Tag: Custom Claims Provider

SharePoint 2013 Custom Claims Provider, ADFS, Identity Trust STS – SPTrustedIdentityTokenIssuer

Enabling Federation in a SharePoint Application with AD FS 3.0 as the STS

Below are the activities that need to be done on the SharePoint server to register a new identity provider. [This assumes the relying party trust, realm and the rest of the AD FS configuration are already in place.]

List all existing SPTrustedIdentityTokenIssuer objects

Get-SPTrustedIdentityTokenIssuer

Create a New Trusted Identity Token Issuer [New-SPTrustedIdentityTokenIssuer]

$realm = "urn:realmname:adfs"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\software\certs\DevADFSTokensigningcert.cer")
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upi" -IncomingClaimTypeDisplayName "UPI" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://www.tempuri.org/claim/lotusgroup" -IncomingClaimTypeDisplayName "LotusGroup" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://www.tempuri.org/claim/ouiunit" -IncomingClaimTypeDisplayName "OUI Unit" -SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name "adfsdev" -Description "adfsdev" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map, $map2, $map3, $map4 -SignInUrl "https://contoso.org/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

The above script does not create a new STS; it registers AD FS as a trusted identity token issuer, i.e. a trust relationship between SharePoint and the external STS. The token-signing certificate imported here is the trust anchor: SharePoint accepts any SAML token signed by it, so verify its thumbprint against the value published by the AD FS administrators rather than trusting whatever file happens to be on disk, and re-register the trust when AD FS rolls its token-signing certificate. The -IdentifierClaim is the claim SharePoint uses as the user's identity, so it must be a claim AD FS issues for every user and that is unique per user.

To add additional provider realms, for cases where different web application URLs are registered with AD FS under different relying party identifiers (SharePoint picks the realm whose URI matches the request):

$ap1 = Get-SPTrustedIdentityTokenIssuer -Identity "adfsdev"
$uri = new-object System.Uri("https://web2.contoso.org")
$ap1.ProviderRealms.Add($uri, "urn:realmname2:adfs2")
$ap1.Update()

Enable the web application to use claims-based authentication

$setcba = Get-SPWebApplication "http://contosot:1001"
$setcba.UseClaimsAuthentication = $true
$setcba.Update()

SharePoint 2013 creates web applications in claims mode by default, so this is usually already set. For a web application that was created in classic mode, use Convert-SPWebApplication instead of only flipping this flag, otherwise existing user accounts and permissions are not migrated.

Go to Central Admin > Manage Web Applications > Select a web application > Click on Authentication Providers


Click on the zone (Intranet in the example) > Un-check Windows Authentication > Select the trusted identity provider. The search crawler cannot authenticate through a trusted identity provider, so keep Windows authentication enabled on at least one zone that the crawler uses.

Now the SharePoint web application authenticates users through AD FS.
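The whole procedure above can be scripted end to end, with the checks the manual steps skip. The following is an added example, not code from the original post: it verifies the token-signing certificate before trusting it, creates the trust only if it does not already exist, binds it to the Default zone with Set-SPWebApplication (the PowerShell equivalent of the Central Admin clicks) and then reads back what the zone actually ended up with. The trust name, realm, URLs, file path and $expectedThumbprint are placeholders to replace with your own values; the property names used for verification (IisSettings, ClaimsAuthenticationProviders) are the SharePoint object-model names as I know them.

```powershell
# Added example: register AD FS as a trusted identity token issuer and bind it to a
# web application zone from PowerShell, with verification. All values are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$trustName          = "adfsdev"
$realm              = "urn:realmname:adfs"
$signInUrl          = "https://contoso.org/adfs/ls"
$certPath           = "D:\software\certs\DevADFSTokensigningcert.cer"
$expectedThumbprint = "0000000000000000000000000000000000000000"   # placeholder: obtain from the AD FS admins out of band
$webAppUrl          = "http://contosot:1001"
$identifierClaim    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. Load and verify the token-signing certificate before trusting it.
#    Whoever holds the matching private key can mint tokens SharePoint will accept.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Token-signing certificate thumbprint $($cert.Thumbprint) does not match the expected value; refusing to create the trust."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires on $($cert.NotAfter); plan the AD FS certificate rollover now."
}

# 2. SharePoint validates signing certificates against its own SPTrustedRootAuthority
#    store, not the Windows store. Add the chain (for AD FS's default self-signed
#    token-signing certificate, that is the certificate itself).
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name "$trustName token signing" -Certificate $cert | Out-Null
}

# 3. Create the trust only if it does not already exist, so the script can be re-run.
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $trustName -ErrorAction SilentlyContinue
if (-not $ap) {
    $map = New-SPClaimTypeMapping -IncomingClaimType $identifierClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
    $ap = New-SPTrustedIdentityTokenIssuer -Name $trustName -Description $trustName -Realm $realm `
            -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl $signInUrl -IdentifierClaim $identifierClaim
}

# 4. Bind the trusted provider to the Default zone. This replaces the zone's provider
#    list, i.e. it is "un-check Windows authentication, select the trusted provider".
$wa = Get-SPWebApplication $webAppUrl
if (-not $wa.UseClaimsAuthentication) {
    throw "$webAppUrl is a classic-mode web application; convert it with Convert-SPWebApplication before binding a trusted provider."
}
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $ap

# 5. Read back what the zone actually ended up with instead of assuming.
$wa   = Get-SPWebApplication $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$providers = @($wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName })
"Default zone providers: $($providers -join ', ')"
if ($providers -notcontains $trustName) { throw "Trusted provider $trustName was not bound to the Default zone." }
```

Because step 4 replaces the zone's provider list, run it against the zone users sign in on and leave Windows authentication on a separate zone for the search crawler; the -ImportTrustCertificate check in step 1 is the one step that must never be skipped, since a wrong certificate file turns into a trust for whoever signed it.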

With a trusted identity provider, the People Picker does not resolve or validate names by default: it accepts whatever text is typed and turns it into a claim, so a mistyped name silently grants permission to a non-existent (or wrong) identity. To get real resolution against the directory, a custom claims provider such as LDAPCP has to be installed.

Clear steps to install the custom claims provider are listed here – https://ldapcp.codeplex.com/

How to install LDAPCP

Install and deploy the solution (this automatically activates the "LDAPCP" farm-scoped feature):

Add-SPSolution -LiteralPath "PATH TO WSP FILE"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

At this point the claims provider is inactive; it must be associated with an SPTrustedIdentityTokenIssuer to work:

$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

How to update LDAPCP

Run the Update-SPSolution cmdlet to start a timer job that deploys the update. You can monitor progress on the farm solutions page in Central Administration.

Update-SPSolution -GACDeployment -Identity "LDAPCP.wsp" -LiteralPath "C:\Data\Dev\LDAPCP.wsp"
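Install-SPSolution and Update-SPSolution only queue a timer job, so a script that immediately sets ClaimProviderName on the trust can run before the provider is registered. The following added example (not LDAPCP's own scripts) covers both the install and the update sections above: it deploys or updates the package depending on the farm's current state, waits for the timer job to finish, checks that the provider is actually registered with the farm, and only then binds it to the trust. The WSP path and trust name are placeholders; the provider's display name is assumed to be "LDAPCP".

```powershell
# Added example: deploy or update LDAPCP.wsp, wait for the timer job, then bind the
# provider to a trust and verify. Paths and names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wspPath      = "C:\Data\Dev\LDAPCP.wsp"   # placeholder path
$solutionName = "LDAPCP.wsp"
$providerName = "LDAPCP"                    # assumed display name of the claims provider
$trustName    = "adfsdev"                   # placeholder trust name

function Wait-SPSolutionJob {
    # Poll until the solution's deployment/update timer job is gone, or give up.
    param([string]$Name, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $sol = Get-SPSolution | Where-Object { $_.Name -eq $Name }
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for the $Name timer job." }
    } while ($sol -and $sol.JobExists)
    return $sol
}

# Add + install on first deployment, update if already deployed, install if only added.
$sol = Get-SPSolution | Where-Object { $_.Name -eq $solutionName }
if (-not $sol) {
    Add-SPSolution -LiteralPath $wspPath | Out-Null
    Install-SPSolution -Identity $solutionName -GACDeployment
} elseif ($sol.Deployed) {
    Update-SPSolution -Identity $solutionName -LiteralPath $wspPath -GACDeployment
} else {
    Install-SPSolution -Identity $solutionName -GACDeployment
}

$sol = Wait-SPSolutionJob -Name $solutionName
if (-not $sol.Deployed) { throw "$solutionName is not deployed; check the farm solutions page for the job's error." }
if ("$($sol.LastOperationResult)" -ne "DeploymentSucceeded") {
    Write-Warning "Last operation result for $solutionName : $($sol.LastOperationResult)"
}

# The farm feature's receiver registers the provider; confirm it before using it.
$provider = Get-SPClaimProvider | Where-Object { $_.DisplayName -eq $providerName }
if (-not $provider) { throw "Claims provider $providerName is not registered; the farm feature may not have activated." }

# Bind the provider to the trust (idempotent) and read the result back.
$trust = Get-SPTrustedIdentityTokenIssuer -Identity $trustName
if ($trust.ClaimProviderName -ne $providerName) {
    $trust.ClaimProviderName = $providerName
    $trust.Update()
}
Get-SPTrustedIdentityTokenIssuer -Identity $trustName | Select-Object Name, IdentifierClaim, ClaimProviderName
```

The final Select-Object is worth keeping: the trust's IdentifierClaim is the claim type LDAPCP will be asked to resolve, so if it does not match a claim type configured in LDAPCP, the People Picker will still not resolve anything even though everything "deployed".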

How to remove LDAPCP

For an unknown reason, SharePoint 2013 sometimes does not uninstall the solution correctly: it removes the assembly from the GAC before calling the feature receiver. When this happens the claims provider is not removed, which causes issues when you re-install it.
To uninstall safely, deactivate the farm feature before retracting the solution:

Disable-SPFeature -identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
Remove-SPSolution -Identity "LDAPCP.wsp"

You might need to remove the claim provider too.

Get the list of claim providers

Get-SPClaimProvider

This lists all registered claim providers, including your custom one.

To remove the custom claim provider (use the name shown by Get-SPClaimProvider; "Custom-ClaimPicker" below is the post's own provider, for LDAPCP it is "LDAPCP")

Remove-SPClaimProvider -Identity "Custom-ClaimPicker"

Note: You might get an error stating that the provider is in use. The post's way around it is to turn claims authentication off for the web application, as below. Be aware of what that does: it disables all claims authentication for that web application, not only the custom provider, and SharePoint 2013 does not support converting a claims-based web application back to classic mode, so only use this on a disposable dev web application. Anywhere else, release the provider by clearing ClaimProviderName on the trust(s) that reference it and removing the trusted provider from the zone's authentication providers instead.

$setcba = Get-SPWebApplication "http://contoso:1002"
$setcba.UseClaimsAuthentication = $false
$setcba.Update()

After this, Remove-SPClaimProvider succeeds and the custom claim provider is removed.
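As an added example (not from the original post or from LDAPCP), here is the removal procedure done in the order that avoids both the GAC-before-receiver problem and the "in use" error, without touching the web application's claims mode: detach the provider from every trust that references it, deactivate the farm feature, retract and wait for the retraction job, delete the package, and only then remove any leftover provider registration. Feature, solution and provider names are assumed to be "LDAPCP"/"LDAPCP.wsp"; for your own provider substitute its names as shown by Get-SPClaimProvider.

```powershell
# Added example: remove a custom claims provider safely, without disabling claims
# authentication on the web application. Names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$solutionName = "LDAPCP.wsp"
$featureName  = "LDAPCP"
$providerName = "LDAPCP"   # as listed by Get-SPClaimProvider; "Custom-ClaimPicker" in the post is the author's own

# 1. Detach the provider from every trusted identity token issuer that uses it.
#    This is what "it's in use" refers to; the web application stays in claims mode.
foreach ($trust in Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.ClaimProviderName -eq $providerName }) {
    "Detaching $providerName from trust $($trust.Name)"
    $trust.ClaimProviderName = $null
    $trust.Update()
}

# 2. Deactivate the farm feature first so its receiver runs while the assembly is
#    still in the GAC (the ordering problem described above).
if (Get-SPFeature -Identity $featureName -ErrorAction SilentlyContinue) {
    Disable-SPFeature -Identity $featureName -Confirm:$false -ErrorAction SilentlyContinue
}

# 3. Retract, wait for the retraction timer job, then delete the package.
$sol = Get-SPSolution | Where-Object { $_.Name -eq $solutionName }
if ($sol -and $sol.Deployed) {
    Uninstall-SPSolution -Identity $solutionName -Confirm:$false
    do { Start-Sleep -Seconds 5; $sol = Get-SPSolution | Where-Object { $_.Name -eq $solutionName } } while ($sol.JobExists)
}
if ($sol) { Remove-SPSolution -Identity $solutionName -Confirm:$false }

# 4. If the feature receiver did not unregister the provider, remove it explicitly.
$leftover = Get-SPClaimProvider | Where-Object { $_.DisplayName -eq $providerName }
if ($leftover) { Remove-SPClaimProvider -Identity $leftover -Confirm:$false }

# 5. Confirm the farm is clean and that no web application lost its claims mode.
if (Get-SPClaimProvider | Where-Object { $_.DisplayName -eq $providerName }) { throw "$providerName is still registered." }
Get-SPWebApplication | Select-Object DisplayName, UseClaimsAuthentication
```

Step 1 is the part that replaces the post's UseClaimsAuthentication = 0: the provider is "in use" because a trust names it, not because the web application is in claims mode, so detaching it from the trust is enough. After removal, trusts that pointed at the provider fall back to the default People Picker behaviour (no resolution), which is worth telling site owners about.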