identity provider
This phase has the following procedures:
1. Associate an existing web application with the AD FS identity provider
2. Create a new web application with the AD FS identity provider
Associate an existing web application with the AD FS identity provider
To configure an existing web application to use SAML sign-in, the trusted identity provider in the claims
To configure an existing web application to use the AD FS identity provider
1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
2. In Central Administration, on the home page, click Application Management.
3. On the Application Management page, in the Web Applications section, click Manage web applications.
4. Click the appropriate web application.
5. From the ribbon, click Authentication Providers.
6. Under Zone, click the name of the zone. For example, Default.
7. On the Edit Authentication page in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your SAML provider (<ProviderName> from the New-SPTrustedIdentityTokenIssuer command). Click OK.
8. Next, you must enable SSL for this web application. You can do this by adding an alternate access mapping for the "https://" version of the web application's URL and then configuring the web site in the Internet Information Services (IIS) Manager console for an https binding. For more information about how to set up SSL for IIS, see How to Setup SSL on IIS 7.0.
Create a new web application with the AD FS identity provider
When creating a new web application to use SAML sign-in, you must configure claims authentication for the AD FS trusted identity provider. See Create claims-based web applications in SharePoint 2013 and do the following:
In the Security Configuration section of the New Web Application dialog box, for Use Secure Sockets Layer (SSL), select Yes.
For information about how to set up SSL for IIS, see How to Setup SSL on IIS 7.0.
In the Claims Authentication Types section of the New Web Application dialog box, select Trusted Identity provider, and then click the name of your SAML provider (<ProviderName> from the New-SPTrustedIdentityTokenIssuer command).
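The two procedures above are Central Administration clicks. The following script is an added example, not part of the TechNet article, that checks the result from the SharePoint 2013 Management Shell: that the zone really uses the trusted identity provider, when that provider's signing certificate expires, and that the zone has an https alternate access mapping. $WebAppUrl, $ProviderName and $Zone are placeholder names chosen for this example.

```powershell
# Added example, not part of the TechNet article: verify the AD FS trusted
# identity provider configuration of a web application zone.
$WebAppUrl    = "https://<WebAppHostName>"   # URL of the web application (placeholder)
$ProviderName = "<ProviderName>"             # -Name given to New-SPTrustedIdentityTokenIssuer
$Zone         = "Default"                    # zone edited in step 6 above

$webApp = Get-SPWebApplication $WebAppUrl

# 1. Which authentication providers are enabled on the zone? Anything besides the
#    trusted provider (for example Windows authentication) is a second sign-in path
#    and should be there on purpose, not by accident.
$providers = Get-SPAuthenticationProvider -WebApplication $webApp -Zone $Zone
$providers | Select-Object DisplayName | Format-Table -AutoSize
$trusted = $providers | Where-Object { $_.DisplayName -eq $ProviderName }
if (-not $trusted) {
    throw "Zone '$Zone' of $WebAppUrl does not use trusted identity provider '$ProviderName'"
}

# 2. The token issuer itself: where it sends users to sign in and when its
#    signing certificate expires. An expired AD FS token-signing certificate
#    stops every SAML sign-in, so warn well ahead of the date.
$issuer = Get-SPTrustedIdentityTokenIssuer $ProviderName
"Sign-in URL: {0}" -f $issuer.ProviderUri
$cert = $issuer.SigningCertificate
"Signing certificate: {0} expires {1}" -f $cert.Subject, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires within 30 days; plan the rollover"
}

# 3. SAML tokens are posted back to the web application, so the zone must answer
#    over https (step 8 above). Look for an https incoming URL on this zone.
$https = Get-SPAlternateURL -WebApplication $webApp -Zone $Zone |
         Where-Object { $_.IncomingUrl -like "https://*" }
if (-not $https) {
    throw "No https alternate access mapping on zone '$Zone' of $WebAppUrl"
}
"https mapping present: {0}" -f ($https | Select-Object -First 1).IncomingUrl
```

Run it once after completing either procedure; each throw names the setting that is still missing, so the script doubles as a checklist for the zone.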
Configure server-to-server authentication in SharePoint 2013
Updated: October 16, 2012
Summary: Find resources to help you configure server-to-server authentication for SharePoint 2013.
Applies to: SharePoint Foundation 2013 | SharePoint Server 2013
The following articles on TechNet and related resources provide information about how to configure server-to-server authentication.
TechNet articles about how to configure server-to-server authentication
The following articles about how to configure server-to-server authentication in SharePoint 2013 are available to view online. Writers update articles on a continuing basis as new information becomes available and as users provide feedback.
Content Description
Configure server-to-server authentication between SharePoint 2013 farms
Describes the steps to configure server-to-server authentication between two SharePoint 2013 farms.
Configure server-to-server authentication between SharePoint 2013 and Exchange Server 2013
Describes the steps to configure server-to-server authentication between SharePoint 2013 and Exchange Server 2013.
Configure server-to-server authentication between SharePoint 2013 and Lync Server 2013
Describes the steps to configure server-to-server authentication between SharePoint 2013 and Lync Server 2013.
Configure server-to-server authentication between SharePoint 2013 farms
Published: September 4, 2012
Summary: Learn how to configure server-to-server authentication between SharePoint 2013 farms.
Applies to: SharePoint Server 2013 Standard | SharePoint Server 2013 Enterprise | SharePoint Foundation 2013
The configuration details in this article describe how to configure server-to-server authentication between SharePoint 2013 farms. For background information about server-to-server authentication, see Plan for server-to-server authentication in SharePoint 2013 Preview.
Important:
Web applications that include server-to-server authentication endpoints for incoming server-to-server requests, or that make outgoing server-to-server requests, must be configured to use Secure Sockets Layer (SSL). For information about how to create a web application to use SSL, see Create claims-based web applications in SharePoint 2013.
Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide.
SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:
Plan browser support
Accessibility for SharePoint Products
Accessibility features in SharePoint 2013
Keyboard shortcuts
Touch
Configure a SharePoint 2013 trust relationship with another farm
To service incoming server-to-server requests from another SharePoint 2013 farm, you must configure the SharePoint 2013 farm to trust the sending farm. Use the Windows PowerShell New-SPTrustedSecurityTokenIssuer cmdlet in SharePoint 2013 to configure the trust relationship by specifying the JavaScript Object Notation (JSON) metadata endpoint of the sending farm.
To configure a SharePoint 2013 trust relationship with another farm
1. Verify that you are a member of the Administrators group on the server on which you are running Windows PowerShell cmdlets.
securityadmin fixed server role on the SQL Server instance.
db_owner fixed database role on all databases that are to be updated.
An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.
Note:
If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
2. In the SharePoint 2013 environment on the farm that is receiving server-to-server requests, start the SharePoint 2013 Management Shell.
For Windows Server 2008 R2:
In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.
For Windows Server 2012:
In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.
If SharePoint 2013 Management Shell is not on the Start screen:
Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.
For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.
3. At the Windows PowerShell command prompt, type the following command:
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<HostName>/_layouts/15/metadata/json/1" -IsTrustBroker -Name "<FriendlyName>"
Where:
<HostName> is the name and port of any SSL-enabled web application of the farm that will be sending server-to-server requests.
<FriendlyName> is a friendly name for the sending SharePoint 2013 farm.
4. Repeat step 3 for all SharePoint 2013 farms that will be sending server-to-server requests.
Note:
For more information, see New-SPTrustedSecurityTokenIssuer.
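The procedure above registers whatever the metadata endpoint returns as a trusted token issuer, so it is worth checking the endpoint before running the cmdlet. The following script is an added example, not part of the TechNet article: it wraps step 3 with a check that the endpoint is https, a fetch-and-parse of the metadata, a guard against registering the same farm twice, and a listing of all trusted issuers for the change record. $SendingHost and $FriendlyName are placeholder names chosen for this example.

```powershell
# Added example, not from the TechNet article: register a sending farm as a
# trusted security token issuer with a few checks first.
$SendingHost  = "<HostName>"       # name and port of an SSL-enabled web application on the sending farm
$FriendlyName = "<FriendlyName>"   # label for the sending farm

$endpoint = "https://$SendingHost/_layouts/15/metadata/json/1"

# 1. Only https: the metadata carries the sending farm's signing certificate, which
#    this farm will then trust for every incoming server-to-server token. Fetched
#    over http it could be replaced on the wire.
if ($endpoint -notmatch '^https://') { throw "Metadata endpoint must use https: $endpoint" }

# 2. Fetch the metadata and make sure it parses as JSON before registering anything.
#    WebClient fails on an untrusted server certificate, which is the behaviour we want.
#    (JavaScriptSerializer rather than ConvertFrom-Json so this also runs on the
#    PowerShell 2.0 that ships with Windows Server 2008 R2.)
$raw = (New-Object System.Net.WebClient).DownloadString($endpoint)
Add-Type -AssemblyName System.Web.Extensions
$json = (New-Object System.Web.Script.Serialization.JavaScriptSerializer).DeserializeObject($raw)
if (-not $json -or $json.Count -eq 0) { throw "No JSON metadata returned from $endpoint" }

# 3. Do not register the same farm twice under the same name.
$existing = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $FriendlyName }
if ($existing) {
    "Issuer '{0}' is already registered (NameId {1})" -f $existing.Name, $existing.NameId
} else {
    $issuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $endpoint -IsTrustBroker -Name $FriendlyName
    "Registered '{0}' with NameId {1}" -f $issuer.Name, $issuer.NameId
}

# 4. List every trusted issuer: each entry is a party whose tokens this farm accepts,
#    so the list belongs in the change record and should be reviewed periodically.
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, NameId, RegisteredIssuerName | Format-Table -AutoSize
```

Run it once per sending farm (step 4 of the procedure), changing only the two placeholders at the top.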
The recommended best practice for server-to-server authentication is that each server-to-server application that establishes trust with a SharePoint farm must use a different certificate. In a cross-farm SharePoint topology, if you are required to use the same certificate across the farms, you must also set the name identifier of the SharePoint Security Token Service (STS) to be the same across those farms.
The following procedure describes how to synchronize the STS name identifier across two SharePoint farms.
To synchronize the STS name identifier across SharePoint farms
1. Verify that you are a member of the Administrators group on the server on which you are running Windows PowerShell cmdlets.
securityadmin fixed server role on the SQL Server instance.
db_owner fixed database role on all databases that are to be updated.
An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.
Note:
If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
2. In the SharePoint 2013 environment on one of the farms, start the SharePoint 2013 Management Shell.
For Windows Server 2008 R2:
In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.
For Windows Server 2012:
In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.
If SharePoint 2013 Management Shell is not on the Start screen:
Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.
For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.
3. At the Windows PowerShell command prompt, type the following command:
Get-SPSecurityTokenServiceConfig
4. In the display of the Get-SPSecurityTokenServiceConfig command, note the value of the NameIdentifier field, which starts with "00000003-0000-0ff1-ce00-000000000000@". This is the name identifier of the SharePoint STS.
5. To set the name identifier of the SharePoint STS in the other SharePoint farm, use the following Windows PowerShell commands on a server in that farm:
$config = Get-SPSecurityTokenServiceConfig
$config.NameIdentifier = "<CommonNameIdentifier>"
$config.Update()
Where <CommonNameIdentifier> is the value of the NameIdentifier field from step 4.
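Setting the STS name identifier by hand is easy to get wrong, and a malformed value breaks every incoming server-to-server token on that farm. The following is an added example, not part of the TechNet article, that splits the procedure into a read function for the first farm and a write function for the other farm, validates the value against the prefix the article gives, and re-reads the configuration to confirm the update persisted. The function names and $Prefix are chosen for this example.

```powershell
# Added example, not from the TechNet article: synchronize the SharePoint STS
# name identifier across two farms with validation.
$Prefix = "00000003-0000-0ff1-ce00-000000000000@"

# Run on the first farm: read the identifier that the other farm must adopt.
function Get-StsNameIdentifier {
    $config = Get-SPSecurityTokenServiceConfig
    $config.NameIdentifier
}

# Run on the other farm with the value printed by Get-StsNameIdentifier.
function Set-StsNameIdentifier {
    param([Parameter(Mandatory = $true)][string]$CommonNameIdentifier)

    # The STS identifier is the fixed app-principal prefix followed by the farm's
    # realm. Refuse anything that does not have that shape rather than store it.
    if (-not $CommonNameIdentifier.StartsWith($Prefix)) {
        throw "Unexpected name identifier format: $CommonNameIdentifier"
    }
    if ($CommonNameIdentifier.Length -eq $Prefix.Length) {
        throw "Name identifier has no realm after '@'"
    }

    $config = Get-SPSecurityTokenServiceConfig
    $before = $config.NameIdentifier
    if ($before -eq $CommonNameIdentifier) {
        "NameIdentifier already set to $before; nothing to do"
        return
    }

    $config.NameIdentifier = $CommonNameIdentifier
    $config.Update()

    # Re-read from the configuration database to confirm the change was stored.
    $after = (Get-SPSecurityTokenServiceConfig).NameIdentifier
    if ($after -ne $CommonNameIdentifier) {
        throw "Update did not persist: NameIdentifier is still $after"
    }
    "NameIdentifier changed from $before to $after"
}

# Usage: on farm A run Get-StsNameIdentifier and copy its output; on farm B run
#   Set-StsNameIdentifier -CommonNameIdentifier "<value copied from farm A>"
```

Keep the "before" value that the function prints; it is what you need to roll the farm back if the shared certificate plan is abandoned later.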
Configure server-to-server authentication between SharePoint 2013 and Exchange Server 2013
Updated: October 16, 2012
Summary: Learn how to configure server-to-server authentication between SharePoint 2013 and Exchange Server 2013.
Applies to: SharePoint Server 2013 Enterprise | SharePoint Server 2013 Standard | SharePoint Foundation 2013
Server-to-server authentication enables you to share resources that live on various servers in a SharePoint farm and access services, such as Exchange Server 2013 and Lync Server 2013, which are distributed among servers. Server-to-server authentication in SharePoint 2013 also supports resource sharing and access with additional services that are compliant with the server-to-server authentication protocol.
The configuration details in this article are about how to configure server-to-server authentication between SharePoint 2013 and Exchange Server 2013.
Important:
Web applications that include server-to-server authentication endpoints for incoming server-to-server requests, or that make outgoing server-to-server requests, must be configured to use Secure Sockets Layer (SSL). For information about how to create a web application to use SSL, see Create claims-based web applications in SharePoint 2013.
Process overview
This configuration has the following steps:
Configure the SharePoint 2013 server to trust the Exchange Server 2013 server
Configure permissions on the SharePoint 2013 server
Configure the Exchange Server 2013 server to trust the SharePoint 2013 server
Important:
Complete the procedures in the order in which they are presented in this article.
To configure the SharePoint 2013 server to trust the Exchange Server 2013 server
1. Verify that you are a member of the Administrators group on the server on which you are running Windows PowerShell cmdlets.
securityadmin fixed server role on the SQL Server instance.
db_owner fixed database role on all databases that are to be updated.
An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.
Note:
If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
2. Start the SharePoint 2013 Management Shell.
For Windows Server 2008 R2:
In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.
For Windows Server 2012:
In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.
If SharePoint 2013 Management Shell is not on the Start screen:
Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.
For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.
3. At the Windows PowerShell command prompt, type the following commands:
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<HostName>/metadata/json/1" -IsTrustBroker -Name "<FriendlyName>"
Where:
<HostName> is the name or address of the Exchange Server 2013 server.
<FriendlyName> is a friendly name for the Exchange Server 2013 server.
To configure permissions on the SharePoint 2013 server
At the Windows PowerShell command prompt, type the following commands:
# Trusted issuer registered in the previous procedure (if more than one issuer is registered, select the Exchange one by name)
$exchange=Get-SPTrustedSecurityTokenIssuer
# App principal that represents Exchange in this site, looked up by the issuer's name identifier
$app=Get-SPAppPrincipal -Site http://<HostName> -NameIdentifier $exchange.NameId
$site=Get-SPSite http://<HostName>
# Grant full control at site-subscription scope
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope sitesubscription -Right fullcontrol -EnableApplyOnlyPolicy
Where:
<HostName> is the name or address of the SharePoint 2013 server.
Note:
For more information, see Get-SPTrustedSecurityTokenIssuer, Get-SPAppPrincipal, and Set-SPAppPrincipalPermission.
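The commands above assume that Get-SPTrustedSecurityTokenIssuer returns exactly one issuer; on a farm that also trusts other farms or Lync Server it returns several, and $exchange.NameId is then not a single value. The following is an added example, not part of the TechNet article, that selects the Exchange issuer by the friendly name given in the previous procedure, fails if the name is missing or ambiguous, grants the permission, and then reads the permission back with Get-SPAppPrincipalPermission so the grant can be recorded. $FriendlyName and $SiteUrl are placeholder names chosen for this example.

```powershell
# Added example, not from the TechNet article: grant the Exchange app principal
# full control at site-subscription scope, selecting the issuer by name.
$FriendlyName = "<FriendlyName>"      # -Name given to New-SPTrustedSecurityTokenIssuer
$SiteUrl      = "http://<HostName>"   # SharePoint site URL, as in the article's commands

# Pick the Exchange issuer explicitly; never trust "the first one returned".
$exchange = @(Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $FriendlyName })
if ($exchange.Count -eq 0) { throw "No trusted security token issuer named '$FriendlyName'" }
if ($exchange.Count -gt 1) { throw "More than one trusted issuer is named '$FriendlyName'" }
$exchange = $exchange[0]
"Granting to issuer '{0}' (NameId {1})" -f $exchange.Name, $exchange.NameId

$site = Get-SPSite $SiteUrl
$app  = Get-SPAppPrincipal -Site $SiteUrl -NameIdentifier $exchange.NameId
if (-not $app) { throw "No app principal for NameId $($exchange.NameId) in $SiteUrl" }

# Same grant as the article: full control at site-subscription scope, applied as
# an app-only policy so the principal is limited to what this policy allows.
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope sitesubscription -Right fullcontrol -EnableApplyOnlyPolicy

# Read the permission back. Full control at this scope is a broad grant, so keep
# this output with the change record.
Get-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope sitesubscription
```

If the script stops at the ambiguity check, rename or remove the duplicate issuer before granting anything; the permission should be tied to one known trust.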
To configure the Exchange Server 2013 server to trust the SharePoint 2013 server
1. Start the Exchange Management Shell.
For Windows Server 2008 R2:
In the Exchange Server 2013 environment, on the Start menu, click All Programs, click Microsoft Exchange Server 2013, and then click Exchange Management Shell.
For Windows Server 2012:
In the Exchange Server 2013 environment, on the Start screen, click Exchange Management Shell.
If Exchange Management Shell is not on the Start screen:
Right-click Computer, click All apps, and then click Exchange Management Shell.
For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.
2. At the Windows PowerShell command prompt, type the following commands:
cd c:\'Program Files'\Microsoft\'Exchange Server'\V15\Scripts
.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl https://<HostName>/_layouts/15/metadata/json/1 -ApplicationType SharePoint
Where:
<HostName> is the name and port of any SSL-enabled web application of the SharePoint farm.
Configure server-to-server authentication between SharePoint 2013 and Lync Server 2013
Published: October 2, 2012
Summary: Learn how to configure server-to-server authentication between SharePoint 2013 and Lync Server 2013.
Applies to: SharePoint Server 2013 Enterprise | SharePoint Server 2013 Standard | SharePoint Foundation 2013
Server-to-server authentication enables you to share resources that live on various servers in a SharePoint farm and access services, such as Lync Server 2013 and Exchange Server 2013, which are distributed among servers. Server-to-server authentication in SharePoint 2013 also supports resource sharing and access to additional services that are compliant with the server-to-server authentication protocol. For more information about the SharePoint server-to-server authentication protocol, see OAuth 2.0 Authentication Protocol: SharePoint Profile (http://msdn.microsoft.com/en-us/library/hh631177(office.12).aspx).
The configuration details in this article explain how to configure server-to-server authentication between SharePoint 2013 and Lync Server 2013.
Important:
Web applications that include server-to-server authentication endpoints for incoming server-to-server requests, or that make outgoing server-to-server requests, must be configured to use Secure Sockets Layer (SSL). For information about how to create a web application to use SSL, see Create claims-based web applications in SharePoint 2013.
Process overview
This configuration has the following steps:
Configure the server that runs SharePoint 2013 to trust the server that runs Lync Server 2013
Configure the server that runs Lync Server 2013 to trust the server that runs SharePoint 2013
To configure the SharePoint 2013 server to trust the Lync Server 2013 server
1. Verify that you are a member of the Administrators group on the server on which you are running Windows PowerShell cmdlets.
securityadmin fixed server role on the SQL Server instance.
db_owner fixed database role on all databases that are to be updated.
An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.
Note:
If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
2. Start the SharePoint 2013 Management Shell.
For Windows Server 2008 R2:
In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.
For Windows Server 2012:
In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.
If SharePoint 2013 Management Shell is not on the Start screen, right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.
For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.
3. At the Windows PowerShell command prompt, type the following commands:
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<HostName>/metadata/json/1" -IsTrustBroker -Name "<FriendlyName>"
Where:
<HostName> is the name or address of the server that runs Lync Server 2013.
<FriendlyName> is a friendly name for the server that runs Lync Server 2013.
To configure the Lync Server 2013 server to trust the SharePoint 2013 server
1. If you have not already done this, assign a server-to-server authentication certificate to Lync Server 2013. Follow the instructions in Assigning a Server-to-Server Authentication Certificate to Microsoft Lync Server 2013.
2. Configure the server that runs Lync Server 2013 for a new SharePoint partner application that corresponds to the SharePoint farm. For the instructions in Configuring an On-Premises Partner Application for Microsoft Lync Server 2013, change the metadata URL string in the embedded script from:
http://atl-sharepoint-001.litwareinc.com/jsonmetadata.ashx
to:
https://<NameAndPort>/_layouts/15/metadata/json/1
Where:
<NameAndPort> is the host name or address and port of any SSL-enabled web application of the SharePoint farm.
Configure app authentication in SharePoint Server 2013
Published: September 4, 2012
Summary: Learn how to configure app authentication in SharePoint Server 2013.
Applies to: SharePoint Server 2013 Enterprise | SharePoint Server 2013 Standard
When you use an app for SharePoint, an external component of the app might want to access SharePoint resources. For example, a web server that is located on the intranet or the Internet might try to access a SharePoint resource. When this occurs, SharePoint has to confirm the following:
The authentication of the identity of the app and the user on whose behalf the app is acting.
The authorization of the access for both the app and the user on whose behalf the app is acting.
App authentication is the combination of these two confirmations.
This topic describes how to configure a SharePoint Server 2013 farm for app authentication by configuring a trust, by registering the app with the Application Management service, and by configuring app permissions.
Important:
SharePoint web applications that include app authentication endpoints for incoming requests must be configured to use Secure Sockets Layer (SSL). For information about how to configure SSL for a new web application, see Create claims-based web applications in SharePoint 2013.
Note:
This topic does not apply to SharePoint Foundation 2013.
Process overview
This configuration has the following steps that must be performed in consecutive order:
1. Configure the SharePoint Server 2013 app authentication trust.
2. Register the app with the Application Management service.
3. Configure app permissions.
For information about apps for SharePoint, see Overview of apps for SharePoint 2013.
Note:
Because SharePoint Server 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide.
SharePoint Server 2013 supports the accessibility features of supported browsers. For more information, see the following resources:
Plan browser support
Accessibility for SharePoint Products
Accessibility features in SharePoint 2013 Products
Keyboard shortcuts
Touch