Federating SharePoint with EmpowerID

You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

In an environment with Microsoft SharePoint, you can configure EmpowerID as a claims-based authentication provider for your SharePoint farm. Using EmpowerID in this way extends EmpowerID's RBAC model to your corporate SharePoint environment, giving you greater flexibility and control over how you assign users' access. Before configuring EmpowerID as a SharePoint claims provider, the following prerequisites must be met:

Prerequisites

 

  • A network-reachable EmpowerID Web Role server (over port 443) must be configured for SSL and SAML SSO Claims.

  • The EmpowerID SharePoint 2013 Web Services package (for SharePoint 2013) or EmpowerID SharePoint 2016 Web Services package (for SharePoint 2016) must be installed on all SharePoint servers in the farm. Doing so makes the following changes to the SharePoint servers:

    • It adds a new TheDotNetFactory key to the registry with EmpowerID and Federation subkeys.

    • It creates a new Web application, named either EmpowerIDWebService45 (for SharePoint 2013) or EmpowerIDWebService4516 (for SharePoint 2016), and an application pool for that application in IIS, named either EmpowerIDSharePoint2013 or EmpowerIDSharePoint2016.

    • It adds the EmpowerID.BPM.SharePoint.EventReceiver2013 (for SharePoint 2013) or EmpowerID.BPM.SharePoint.EventReceiver2016 (for SharePoint 2016) assembly to the GAC.

  • The public key of the SharePoint SSL certificate and the private key of the client certificate must be exported to the EmpowerID Web Role server.

  • The public key and root of the EmpowerID federation (STS) certificate must be exported to each SharePoint server in the farm. This is what allows SharePoint to validate the signatures on the security tokens that the EmpowerID STS issues; a public key cannot authenticate SharePoint to EmpowerID, that is the job of the client certificate above.

  • The EmpowerID > Federation key of each SharePoint server in the farm must have its values configured for EmpowerID. These Federation key values include the following:

    • SPVersion - Specifies the version of SharePoint.

    • EmpowerIDServerFQDN - Specifies the fully qualified domain name of the EmpowerID Web Role server.

    • ClientAuthCertificate - Specifies the certificate that SharePoint uses to authenticate to the EmpowerID Web services. The public key for this certificate must be installed on the EmpowerID Web Role server.

    • FederationCertificate - Specifies the EmpowerID federation (STS) certificate. The public key for this certificate must be installed on the SharePoint server.

    • APILogExceptionsPath - Specifies the folder path in which to log hidden exceptions. This is used only for diagnosis.

    • ExcludedWebApplications - Specifies a list of Web application URLs to exclude from the UserInfo table sync.

    • SPServerSSLCertificate - Specifies the SSL certificate on the SharePoint server. The public key for the certificate must be installed on the EmpowerID Web Role server.

  • The identity associated with the EmpowerIDSharePoint2013 (for SharePoint 2013) or the EmpowerIDSharePoint2016 (for SharePoint 2016) application pool on each SharePoint server must be changed from NetworkService to an identity that has the following rights:

    • Local administrator

    • Farm admin within SharePoint

    • Web application policy user within SharePoint for each site collection configured for EmpowerID claims augmentation

    • DBO permissions to the Content Databases, Central Admin databases and EmpowerID database

  • The identity associated with the EmpowerIDSharePoint2013 (for SharePoint 2013) or the EmpowerIDSharePoint2016 (for SharePoint 2016) application pool must be registered with the User Profile Service application.

  • The identity associated with the EmpowerIDSharePoint2013 (for SharePoint 2013) or the EmpowerIDSharePoint2016 (for SharePoint 2016) application pool must be registered as a Managed Account in SharePoint.

Because this identity is a local administrator, a farm administrator and DBO on every content database as well as the EmpowerID database, treat it as a privileged service account: create it for this application pool only, do not reuse it for any other service or for interactive logon, and manage its password through your privileged-credential process.
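The following PowerShell script is an added pre-flight check written for this page; it is not part of the EmpowerID SharePoint Web Services package or the vendor's guide. Run it in an elevated PowerShell session on each SharePoint server once the package is installed and the Federation key has been populated. It assumes the Federation key lives at HKLM:\SOFTWARE\TheDotNetFactory\EmpowerID\Federation (the guide names the key hierarchy but not the hive path), that ClientAuthCertificate, FederationCertificate and SPServerSSLCertificate hold certificate thumbprints, and that the application pool name is passed in (EmpowerIDSharePoint2016 by default); adjust those to match your installation.

```powershell
# Added pre-flight check for the EmpowerID SharePoint prerequisites; not part of the
# EmpowerID package. Run elevated on each SharePoint server after the Web Services
# package is installed. ASSUMED: the Federation key path below (the guide names the
# keys, not the hive path) and that the three certificate values are thumbprints.
param(
    [string]$FederationKey = 'HKLM:\SOFTWARE\TheDotNetFactory\EmpowerID\Federation',
    [string]$AppPoolName   = 'EmpowerIDSharePoint2016'   # EmpowerIDSharePoint2013 on SharePoint 2013
)
$script:problems = 0
function Fail([string]$Message) { Write-Warning $Message; $script:problems++ }

function Find-LocalCert([string]$Thumbprint) {
    # Thumbprints pasted from the certificate MMC often carry spaces or an invisible
    # leading character, so normalise before comparing.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
}

# 1. Every Federation value the guide lists as required must be present.
if (-not (Test-Path $FederationKey)) {
    Fail "Key $FederationKey not found; install the EmpowerID SharePoint Web Services package first."
    return
}
$fed = Get-ItemProperty -Path $FederationKey
foreach ($name in 'SPVersion', 'EmpowerIDServerFQDN', 'ClientAuthCertificate',
                  'FederationCertificate', 'SPServerSSLCertificate') {
    if ([string]::IsNullOrWhiteSpace($fed.$name)) { Fail "Federation value '$name' is missing or empty." }
}
if (@('2013', '2016') -notcontains $fed.SPVersion) { Fail "SPVersion is '$($fed.SPVersion)'; expected 2013 or 2016." }

# 2. The certificates referenced by thumbprint must actually be installed here.
$ssl = Find-LocalCert $fed.SPServerSSLCertificate
if (-not $ssl) { Fail 'SPServerSSLCertificate thumbprint is not in the LocalMachine store.' }
elseif (-not $ssl.HasPrivateKey) { Fail 'SPServerSSLCertificate has no private key here; it must be the certificate bound to the SharePoint site.' }

if (-not (Find-LocalCert $fed.ClientAuthCertificate)) { Fail 'ClientAuthCertificate thumbprint is not in the LocalMachine store.' }

$sts = Find-LocalCert $fed.FederationCertificate
if (-not $sts) { Fail 'FederationCertificate (EmpowerID STS) thumbprint is not in the LocalMachine store.' }
else {
    # The guide also requires the STS certificate's root; prove it by building the
    # chain offline against this server's stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($sts)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Fail "FederationCertificate does not chain to a trusted root on this server ($status)."
    }
    if ($sts.NotAfter -lt (Get-Date).AddDays(30)) { Fail "FederationCertificate expires $($sts.NotAfter); plan the rollover now." }
}

# 3. The application pool must no longer run as NetworkService.
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-ItemProperty -Path "IIS:\AppPools\$AppPoolName" -ErrorAction SilentlyContinue
if (-not $pool) { Fail "Application pool '$AppPoolName' not found in IIS." }
elseif ($pool.processModel.identityType -ne 'SpecificUser') {
    Fail "Application pool '$AppPoolName' runs as $($pool.processModel.identityType); it must run as the dedicated service account."
}
else { Write-Host "Application pool '$AppPoolName' runs as $($pool.processModel.userName)." }

# 4. The EmpowerID Web Role server must answer on 443 with a certificate this server trusts.
$fqdn = $fed.EmpowerIDServerFQDN
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($fqdn, 443)
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $tls.AuthenticateAsClient($fqdn)   # throws if the server certificate fails validation or the name does not match
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    Write-Host "EmpowerID Web Role $fqdn answered on 443 with '$($remote.Subject)' ($($remote.Thumbprint))."
    $tls.Dispose(); $tcp.Close()
}
catch { Fail "Cannot complete a TLS handshake with $fqdn on 443: $($_.Exception.Message)" }

if ($script:problems -eq 0) { Write-Host 'All EmpowerID SharePoint prerequisites verified on this server.' }
else { Write-Warning "$($script:problems) prerequisite problem(s) found; fix them before creating the account store." }
```

On a SharePoint 2013 server run it with -AppPoolName EmpowerIDSharePoint2013. The TLS handshake in the last check validates against the Windows trust store, so a failure there usually means the root of the EmpowerID Web Role server's certificate has not been imported on this server, which is the same requirement the certificate bullets above describe.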

Once you have met the above prerequisites, you can configure the federated trust between EmpowerID and your SharePoint farm.

Step 1 – Create a SharePoint account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.

  2. From the Actions pane, click Create Account Store.



  3. Search for and select Microsoft SharePoint as the System Type and then click Submit.



  4. In the SharePoint Settings page that appears, enter a Name, Display Name, and the Fully Qualified Name for the SharePoint account store and then click Submit.

Next, configure the SharePoint account store.

Step 2 - Configure the SharePoint account store

  1. From the Account Stores page, search for the SharePoint account store you just created and click its link in the grid.

    This directs you to the Account Store Details page, where you can edit the account store and the associated resource system settings as needed.


  2. From the Account Store Details page, click the pencil icon to put the account store in edit mode.



  3. From the Settings tab of the Account Store Details edit page, do the following:

    1. Select Allow Provisioning (By RET) if you want EmpowerID to create a Profile record in the SharePoint Profile store. This record is owned by a Person and is used to flow attribute changes to and from the SharePoint Profile record.

    2. Select Allow Deprovisioning (By RET) if you want EmpowerID to delete the Profile record in the SharePoint Profile store when the corresponding EmpowerID Person is deprovisioned or loses this RET policy. SharePoint Profiles exist in a One-to-One relationship with Person objects in EmpowerID.

    3. Select Allow Account Creation On Membership Request to allow users without accounts to request group membership and automatically have an account created.

  4. From the Enforcement tab, select Rights Enforcement Enabled and then select the appropriate type of enforcement from the Enforcement Type drop-down. When selecting an enforcement type, you have the following options:

    • No Action — No rights enforcement action occurs.

    • Projection with No Enforcement — Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native SharePoint environment.

    • Projection with Enforcement — Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native SharePoint environment. This is the default setting.

    • Projection with Strict Enforcement — EmpowerID overrides any changes made in the native SharePoint environment. All changes made must occur within EmpowerID to be accepted. Strict Enforcement only applies to SharePoint Groups.

  5. Click 

  6. In the SharePoint Group Enforcement pane of the Account Store Details screen, toggle the Enable this Functionality button from red sphere to a green check box to enable SharePoint Group Claim Enforcement to occur.

Next, add the SharePoint configuration settings to the SharePoint Resource System that EmpowerID created for the connected SharePoint server.

To add the SharePoint configuration settings

  1. In Configuration Manager, click the Resource Systems tree node and then double-click the SharePoint Resource System or right-click it and select Edit from the context menu. 



  2. Click the Settings tab in the SharePoint Resource System screen. 



  3. Click Add New and then do the following:

    1. Type SPVersion in the Name field.

    2. Type your SharePoint version (2013 or 2016) in the Value field.

    3. Click Save.

  4. Click Add New again and then do the following:

    1. Type SPServerFQDN in the Name field.

    2. Type the fully qualified domain name of your SharePoint server in the Value field.

    3. Click Save.

  5. Click Add New again and then do the following:

    1. Type SPServerClientCertificate in the Name field.

    2. Type the thumbprint of the client certificate in the Value field. This is the SharePoint server certificate that EmpowerID uses to authenticate to the SharePoint Web services.

    3. Click Save.

  6. Click Add New again and then do the following:

    1. Type SPServerSSLCertificate in the Name field.

    2. Type the thumbprint of the SSL certificate in the Value field. This is the SharePoint SSL certificate that EmpowerID uses to create the endpoint identity for the SharePoint Web services.

    3. Click Save.

When you have completed the above, the Settings tab lists four Name/Value pairs: SPVersion, SPServerFQDN, SPServerClientCertificate and SPServerSSLCertificate. The Names must match exactly as given above; the Values differ according to your environment.

Next, we need to add the SharePoint certificates to the EmpowerID Certificate store. We demonstrate this in the section below.

 

Step 3 – Add the SharePoint Certificates to EmpowerID

  1. In Configuration Manager, expand the EmpowerID Servers and Role node in the application navigation tree and then click the Manage Certificates node.

  2. Click the Add New button located above the Certificates grid and select From Local Store from the context menu.



  3. In the Windows Security dialog that appears, select the SharePoint SSL certificate you exported earlier, click OK and then click No when asked if the certificate requires a password. If you are using the EmpowerID SSL/STS certificate for your SharePoint server you can skip to step 5 below.

  4. Click Add New again and select From Local Store.

  5. In the Windows Security dialog that appears, select the SharePoint client certificate you exported earlier, click OK and then click Yes when asked if the certificate requires a password.

  6. Type the password for the certificate and then click OK.

 

Next, we need to map the SharePoint client certificate to an EmpowerID Person. Because the SharePoint Web services are claims-based, EmpowerID uses this Person to access those services. Create a new Person account strictly for this purpose.

 

Step 4 – Map the SharePoint Client Certificate to an EmpowerID Person

  1. Log in to the EmpowerID Web application as an administrator.

  2. From the Navigation Sidebar, expand Identities and click People.



  3. In the Actions pane, click the Create Person Advanced link.

  4. Enter a first name and a last name for the Person account in the First Name and Last Name fields, respectively. As this Person account serves as a claims identity for the SharePoint Web service, you should name it accordingly. In our example, we are naming the Person "SharePoint Person Service Account."

  5. Specify a login in the Login field. (This user should never have to log in to EmpowerID.)

  6. Underneath Primary Business Role and Location, click Select a Role and Location.

  7. In the Business Role pane of the Business Role and Location selector that appears, type Temp, press ENTER and then click Temporary Role to select it.



  8. Click the Location tab to open the Location pane and then type Temp, press ENTER and click Temporary Role to select it.



  9. Click Select to select the Business Role and Location for the Person account and close the selector.

  10. Type All Access in the Management Role field and then click the tile for that role to select it. All Access grants broad rights in EmpowerID; this Person exists only to carry the certificate mapping for the SharePoint Web services, so do not use it for anything else and protect the private key of the certificate you map to it below.



  11. Click Save to create the EmpowerID Person.

  12. Once EmpowerID creates the person, navigate back to Person Manager by clicking the Find People breadcrumb at the top of the page.

  13. In Person Manager, search for the person you just created and then click the EmpowerID Login link for that person.



    This directs you to the View One page for the person. View One pages allow you to view details about an object in EmpowerID and make changes to those objects as needed.


  14. From the View One page for the person, expand the Editable Multivalued Fields accordion and then click the Edit link in the Mapped Login Certificates pane.



  15. Search for the SharePoint client certificate and then click the tile for the certificate to select it.



  16. Click the Save link.

 

Next, we need to create a WS Federation Connection for SharePoint in EmpowerID. We demonstrate this in the section below.

 

Step 5 – Create a WS-Fed Connection for SharePoint

  1. From the Configuration Manager application tree, expand the Federation > WS-Federation nodes and then click WS-Federation Connections.



  2. Click the Add New button located above the Configuration Manager grid. In the WS-Federation Single Sign-On Details screen that appears, do the following:

    1. Type a name for the WS-Federation connection in the Name field.

    2. Type a description for the WS-Federation connection in the Description field.

    3. Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name in the Map to Account Claim Type field.

    4. Type ~/Resources/Content/Images/Logos/EmpowerIDDark.png in the Image field.

    5. Select EmpowerID from the Account Store drop-down list.

      The screen looks similar to the following image.



  3. Click Save.

Next, we need to configure a federated trust between the EmpowerID Security Token Service (STS) and your SharePoint farm.

Step 6 – Configure a federated trust between EmpowerID and SharePoint

  1. Log in to Workflow Studio as an administrative user and from Solution Explorer, click the SharePoint tab to view the SharePoint resource system you just added to EmpowerID. 



  2. Click the node for your SharePoint system and wait for Workflow Studio to load your SharePoint sites.

    You should now see your sites in the SharePoint tree under your SharePoint resource system.

  3. From the SharePoint tree, expand the node for your SharePoint site and then right-click your SharePoint Site Collection URL and select Enable SignIn/SignOut with Federation Trust from the context menu.



  4. Click Yes to confirm that you want to proceed with the overwrite.

  5. Right-click your SharePoint site collection URL again and select Register Federation Trust Claims Provider from the context menu.



  6. Click Yes to confirm you want to register the EmpowerID SharePoint Claims Provider.

  7. Click OK to close the Success message box.

  8. From the SharePoint tree, right-click your SharePoint site URL again and select Configure Security Token Service Federation Trust from the context menu.



  9. In the Federation Trust wizard that appears, click Next.



    1. Select the STS certificate and the Root Authority certificate and then click Next. (These are the server certificate configured for each EmpowerID service and the CA that issued it.)



    2. Verify that the values for Identity Provider, Passive STS, Service Provider Connection and Realm are correct and click Next. The following image shows what the wizard looks like with the above values entered for our environment.



    3. Click Next to complete the registration.

  10. From the SharePoint tree, expand the SharePoint Central Administration node and then right-click the Central Administration site URL and select Open Web Site from the context menu.



  11. From Central Administration, click Security and then click Manage trust under General Security.



    You should see EmpowerID listed as a Trusted Service Provider.

  12. Click the EmpowerID link to select it and then click the Edit button in the Trust Relationships ribbon.



  13. In the Establish Trust Relationship dialog that appears, verify the following and then click OK to close the dialog.

    • The Root Certificate thumbprint matches the STS root or STS intermediate certificate selected in step 9.

    • The Security Token Service (STS) certificate thumbprint matches the STS certificate selected in step 9.



  14. (Optional) If the STS certificate selected in step 9 chains to a root certificate that has not yet been added to the SharePoint certificate store, return to the Trust Relationships page and click New.



    In the Establish Trust Relationship dialog that appears, type a name of your choosing in the Name field and then click the Browse button under Root Authority Certificate.


  15. Browse the file system and select the certificate that serves as the root certificate in the STS certificate chain and click OK.

  16. Click OK to close the Establish Trust Relationship dialog.

Now that the federated trust has been configured, you can convert your SharePoint sites from Windows Auth to Claims-based. We demonstrate this below.

Step 7 – Convert existing SharePoint sites to Claims Auth

The following steps need to be performed for each SharePoint web application for which you want to use claims-based authentication.

  1. In Workflow Studio, right-click the root SharePoint site collection of the SharePoint web application that you wish to convert from Windows authentication to claims-based and select Use Claims-based Authentication Provider from the context menu.



    1. Click Yes to confirm you want to use EmpowerID as a claims-based authentication provider for the site collection.

    2. Click OK to close the Success message box.

  2. Back in the SharePoint tree of Workflow Studio, right-click the SharePoint site collection and select Recycle Web Server (IIS Reset) to reset IIS again.



    1. Click Yes to reset IIS.

    2. Click OK to close the IIS reset completed message box.

  3. From the SharePoint tree, expand the SharePoint Central Administration node and then right-click the Central Administration site URL and select Open Web Site from the context menu.



  4. In the SharePoint Central Administration page that appears, under the Application Management section, click Manage web applications.



  5. In the Web Applications Management page that appears, click the SharePoint web application you are federating with EmpowerID and then click the Authentication Providers button in the ribbon.



  6. In the Authentication Providers dialog that appears, click the desired SharePoint zone for the SharePoint web application you are federating with EmpowerID.



  7. In the Edit Authentication page that appears, scroll to the Claims Authentication Types pane, select Trusted Identity Provider and then select EmpowerID.



  8. Scroll down to the bottom of the Edit Authentication page and click Save.
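The following PowerShell is an added verification for Steps 6 and 7; it is not taken from the guide or from the EmpowerID product. It runs in the SharePoint Management Shell on a farm server and checks what the Central Administration pages above show by hand: the trusted identity token issuer, the certificate it validates tokens with, the SharePoint trusted root authorities that chain that certificate, the claims provider registered for the issuer, and the authentication providers enabled on the web application zone. The issuer name EmpowerID and the Default zone are assumptions taken from the screens described above; the STS thumbprint and the web application URL are parameters you supply.

```powershell
# Added verification for Steps 6 and 7; not part of the EmpowerID guide or product.
# Run in the SharePoint Management Shell on a farm server. ASSUMED: the trusted identity
# provider is registered as "EmpowerID" (as shown in Central Administration above) and
# the Default zone was converted; override both with parameters if your farm differs.
param(
    [Parameter(Mandatory = $true)][string]$WebAppUrl,
    [Parameter(Mandatory = $true)][string]$ExpectedStsThumbprint,
    [string]$ProviderName  = 'EmpowerID',
    [string]$Zone          = 'Default',
    [string]$IdentityClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
$script:problems = 0
function Fail([string]$Message) { Write-Warning $Message; $script:problems++ }
$expected = ($ExpectedStsThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Trusted identity token issuer (Step 6): the trust is only as good as the
#    certificate SharePoint validates tokens with, so compare it to the real STS cert.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName -ErrorAction SilentlyContinue
if (-not $issuer) { Fail "No trusted identity token issuer named '$ProviderName' exists in the farm."; return }
$signing = $issuer.SigningCertificate
if ($signing.Thumbprint -ne $expected) {
    Fail "Issuer '$ProviderName' validates tokens with $($signing.Thumbprint), expected $expected."
}
if ($signing.NotAfter -lt (Get-Date).AddDays(30)) { Fail "STS signing certificate expires $($signing.NotAfter)." }
if ($issuer.IdentifierClaim -ne $IdentityClaim) {
    Fail "Identifier claim is '$($issuer.IdentifierClaim)'; the WS-Federation connection maps accounts on '$IdentityClaim'."
}

# SharePoint chains the STS certificate against its own trusted root authority list
# (Manage trust), not the Windows store, so every certificate above the leaf must be there.
$roots = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate })
$rootThumbs = @($roots | ForEach-Object { $_.Thumbprint })
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
foreach ($r in $roots) { [void]$chain.ChainPolicy.ExtraStore.Add($r) }
[void]$chain.Build($signing)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
# A self-signed STS certificate is its own root and must itself be a trusted root authority.
$mustTrust = if ($elements.Count -gt 1) { $elements[1..($elements.Count - 1)] } else { $elements }
foreach ($c in $mustTrust) {
    if ($rootThumbs -notcontains $c.Thumbprint) {
        Fail "'$($c.Subject)' ($($c.Thumbprint)) is in the STS chain but is not a SharePoint trusted root authority."
    }
}

# The claims provider registered for the issuer in Step 6 must resolve.
if ($issuer.ClaimProviderName -and -not (Get-SPClaimProvider -Identity $issuer.ClaimProviderName -ErrorAction SilentlyContinue)) {
    Fail "Claims provider '$($issuer.ClaimProviderName)' referenced by the issuer is not registered."
}

# 2. Web application zone (Step 7): claims mode on, EmpowerID enabled as a trusted provider.
$wa = Get-SPWebApplication -Identity $WebAppUrl -ErrorAction SilentlyContinue
if (-not $wa) { Fail "Web application $WebAppUrl not found."; return }
if (-not $wa.UseClaimsAuthentication) { Fail "$WebAppUrl is still in classic (Windows) authentication mode." }
$providers = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone $Zone)
$trusted = $providers | Where-Object {
    $_ -is [Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider] -and $_.LoginProviderName -eq $ProviderName
}
if (-not $trusted) { Fail "'$ProviderName' is not enabled as an authentication provider on the $Zone zone of $WebAppUrl." }
if ($providers | Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }) {
    Write-Host "Windows authentication is still enabled on the $Zone zone alongside '$ProviderName'."
}

if ($script:problems -eq 0) { Write-Host "Federated trust '$ProviderName' and claims authentication on $WebAppUrl ($Zone zone) verified." }
else { Write-Warning "$($script:problems) problem(s) found." }
```

Take the expected thumbprint from the EmpowerID STS certificate itself, not from the Manage trust page; otherwise the check only confirms that SharePoint trusts whatever certificate happened to be registered. If the script reports that Windows authentication is still enabled on the zone, users will be offered a sign-in selector between Windows and EmpowerID; that is the expected state after the steps above, which add EmpowerID as a provider without removing Windows authentication.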