RSA SecurID Access WS-Fed Configuration for Microsoft SharePoint

Last Modified: October 26, 2017

SharePoint is a web application platform in the Microsoft Office server suite. It combines various functions that are traditionally separate applications: intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management and an enterprise application store.

Before You Begin

Acquire administrator accounts for RSA SecurID Access and SharePoint.

Verify that you have a SharePoint 2016 web application deployed and configured with SSL enabled in your environment. Consult Microsoft documentation for instructions to configure SSL.

Create a site collection for your SharePoint application with Windows authentication enabled. Confirm that you can log in to the site with an end user account.

If your SharePoint server uses an uncommon Certificate Authority (CA) for certificate signing, you must use the Administration Console to upload the CA to the IDR. See the RSA SecurID Access help documentation for instructions to upload certificates from trusted Certificate Authorities and for a list of CAs that the IDR trusts out-of-the-box.

The instructions in this guide use the following configuration values:

    Default SharePoint Base URL:       https://www.sharepoint2016.com/
    Relying Party URL:                 https://www.sharepoint2016.com/_trust
    Relying Party ID:                  urn:sharepoint2016:portal.sso3.pe-lab.com
    Trusted Token Issuer Identifier:   SECURID_ACCESS_IDR
    Claim:                             http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Issuer Entity ID:                  sso3-wsfed-sharepoint2016
    IdP URL:                           https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016
    Relying Party ID (1):              urn:sharepoint2016:portal.sso3.pe-lab.com
    Incoming Claim Type:               http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    (1) Also known as the default SharePoint realm. The value of the Relying Party ID in SecurID Access is always used as the name of the default realm in SharePoint.

Procedure

1. Add a Microsoft SharePoint WS-Fed Application in RSA SecurID Access
2. Configure Microsoft SharePoint to Use RSA SecurID Access as an Identity Provider

Copyright 2016 EMC Corporation. All Rights Reserved.
Add a Microsoft SharePoint WS-Fed Application in RSA SecurID Access

1. Log in to the RSA SecurID Access Administration Console, click the Applications tab and select Application Catalog from the Application tab dropdown list.
2. Search for Microsoft SharePoint WS-Fed in the list of applications and click the +Add button.
3. Enter a name for the application in the Name field and click the Next Step button.
4. Scroll to the SAML Identity Provider section on the Connection Profile page and copy the value from the Identity Provider URL field.
   Note: The URL in the example below contains a custom Issuer Entity ID, but you may use the auto-generated value if you wish.
5. Scroll to the top of the page and paste the identity provider URL in the Menu URL field.
6. You must import a private/public key pair to sign and validate SAML assertions. If you don't have one readily available, follow the steps below to generate a certificate bundle. Otherwise, continue to step 7.
   a. Scroll to the SAML Response Signature section and click the Generate Certificate Bundle button.
   b. In the Common Name (CN) field, enter the hostname of the SharePoint service provider's server that will be sending authentication requests.
   c. Click the Generate and Download button, save the certificate bundle ZIP file to a secure location and extract its contents. The ZIP file contains a private key, a public certificate and a certificate signing request.
7. Click the Choose File button on the left of the Generate Certificate Bundle button, locate and select a private key for signing SAML assertions and click the Open button.
8. Click the Choose File button underneath the Generate Certificate Bundle button, locate and select your public certificate and click the Open button.
9. Select the Include Certificate in Outgoing Assertion checkbox.
10. Enter your relying party URL in the Relying Party URL field. This URL is your <SharePoint Root URL>/_trust. The relying party URL in this example is https://www.sharepoint2016.com/_trust.
11. Use the following format to create a unique identifier and enter it in the Relying Party ID field: urn:<string 1>:<string 2>. You may choose any values for <string 1> and <string 2>. You will use this value as your SharePoint realm name. The relying party ID in this example is urn:sharepoint2016:portal.sso3.pe-lab.com.
12. Decide which claim type(s) you will use to identify an authenticated user. This example uses http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. See the following URL for information about claims-based identity: https://dev.office.com/sharepoint/docs/general-development/claims-based-identityterm-definitions.
13. Select Identity Source from the Attribute Source dropdown list in the Attribute Extension section.
14. In the Attribute Name field, enter the attribute name that corresponds to your claim. The attribute name in this example is emailaddress.
15. Select the name of your user identity source from the Identity Source dropdown list. In this example, user accounts are stored in an identity source named AD20.
16. From the Property dropdown list, select the attribute name your identity store uses to store the value that corresponds to your claim type. In this example, the identity source's mail attribute will be used to uniquely identify a user in SAML assertions.
17. Click the Next Step button.
18. On the User Access page, select the access policy the identity router will use to determine which users can access the SharePoint service provider from the portal. If you want to allow access to all users who are signed in to the portal, select the Allow All Authenticated Users radio button. Otherwise, select the Select Custom Policy radio button and select the policy you want to use from the dropdown list.
19. Click the Next Step button.
20. Select the Display in Portal checkbox on the Portal Display page.
21. Click the Save and Finish button.
22. Click the Publish Changes button at the top of the page.
Configure SharePoint to Use RSA SecurID Access as an IdP

Important: The instructions below assume that you have created and configured the SharePoint web application(s) and corresponding site collection(s) that you plan to integrate with RSA SecurID Access and that you can log in to each site with an end user account.

This section is divided into the following three subsections:

1. Create a Trusted Identity Token Issuer for RSA SecurID Access
2. Permit Additional SharePoint Web Applications to Use RSA SecurID Access
3. Configure a SharePoint Web Application to Use the RSA SecurID Access Token Issuer

The first subsection is mandatory, but you can skip the second if you only want to authorize the default SharePoint web application to use RSA SecurID Access. Otherwise, follow the instructions in the second subsection for each additional web application you want to authorize. Complete the instructions in the third subsection to enable RSA SecurID Access authentication, create authentication policies and configure site permissions for one or more of the SharePoint web applications you authorized.

Important: When you first create a SharePoint Trusted Identity Token Issuer, only the default SharePoint web application is permitted to use it. However, you can easily make it available to additional SharePoint web applications.

Create a Trusted Identity Token Issuer for RSA SecurID Access

Follow the steps below to create a SharePoint Trusted Identity Token Issuer for RSA SecurID Access and make it available for the default SharePoint web application and its site collections to use as an authentication provider.

1. Log in to your SharePoint server host and open the SharePoint Management Shell.
2. Create a root certificate object using the signing certificate you downloaded from SecurID Access and copied to your SharePoint server. Replace c:\certs\root.cer with the path and name of your signing certificate.

    $root_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\certs\root.cer")

3. Create a trusted root authority for your token issuer and set the root certificate. Replace portal.sso3.pe-lab.com with the name you want to give to your trusted root authority.

    New-SPTrustedRootAuthority -Name "portal.sso3.pe-lab.com" -Certificate $root_cert

4. Enter the command below to create a claim type mapping (one for each claim type you use). Replace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with your claim type URL. See the following URL for information about claims-based identity: https://dev.office.com/sharepoint/docs/general-development/claims-based-identityterm-definitions.

    $email_claim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

5. Enter the command below to create a variable to hold the name of your realm. You must set this value to the Relying Party ID you chose in the previous section. Replace urn:sharepoint2016:portal.sso3.pe-lab.com with your relying party ID.

    $realm = "urn:sharepoint2016:portal.sso3.pe-lab.com"

6. Enter the New-SPTrustedIdentityTokenIssuer command below to create a token issuer.
   a. Replace SECURID_ACCESS_IDR with a unique name to identify your token issuer.
   b. Replace portal.sso3.pe-lab.com-idr with a description of the issuer.
   c. Replace https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016& with your Identity Provider URL followed by an ampersand (&).
   d. Replace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with your claim type URL.

    $issuer = New-SPTrustedIdentityTokenIssuer -Name "SECURID_ACCESS_IDR" -Description "portal.sso3.pe-lab.com-idr" -Realm $realm -ImportTrustCertificate $root_cert -ClaimsMappings $email_claim -SignInUrl "https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016&" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

   Important: You must set the New-SPTrustedIdentityTokenIssuer command's SignInUrl parameter to your IdP URL with an & appended to the end of it. Our IdP URL is https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016, so we set the SignInUrl to https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016& in the command above. As a second example, if your IdP URL is https://my.portal.com/idpservlet?idp_id=myid, then you would set the SignInUrl parameter to https://my.portal.com/idpservlet?idp_id=myid&.

7. If you want to permit additional SharePoint web applications to use RSA SecurID Access, follow the instructions in the next section. Otherwise, skip to the last section to enable RSA SecurID Access authentication on the default SharePoint application.
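The script below is an added example and not part of the RSA guide: it runs steps 2 to 6 of this subsection as one pass and adds the pre-flight checks an administrator would want before creating a production token issuer: the signing certificate is inside its validity period, the realm matches the urn:<string 1>:<string 2> form, the SignInUrl carries the trailing ampersand the guide requires, and an existing trust root with the same name is reused (and must hold the same certificate) rather than duplicated. It finishes by reading back the issuer SharePoint stored. The variable names and the check logic are this example's own; the sample values are the guide's and must be replaced with yours.

```powershell
# Added example (not from the RSA guide): steps 2 to 6 as one script with pre-flight checks.
# Run from the SharePoint Management Shell. Sample values are the guide's; replace them.

$certPath   = "c:\certs\root.cer"
$rootName   = "portal.sso3.pe-lab.com"
$issuerName = "SECURID_ACCESS_IDR"
$realm      = "urn:sharepoint2016:portal.sso3.pe-lab.com"   # must equal the Relying Party ID
$idpUrl     = "https://portal.sso3.pe-lab.com/idpservlet?idp_id=sso3-wsfed-sharepoint2016"
$claimType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Load the IdP signing certificate and refuse one outside its validity period:
# SharePoint would accept the trust root now and then reject every token later.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$now = Get-Date
if ($now -lt $rootCert.NotBefore -or $now -gt $rootCert.NotAfter) {
    throw "Signing certificate $($rootCert.Thumbprint) is not valid at $now (NotAfter $($rootCert.NotAfter))"
}

# The realm is the Relying Party ID from SecurID Access and must be urn:<string 1>:<string 2>
if ($realm -notmatch '^urn:[^:]+:[^:]+$') {
    throw "Realm '$realm' is not in the form urn:<string 1>:<string 2>"
}

# SignInUrl is the IdP URL with a trailing '&' (guide step 6c); add it if it is missing
$signInUrl = if ($idpUrl.EndsWith('&')) { $idpUrl } else { "$idpUrl&" }

# Trust root: reuse an existing entry with this name instead of failing on a re-run,
# but refuse to continue if that entry holds a different certificate.
$trustRoot = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $rootName }
if (-not $trustRoot) {
    $trustRoot = New-SPTrustedRootAuthority -Name $rootName -Certificate $rootCert
} elseif ($trustRoot.Certificate.Thumbprint -ne $rootCert.Thumbprint) {
    throw "Trust root '$rootName' already exists with a different certificate ($($trustRoot.Certificate.Thumbprint))"
}

# Claim mapping: the incoming e-mail claim is passed through unchanged
$emailClaim = New-SPClaimTypeMapping -IncomingClaimType $claimType `
    -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

# Create the issuer (step 6)
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "$rootName-idr" `
    -Realm $realm -ImportTrustCertificate $rootCert -ClaimsMappings $emailClaim `
    -SignInUrl $signInUrl -IdentifierClaim $claimType

# Read back what SharePoint stored, for the change record
$issuer | Select-Object Name, DefaultProviderRealm, ProviderUri,
    @{ n = 'SigningCertThumbprint'; e = { $_.SigningCertificate.Thumbprint } },
    @{ n = 'IdentityClaim';         e = { $_.IdentityClaimTypeInformation.InputClaimType } }
```

Compare the printed DefaultProviderRealm and IdentityClaim with the Relying Party ID and claim type configured in the SecurID Access application; a mismatch in either means SharePoint will reject the tokens the identity router issues.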
Permit Additional SharePoint Web Applications to Use RSA SecurID Access

Note: Your default SharePoint web application is now authorized to use the token issuer you created. If you want to authorize one or more additional SharePoint web applications, follow the instructions below. Otherwise, continue to the next section.

You can use a Trusted Identity Token Issuer to protect multiple SharePoint web applications by mapping each application to a unique identifier known as a realm. You set the first realm name when you create a token issuer. The issuer uses this realm to identify the default SharePoint application. In order to register an additional SharePoint web application with the issuer, you must explicitly map its base URL to a new realm name. See this link for full details: https://technet.microsoft.com/en-us/library/cc262350(v=office.15).aspx#plansaml.

Suppose you want to create a SharePoint web application exclusively for your Sales Department and then use the RSA SecurID SharePoint token issuer to protect it. You would first complete the steps below to create the application and authorize it to use the token issuer. You would then complete the steps in the next section to enable the issuer as an authentication provider on the new web application. The example uses the token issuer from the previous section (SECURID_ACCESS_IDR) and these additional configuration values:

    SharePoint Sales Department Web Application Base URL:   https://www.sharepoint2016.com:44331
    Sales Department Web Application Realm Name:            urn:sharepoint2016:sales-sites

1. Create and configure a web application and site collection(s) for the Sales Department.
2. Choose a unique realm name for the application. The realm name used in this example is urn:sharepoint2016:sales-sites.
   Note: The realm name must be unique and formatted as follows: urn:<string 1>:<string 2>. Choose any values for <string 1> and <string 2>; they are arbitrary.
3. Log in to your SharePoint server host, open the SharePoint Management Shell and enter the following command to retrieve your token issuer. Replace SECURID_ACCESS_IDR with the name you gave to your token issuer.

    $issuer = Get-SPTrustedIdentityTokenIssuer "SECURID_ACCESS_IDR"

4. Enter the command below to save your web application URL to a variable. Replace https://www.sharepoint2016.com:44331 with your web application's base URL.

    $app_url = New-Object System.Uri("https://www.sharepoint2016.com:44331")

5. Enter the command below to save the realm name to a variable. Replace urn:sharepoint2016:sales-sites with the realm name you chose.

    $app_realm = "urn:sharepoint2016:sales-sites"

6. Enter the following two commands to map the web application URL to the realm name.

    $issuer.ProviderRealms.Add($app_url, $app_realm)
    $issuer.Update()

The application is now authorized to use the token issuer as an authentication provider. Continue to the next section to enable it on the application and set end user permissions.
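As an added example that is not part of the RSA guide, the script below performs steps 3 to 6 of this subsection with the checks an administrator would want before changing a token issuer that other web applications already depend on: the web application really exists, the new realm is well formed and not already mapped on the issuer, and a re-run updates the existing mapping for that URL instead of failing on a duplicate key. It ends by listing the default realm and every per-application realm the issuer now knows. The variable names and check logic are this example's own; the values are the guide's.

```powershell
# Added example (not from the RSA guide): map a second web application to its own realm
# on the existing token issuer, with checks, then list every realm the issuer knows.
# Run from the SharePoint Management Shell. Sample values are the guide's; replace them.

$issuerName = "SECURID_ACCESS_IDR"
$appUrl     = New-Object System.Uri("https://www.sharepoint2016.com:44331")
$appRealm   = "urn:sharepoint2016:sales-sites"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $issuer) { throw "Token issuer '$issuerName' not found in this farm" }

# The mapping does not create the web application; it must already exist (guide step 1).
# Compare URLs without the trailing slash that SharePoint adds to SPWebApplication.Url.
$target = $appUrl.AbsoluteUri.TrimEnd('/')
$webApp = Get-SPWebApplication | Where-Object { $_.Url.TrimEnd('/') -eq $target }
if (-not $webApp) { throw "No SharePoint web application answers at $target" }

# Realm format (urn:<string 1>:<string 2>) and uniqueness: it must not equal the default
# realm or any realm already mapped, or SharePoint cannot tell the applications apart.
if ($appRealm -notmatch '^urn:[^:]+:[^:]+$') {
    throw "Realm '$appRealm' is not in the form urn:<string 1>:<string 2>"
}
if ($issuer.DefaultProviderRealm -eq $appRealm -or $issuer.ProviderRealms.Values -contains $appRealm) {
    throw "Realm '$appRealm' is already in use on issuer '$issuerName'"
}

# Add the mapping, or replace an earlier mapping for the same URL, then persist it
if ($issuer.ProviderRealms.ContainsKey($appUrl)) {
    $issuer.ProviderRealms[$appUrl] = $appRealm
} else {
    $issuer.ProviderRealms.Add($appUrl, $appRealm)
}
$issuer.Update()

# Read back: the default realm plus one line per mapped web application
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
"Default realm: $($issuer.DefaultProviderRealm)"
foreach ($entry in $issuer.ProviderRealms.GetEnumerator()) {
    "$($entry.Key) -> $($entry.Value)"
}
```

The realm printed for the new web application is the value the identity router must present as the Relying Party ID for that application, so keep this listing with the SecurID Access application configuration.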
Configure a SharePoint Web Application to Use the RSA SecurID Access Token Issuer

1. Open SharePoint Central Administration and click the Manage web applications link.
2. Highlight the web application you want to configure and click the Authentication Providers button.
3. Click the Default link on the Authentication Providers dialog box.
4. Confirm that the Integrated Windows authentication checkbox is checked and that NTLM is selected in the dropdown list.
5. Check the Trusted Identity Provider checkbox.
6. Check the checkbox for the token issuer name you chose above.
7. Click the Save button.
8. Log in to the SharePoint site as an administrator.
9. Click the gear icon to the right of the System Account menu and click the Site settings menu item.
10. Click the Site permissions link in the Users and Permissions section of the Site Settings page.
11. Click the Grant Permissions button at the top of the page.
12. Enter your token issuer name in the list.
13. Select the appropriate group/permission level from the dropdown based on your requirements and click the Share button.
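The following script is an added example and not part of the RSA guide: it is the SharePoint Management Shell equivalent of steps 1 to 7 above, enabling the SecurID Access token issuer on a web application's Default zone next to Windows (NTLM) authentication, and then reading the zone's provider list back so the change can be verified without opening Central Administration. It assumes the web application is served from the Default zone; the variable names are this example's own and the sample values are the guide's. Steps 8 to 13 (granting site permissions) are left to the Site Settings pages as the guide describes.

```powershell
# Added example (not from the RSA guide): PowerShell equivalent of steps 1 to 7, then a read-back.
# Run from the SharePoint Management Shell. Sample values are the guide's; replace them.

$webAppUrl  = "https://www.sharepoint2016.com/"
$issuerName = "SECURID_ACCESS_IDR"

$webApp = Get-SPWebApplication -Identity $webAppUrl
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $issuer) { throw "Token issuer '$issuerName' not found in this farm" }

# Set-SPWebApplication replaces the zone's entire provider list, so Windows authentication
# must be passed again or it is silently dropped. -DisableKerberos selects NTLM (step 4).
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

Set-SPWebApplication -Identity $webApp -Zone Default `
    -AuthenticationProvider $windowsProvider, $trustedProvider

# Verify: re-read the web application and list the providers now active on the Default zone.
# The token issuer should appear beside the Windows provider; if it does not, the change
# was not saved and users will never be redirected to the identity router.
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$webApp = Get-SPWebApplication -Identity $webAppUrl
$webApp.IisSettings[$zone].ClaimsAuthenticationProviders |
    Select-Object DisplayName, ClaimProviderName
```

Because the provider list is replaced wholesale, run the read-back on every zone you changed and keep its output with the change record; losing the Windows provider from the Default zone locks administrators out of Central Administration-managed sites until it is restored.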