RSA SecurID Access WS-Fed Configuration for Microsoft SharePoint


Last Modified: October 26, 2017

SharePoint is a web application platform in the Microsoft Office server suite. It combines various functions that are traditionally separate applications: intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management and an enterprise application store.

Before You Begin

- Acquire administrator accounts for RSA SecurID Access and SharePoint.
- Verify that you have a SharePoint 2016 web application deployed and configured with SSL enabled in your environment. Consult Microsoft documentation for instructions to configure SSL.
- Create a site collection for your SharePoint application with Windows authentication enabled. Confirm that you can log in to the site with an end user account.
- If your SharePoint server uses an uncommon Certificate Authority (CA) for certificate signing, you must use the Administration Console to upload the CA to the IDR. See the RSA SecurID Access help documentation for instructions to upload certificates from trusted Certificate Authorities and for a list of CAs that the IDR trusts out-of-the-box.

The instructions in this guide use the following configuration values:

  Default SharePoint Base URL:  https://www.sharepoint2016.com/
  Relying Party URL:            https://www.sharepoint2016.com/_trust
  Relying Party ID:             urn:sharepoint2016:portal.sso3.pe-lab.com
  Trusted Token Issuer:         SECURID_ACCESS_IDR
  Identifier Claim:             http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Issuer Entity ID:             sso3-wsfed-sharepoint2016
  IdP URL:                      https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016
  Relying Party ID (1):         urn:sharepoint2016:portal.sso3.pe-lab.com
  Incoming Claim Type:          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

(1) Also known as the default SharePoint Realm. The value of the Relying Party ID in SecurID Access is always used as the name of the default Realm in SharePoint.

Procedure

1. Add a Microsoft SharePoint WS-Fed Application in RSA SecurID Access
2. Configure Microsoft SharePoint to Use RSA SecurID Access as an Identity Provider

Copyright 2016 EMC Corporation. All Rights Reserved.

Add a Microsoft SharePoint WS-Fed Application in RSA SecurID Access

1. Log in to the RSA SecurID Access Administration Console, click the Applications tab and select Application Catalog from the Application tab dropdown list.
2. Search for Microsoft SharePoint WS-Fed in the list of applications and click the +Add button.
3. Enter a name for the application in the Name field and click the Next Step button.
4. Scroll to the SAML Identity Provider section on the Connection Profile page and copy the value from the Identity Provider URL field.
   Note: The URL in the example below contains a custom Issuer Entity ID, but you may use the auto-generated value if you wish.
5. Scroll to the top of the page and paste the identity provider URL in the Menu URL field.

6. You must import a private/public key pair to sign and validate SAML assertions. If you don't have one readily available, follow the steps to generate a certificate bundle. Otherwise, continue to step 7.
   a. Scroll to the SAML Response Signature section and click the Generate Certificate Bundle button.
   b. In the Common Name (CN) field, enter the hostname of the SharePoint service provider's server that will be sending authentication requests.
   c. Click the Generate and Download button, save the certificate bundle ZIP file to a secure location and extract its contents. The ZIP file will contain a private key, a public certificate and a certificate signing request.
7. Click the Choose File button on the left of the Generate Certificate Bundle button, locate and select a private key for signing SAML assertions and click the Open button.
8. Click the Choose File button underneath the Generate Certificate Bundle button, locate and select your public certificate and click the Open button.
9. Select the Include Certificate in Outgoing Assertion checkbox.
10. Enter your relying party URL in the Relying Party URL field. This URL is your <SharePoint Root URL>/_trust. The relying party URL in this example is https://www.sharepoint2016.com/_trust.
11. Use the following format to create a unique identifier and enter it in the Relying Party ID field: urn:<string 1>:<string 2>. You may choose any values for <string 1> and <string 2>. You will use the value as your SharePoint realm name. The relying party ID in this example is urn:sharepoint2016:portal.sso3.pe-lab.com.

12. Decide which claim type(s) you will use to identify an authenticated user. This example uses http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. See the following URL for information about claims-based identity: https://dev.office.com/sharepoint/docs/general-development/claims-based-identityterm-definitions.
13. Select Identity Source from the Attribute Source dropdown list in the Attribute Extension section.
14. In the Attribute Name field, enter the attribute name that corresponds to your claim. The attribute name in this example is emailaddress.
15. Select the name of your user identity source from the Identity Source dropdown list. In this example, user accounts are stored in an identity source named AD20.
16. From the Property dropdown list, select the attribute name your identity store uses to store the value that corresponds to your claim type. In this example, the identity source's mail attribute will be used to uniquely identify a user in SAML assertions.
17. Click the Next Step button.
18. On the User Access page, select the access policy the identity router will use to determine which users can access the SharePoint service provider from the portal. If you want to allow access to all users who are signed in to the portal, select the Allow All Authenticated Users radio button. Otherwise, select the Select Custom Policy radio button and select the policy you want to use from the dropdown list.
19. Click the Next Step button.

20. Select the Display in Portal checkbox on the Portal Display page.
21. Click the Save and Finish button.
22. Click the Publish Changes button at the top of the page.

Configure SharePoint to Use RSA SecurID Access as an IdP

Important: The instructions below assume that you have created and configured the SharePoint web application(s) and corresponding site collection(s) that you plan to integrate with RSA SecurID Access and that you can log in to each site with an end user account.

This section is divided into the following three subsections.

1. Create a Trusted Identity Token Issuer for RSA SecurID Access
2. Permit Additional SharePoint Web Applications to Use RSA SecurID Access
3. Configure a SharePoint Web Application to Use the RSA SecurID Access Token Issuer

The first section is mandatory, but you can skip the second section if you only want to authorize the default SharePoint web application to use RSA SecurID Access. Otherwise, follow the instructions in the second section for each additional web application you want to authorize. Complete the instructions in the third section to enable RSA SecurID Access authentication, create authentication policies and configure site permissions for one or more of the SharePoint web applications you authorized.

Important: When you first create a SharePoint Trusted Identity Token issuer, only the default SharePoint web application will be permitted to use it. However, you can easily make it available to additional SharePoint web applications.

Create a Trusted Identity Token Issuer for RSA SecurID Access

Follow the steps below to create a SharePoint Trusted Identity Token issuer for RSA SecurID Access and make it available for the default SharePoint web application and site collections to use as an authentication provider.

1. Log into your SharePoint server host and open the SharePoint Management Shell.
2. Create a root certificate object using the signing certificate you downloaded from SecurID Access and copied to your SharePoint server. Replace c:\certs\root.cer with the path and name of your signing certificate.

   $root_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\certs\root.cer")

3. Create a trusted root authority for your token issuer and set the root certificate. Replace portal.sso3.pe-lab.com with the name you want to give to your trusted root authority.

   New-SPTrustedRootAuthority -Name "portal.sso3.pe-lab.com" -Certificate $root_cert

4. Enter the command below to create a claim type mapping (one per claim type). Replace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with your claim type URL(s). See the following URL for information about claims-based identity: https://dev.office.com/sharepoint/docs/general-development/claims-based-identityterm-definitions.

   $email_claim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

5. Enter the command below to create a variable to hold the name of your realm. You must set this value to the Relying Party ID you chose in the previous section. Replace urn:sharepoint2016:portal.sso3.pe-lab.com with the relying party ID.

   $realm = "urn:sharepoint2016:portal.sso3.pe-lab.com"

6. Enter the New-SPTrustedIdentityTokenIssuer command below to create a token issuer.
   a. Replace SECURID_ACCESS_IDR with a unique name to identify your token issuer.
   b. Replace portal.sso3.pe-lab.com-idr with a description of the issuer.
   c. Replace https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016& with your Identity Provider URL followed by an ampersand (&).
   d. Replace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with your claim type URL.

   $issuer = New-SPTrustedIdentityTokenIssuer -Name "SECURID_ACCESS_IDR" -Description "portal.sso3.pe-lab.com-idr" -Realm $realm -ImportTrustCertificate $root_cert -ClaimsMappings $email_claim -SignInUrl "https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016&" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

   Important: You must set the New-SPTrustedIdentityTokenIssuer command's SignInUrl parameter to your IdP URL with an & appended to the end of it. Our IdP URL is https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016, so we set the SignInUrl to https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016& in the command above. As a second example, if your IdP URL is https://my.portal.com/idpservlet?idp_id=myid, then you would set the SignInUrl parameter to https://my.portal.com/idpservlet?idp_id=myid&.

7. If you want to permit additional SharePoint web applications to use RSA SecurID Access, follow the instructions in the next section. Otherwise skip to the last section to enable RSA SecurID Access authentication on the default SharePoint application.
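The steps above as one script, added here as an example and not taken from the RSA guide. It uses the guide's example values, checks the two inputs that are easy to get wrong before anything is written to the farm (the urn:<string 1>:<string 2> realm format and the trailing & on SignInUrl), refuses a certificate file that carries a private key, and makes the trusted root registration safe to re-run.

```powershell
# Added example (not from the RSA guide): create the SharePoint trusted
# identity token issuer for RSA SecurID Access in one pass, with input checks.
# Run in the SharePoint Management Shell; values below are the guide's examples.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$CertPath   = "c:\certs\root.cer"                       # public signing cert from SecurID Access
$RootName   = "portal.sso3.pe-lab.com"                  # trusted root authority name
$IssuerName = "SECURID_ACCESS_IDR"                      # token issuer name
$IssuerDesc = "portal.sso3.pe-lab.com-idr"
$Realm      = "urn:sharepoint2016:portal.sso3.pe-lab.com"   # = Relying Party ID in SecurID Access
$IdpUrl     = "https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016"
$ClaimType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# The realm must be urn:<string 1>:<string 2> with no whitespace, exactly as
# entered in the Relying Party ID field on the SecurID Access side.
if ($Realm -notmatch '^urn:[^:\s]+:[^:\s]+$') {
    throw "Realm '$Realm' is not in the form urn:<string 1>:<string 2>"
}

# The guide requires the IdP URL with a trailing '&' as SignInUrl; add it if missing.
$SignInUrl = if ($IdpUrl.EndsWith("&")) { $IdpUrl } else { "$IdpUrl&" }

# Load the signing certificate. SharePoint only needs the public certificate to
# validate tokens, so a file that contains the private key is the wrong file.
$root_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($root_cert.HasPrivateKey) { throw "'$CertPath' contains a private key; use the public certificate only" }
if ($root_cert.NotAfter -lt (Get-Date)) { throw "Signing certificate in '$CertPath' has expired" }

# Register the trusted root only if it is not already present (idempotent re-runs).
if (-not (Get-SPTrustedRootAuthority -Identity $RootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $RootName -Certificate $root_cert | Out-Null
}

# Map the incoming email claim unchanged, as in step 4 of the guide.
$email_claim = New-SPClaimTypeMapping -IncomingClaimType $ClaimType `
    -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

# Create the issuer (step 6 of the guide) with the checked values.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $IssuerName -Description $IssuerDesc `
    -Realm $Realm -ImportTrustCertificate $root_cert -ClaimsMappings $email_claim `
    -SignInUrl $SignInUrl -IdentifierClaim $ClaimType

# Echo what was registered so it can be compared with the SecurID Access application.
$issuer | Select-Object Name, DefaultProviderRealm, ProviderUri
```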

Permit Additional SharePoint Web Applications to Use RSA SecurID Access

Note: Your default SharePoint web application is now authorized to use the token issuer you created. If you want to authorize additional SharePoint web application(s), follow the instructions below. Otherwise, continue to the next section.

You can use a Trusted Identity Token Issuer to protect multiple SharePoint web applications by mapping each application to a unique identifier known as a realm. You set the first realm name when you create a token issuer. The issuer uses this realm to identify the default SharePoint application. In order to register an additional SharePoint web application with the issuer, you must explicitly map its base URL to a new realm name. See this link for full details: https://technet.microsoft.com/en-us/library/cc262350(v=office.15).aspx#plansaml.

Suppose you want to create a SharePoint web application exclusively for your Sales Department and then use the RSA SecurID SharePoint token issuer to protect it. You would first complete the steps below to create the application and authorize it to use the token issuer. You would then complete the steps in the next section to enable the issuer as an authentication provider on the new web application. The example uses the token issuer from the previous section (SECURID_ACCESS_IDR) and these additional configuration values:

  SharePoint Sales Department Web Application Base URL:  https://www.sharepoint2016.com:44331
  Sales Department Web Application Realm Name:           urn:sharepoint2016:sales-sites

1. Create and configure a web application and site collection(s) for the Sales Department.
2. Choose a unique realm name for the application. The realm name used in this example is urn:sharepoint2016:sales-sites.
   Note: The realm name must be unique and formatted as follows: urn:<string 1>:<string 2>. Choose any values for <string 1> and <string 2>. They are arbitrary.
3. Log in to your SharePoint server host, open the SharePoint Management Shell and enter the following command to retrieve your token issuer. Replace SECURID_ACCESS_IDR with the name you gave to your token issuer.

   $issuer = Get-SPTrustedIdentityTokenIssuer "SECURID_ACCESS_IDR"

4. Enter the command below to save your web application URL to a variable. Replace https://www.sharepoint2016.com:44331 with your web application's base URL.

   $app_url = New-Object System.Uri("https://www.sharepoint2016.com:44331")

5. Enter the command below to save the realm name to a variable. Replace urn:sharepoint2016:sales-sites with the realm name you chose.

   $app_realm = "urn:sharepoint2016:sales-sites"

6. Enter the following two commands to map the web application URL to the realm name.

   $issuer.ProviderRealms.Add($app_url, $app_realm)
   $issuer.Update()

The application is now authorized to use the token issuer as an authentication provider. Continue to the next section to enable it on the application and set end user permissions.
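The realm mapping above, generalized to several web applications and written as an added example (not the guide's own code). It checks the realm format, rejects a realm that collides with the default realm or an existing mapping (SharePoint uses the realm to tell the applications apart), skips URLs that are already mapped, and lists every mapping afterwards so the result can be verified. The hashtable holds the guide's Sales Department values; add a line per additional application.

```powershell
# Added example (not from the RSA guide): map additional web applications to
# realms on an existing token issuer and verify the result.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$IssuerName = "SECURID_ACCESS_IDR"
# Web application base URL -> realm name. Extend with one entry per application.
$AppRealms = @{
    "https://www.sharepoint2016.com:44331" = "urn:sharepoint2016:sales-sites"
}

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if (-not $issuer) { throw "Token issuer '$IssuerName' not found" }

foreach ($entry in $AppRealms.GetEnumerator()) {
    $app_url   = New-Object System.Uri($entry.Key)
    $app_realm = $entry.Value

    # Same format rule as the default realm: urn:<string 1>:<string 2>.
    if ($app_realm -notmatch '^urn:[^:\s]+:[^:\s]+$') {
        throw "Realm '$app_realm' is not in the form urn:<string 1>:<string 2>"
    }
    # Leave an already mapped URL alone rather than silently changing its realm.
    if ($issuer.ProviderRealms.ContainsKey($app_url)) {
        Write-Warning "$($entry.Key) is already mapped to '$($issuer.ProviderRealms[$app_url])'; skipping"
        continue
    }
    # Realms must be unique across the default realm and all mapped realms.
    if ($app_realm -eq $issuer.DefaultProviderRealm -or $issuer.ProviderRealms.ContainsValue($app_realm)) {
        throw "Realm '$app_realm' is already in use on issuer '$IssuerName'"
    }
    $issuer.ProviderRealms.Add($app_url, $app_realm)
}
$issuer.Update()

# Verification: the default realm plus every URL-to-realm mapping now on the issuer.
"Default realm: $($issuer.DefaultProviderRealm)"
$issuer.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }
```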

Configure a SharePoint Web Application to Use the RSA SecurID Access Token Issuer

1. Open SharePoint Central Administration and click the Manage web applications link.
2. Highlight the web application you want to configure and click the Authentication Providers button.
3. Click the Default link on the Authentication Providers dialog box.
4. Confirm that the Integrated Windows authentication checkbox is checked and that NTLM is selected in the dropdown list.

5. Check the Trusted Identity Provider checkbox.
6. Check the checkbox for the token issuer name you chose above.
7. Click the Save button.
8. Log into the SharePoint site as an administrator.
9. Click the gear icon to the right of the System Account menu and click the Site settings menu item.
10. Click the Site permissions link in the Users and Permissions section of the Site Settings page.
11. Click the Grant Permissions button at the top of the page.

12. Enter your token issuer name in the list.
13. Select the appropriate group/permission level from the dropdown based on your requirements and click the Share button.
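The same configuration done from the SharePoint Management Shell, as an added example rather than the guide's own steps: it keeps Windows (NTLM) authentication on the Default zone and adds the token issuer beside it, verifies both providers are listed, then grants a permission level to one user identified by the email claim. The user address, web application URL and permission level are constructed sample values; the guide's GUI steps grant access to the issuer as a whole, whereas this grants it to a single claims user.

```powershell
# Added example (not from the RSA guide): enable the RSA SecurID Access token
# issuer on a web application and grant a claims user a permission level.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl  = "https://www.sharepoint2016.com/"   # guide's default web application
$IssuerName = "SECURID_ACCESS_IDR"
$UserEmail  = "user@example.com"                   # constructed sample value
$PermLevel  = "Contribute"                         # constructed sample value

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if (-not $issuer) { throw "Token issuer '$IssuerName' not found" }

# Steps 4-7 of the guide: Windows authentication stays enabled (NTLM is the
# default for this provider) and the trusted identity provider is added next to it.
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $WebAppUrl -Zone Default -AuthenticationProvider $winAuth, $trusted

# Verify the Default zone now lists both providers before touching permissions.
$providers = Get-SPAuthenticationProvider -WebApplication $WebAppUrl -Zone Default
$providers | Select-Object DisplayName, ClaimProviderName
if (-not ($providers | Where-Object { $_.DisplayName -eq $IssuerName })) {
    throw "Issuer '$IssuerName' is not enabled on the Default zone of $WebAppUrl"
}

# Steps 8-13 of the guide for one user: build the claims identity SharePoint
# will see for this issuer (identifier claim = email address) and grant it the
# permission level. New-SPUser needs the encoded claim string, not the bare email.
$principal = New-SPClaimsPrincipal -Identity $UserEmail -TrustedIdentityTokenIssuer $issuer
New-SPUser -UserAlias $principal.ToEncodedString() -Web $WebAppUrl -PermissionLevel $PermLevel
```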