application home page, if it's not just the FQDN and port. For example, https://mysharepoint.server.com/sites/mycompany instead of just https://mysharepoint.server.com.

Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

15 Click Workflow to set up a request and approval workflow for this application. The Workflow feature is a premium feature and is available only in the Samsung KNOX EMM User Suite App+ Edition. See Configuring Workflow for more information.

16 Click Save.

After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.

Configuring Sharepoint server for SSO

When you configure Sharepoint to use the Samsung cloud service as the identity provider, you perform the following tasks:
  a Using Sharepoint Management Shell, you create the identity token issuer, using the signing certificate and sign-in URL from the Sharepoint server application settings in Admin Portal. (See "Creating the SPTrustedIdentityTokenIssuer in Sharepoint Management Shell" below.)
  b In Sharepoint, you specify the new identity token issuer as the authentication provider for your web application. (See "Specifying the authentication provider in Sharepoint" on page 112-966.)
  c In Sharepoint, you create the trust relationship with the identity provider by uploading the root certificate. (See "Creating the established trust relationship in Sharepoint" on page 112-966.)
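Before you move to the Sharepoint side, it is worth checking the directory attribute you chose on the Account Mapping page (step 13). The script below is an added example and is not code from this guide or from the cloud service; it assumes the ActiveDirectory module (RSAT) is installed, that the shell runs as an account that can read user attributes, and that `mail` is the attribute you mapped. It lists accounts whose attribute is empty (they cannot be mapped to a user name) and values shared by more than one account (two AD accounts would arrive at Sharepoint as the same email address identifier claim, that is, the same identity).

```powershell
# Added example, not part of the original guide: check the attribute mapped on the
# Account Mapping page before it becomes Sharepoint's identifier claim.
# Assumptions: ActiveDirectory module available; $Attribute is the field you chose.
Import-Module ActiveDirectory

$Attribute = "mail"   # assumption: swap in userPrincipalName if that is what you mapped

$users = @(Get-ADUser -Filter 'enabled -eq $true' -Properties $Attribute)

# Accounts that cannot be mapped because the attribute is empty.
$missing = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.$Attribute) })

# Values shared by more than one account, compared case-insensitively as e-mail
# addresses are: each group would collapse into one Sharepoint identity.
$duplicates = @($users |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.$Attribute) } |
    Group-Object { ($_.$Attribute).ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 })

"{0} enabled users: {1} with no '{2}', {3} duplicated '{2}' values" -f `
    $users.Count, $missing.Count, $Attribute, $duplicates.Count

if ($missing.Count -gt 0) {
    "Accounts with no $Attribute (cannot be mapped to a user name):"
    $missing | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
if ($duplicates.Count -gt 0) {
    "Duplicate $Attribute values (would share one Sharepoint identity):"
    foreach ($group in $duplicates) {
        "  {0}: {1}" -f $group.Name,
            (($group.Group | Select-Object -ExpandProperty SamAccountName) -join ", ")
    }
}
```

Run it from a PowerShell session on a domain-joined machine; fix the empty and duplicate values in Active Directory before enabling the application for users, or choose an attribute that is guaranteed unique.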

Creating the SPTrustedIdentityTokenIssuer in Sharepoint Management Shell

To summarize, you'll need to run these Sharepoint Management Shell commands, in this order:
  a $cert (loads the signing certificate)
  b $map1 (creates the role claim mapping)
  c $map2 (creates the email address claim mapping)
  d $realm (sets the realm)
  e $signinurl (sets the sign-in URL to the identity provider URL, as listed in the application settings in Admin Portal)
  f $ap (creates the SPTrustedIdentityTokenIssuer, with certificate, claims, realm, and sign-in URL)

To create the SPTrustedIdentityTokenIssuer:

1 Open a Sharepoint Management Shell window on the computer that hosts your Sharepoint server deployment.

2 Run the following command to load the signing certificate into Sharepoint:

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\download\signing.cer")

  Specify the location of the signing certificate (the public .cer file) that you downloaded from the Sharepoint application settings in Admin Portal. Sharepoint accepts any token whose signature verifies with this certificate, so make sure it is the certificate currently selected in the application settings.

3 Run the following command to create the first claim mapping in Sharepoint:

    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

4 Run the following command to create the second, email address claim mapping in Sharepoint:

    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

5 Run the following command to set the realm in Sharepoint:

    $realm = "urn:sharepoint:mysharepoint"

  The realm that you specify here can be anything, but it must match the Issuer field in the Sharepoint application settings in Admin Portal exactly.

6 Run the following command to set the sign-in URL to the cloud service location:

    $signinurl = "https://cloud.centrify.com/run?appkey=..."

  Specify your Identity Provider Sign-in URL from the Sharepoint application settings in Admin Portal.

7 Run the following command to create the SPTrustedIdentityTokenIssuer:

    $ap = New-SPTrustedIdentityTokenIssuer -Name "Samsung" -Description "Samsung IDP" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim $map2.InputClaimType

  Enter the Name and Description as desired; the Name is what appears as the trusted identity provider in the Sharepoint administrator console in the next two procedures. When the command finishes, Sharepoint lists the identity provider as another trusted token issuer. Next, you specify the identity provider for your Sharepoint application.

Specifying the authentication provider in Sharepoint

After you've created the SPTrustedIdentityTokenIssuer, you can specify the identity provider by name as the authentication provider for your Sharepoint application.

To set the Samsung cloud service as your identity provider:
1 In the Sharepoint administrator console, go to Application Management > Web Applications > Manage web applications.
2 Click your web application, and then click Authentication Providers.
3 Click the zone (for example, Default) whose authentication type is Claims Based Authentication.
4 Under Trusted Identity Provider, select the token issuer you created (for example, Centrify).

Creating the established trust relationship in Sharepoint

You need to upload the root certificate to establish the trust relationship. If you're using a certificate from a public, trusted third-party certificate provider, such as Verisign, you do not need to perform this task. If you're using the default signing certificate from the Sharepoint Server application settings page in Admin Portal, you get the root certificate in Admin Portal at Settings > Certificates > Download.

To create the trust relationship between Sharepoint and your identity provider:
1 In the Sharepoint administrator console, go to Security > Manage trust.
2 Click the trusted identity provider that you've created. For example, click Centrify.
3 In the toolbar, click Edit.
4 Click Browse and select the root certificate.
5 Click OK to save the changes.
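The three Sharepoint-side procedures above can be run as one Sharepoint Management Shell script. The script below is an added example, not code from this guide or from Centrify/Samsung; every value assigned at the top ($WebAppUrl, $CertPath, $RootCertPath, $SignInUrl, $Realm, $IssuerName) is a placeholder you replace with your own, and the Manage trust and Authentication Providers steps are done with the corresponding cmdlets (New-SPTrustedRootAuthority, Set-SPWebApplication) instead of the administrator console. It adds the checks a practitioner wants before trusting an external token issuer: the web application is claims-based, the certificate is the public .cer and is currently valid, the issuer is not created twice, Windows authentication stays enabled on the zone, and what Sharepoint stored matches what Admin Portal expects.

```powershell
# Added example, not part of the original guide: the Sharepoint-side SSO setup as one
# script with sanity checks. All values below are assumptions; replace them.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl    = "https://mysharepointserver.domain.com"          # assumption
$CertPath     = "C:\download\signing.cer"                        # public signing cert downloaded from Admin Portal
$RootCertPath = "C:\download\root.cer"                           # assumption: root that issued the signing cert
$SignInUrl    = "https://cloud.centrify.com/run?appkey=REPLACE"  # assumption: paste the Sign-in URL from Admin Portal
$Realm        = "urn:sharepoint:mysharepoint"                    # must equal the Issuer field in Admin Portal
$IssuerName   = "Centrify"                                       # assumption: trusted identity provider name

# 1. Precondition from "Requirements for SSO": the web application must be claims-based.
$wa = Get-SPWebApplication -Identity $WebAppUrl
if (-not $wa.UseClaimsAuthentication) {
    throw "$WebAppUrl is not claims-based; a trusted identity provider cannot be attached to it."
}

# 2. Load the identity provider's signing certificate (public key only). Sharepoint will
#    accept any token whose signature verifies with it, so refuse a certificate that is
#    not currently valid and refuse a file that carries a private key by mistake.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Signing certificate $($cert.Thumbprint) is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
if ($cert.HasPrivateKey) {
    throw "$CertPath contains a private key; Sharepoint only needs the public certificate (.cer)."
}
Write-Host "Trusting signing certificate $($cert.Subject), thumbprint $($cert.Thumbprint)"

# 3. Claim mappings: role, plus e-mail address as the identifier claim.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
            -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
            -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

# 4. Create the trusted identity token issuer once; re-running the script must not duplicate it.
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction SilentlyContinue
if (-not $ap) {
    $ap = New-SPTrustedIdentityTokenIssuer -Name $IssuerName -Description "$IssuerName IDP" `
            -Realm $Realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 `
            -SignInUrl $SignInUrl -IdentifierClaim $map2.InputClaimType
}

# 5. Trust the root of the signing certificate's chain: the cmdlet equivalent of
#    Security > Manage trust. Skip when the signing certificate comes from a CA that
#    Sharepoint already trusts.
if (Test-Path $RootCertPath) {
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
    if (-not (Get-SPTrustedRootAuthority -Identity "$IssuerName Root" -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name "$IssuerName Root" -Certificate $root | Out-Null
    }
}

# 6. Enable the provider on the Default zone and keep Windows authentication alongside
#    it, so a broken federation never locks administrators out of the web application.
$winAp = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $winAp, $ap

# 7. Verify what Sharepoint stored against what Admin Portal expects.
$check = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if ($check.DefaultProviderRealm -ne $Realm) {
    throw "Realm mismatch: Sharepoint has '$($check.DefaultProviderRealm)', Admin Portal Issuer is '$Realm'."
}
if ($check.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Sharepoint trusts thumbprint $($check.SigningCertificate.Thumbprint), expected $($cert.Thumbprint)."
}
"Issuer '{0}' ready: realm={1} sign-in={2}" -f $check.Name, $check.DefaultProviderRealm, $check.ProviderUri
```

Run it in the Sharepoint Management Shell as a farm administrator. The thumbprint and realm checks at the end are the two values that most often drift between Admin Portal and Sharepoint: a new tenant certificate in Admin Portal or an edited Issuer field silently breaks sign-in until the token issuer is recreated.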
