Sharepoint 2013 Claims-Based Authentication with SSO and SAML

    Question

  • We are attempting to route SharePoint claims-based authentication through our internal SSO IDP which uses a proprietary Tivoli-based LDAP as its authentication authority. Currently, after logging in using the IDP-Initiated login URL, the user is being redirected back to SharePoint but apparently without credentials, as the forms-based login screen is presented. Here are the steps I have used to configure SharePoint for SAML:

    1. Registered the SharePoint server in our SSO self-serve system. The following information was provided to the system:

      Target application URL (for redirection after successful login): https://sharepointserver.company.com/PWA/_layouts/15/Authenticate.aspx?Source=%2Fpwa

      We need additional guidance on what should be entered for Entity ID and ACS URL. We tried, during testing, to specify the ACS URL as either the original FBA login page URL or the destination page (PWA). Both yielded the same result.

    2. Copied the X.509 certificate node data from the IDP's metadata XML file and saved it to a file with .CER extension


    3. Using PowerShell, loaded the certificate into an Object:

          # Load the IDP signing certificate exported from its metadata
          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certificate.cer")


    4. Installed the certificate as a Trusted Root Authority:

          New-SPTrustedRootAuthority -Name "IBM w3ID SSO Certificate" -Certificate $cert


    5. Set up the attribute/claim mappings between SSO IDP and Sharepoint:

          $fname = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming

          $lname = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "Surname" -SameAsIncoming

          $email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

          $upn = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

          $role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming


    6. Created SSO IDP option in SharePoint:

          # Backticks continue the command across lines; $upn.InputClaimType is the identifier claim
          New-SPTrustedIdentityTokenIssuer `
              -Name "Test SSO" `
              -Description "SSO IDP" `
              -Realm "urn:sharepoint:Test Project Server" `
              -SignInUrl "https://SSOServer/auth/sps/samlidp/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://sharepointserver.company.com&NameIdFormat=email&Target=https://sharepointserver.company.com/pwa" `
              -ImportTrustCertificate $cert `
              -ClaimsMappings $fname,$lname,$email,$upn,$role `
              -IdentifierClaim $upn.InputClaimType

    7. Configured SharePoint to use the new SSO IDP option (via Central Administration).

    As mentioned above, upon accessing our Project Server PWA site, an unauthenticated user must select an authentication type (either Windows domain or SSO). Upon selecting SSO, he is automatically re-directed to the IDP where an ID and password are entered. Upon clicking Submit, re-direction back to PWA is unsuccessful and the original page requesting login type (domain or SSO) is displayed again.

    • Edited by JGregoryAZ Monday, April 24, 2017 11:05 PM
    Monday, April 24, 2017 11:01 PM

All replies

  • Hi JGregory,

    Thank you for your question.

    We are currently looking into this issue and will give you an update as soon as possible.

    Thank you for your understanding and support.

    Have a nice day!

    Best regards,

    Grace Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 28, 2017 12:43 PM
  • Hi JGregory,

    Are you using ADFS as your federation server? Please provide screenshots of your configuration in the federation settings.

    Besides, use Fiddler to capture the SSO login process, and provide the result for further analysis.

    Best regards,

    Grace Wang


    Monday, May 01, 2017 10:40 AM
  • Thank you for the quick response.

    We have been coordinating a security exception on our end in order to capture SharePoint / SSO traffic with Fiddler. To answer your question, we have not implemented ADFS. The SharePoint server is part of a Windows 2012 AD domain. None of our users have accounts in Active Directory. Authentication / authorization is handled by our internal LDAP server, coordinated by the SSO IDP.

    I have captured traffic for the SharePoint login process. Here are the details:

    NOTE: SharePoint and SSO servers have been renamed for the sake of anonymity (MSPROJECTSERVER and SAMLIDP respectively).

    | # | Result | Protocol | Host | URL | Body | Caching | Content-Type | Process |
    |---|---|---|---|---|---|---|---|---|
    | 1 | 200 | HTTP | Tunnel to | MSPROJECTSERVER:443 | 0 | | | iexplore:57736 |
    | 2 | 302 | HTTPS | MSPROJECTSERVER | /PWA/ | 201 | | | iexplore:57736 |
    | 3 | 302 | HTTPS | MSPROJECTSERVER | /PWA/_layouts/15/Authenticate.aspx?Source=%2FPWA%2F | 236 | private | text/plain; charset=utf-8 | iexplore:57736 |
    | 4 | 200 | HTTPS | MSPROJECTSERVER | /_login/default.aspx?ReturnUrl=%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F&Source=%2FPWA%2F | 4341 | private, no-store | text/html; charset=utf-8 | iexplore:57736 |
    | 5 | 302 | HTTPS | MSPROJECTSERVER | /_login/default.aspx?ReturnUrl=%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F&Source=%2FPWA%2F | 257 | private, no-store | text/html; charset=utf-8 | iexplore:57736 |
    | 6 | 302 | HTTPS | MSPROJECTSERVER | /_trust/default.aspx?trust=SSOProvider&ReturnUrl=%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F&Source=%2FPWA%2F | 544 | private, no-store | text/html; charset=utf-8 | iexplore:57736 |
    | 7 | 200 | HTTP | Tunnel to | SAMLIDP:443 | 0 | | | iexplore:57736 |
    | 8 | 200 | HTTPS | SAMLIDP | /auth/sps/samlidp/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://MSPROJECTSERVER&NameIdFormat=email&Target=https://MSPROJECTSERVER/PWA/_layouts/15/Authenticate.aspx?Source=%2Fpwa?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aEVMPMOMOPS&wctx=https%3a%2f%2fMSPROJECTSERVER%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F | 2473 | no-cache | text/html | iexplore:57736 |
    | 9 | 302 | HTTPS | SAMLIDP | /pkmslogin.form?token=Unknown | 2205 | no-cache | text/html | iexplore:57736 |
    | 10 | 200 | HTTPS | SAMLIDP | /auth/sps/samlidp/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://MSPROJECTSERVER&NameIdFormat=email&Target=https://MSPROJECTSERVER/PWA/_layouts/15/Authenticate.aspx?Source=%2Fpwa?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aEVMPMOMOPS&wctx=https%3a%2f%2fMSPROJECTSERVER%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F | 2464 | no-cache | text/html | iexplore:57736 |
    | 11 | 200 | HTTPS | SAMLIDP | /mga/sps/ac/js/info.js | 5639 | no-cache="set-cookie, set-cookie2"; Expires: Thu, 01 Dec 1994 16:00:00 GMT | text/javascript;charset=UTF-8 | iexplore:57736 |
    | 12 | 200 | HTTPS | SAMLIDP | /mga/sps/ac/ | 36 | no-cache="set-cookie, set-cookie2"; Expires: Thu, 01 Dec 1994 16:00:00 GMT | text/plain;charset=UTF-8 | iexplore:57736 |
    | 13 | 200 | HTTP | Tunnel to | SAMLIDP:443 | 0 | | | iexplore:57736 |
    | 14 | 200 | HTTPS | SAMLIDP | /static/img/loader.s8.gif | 21737 | max-age=604800, must-revalidate | image/gif | iexplore:57736 |
    | 15 | 302 | HTTPS | SAMLIDP | /cloud/idp/eai/SimpleEAIServlet/SAML2/default?Target=https%3A%2F%2FSAMLIDP%3A443%2Fauth%2Fsps%2Fsamlidp%2Fsaml20%2Flogininitial%3FRequestBinding%3DHTTPPost%26PartnerId%3Dhttps%3A%2F%2FMSPROJECTSERVER%26NameIdFormat%3Demail%26Target%3Dhttps%3A%2F%2FMSPROJECTSERVER%2FPWA%2F_layouts%2F15%2FAuthenticate.aspx%3FSource%3D%2Fpwa%3Fwa%3Dwsignin1.0%26wtrealm%3Durn%3Asharepoint%3AEVMPMOMOPS%26wctx%3Dhttps%3A%2F%2FMSPROJECTSERVER%2FPWA%2F_layouts%2F15%2FAuthenticate.aspx%3FSource%3D%252FPWA%252F | 0 | | | iexplore:57736 |
    | 16 | 302 | HTTPS | SAMLIDP | /mga/sps/authsvc?TransactionId=a1cde5ae-8a3e-43a0-add4-f7fafbab266a | 2358 | no-cache | text/html | iexplore:57736 |
    | 17 | 302 | HTTPS | SAMLIDP | /cloud/idp/eai/SimpleEAIServlet/SAML2/default?Target=https%3A%2F%2FSAMLIDP%3A443%2Fauth%2Fsps%2Fsamlidp%2Fsaml20%2Flogininitial%3FRequestBinding%3DHTTPPost%26PartnerId%3Dhttps%3A%2F%2FMSPROJECTSERVER%26NameIdFormat%3Demail%26Target%3Dhttps%3A%2F%2FMSPROJECTSERVER%2FPWA%2F_layouts%2F15%2FAuthenticate.aspx%3FSource%3D%2Fpwa%3Fwa%3Dwsignin1.0%26wtrealm%3Durn%3Asharepoint%3AEVMPMOMOPS%26wctx%3Dhttps%3A%2F%2FMSPROJECTSERVER%2FPWA%2F_layouts%2F15%2FAuthenticate.aspx%3FSource%3D%252FPWA%252F | 146 | | text/html;charset=ISO-8859-1 | iexplore:57736 |
    | 18 | 200 | HTTPS | SAMLIDP | /auth/sps/samlidp/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://MSPROJECTSERVER&NameIdFormat=email&Target=https://MSPROJECTSERVER/PWA/_layouts/15/Authenticate.aspx?Source=/pwa?wa=wsignin1.0&wtrealm=urn:sharepoint:EVMPMOMOPS&wctx=https://MSPROJECTSERVER/PWA/_layouts/15/Authenticate.aspx?Source=/PWA/ | 10152 | no-cache, no-store; Expires: Thu, 01 Dec 1994 16:00:00 GMT | text/html;charset=UTF-8 | iexplore:57736 |
    | 21 | 302 | HTTPS | MSPROJECTSERVER | /PWA/_layouts/15/Authenticate.aspx?Source=%2Fpwa | 228 | private | text/plain; charset=utf-8 | iexplore:57736 |
    | 22 | 200 | HTTPS | MSPROJECTSERVER | /_login/default.aspx?ReturnUrl=%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252Fpwa&Source=%2Fpwa | 4340 | private, no-store | text/html; charset=utf-8 | iexplore:57736 |

    Rather than post raw data for each transaction, please let me know which of these items (by number) you need to see details for, and I will respond accordingly. Also please specify what format you would prefer (e.g. TextView, WebView, Raw, JSON, XML, etc.).

    Thank you!


    • Edited by JGregoryAZ Thursday, May 04, 2017 3:16 PM
    Thursday, May 04, 2017 3:14 PM
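The capture above can be read mechanically. SharePoint 2013 trusted identity providers speak the WS-Federation passive profile: `/_trust/` redirects the browser to the configured SignInUrl with `?wa=wsignin1.0&wtrealm=...&wctx=...` appended, and expects the provider to POST the resulting token back to `/_trust/`, which is what sets the FedAuth cookie. In the capture, the SignInUrl from step 6 already carries its own query string, so in session 8 the appended parameters land after a second `?` inside the IDP's `Target` value, and no request to `/_trust/` follows the IDP leg before the browser is back at `/_login/default.aspx` (sessions 21 and 22). The script below is an added example, not code from this thread or from SharePoint: it replays a Fiddler session list, flags the merged `wa` parameter, and reports whether a token ever came back. `CAPTURE` is a constructed subset of the posted rows (same anonymized hosts and URLs); `HEALTHY`, with `sp.example`, `idp.example` and a `/wsfed` path, is a hypothetical working flow included for contrast.

```python
"""Replay a SharePoint 2013 trusted-provider sign-in from a Fiddler capture
and report where the WS-Federation passive flow breaks.  Added example,
not code from the thread."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    """One Fiddler row: session number, HTTP result, host, path+query."""
    num: int
    result: int
    host: str
    url: str


def ws_fed_params(url: str) -> dict:
    """Find the WS-Fed parameters SharePoint appends to the SignInUrl
    (wa=wsignin1.0, wtrealm, wctx).  If the SignInUrl already carried a
    query string, the appended '?wa=...' is not a parameter of its own:
    it ends up inside the value of the last pre-existing parameter."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    info = {"wa_standalone": False, "wa_merged_into": None,
            "wtrealm": qs.get("wtrealm", [None])[0]}
    for key, values in qs.items():
        for value in values:
            if key == "wa" and value == "wsignin1.0":
                info["wa_standalone"] = True
            elif "wa=wsignin1.0" in value:
                info["wa_merged_into"] = key
    return info


def analyze(sessions: list, sp_host: str) -> dict:
    """Healthy flow: SharePoint 302s to /_trust/, which 302s to the IdP with
    the WS-Fed parameters; the IdP's form POSTs the token back to /_trust/,
    which sets FedAuth and redirects into the site.  Fiddler's summary view
    has no method column, so a hit on /_trust/ after the IdP leg stands in
    for the token POST."""
    f = {"trust_redirect": None, "signin_request": None,
         "wa_standalone": False, "wa_merged_into": None, "wtrealm": None,
         "token_returned": False, "loop": False}
    for s in sessions:
        path = urlsplit(s.url).path.lower()
        if s.host == sp_host and path.startswith("/_trust/"):
            if f["signin_request"] is None:
                f["trust_redirect"] = f["trust_redirect"] or s.num
            else:
                f["token_returned"] = True
        elif s.host != sp_host and f["signin_request"] is None:
            p = ws_fed_params(s.url)
            if p["wa_standalone"] or p["wa_merged_into"]:
                f["signin_request"] = s.num
                f.update(p)
    if sessions:
        last = sessions[-1]
        back_at_login = (last.host == sp_host and
                         urlsplit(last.url).path.lower().startswith("/_login/"))
        f["loop"] = bool(back_at_login and f["signin_request"] is not None
                         and not f["token_returned"])
    return f


def report(f: dict) -> list:
    """Findings as plain sentences."""
    if f["signin_request"] is None:
        return ["no WS-Federation sign-in request to the IdP was seen"]
    out = [f"WS-Fed sign-in issued in session {f['signin_request']} "
           f"for realm {f['wtrealm']}"]
    if f["wa_merged_into"]:
        out.append(f"wa=wsignin1.0 was swallowed into the IdP's "
                   f"'{f['wa_merged_into']}' parameter: the configured "
                   "SignInUrl already had a query string")
    if not f["token_returned"]:
        out.append("no token came back to /_trust/, so no FedAuth cookie "
                   "could be issued")
    if f["loop"]:
        out.append("browser ended on /_login/default.aspx: sign-in loop")
    return out


# Constructed subset of the capture posted above (same hosts and URLs).
CAPTURE = [
    Session(2, 302, "MSPROJECTSERVER", "/PWA/"),
    Session(6, 302, "MSPROJECTSERVER", "/_trust/default.aspx?trust=SSOProvider&ReturnUrl=%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F&Source=%2FPWA%2F"),
    Session(8, 200, "SAMLIDP", "/auth/sps/samlidp/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://MSPROJECTSERVER&NameIdFormat=email&Target=https://MSPROJECTSERVER/PWA/_layouts/15/Authenticate.aspx?Source=%2Fpwa?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aEVMPMOMOPS&wctx=https%3a%2f%2fMSPROJECTSERVER%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPWA%252F"),
    Session(21, 302, "MSPROJECTSERVER", "/PWA/_layouts/15/Authenticate.aspx?Source=%2Fpwa"),
    Session(22, 200, "MSPROJECTSERVER", "/_login/default.aspx?ReturnUrl=%2fPWA%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252Fpwa&Source=%2Fpwa"),
]

# Hypothetical healthy flow (hosts and the /wsfed path are made up) for contrast.
HEALTHY = [
    Session(1, 302, "sp.example", "/_trust/default.aspx?trust=IdP&ReturnUrl=%2fPWA%2f"),
    Session(2, 200, "idp.example", "/wsfed?wa=wsignin1.0&wtrealm=urn%3asharepoint%3apwa&wctx=https%3a%2f%2fsp.example%2fPWA%2f"),
    Session(3, 302, "sp.example", "/_trust/default.aspx"),  # the token POST
    Session(4, 200, "sp.example", "/PWA/"),
]

if __name__ == "__main__":
    for line in report(analyze(CAPTURE, "MSPROJECTSERVER")):
        print("-", line)
```

Run it as a plain script and it prints the four findings for the posted capture; feed it the full Fiddler export (session number, result, host, URL) and compare with `HEALTHY`, which yields a standalone `wa`, a return to `/_trust/` and no loop. The check is deliberately conservative: without the HTTP method it can only say that nothing came back to `/_trust/`, not why.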
  • So is it Microsoft's official position that SharePoint does not support third-party IDPs using SAML out of the box? All documentation I have been able to find to date would indicate that ADFS must be used as the intermediary. Surely, it must be possible to develop a custom proxy that would allow direct communication between SharePoint and a 3rd-party IDP.
    Monday, May 15, 2017 6:20 PM