Creating an ADFS2.0 TrustedIdentityTokenIssuer using PowerShell in SharePoint 2013


Sathish Nadarajan
SharePoint MVP
Published On :   01 Oct 2013



In this article, let us see, how to create an ADFS 2.0 Trusted Identity Token Issuer (SPTrustedIdentityTokenIssuer) using PowerShell in SharePoint 2013.

In many scenarios we require claims-based authentication for our web application, and that can be provided by an external identity provider such as AD FS 2.0. We have already discussed the installation and configuration of AD FS in enough detail; hence this article, as part of the series of PowerShell scripts, focuses only on the PowerShell portion.

The steps are as follows.

a. Add the AD FS token-signing certificate to SharePoint's trusted root authorities.

b. Create the Claims mappings.

c. Create a variable for the realms.

d. Create a Signin URL

e. Create the New-SPTrustedIdentityTokenIssuer

And the script is as follows.

cls

Add-PSSnapin "Microsoft.SharePoint.PowerShell"

# Add the AD FS token-signing certificate to SharePoint's trusted root authorities
# (this is SharePoint's own trust store, not the Windows certificate store)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\ADFSCert.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert ADFSAuthenticatedSite" -Certificate $cert

# Create the claims mappings; -SameAsIncoming keeps the incoming claim type unchanged in SharePoint
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Create a realm variable; this must match the relying party identifier configured in AD FS
$realm = "urn:sharepoint:sathishserver.ss.loc:20003"

# Create a sign-in URL (the AD FS passive sign-in endpoint)
$signInURL = "https://Win2008R2/adfs/ls"

# Create the TrustedIdentityTokenIssuer
$ap1 = New-SPTrustedIdentityTokenIssuer -Name "XYZ" -Description "Test" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType

· The "Name" attribute is the name under which a web application is configured to use this authentication provider.

· The "Realm" attribute defines the realm used by the trusted identity token issuer; it must match the relying party identifier configured for this SharePoint web application in AD FS.

· The "ImportTrustCertificate" attribute receives the token-signing certificate that was exported from the AD FS server in this scenario.

· The "ClaimsMappings" attribute lists the claims that the trusted identity token issuer will accept and map.

· The "SignInUrl" is the URL users are redirected to in order to authenticate with the IP-STS. In this scenario users authenticate with the AD FS server by using Windows integrated security, so they are redirected to the /adfs/ls endpoint.

· The "IdentifierClaim" attribute instructs SharePoint Server which of the mapped claims is used to identify users. In this scenario the e-mail address is used to identify a user.
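As an added example (not part of the original script), the following PowerShell verifies the pieces that most often go wrong after the issuer has been created: that the imported certificate really is the AD FS token-signing certificate and is not close to expiry, that any issuing CA in its chain has also been registered as a trusted root authority (SharePoint validates the whole chain, so a CA-issued token-signing certificate needs its CA certificates registered too), that the identifier claim is among the mapped claim types, and finally how the issuer is attached to a web application zone. The issuer name "XYZ" and certificate path come from the script above; the web application URL and the choice of the Default zone are assumptions.

```powershell
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

# Assumed values: the issuer name and certificate path used in the script above,
# and a web application URL chosen for this example.
$issuerName = "XYZ"
$certPath   = "C:\Certs\ADFSCert.cer"
$webAppUrl  = "https://sathishserver.ss.loc:20003"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 1. Certificate sanity: when AD FS rolls its token-signing certificate over,
#    every token is rejected by SharePoint until the new one is registered here,
#    so warn well ahead of the expiry date.
Write-Host ("Subject   : " + $cert.Subject)
Write-Host ("Issuer    : " + $cert.Issuer)
Write-Host ("Thumbprint: " + $cert.Thumbprint)
Write-Host ("Expires   : " + $cert.NotAfter)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires within 30 days; plan the rollover."
}

# 2. Chain check: a self-signed AD FS certificate (Subject equals Issuer) needs nothing
#    more, but a CA-issued one requires each certificate in its chain to be registered
#    with New-SPTrustedRootAuthority as well.
$trustedThumbprints = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
if ($cert.Subject -ne $cert.Issuer) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        if ($trustedThumbprints -notcontains $element.Certificate.Thumbprint) {
            Write-Warning ("Chain certificate not registered as SPTrustedRootAuthority: " + $element.Certificate.Subject)
        }
    }
}

# 3. Issuer check: the registered signing certificate must match the exported file,
#    and the identifier claim must be one of the mapped claim types.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Issuer signing certificate does not match the exported AD FS certificate."
}
$mappedClaims = $issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
$idClaim = $issuer.IdentityClaimTypeInformation.InputClaimType
Write-Host ("Identifier claim: " + $idClaim)
if ($mappedClaims -notcontains $idClaim) {
    Write-Warning "Identifier claim is not among the mapped claim types."
}
# The realm(s) listed here must match the relying party identifier configured in AD FS.
Write-Host ("Realm(s): " + ($issuer.ProviderRealms.Values -join ", "))

# 4. Attach the issuer to the Default zone of the web application, keeping Windows
#    authentication alongside it (assumption: both providers are wanted on that zone).
$webApp  = Get-SPWebApplication $webAppUrl
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$adfs    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webApp -Zone "Default" -AuthenticationProvider $winAuth, $adfs
```

Run this from the SharePoint Management Shell on a farm server after the script above. Keeping Windows authentication on the zone is deliberate: if the AD FS trust is misconfigured (wrong realm, wrong certificate, missing chain), an administrator can still sign in with Windows credentials to repair it instead of being locked out.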

 

This looks very simple, but when something goes wrong it can consume a great deal of time. Hence I request you to follow the steps in order; a mistake made here is hard to diagnose and hard to revert.

 

Happy coding.
