In an environment with Microsoft SharePoint, you can configure EmpowerID as a claims-based authentication provider for your SharePoint farm. Using EmpowerID in this way extends EmpowerID's RBAC model to your corporate SharePoint environment, giving you greater flexibility and control over how you assign users' access. Before configuring EmpowerID as a SharePoint claims provider, the following prerequisites must be met:
Once you have met the above prerequisites, you can configure the federated trust between EmpowerID and your SharePoint farm.
Projection with Strict Enforcement - EmpowerID overrides any changes made natively in SharePoint; a change is only accepted if it is made in EmpowerID. Strict Enforcement applies only to SharePoint groups.
EmpowerID inventories SharePoint groups, and enforcement adds one EmpowerID claim as a member of each group. The claim carries the same name as the group and uses a GUID as its unique identifier. When a Person is granted the group's member Resource Role in EmpowerID, that SharePoint group membership is added as a claim to the login token; SharePoint reads the claim from the token and treats the user as a member of the group.
Next, we need to add the SharePoint configuration settings to the SharePoint Resource System that EmpowerID created for each connected SharePoint server.
When you have completed the above, you have four Name/Value pairs that look similar to the image below. The Names must match those shown exactly; the Values will differ according to your environment.
Next, we need to add the SharePoint certificates to the EmpowerID Certificate store. We demonstrate this in the section below.
Next, we need to map the SharePoint client certificate to an EmpowerID Person. Because the SharePoint Web services are claims-based, EmpowerID uses this Person to access those services. Create a new Person account strictly for this purpose.
Next, we need to create a WS Federation Connection for SharePoint in EmpowerID. We demonstrate this in the section below.
Next, we need to configure a federated trust between the EmpowerID Security Token Service (STS) and your SharePoint farm.
Log in to Workflow Studio as an administrative user and from Solution Explorer, click the SharePoint tab to view the SharePoint resource system you just added to EmpowerID.
The following steps need to be performed once for each SharePoint farm in your environment.
Click the node for your SharePoint system and wait for Workflow Studio to load your SharePoint sites.
You should now see your sites in the SharePoint tree under your SharePoint resource system.
If your SharePoint sites do not appear in the SharePoint tree, ensure that the SharePoint Management Web Service is enabled on at least one EmpowerID Web Role server and that the SharePoint Agent Server is set on the SharePoint Account Store Details screen.
Now that the federated trust has been configured, you can convert your SharePoint sites from Windows Auth to Claims-based. We demonstrate this below.
The following steps need to be performed for each SharePoint web application that you wish to use Claims-based Authentication.
Scroll down to the bottom of the Edit Authentication page and click Save.
The following steps need to be performed for each SharePoint site collection that resides within a SharePoint web application that uses Claims-based Authentication.
Click OK to close the Select People dialog and then click OK to close the Site Collection Administrators page.
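The trust, web-application conversion and site-collection-administrator steps above are performed through Workflow Studio and Central Administration. The following SharePoint Management Shell script is an added example, not EmpowerID's code and not what Workflow Studio runs; it performs the equivalent native SharePoint operations and then reports what was configured so you can verify the result. The issuer name, certificate path, realm, sign-in URL, web application and site URLs, administrator e-mail address and claim types are placeholders for your environment, and the claim types are assumed (the page does not list EmpowerID's claim types).

```powershell
# Added example (not EmpowerID's code): native SharePoint equivalent of the trust,
# claims conversion and site collection administrator steps, plus a verification pass.
# Run in the SharePoint Management Shell on a farm server as a farm administrator.
# ASSUMPTIONS: every value in the block below is a placeholder for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsName      = "EmpowerID STS"                           # display name of the trusted issuer
$stsCertPath  = "C:\certs\empowerid-sts-signing.cer"       # public signing certificate exported from EmpowerID
$stsSignInUrl = "https://sso.example.com/EmpowerIDSTS/"    # assumed STS sign-in endpoint
$realm        = "urn:sharepoint:portal"                    # assumed realm; must match the realm configured in EmpowerID
$webAppUrl    = "https://portal.example.com"               # web application being federated
$siteUrl      = "https://portal.example.com/sites/team"    # site collection that receives an EmpowerID administrator
$adminEmail   = "admin@example.com"                        # EmpowerID Person to add as site collection administrator
$emailType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # assumed identifier claim
$roleType     = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"        # assumed group enforcement claim

# 1. Trust the STS signing certificate at the farm level (idempotent).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($stsCertPath)
if (-not (Get-SPTrustedRootAuthority -Identity $stsName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $stsName -Certificate $cert | Out-Null
}

# 2. Map incoming claim types. The e-mail claim identifies the user; the role claim
#    is how group enforcement claims reach SharePoint.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role"  -SameAsIncoming

# 3. Register the STS as a trusted identity token issuer (idempotent).
$sts = Get-SPTrustedIdentityTokenIssuer -Identity $stsName -ErrorAction SilentlyContinue
if (-not $sts) {
    $sts = New-SPTrustedIdentityTokenIssuer -Name $stsName -Description "EmpowerID WS-Federation STS" `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
        -SignInUrl $stsSignInUrl -IdentifierClaim $emailType
}

# 4. Switch the web application from classic Windows authentication to claims
#    (SharePoint 2010 object-model procedure; SharePoint 2013 uses Convert-SPWebApplication),
#    then register both Windows and the trusted provider on the Default zone so existing
#    administrators are not locked out while the trust is being verified.
$webApp = Get-SPWebApplication -Identity $webAppUrl
if (-not $webApp.UseClaimsAuthentication) {
    $webApp.UseClaimsAuthentication = $true
    $webApp.Update()
    $webApp.ProvisionGlobally()
    $webApp.MigrateUsers($true)          # rewrite existing ACL entries to claims form
    $webApp = Get-SPWebApplication -Identity $webAppUrl
}
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windows, $trusted

# 5. Make an EmpowerID user a secondary site collection administrator. The encoded
#    claim string is what the Select People dialog stores behind the scenes.
$principal = New-SPClaimsPrincipal -Identity $adminEmail -TrustedIdentityTokenIssuer $sts
Set-SPSite -Identity $siteUrl -SecondaryOwnerAlias $principal.ToEncodedString()

# 6. Verify: issuer present, signing certificate thumbprint matches the file you imported,
#    the Default zone lists the provider, and the administrator was written as a claim.
$check     = Get-SPTrustedIdentityTokenIssuer -Identity $stsName
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$providers = (Get-SPWebApplication -Identity $webAppUrl).IisSettings[$zone].ClaimsAuthenticationProviders
[PSCustomObject]@{
    IssuerName        = $check.Name
    SigningThumbprint = $check.SigningCertificate.Thumbprint
    CertMatchesFile   = ($check.SigningCertificate.Thumbprint -eq $cert.Thumbprint)
    IdentifierClaim   = $check.IdentityClaimTypeInformation.InputClaimType
    ZoneProviders     = ($providers | ForEach-Object { $_.DisplayName }) -join ", "
    SecondaryAdmin    = (Get-SPSite -Identity $siteUrl).SecondaryContact.LoginName
    EncodedAdminClaim = $principal.ToEncodedString()
}
```

The thumbprint comparison is the check worth keeping: a trusted identity token issuer whose signing certificate no longer matches the certificate EmpowerID signs tokens with fails silently from the user's point of view (SharePoint rejects every token), so compare it again after any STS certificate rollover.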
The following steps need to be performed for each SharePoint server that services the web application being federated.
From the SharePoint tree of Workflow Studio, right-click the SharePoint site again and select Configure Web.Config for Security Token Service Federation Trust from the context menu.
Make a backup of the Web.config file before proceeding with the steps below.
In the EmpowerID STS SharePoint Web.Config Configuration dialog that appears, do the following:
The EmpowerID STS SharePoint Web.Config Configuration dialog looks similar to the following image:
Now that EmpowerID has been configured as a claims provider for the SharePoint Site Collection, you need to turn on inventory and enable SharePoint Group Enforcement claims in EmpowerID. We demonstrate this below.
Now that EmpowerID has been configured as a claims provider for the SharePoint Site Collection, you can (optionally) grant permissions to your EmpowerID users for SharePoint access. We demonstrate this below by granting all EmpowerID Business Roles membership to the Viewers SharePoint group.
If you have customized SharePoint master pages for any Web application, you must add the Any Role in Anywhere Business Role and Location to the User Policy for that Web application; otherwise, SharePoint will deny your EmpowerID users access to your SharePoint sites.
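To confirm that inventory and group enforcement have taken effect, and to grant a role claim membership in the Viewers group as described above, the following script is an added example; it is not EmpowerID's code and does not replace the EmpowerID steps. It decodes every claims-based member of each SharePoint group in a site collection, reports the members issued by the EmpowerID trusted provider (the enforcement claim the page describes), and then adds a role claim to Viewers. The site URL, issuer name, role claim type and role claim value are assumptions.

```powershell
# Added example (not EmpowerID's code): list the EmpowerID enforcement claims that
# inventory added to each SharePoint group, then grant a role claim access via Viewers.
# ASSUMPTIONS: site URL, issuer name, role claim type and claim value are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://portal.example.com/sites/team"
$stsName   = "EmpowerID STS"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"  # assumed claim type
$roleValue = "All Business Roles"                                             # assumed claim value
$issuer    = "TrustedProvider:$stsName"   # SPClaim.OriginalIssuer format for a trusted identity provider

$sts  = Get-SPTrustedIdentityTokenIssuer -Identity $stsName
$mgr  = Get-SPClaimProviderManager
$site = Get-SPSite -Identity $siteUrl
try {
    $web = $site.RootWeb

    # Decode each group's members. Windows members are encoded claims too, so filter on the
    # issuer rather than on the encoding prefix; the enforcement claim should show up once per
    # group with the group's name (the GUID is its unique identifier on the EmpowerID side).
    foreach ($group in $web.SiteGroups) {
        $fromEmpowerID = @()
        foreach ($member in $group.Users) {
            if ($mgr.IsEncodedClaim($member.LoginName)) {
                $claim = $mgr.DecodeClaim($member.LoginName)
                if ($claim.OriginalIssuer -eq $issuer) { $fromEmpowerID += $claim }
            }
        }
        [PSCustomObject]@{
            Group             = $group.Name
            MemberCount       = $group.Users.Count
            EmpowerIDClaims   = ($fromEmpowerID | ForEach-Object { "$($_.ClaimType)=$($_.Value)" }) -join "; "
            EnforcementClaim  = [bool]($fromEmpowerID | Where-Object { $_.Value -eq $group.Name })
        }
    }

    # Grant access: add the role claim as a member of Viewers. Group enforcement then rejects
    # membership edits made natively, so do this once here or, preferably, in EmpowerID.
    $viewers   = $web.SiteGroups["Viewers"]
    $principal = New-SPClaimsPrincipal -ClaimValue $roleValue -ClaimType $roleType -TrustedIdentityTokenIssuer $sts
    $roleUser  = $web.EnsureUser($principal.ToEncodedString())
    $already   = $viewers.Users | Where-Object { $_.LoginName -eq $roleUser.LoginName }
    if (-not $already) {
        $viewers.AddUser($roleUser)
        "Added $($roleUser.LoginName) to $($viewers.Name)"
    } else {
        "$($roleUser.LoginName) is already a member of $($viewers.Name)"
    }
} finally {
    $site.Dispose()
}
```

A group that reports no enforcement claim after inventory has run is the symptom to chase: either inventory has not picked up the group yet or the issuer name in the decoded claim does not match the trusted identity token issuer SharePoint knows about, in which case the token's group claims are never matched to the group.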