Wednesday, January 5, 2011

Claims Based Authentication using ADFS 2.0

SharePoint 2010 has made available a very useful type of authentication called Claims based Authentication. You can have a custom identity provider and make your web application use that identity provider in the places of default Windows Authentication. You can also make it use multiple authentication providers. Following are the steps to be followed for configuring a SharePoint 2010 web application to use Claims Based Authentication.
I will use ADFS 2.0 to authenticate users in my domain instead of Windows Authentication. 

Install and Configure ADFS 2.0

  1. Install ADFS 2.0 on the server which can authenticate the users.
  2. Run the ADFS configuration wizard.
  3. Select create new federation server if you are using this for testing or else select the appropriate option.
  4. If you plan to use more than one ADFS select New Federation Server Farm else select Stand Alone Server. Click Next
  5. The wizard automatically picks up a certificate. If it show any error. Go to IIS manager and create a certificate with Fully Qualified Domain Name (FQDN) and run the wizard again.
  6. Give the credentials for the service account and click next.

Create relying party trust.

  1. Open the ADFS 2.0 management console and expand on Trust Relations
  2. Select Relying Party Trust
  3. Click on Add Relying Party trust.
  4. Select enter data about relying party manually.
6. Select ADFS 2.0 profile and click next.
7. Selecting a certificate for encryption is optional. Click next.
8. Select Enable support for WS-Federation Passive Protocol. Give the url of your web application with /_trust/ at the end
Example (https://servername:port/_trust/)
Note: Do not forget to give the slash “/” at the end after trust (/_trust/)
              9. Click next

  1. Do not add any identifiers. Click next.
  2. Select permit all users to access this relying party. Click next.
  3. Verify the configuration and click next at the following screen.
  4. Leave the check box “Open the edit claim rules dialog…” and click on Close.
  5. Then click on Add rules.
     15. Select the claim rule template as “Send LDAP attributes as claims” 
     16. Give a name for the claim rule. Select Active Directory as attribute store. 
    Click on the dropdown and select SAM Account Name in the LDAP attribute 
    Select E-Mail address as the outgoing claim type. 
    In the next row select Token Groups – Unqualified Names as LDAP attribute 
    Select Role as the outgoing claim type.

    Export Certificate

    1. Open ADFS 2.0 management console.
    2. Expand Service and select Certificates.
    3. Right click on Token Signing Certificate and select view certificate.
    4. In the Certificate windows select Details tab and click on copy to file.

    1. In the Certificate Export wizard click next.
    2. Select DER encoded binary X.509 and click next.
    3. Give a location where you want to save the exported certificate.
    4. Click on finish.
    5. Copy this certificate to the server where the SharePoint server is installed.
    6. Central Admin-> Security -> Manage Trust and click New
    7. Upload the token signing certificate which you copied from the ADFS server.

      Configure a Claims-based Web application

      The configuration of a claims-based SharePoint web application can be achieved using Windows PowerShell. The steps to be followed are as follows

      1. From the Windows Power Shell command prompt (PS C:\>), create an x509Certificate2 object using the following code:
      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("path to cert file")
      1. Create a claim type mapping to use in your trusted authentication provider using the following code
      New-SPClaimTypeMapping ""-IncomingClaimTypeDisplayName "EmailAddress" –SameAsIncoming
      1. Create a trusted login provider by first creating a value for the realm parameter using the following code
      $realm = "https://serevrname:port/_trust/"
      1. Create a value for the signinurl parameter that points to the Security Token Service Web application using the following code
      $signinurl = "https://sysname/adfs/ls/”
      1. Create the trusted login provider, using the same IdentifierClaim value as in a claim mapping ($map1.InputClaimType) using the following code.
      $ap = New-SPTrustedIdentityTokenIssuer –Name "ClaimsProvider" -Description "My Custom Identity Provider" –Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1[,$map2..] –SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
      This completes the process of configuring SharePoint application with Claims based authentication

      Change the authentication for the SharePoint application

      1. Go to Central Administration and go to Manage Web Applications page in Application management.

      2. Select the Web application for which you want to enable Claims based authentication. This should be running in the port number you specified while configuring the identity provider and the relying party.
      3. Click on the Authentication Providers and click on the Claims Based Authentication.
        4. In the dialog box, scroll the authentication providers and select Trusted Identity Providers. 
        5. That will enable the ClaimsProvider which we have created in the earlier step.
        1. Select the provider and click Ok.
        2. Create a site collection in the web application.
        3. To add the site collection administrator, click on the People picker and type the complete the email address of the user.
        4. Now you should be able select the authentication provider from Windows Authentication and ClaimsProvider when you browse the site.
        5. You can remove Windows authentication from the Authentication Providers if you don’t need it. 

That completes the process of enabling Claims Authentication for SharePoint sites.


  1. brilliant post naveed :)

  2. Hi, when using claims like this, is there anyway to have user profiles created and the email claim value properly used in that profile so that email notifications will properly work in SharePoint?

  3. This comment has been removed by the author.

  4. Hello Naveed,

    One question if I may. I have configured ADFS Relying party as you have outlined in your blog as well the shell commands. All seems to be working when visiting the SharePoint site, I am redirected to ADFS for authentication then passed back to SharePoint, however I am getting an "Error Access Denied" message. I am the "owner" of the site so I already have permission, the issue seems to be with the email address. The message also indicates "You are currently signed in as:

    So.. we know that the Email Address claim is being passed to SharePoint however SharePoint does not seem to be consuming the email address as an accepted username. Am I missing something? Or do we need to pass the Attribute UPN to SharePoint as a Claim.

    Thank you in advance for your time.