Federating SharePoint with EmpowerID
Phillip Hanegan
In an environment with Microsoft SharePoint, you can configure EmpowerID as a claims-based authentication provider for your SharePoint farm. Using EmpowerID in this way extends EmpowerID's RBAC model to your corporate SharePoint environment, giving you greater flexibility and control over how you assign users' access. Before configuring EmpowerID as a SharePoint claims provider, the following prerequisites must be met:
Prerequisites
- A network-reachable EmpowerID Web Role server (over port 443) must be configured for SSL and SAML SSO Claims.
- The EmpowerID SharePoint 2013 Web Services package (for SharePoint 2013) or EmpowerID SharePoint 2016 Web Services package (for SharePoint 2016) must be installed on all SharePoint servers in the farm. Doing so makes the following changes to the SharePoint servers:
  - It adds a new TheDotNetFactory key to the registry with EmpowerID and Federation subkeys.
  - It creates a new Web application, named either EmpowerIDWebService45 (for SharePoint 2013) or EmpowerIDWebService4516 (for SharePoint 2016), and an application pool for that application, named either EmpowerIDSharePoint2013 or EmpowerIDSharePoint2016, in IIS.
  - It adds the EmpowerID.BPM.SharePoint.EventReceiver2013 (for SharePoint 2013) or EmpowerID.BPM.SharePoint.EventReceiver2016 (for SharePoint 2016) assembly to the GAC.
- The public key of the SharePoint SSL certificate and the private key of the client certificate must be exported to the EmpowerID Web Role server.
  The SharePoint server needs two certificates: one used for SSL between the server and EmpowerID (the SSL certificate) and one that EmpowerID uses to authenticate itself to the SharePoint Web services (the client certificate). EmpowerID uses the SSL certificate to create the endpoint identity for the SharePoint Web services, and the client certificate to perform certificate-based authentication when obtaining a security token.
- The public key and root of the EmpowerID federation (STS) certificate must be exported to each SharePoint server in the farm. This allows SharePoint to authenticate itself to EmpowerID.
- The EmpowerID > Federation key of each SharePoint server in the farm must have its values configured for EmpowerID. The Federation key values are the following:
  - SPVersion - Specifies the version of SharePoint.
  - EmpowerIDServerFQDN - Specifies the fully qualified name of the EmpowerID Web Role server.
    The URL specified here must have the following entries in the CertificateAppliesTo table of the EmpowerID Identity Warehouse:
    https://<empoweridserverFQDN>/EmpowerIDWebServices/SharePointEventNotificationService.svc
    https://<empoweridserverFQDN>/EmpowerIDWebServices/EmpowerIDSTS.svc
    https://<empoweridserverFQDN>/EmpowerIDWebServices/EmpowerIDCertSTS.svc
    https://<empoweridserverFQDN>/EmpowerIDWebServices/SecureService.svc
    These entries can be generated by navigating to each service URL in a Web browser or by manually adding Trust URIs for each in Workflow Studio. For information on adding Trust URIs in Workflow Studio within the context of this topic, see Step 8, Configure a Trusted Endpoint for a DNS alias.
  - ClientAuthCertificate - Specifies the certificate that SharePoint uses to authenticate to the EmpowerID Web services. The public key for this certificate must be installed on the EmpowerID Web Role server.
    Every SharePoint service account needs access to the private key of this certificate. This includes all application pool identities on the SharePoint server, as well as all SharePoint service application service accounts.
  - FederationCertificate - Specifies the EmpowerID federation certificate. The public key for this certificate must be installed on the SharePoint server.
  - APILogExceptionsPath - Specifies the folder path to log hidden exceptions. This is only used for diagnosis.
  - ExcludedWebApplications - Specifies a list of Web application URLs to exclude from the UserInfo table sync.
  - SPServerSSLCertificate - Specifies the SSL certificate on the SharePoint server. The public key for the certificate must be installed on the EmpowerID Web Role server.
- The identity associated with the EmpowerIDSharePoint2013 (for SharePoint 2013) or the EmpowerIDSharePoint2016 (for SharePoint 2016) application pool on each SharePoint server must be changed from NetworkService to an identity that has the following rights:
  - Local administrator
  - Farm admin within SharePoint
  - Web application policy user within SharePoint for each site collection configured for EmpowerID claims augmentation
  - DBO permissions to the Content Databases, Central Admin databases and EmpowerID database
- The identity associated with the EmpowerIDSharePoint2013 (for SharePoint 2013) or the EmpowerIDSharePoint2016 (for SharePoint 2016) application pool must be registered as the User Profile Service application identity.
- The identity associated with the EmpowerIDSharePoint2013 (for SharePoint 2013) or the EmpowerIDSharePoint2016 (for SharePoint 2016) application pool must be registered as a Managed Account.
To install the EmpowerID SharePoint Web Services package
- Open the SharePoint 20XX Web Services folder you received from EmpowerID and double-click the SharePoint 20XX Web Services X.X.X.X file in the folder to open the EmpowerID SharePoint 20XX Web Services Setup installer.
- Accept the terms of license agreement and then click Next to continue.
- Select the installation path and click Next to continue.
- Click Install.
- Click Finish to close the installer.
To export the SharePoint client certificate to the EmpowerID Web Role server
- From the MMC Certificates snap-in of your SharePoint server, navigate to the Personal Certificates store.
- From the Personal Certificates store, right-click the client certificate and select All Tasks > Export from the context menu.
- In the Certificate Export Wizard that appears, click Next.
- Select Yes, export the private key and click Next.
- Select Personal Information Exchange - PKCS #12 (.PFX) and click Next.
- Click Browse, navigate to an appropriate place on the EmpowerID server in which to save the certificate, type a name for the certificate in the File name field and then click Save.
- Back in the Certificate Export Wizard, click Next and then click Finish.
- Click OK to close the certificate export message.
- On the EmpowerID Web Role server, locate the certificate you just exported, right-click it and select Install Certificate from the context menu.
- In the Certificate Import Wizard that appears, select Local Machine and then click Next.
- Select Place all certificates in the following store, click Browse, select Personal and then click OK.
- Copy the client certificate from the Personal Certificates store to the Trusted Root Certification Authorities Certificates store.
- Repeat the process for the SSL certificate, this time exporting it without the private key as a DER encoded binary X.509 (.CER). See the note below before proceeding.
This is only necessary if you are not using the EmpowerID SSL certificate as shown above.
To export the EmpowerID certificate to the SharePoint server
- From the MMC Certificates snap-in of your EmpowerID server, navigate to the Personal Certificates store.
- From the Personal Certificates store, right-click the client certificate and select All Tasks > Export from the context menu.
- In the Certificate Export Wizard that appears, click Next.
- Select No, do not export the private key and click Next.
- Select DER encoded binary X.509 (.CER) and click Next.
- Click Browse, navigate to an appropriate place on the SharePoint server in which to save the certificate, type a name for the certificate in the File name field and then click Save.
- Back in the Certificate Export Wizard, click Next and then click Finish.
- Click OK to close the certificate export message.
- On the SharePoint server, locate the certificate you just exported, right-click it and select Install Certificate from the context menu.
- In the Certificate Import Wizard that appears, select Local Machine and then click Next.
- Select Place all certificates in the following store, click Browse, select Personal and then click OK.
- Copy the client certificate from the Personal Certificates store to the Trusted Root Certification Authorities Certificates store.
To configure the Federation registry key
- Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\TheDotNetFactory\EmpowerID\Federation.
- From the Value pane of the Federation key, right-click each of the following names, select Modify from the context menu, type a path in the Value data field of the Edit String dialog and then click OK:
  - APILogExceptionsPath
  - ClientAuthCertificate
  - EmpowerIDServerFQDN
  - FederationCertificate
  - SPServerSSLCertificate
- Ensure that SPVersion reflects the correct version of SharePoint.
After setting the above, the Federation key looks similar to this image.
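The following script is an added example, not part of the EmpowerID guide: a read-only check, run elevated on a SharePoint server, of the prerequisites above. It assumes that the three *Certificate values under the Federation key hold certificate thumbprints (adjust the lookup if yours hold a path) and that only direct ACL grants on the private key count (a grant inherited through a group is reported for manual review).

```powershell
# Added example, not part of the EmpowerID guide: a read-only check of the
# SharePoint-side prerequisites. Assumptions: it runs elevated on a SharePoint
# server, and the three *Certificate values under the Federation key hold
# certificate thumbprints. Nothing is modified.
#Requires -RunAsAdministrator
$FederationKey = 'HKLM:\SOFTWARE\TheDotNetFactory\EmpowerID\Federation'
$problems = New-Object 'System.Collections.Generic.List[string]'
function Add-Problem([string]$Message) { $script:problems.Add($Message) }

# 1. The Federation key and its documented values must be present.
$fed = Get-ItemProperty -Path $FederationKey -ErrorAction SilentlyContinue
if (-not $fed) {
    throw "Federation key not found at $FederationKey. Is the EmpowerID SharePoint Web Services package installed?"
}
foreach ($name in 'SPVersion', 'EmpowerIDServerFQDN', 'ClientAuthCertificate',
                  'FederationCertificate', 'SPServerSSLCertificate') {
    if ([string]::IsNullOrWhiteSpace($fed.$name)) { Add-Problem "Value '$name' is missing or empty" }
}
if ($fed.SPVersion -notin '2013', '2016') {
    Add-Problem "SPVersion is '$($fed.SPVersion)'; this guide covers 2013 and 2016"
}

# 2. Referenced certificates must be installed in LocalMachine\My and not about to expire.
function Get-MachineCert([string]$Thumbprint) {
    if ([string]::IsNullOrWhiteSpace($Thumbprint)) { return $null }
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()   # tolerate spaces/colons pasted from MMC
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
}
$certs = [ordered]@{
    ClientAuthCertificate  = Get-MachineCert $fed.ClientAuthCertificate
    SPServerSSLCertificate = Get-MachineCert $fed.SPServerSSLCertificate
    FederationCertificate  = Get-MachineCert $fed.FederationCertificate
}
foreach ($entry in $certs.GetEnumerator()) {
    if (-not $entry.Value) { Add-Problem "$($entry.Key) was not found in Cert:\LocalMachine\My"; continue }
    if ($entry.Value.NotAfter -lt (Get-Date).AddDays(30)) {
        Add-Problem "$($entry.Key) ($($entry.Value.Subject)) expires on $($entry.Value.NotAfter)"
    }
}
$clientCert = $certs['ClientAuthCertificate']
if ($clientCert -and -not $clientCert.HasPrivateKey) {
    Add-Problem 'ClientAuthCertificate has no private key on this server'
}

# 3. Every SharePoint application pool account needs read access to that private key.
#    Only direct ACL grants are recognised; access inherited through a group shows
#    up here as a finding to review by hand.
if ($clientCert -and $clientCert.HasPrivateKey) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($clientCert)
    # CNG keys expose the key file name via Key.UniqueName; legacy CAPI keys via the CSP container.
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $uniqueName = $rsa.Key.UniqueName }
    else { $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $uniqueName -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $keyFile) {
        Add-Problem "Private key file '$uniqueName' was not found under ProgramData\Microsoft\Crypto"
    } else {
        $readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
        $readers = (Get-Acl -Path $keyFile.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $readMask) -eq $readMask) } |
            ForEach-Object { $_.IdentityReference.Value.ToLowerInvariant() }
        Import-Module WebAdministration
        $poolAccounts = Get-ChildItem -Path IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
            ForEach-Object { $_.processModel.userName.ToLowerInvariant() } | Sort-Object -Unique
        foreach ($account in $poolAccounts) {
            if ($readers -notcontains $account) {
                Add-Problem "Application pool account '$account' has no direct read grant on the client certificate's private key"
            }
        }
    }
}

# 4. The EmpowerID Web Role server must answer on TCP 443 and expose the four services
#    that the guide lists for the CertificateAppliesTo table.
$fqdn = $fed.EmpowerIDServerFQDN
if ($fqdn) {
    if (-not (Test-NetConnection -ComputerName $fqdn -Port 443 -InformationLevel Quiet)) {
        Add-Problem "Cannot reach $fqdn on TCP 443"
    }
    foreach ($svc in 'SharePointEventNotificationService.svc', 'EmpowerIDSTS.svc',
                     'EmpowerIDCertSTS.svc', 'SecureService.svc') {
        $url = "https://$fqdn/EmpowerIDWebServices/$svc"
        try { $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 }
        catch { Add-Problem "$url did not respond: $($_.Exception.Message)" }
    }
}

if ($problems.Count -eq 0) { 'All SharePoint-side prerequisite checks passed.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it once per SharePoint server in the farm; a certificate listed under step 2 that is missing on one server but present on another usually means the export in the previous procedure was skipped on that server.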
To change the identity of the EmpowerID application pool
- On the SharePoint server, open IIS Manager and click the Application Pools node in the Connections tree.
- From the Application Pools page, locate and right-click the EmpowerIDSharePoint20XX application pool and select Advanced Settings from the context menu.
- In the Advanced Settings dialog that appears, click the Identity property under Process Model and then click the ellipsis button to the right of the identity.
- In the Application Pool Identity dialog that appears, select Custom account and then click the Set button.
- In the Set Credentials dialog that appears, enter the credentials for the Web Role Service account and then click OK to close the Set Credentials dialog.
- Click OK to close the Application Pool Identity dialog.
- Click OK to close the Advanced Settings dialog.
To add the account to the local Administrators group
- Log in to the SharePoint server and go to Server Manager.
- From Server Manager, navigate to Configuration > Local Users and Groups > Groups > Administrators.
- Right-click Administrators and select Add to Group from the context menu.
- In the Administrators Properties window that appears, click the Add button.
- In the Select Users, Computers, Service Accounts, or Groups window that appears, add the Web Role Service account and click OK.
To add the account to the Farm Administrators group
- From the SharePoint server, open the SharePoint Central Administration Web application.
- In Central Administration, click the Security link and then click Manage the farm administrators group under the Users section.
- From the Farm Administrators page, click the New link.
- Enter the account user name for the Web Role Service and then click OK or Share depending on your version of SharePoint.
To add the account to the web application user policy
- From Central Administration, click the Security link and then click Specify web application user policy under Users.
- On the Policy for Web Application page, click the Add Users button.
- Select the web application and click Next.
- In the Users text field, enter the account user name for the Web Role Service and then select Full Control for the permissions level.
- Click Finish.
To grant the account database permissions
- Open SQL Server Management Studio.
- In Object Explorer, expand Security > Logins, right-click the login for the Web Role Service account, select Properties from the context menu, and then do one of the following:
  - sysadmin Server Role - Click the Server Roles tab and select sysadmin.
  - db_owner User Mapping - Click the User Mapping tab, select all SharePoint databases related to the target farm (SharePoint_Config, SharePoint_AdminContent_, User Profile Service Application_ProfileDB_, and _Content) and then select db_owner.
To verify the User Profile Service Application identity
- Open Central Administration.
- In Central Administration, select Application Management and then click Manage service applications under Service Applications.
- Click the User Profile Service Application row (do not click the hyperlink) and then click Properties in the ribbon across the top.
- Ensure the Application Pool listed has the same identity as the EmpowerID SharePoint Web Services application pool.
To register the account as a Managed Account
- Open Central Administration and select Security.
- Under General Security, click Configure managed accounts.
- Click Register Managed Account and enter the credentials for the service account.
Do not select Enable automatic password change.
Once you have met the above prerequisites, you can configure the federated trust between EmpowerID and your SharePoint farm.
Step 1 – Create a SharePoint account store in EmpowerID
- On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.
- From the Actions pane, click Create Account Store.
- Search for and select Microsoft SharePoint as the System Type and then click Submit.
- In the SharePoint Settings page that appears, enter a Name, Display Name, and the Fully Qualified Name for the SharePoint account store and then click Submit.
Next, configure the SharePoint account store.
Step 2 – Configure the SharePoint account store
- From the Account Stores page, search for the SharePoint account store you just created and click the Account Store link returned in the grid.
This directs you to the Account Store Details page, which allows you to edit the account store and its associated resource system settings as needed.
- From the Account Store Details page, click the pencil icon to put the account store in edit mode.
- From the Settings tab of the Account Store Details edit page, do the following:
- Select Allow Provisioning (By RET) if you want EmpowerID to create a Profile record in the SharePoint Profile store. This record is owned by a Person and is used to flow attribute changes to and from the SharePoint Profile record.
- Select Allow Deprovisioning (By RET) if you want EmpowerID to delete the Profile record in the SharePoint Profile store when the corresponding EmpowerID Person is deprovisioned or loses this RET policy. SharePoint Profiles exist in a One-to-One relationship with Person objects in EmpowerID.
- Select Allow Account Creation On Membership Request to allow users without accounts to request group membership and automatically have an account created.
- From the Enforcement tab, select Rights Enforcement Enabled and then select the appropriate type of enforcement from the Enforcement Type drop-down. When selecting an enforcement type, you have the following options:
  - No Action — No rights enforcement action occurs.
  - Projection with No Enforcement — Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native SharePoint environment.
  - Projection with Enforcement — Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native SharePoint environment. This is the default setting.
  - Projection with Strict Enforcement — EmpowerID overrides any changes made in the native SharePoint environment. All changes must be made within EmpowerID to be accepted. Strict Enforcement only applies to SharePoint Groups.
  EmpowerID inventories SharePoint groups, and enforcement adds one EmpowerID claim as a member of each group. The claim has the same name as the group, with a GUID as its unique identifier. Being granted the member Resource Role in EmpowerID means that this SharePoint group membership is added as a claim to the login token; SharePoint sees from the token that the user holds a claim that is a member of that group.
- Click
- In the SharePoint Group Enforcement pane of the Account Store Details screen, toggle the Enable this Functionality button from red sphere to a green check box to enable SharePoint Group Claim Enforcement to occur.
Next, we need to add the SharePoint configuration settings to each SharePoint Resource System EmpowerID created for each connected SharePoint server.
To add the SharePoint configuration settings
- In Configuration Manager, click the Resource Systems tree node and then double-click the SharePoint Resource System or right-click it and select Edit from the context menu.
- Click the Settings tab in the SharePoint Resource System screen.
- Click Add New and then do the following:
  - Type SPVersion in the Name field.
  - Type your SharePoint version (2013 or 2016) in the Value field.
  - Click Save.
- Click Add New again and then do the following:
  - Type SPServerFQDN in the Name field.
  - Type the fully qualified domain name of your SharePoint server in the Value field.
  - Click Save.
- Click Add New again and then do the following:
  - Type SPServerClientCertificate in the Name field.
  - Type the thumbprint of the client certificate in the Value field. This is the SharePoint server certificate that EmpowerID uses to authenticate to the SharePoint Web services.
  - Click Save.
- Click Add New again and then do the following:
  - Type SPServerSSLCertificate in the Name field.
  - Type the thumbprint of the SSL certificate in the Value field. This is the SharePoint SSL certificate that EmpowerID uses to create the endpoint identity for the SharePoint Web services.
  - Click Save.
When you have completed the above, you have four Name/Value pairs that look similar to the below image. The Names must be identical to those depicted, while the Values may differ accordingly.
Next, we need to add the SharePoint certificates to the EmpowerID Certificate store. We demonstrate this in the section below.
Step 3 – Add the SharePoint Certificates to EmpowerID
- In Configuration Manager, expand the EmpowerID Servers and Role node in the application navigation tree and then click the Manage Certificates node.
- Click the Add New button located above the Certificates grid and select From Local Store from the context menu.
- In the Windows Security dialog that appears, select the SharePoint SSL certificate you exported earlier, click OK and then click No when asked if the certificate requires a password. If you are using the EmpowerID SSL/STS certificate for your SharePoint server you can skip to step 5 below.
- Click Add New again and select From Local Store.
- In the Windows Security dialog that appears, select the SharePoint client certificate you exported earlier, click OK and then click Yes when asked if the certificate requires a password.
- Type the password for the certificate and then click OK.
Next, we need to map the SharePoint client certificate to an EmpowerID Person. Because the SharePoint Web services are claims-based, EmpowerID uses this Person to access those services. Create a new Person account strictly for this purpose.
Step 4 – Map the SharePoint Client Certificate to an EmpowerID Person
- Log in to the EmpowerID Web application as an administrator.
- From the Navigation Sidebar, expand Identities and click People.
- In the Actions pane, click the Create Person Advanced link.
- Enter a first name and a last name for the Person account in the First Name and Last Name fields, respectively. As this Person account serves as a claims identity for the SharePoint Web service, you should name it accordingly. In our example, we are naming the Person "SharePoint Person Service Account."
- Specify a login in the Login field. (This user should never have to log in to EmpowerID.)
- Underneath Primary Business Role and Location, click Select a Role and Location.
- In the Business Role pane of the Business Role and Location selector that appears, type Temp, press ENTER and then click Temporary Role to select it.
- Click the Location tab to open the Location pane and then type Temp, press ENTER and click Temporary Role to select it.
- Click Select to select the Business Role and Location for the Person account and close the Business Role and Location selector.
- Type All Access in the Management Role field and then click the tile for that role to select it.
- Click Save to create the EmpowerID Person.
- Once EmpowerID creates the person, navigate back to Person Manager by clicking the Find People breadcrumb at the top of the page.
- In Person Manager, search for the person you just created and then click the EmpowerID Login link for that person.
This directs you to the View One page for the person. View One pages allow you to view details about an object in EmpowerID and make changes to that object as needed.
- From the View One page for the person, expand the Editable Multivalued Fields accordion and then click the Edit link in the Mapped Login Certificates pane.
- Search for the SharePoint client certificate and then click the tile for the certificate to select it.
- Click the Save link.
Next, we need to create a WS Federation Connection for SharePoint in EmpowerID. We demonstrate this in the section below.
Step 5 – Create a WS-Fed Connection for SharePoint
- From the Configuration Manager application tree, expand the Federation > WS-Federation nodes and then click WS-Federation Connections.
- Click the Add New button located above the Configuration Manager grid. In the WS-Federation Single Sign-On Details screen that appears, do the following:
- Type a name for the WS-Federation connection in the Name field.
- Type a description for the WS-Federation connection in the Description field.
- Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name in the Map to Account Claim Type field.
- Type ~/Resources/Content/Images/Logos/EmpowerIDDark.png in the Image field.
- Select EmpowerID from the Account Store drop-down list.
The screen looks similar to the following image.
- Click Save.
Next, we need to configure a federated trust between the EmpowerID Security Token Service (STS) and your SharePoint.
Step 6 – Configure a federated trust between EmpowerID and SharePoint
- Log in to Workflow Studio as an administrative user and, from Solution Explorer, click the SharePoint tab to view the SharePoint resource system you just added to EmpowerID.
The following steps need to be performed once for each SharePoint farm in your environment.
- Click the node for your SharePoint system and wait for Workflow Studio to load your SharePoint sites.
You should now see your sites in the SharePoint tree under your SharePoint resource system. If your SharePoint sites do not appear in the SharePoint tree, ensure that the SharePoint Management Web Service is enabled on at least one EmpowerID Web Role server and that the SharePoint Agent Server is set on the SharePoint Account Store Details screen.
- From the SharePoint tree, expand the node for your SharePoint site and then right-click your SharePoint Site Collection URL and select Enable SignIn/SignOut with Federation Trust from the context menu.
- Click Yes to confirm that you want to proceed with the overwrite.
- Right-click your SharePoint site collection URL again and select Register Federation Trust Claims Provider from the context menu.
- Click Yes to confirm you want to register the EmpowerID SharePoint Claims Provider.
- Click OK to close the Success message box.
- From the SharePoint tree, right-click your SharePoint site URL again and select Configure Security Token Service Federation Trust from the context menu.
- In the Federation Trust wizard that appears, click Next.
- Select the STS certificate and the Root Authority certificate and then click Next. (This is the Server certificate and the CA for that certificate configured for each EmpowerID Service.)
- Verify that the values for Identity Provider, Passive STS, Service Provider Connection and Realm are correct and click Next. The following image shows what the wizard looks like with the above values entered for our environment.
- Click Next to complete the registration.
- From the SharePoint tree, expand the SharePoint Central Administration node and then right-click the Central Administration site URL and select Open Web Site from the context menu.
- From Central Administration, click Security section and then click the Manage Trust link underneath General Security.
You should see EmpowerID listed as a Trusted Service Provider.
- Click the EmpowerID link to select it and then click the Edit button in the Trust Relationships ribbon.
- In the Establish Trust Relationship dialog that appears, verify the following and then click OK to close the dialog.
- The Root Certificate thumbprint matches the STS root or STS intermediate certificate used in Step 10.
- The Security Token Service (STS) certificate thumbprint matches the STS certificate used in Step 10.
- (Optional) - If the STS certificate used in Step 10 chains to a root certificate that has not yet been added to the SharePoint certificate store, return to the Trust Relationships page and click New.
In the Establish Trust Relationship dialog that appears, type a name of your choosing in the Name field and then click the Browse button under Root Authority Certificate.
- Browse the file system and select the certificate that serves as the root certificate in the STS certificate chain and click OK.
- Click OK to close the Establish Trust Relationship dialog.
Now that the federated trust has been configured, you can convert your SharePoint sites from Windows Auth to Claims-based. We demonstrate this below.
Step 7 – Convert existing SharePoint sites to Claims Auth
The following steps need to be performed for each SharePoint web application that you wish to use Claims-based Authentication.
- In Workflow Studio, right-click the root SharePoint site collection of the SharePoint web application that you wish to convert from Windows authentication to claims-based and select Use Claims-based Authentication Provider from the context menu.
- Click Yes to confirm you want to use EmpowerID as a claims-based authentication provider for the site collection.
- Click OK to close the Success message box.
- Back in the SharePoint tree of Workflow Studio, right-click the SharePoint site collection and select Recycle Web Server (IIS Reset) to Reset IIS one more time.
- Click Yes to reset IIS.
- Click OK to close the IIS reset completed message box.
- From the SharePoint tree, expand the SharePoint Central Administration node and then right-click the Central Administration site URL and select Open Web Site from the context menu.
- In the SharePoint Central Administration page that appears, under the Application Management section, click Manage web applications.
- In the Web Applications Management page that appears, click the SharePoint web application you are federating with EmpowerID and then click the Authentication Providers button in the ribbon.
- In the Authentication Providers dialog that appears, click the desired SharePoint zone for the SharePoint web application you are federating with EmpowerID.
- In the Edit Authentication page that appears, scroll to the Claims Authentication Types pane, select Trusted Identity Provider and then select EmpowerID.
- Scroll down to the bottom of the Edit Authentication page and click Save.
The following steps need to be performed for each SharePoint site collection that resides within a SharePoint web application that uses Claims-based Authentication.
- From Central Administration, click Application Management and then click Change site collection administrators under Site Collections.
- In the Site Collection Administrators page, click the Browse button to the right of the Secondary site collection administrator field.
- In the Select People dialog that appears, click the People node under the EmpowerID Identity Provider node and then click EmpowerID Built-In Administrator. This is necessary to allow the EmpowerID Administrator the ability to log in to the SharePoint site to set permissions for your EmpowerID users once the site has been converted.
- Click OK to close the Select People dialog and then click OK to close the Site Collection Administrators page.
The following steps need to be performed for each SharePoint server that services the web application being federated.
- From the SharePoint tree of Workflow Studio, right-click the SharePoint site again and select Configure Web.Config for Security Token Service Federation Trust from the context menu.
Make a backup of the Web.config file before proceeding with the steps below.
- In the EmpowerID STS SharePoint Web.Config Configuration dialog that appears, do the following:
  - Ensure the Site Collection, Passive STS, and Realm fields are populated correctly. If any are incorrect, add the correct values.
  - Select the Relying Party certificate from the Relying Party Certificate drop-down. (This is the same Server certificate configured for each EmpowerID Service.)
  - Click the Web.Config button (...) and type the path to the Web.config file for your SharePoint site in the dialog. By default, this file is located at "\\servername\c$\inetpub\wwwroot\wss\VirtualDirectories\".
  - Ensure that both the Passive STS Require STS and Create Federation Trust with EmpowerID based on the RP certificate, Realm and Site Collection if one does not already exist options are selected.
  - Ensure that the Realm value is the FQDN of your SharePoint server and/or load balancer with /_trust appended.
The EmpowerID STS SharePoint Web.Config Configuration dialog looks similar to the following image:
- Click the Update Web.Config button.
- Click Yes in the Confirmation message box.
- Click OK to close the Success message box.
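The following script is an added example, not part of the EmpowerID guide: run in the SharePoint Management Shell on a farm server, it verifies that the trust from Step 6 (Manage Trust, claims provider registration, realm) and the conversion from Step 7 (claims authentication on the web application, EmpowerID site collection administrator) are in place. The web application URL, the provider name (assumed to be EmpowerID, as shown under Manage Trust) and the expected STS thumbprint are parameters you supply; the script changes nothing.

```powershell
# Added example, not part of the EmpowerID guide: verify from the SharePoint
# Management Shell that the trust from Step 6 and the claims conversion from
# Step 7 are in place. You supply the web application URL; the provider name
# and STS thumbprint are optional. Nothing is changed.
param(
    [Parameter(Mandatory = $true)] [string] $WebApplicationUrl,   # e.g. https://sharepoint.example.com (placeholder)
    [string] $ProviderName = 'EmpowerID',                           # name shown under Manage Trust and Trusted Identity Provider
    [string] $ExpectedStsThumbprint = ''                            # EmpowerID STS certificate thumbprint, if you want it compared
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$findings = New-Object 'System.Collections.Generic.List[string]'
function Report([string]$Status, [string]$Text) { $script:findings.Add(('[{0}] {1}' -f $Status, $Text)) }

# 1. Manage Trust: the STS root must be a trusted root authority in the farm.
$roots = @(Get-SPTrustedRootAuthority | Where-Object { $_.Name -like "*$ProviderName*" })
if ($roots.Count -gt 0) {
    foreach ($r in $roots) { Report 'OK' "Trusted root authority '$($r.Name)': $($r.Certificate.Subject), thumbprint $($r.Certificate.Thumbprint)" }
} else {
    Report 'FAIL' "No trusted root authority named like '*$ProviderName*' (Central Administration > Security > Manage Trust)"
}

# 2. The trusted identity token issuer that SharePoint uses as the claims provider.
$issuer = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $ProviderName }
if (-not $issuer) {
    Report 'FAIL' "No trusted identity token issuer named '$ProviderName' (Register Federation Trust Claims Provider)"
} else {
    $cert = $issuer.SigningCertificate
    Report 'OK' "Issuer '$($issuer.Name)': passive STS $($issuer.ProviderUri), signing thumbprint $($cert.Thumbprint)"
    if ($ExpectedStsThumbprint -and ($cert.Thumbprint -ne ($ExpectedStsThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())) {
        Report 'FAIL' 'Issuer signing certificate does not match the expected EmpowerID STS thumbprint'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Report 'WARN' "Issuer signing certificate expires on $($cert.NotAfter)" }
    # The guide sets the realm to the SharePoint FQDN (or load balancer) with /_trust appended.
    $realms = @($issuer.DefaultProviderRealm) + @($issuer.ProviderRealms.Values) | Where-Object { $_ }
    if ($realms | Where-Object { $_ -like '*/_trust*' }) { Report 'OK' "Realm(s): $($realms -join ', ')" }
    else { Report 'FAIL' "No realm ends in /_trust (found: $($realms -join ', '))" }
}

# 3. The web application must be claims-based and list the provider in its Default zone.
$wa = Get-SPWebApplication -Identity $WebApplicationUrl
if (-not $wa.UseClaimsAuthentication) { Report 'FAIL' "$($wa.DisplayName) still uses classic (Windows) authentication" }
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$providers = @($wa.GetIisSettingsWithFallback($zone).ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName })
if ($providers -contains $ProviderName) { Report 'OK' "Default zone providers: $($providers -join ', ')" }
else { Report 'FAIL' "Default zone does not list '$ProviderName' (Authentication Providers > Trusted Identity Provider)" }

# 4. Each site collection should have an EmpowerID claims identity among its administrators;
#    otherwise no EmpowerID user can set permissions after the conversion.
$claimsPattern = "i:0?.t|$ProviderName|*"   # login-name encoding SharePoint uses for trusted-provider identities
foreach ($site in $wa.Sites) {
    $admins = @($site.Owner, $site.SecondaryContact) | Where-Object { $_ }
    if ($admins | Where-Object { $_.LoginName -like $claimsPattern }) {
        Report 'OK' "$($site.Url) has a $ProviderName site collection administrator"
    } else {
        Report 'WARN' "$($site.Url) has no $ProviderName site collection administrator (Change site collection administrators)"
    }
    $site.Dispose()
}

$findings
```

Any FAIL line maps back to the Central Administration page named in parentheses; re-run after fixing, and after the IIS reset, before moving on to Step 8.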
Step 8 – Configure a Trusted Endpoint for a DNS alias
- If you have an external DNS alias for your SharePoint site, log in to Workflow Studio and click the Application Menu, click the Management Tools link and then click Trusted EndPoint Configuration.
- On the Trusted EndPoint Configuration tab, on the right-hand side under Certificates, right-click your certificate and choose Add New Trust URI.
- Enter the external DNS alias of your SharePoint environment appended with /_trust and click OK.
Now that EmpowerID has been configured as a claims provider for the SharePoint Site Collection, you need to turn on inventory and enable SharePoint Group Enforcement claims in EmpowerID. We demonstrate this below.
Step 9 – Enable inventory and claims enforcement
- Return to the SharePoint Account Store Details screen in the EmpowerID Management Console.
- In the Inventory pane of the SharePoint Account Store Details screen, toggle the Enable Inventory button from a red sphere to a green check box to enable EmpowerID to inventory your SharePoint objects.
- In the SharePoint Group Claim Enforcement pane of the SharePoint Account Store Details screen, toggle the Enable this Functionality button from red sphere to a green check box to enable SharePoint Group Claim Enforcement to occur.
Now that EmpowerID has been configured as a claims provider for the SharePoint Site Collection, you can (optionally) grant permissions to your EmpowerID users for SharePoint access. We demonstrate this below by granting all EmpowerID Business Roles membership to the Viewers SharePoint group.
Step 10 – Grant SharePoint permissions to EmpowerID users
- From Workflow Studio, right-click the SharePoint Site and select Grant Business Role and Location Permission to SharePoint Group from the context menu.
- In the Business Role and Location Selector that opens, select the desired Business Role from the Business Roles tree and the desired location from the Locations tree and then click OK. In our example, we have selected Any Role in Anywhere.
- In the Grant Business Role and Location Permission dialog that appears, select the desired SharePoint group(s) from the lower pane and then click OK.
- Click Yes to confirm your decision.
Your EmpowerID users should now be able to log in to the SharePoint site using EmpowerID as the claims provider. You can test this by navigating to the SharePoint site from your browser. You are redirected to the EmpowerIDWebIdPWSFederation application, where you are prompted to enter your EmpowerID credentials.
- Enter your credentials and click Login. You are authenticated in EmpowerID and redirected to the SharePoint site.
If you have customized SharePoint master pages for any Web application, you must add the Any Role in Anywhere Business Role and Location to the User Policy for that Web application; otherwise, SharePoint will deny your EmpowerID users access to your SharePoint sites.
- From Workflow Studio, right-click the SharePoint Site and select Apply EmpowerID Any Role in Anywhere Policies from the context menu.
- Make sure that the Any Role and Anywhere nodes are selected in the Business Role and Location Selector and then click OK.