Adventures in Single-Sign-On: SharePoint Login Via Office 365
If you are still working with on-premise SharePoint 2010/2013 or you application only supports SAML 1.1 but you’d like to leverage your new and shiny Office 365 accounts for single-sign-on, you can achieve this relatively painlessly by using Windows Azure ACS as a federation provider (FP). It’s possible to use Office 365 (Azure AD) directly as your identity provider (IdP), but for SharePoint 2010, this involves writing custom code since SharePoint 2010 can’t consume SAML 2.0 tokens without custom code (only SAML 1.1 via configuration).
The overall flow for the scenario is diagrammed below:
In this scenario, the trust relationship from SharePoint is only to the FP (Azure ACS) which acts as a proxy for the trust to the IdP (Azure AD). Azure AD contains the actual credentials, but we proxy those credentials through ACS to take advantage of the SAML 2.0 -> SAML 1.1 translation without writing code (otherwise, it would be possible to directly establish trust to Azure AD or through AD FS). When the user accesses a protected resource in SharePoint, the user is redirected first to the FP which then redirects to the IdP and proxies that response via a series of redirects to the relying party (RP), SharePoint.
The first step is to create an Azure ACS namespace. You’ll need your ACS namespace URL, which should look like: https://{NAMESPACE}.accesscontrol.windows.net
Next, in Azure AD, create a new application which will allow your ACS to use Azure AD as an IdP. On the APPLICATIONS tab, click ADD at the bottom to add a new application. Enter a descriptive name for the application (note: you may want a more “friendly” name — see last picture):
Then enter the following for the SIGN-ON URL and APP ID URI:
Before leaving the Azure Portal, click on the VIEW ENDPOINTS button at the bottom of the dashboard and copy the URL for the FEDERATION METADATA DOCUMENT:
Now hop back over to Azure ACS management and add a new identity provider. Select WS-Federation identity provider and on the next screen enter a descriptive name and paste the URL into the field:
Once you’ve set up the IdP, the next step is to set up the relying party (RP). The key is to get the following settings correct:
In this example, I’m just using my local development environment as an example, but you must specify the _trust URL and explicitly select SAML 1.1 from the Token format dropdown. Additionally, uncheck Windows Live ID under Identity providers so that only the one configured previously remains checked.
Finally, on this screen, you will need to specify a certificate to use for signing. Under Token singing, select Use a dedicated certificate and then either use an existing valid X.509 certificate or create one for testing purposes.
Create the certificate using the following command:
1 |
MakeCert.exe -r -pe -n "CN={ACS_NAMESPACE}.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 06/01/2017 |
You will need to export the certificate from the certificate store with the private key. So WIN+R and type in mmc.exe. From the MMC, click File and then Add or Remove Snap-ins. Select the Certificates snap-in and click OK. Locate the certificate and export it with the private key. While you’re here, export it again without the private key; you will need this certificate when setting up the authentication provider in SharePoint.
Back in the ACS management app, upload the first certificate that was exported and enter the password. An important note is that ACS will always append a “/” after your realm; we will need to make sure what when we register the authentication provider, we include this in the login URL.
Before leaving the ACS management app for good, we need to update the rule group to pass through the claims. On the left hand side, click on Rule groups and select the default rule group created for our RP. Now click Generate to create the default rule set.
One thing I discovered through trial and error (mostly error) is that Azure AD does not seem to be providing a value for the emailaddress claim which we will be using later (you don’t technically have to use this as the identifying claim, but I did in SharePoint before discovering that this causes an error). So we’ll remap the “name” claim to “emailaddress”. Click on the name claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) and select the emailaddress claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) as the output claim type.
Now back in the SharePoint environment, we’ll now use the certificate exported without the private key to create a new trusted root authority for SharePoint and create and register the identity provider. Fire up a management shell and enter the following commands:
1 2 3 4 5 6 |
$certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\cert-no-private-key.cer") new-sptrustedrootauthority -name "ACS Token Signing Certificate" -Certificate $certificate $cm0 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming $loginUrl = "https://{ACSNAMESPACE}.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=https://sso.dev.local/&redirect=false" $realm = "https://sso.dev.local/" $issuer = New-SPTrustedIdentityTokenIssuer -Name "ACS" -Description "ACS" -Realm $realm -ImportTrustCertificate $certificate -ClaimsMappings $cm0 -SignInUrl $loginUrl -IdentifierClaim $cm0.InputClaimType |
And finally, from SharePoint Central Admin, we can now add the “ACS” authentication provider:
The name that we gave earlier to the application in Azure AD can now also be configured to display in the app drawer of Office 365: