The procedures in this article describe how to configure AD FS to act as an Identity Provider Security Token Service (IP-STS) for a SharePoint 2013 web application and Provider Hosted APP (SharePoint Add-In). In this configuration, AD FS issues SAML-based security tokens consisting of claims so that client computers can access web applications that use claims-based authentication. You can use an alternative identity provider than AD FS, but it must support the WS-Federation standard.
Have a brief view on the major benefits of using AD FS in SharePoint solution:
- Web single sign-on (SSO) – Federated Partners outside the organization can access organization’s Web-based applications, with Web SSO, an extensive feature of AD FS.
- Partner user account management not required – Free from tiresome process of resetting and maintaining partner’s credentials. Also, if partnership terminates, the procedure can be performed with a single trust policy change.
- AD FS Microsoft Management Console (MMC) – Core and centralized part of ADFS to perform management activities for Federal Partners.
- Extensible architecture – This is more beneficial at times of claim processing. Claim processing and mapping comprises of adding and modifying claims by using business logics and AD FS trust policy.
Steps below present the technique to configure the Single Sign on between Provider Hosted App based on SharePoint Development on SharePoint Server.
(Prerequisite: SQL Server 2008/2012 must be installed.)
Follow below steps to configure ADFS:
- Click on “Add role and features” from server manager.
- In the respective wizard, select the options mentioned below and click on Next
- Installation Type screen.
- On Sever Selection screen, click on Select a server from the server pool
- On Server Roles screen, click on Active Directory Certificates Services, Active Directory Domain Services and Active Directory Federation Services.
- On Features screen, click on features based on requirements
- Click on AD FS. Then further, Click on Next for AD CS
- On Role Services screen, click on Certification Authority for Domain Certificate
- AD DS screen will be available
- On Confirmation screen, click on Install.
If all the above steps are sequentially performed, then it will successfully install. After installation, configure it as follows (Note: All services should be configured without an error as below & green colour showing configuration done successfully)
- On Server Manager Dashboard, Click on AD FS
- Click on More link display in yellow ribbon for Configuration AD FS
- Click on Configure
- After clicking on Next follow the wizard sequentially and opt the options accordingly,
- Select Create the first federation server in a federation server farm
- Click on Change button to select user on Connect to AD DS screen.
- On Specify Service Properties screen, select Domain Certificate from drop down list and enter Federation Service Name and Federation Service Display Name.
- On Specify Service Account screen, select Use an existing domain user account or group managed service account. Here, mainly specify service configuration is done.
After performing each step, Specify Service Account will be seen.
- On Specify Service Account screen, enter correct password in Account Password text box.
- Click on Next On Specify Database screen, select Create a database on this server using Windows Internal Database
- Click on Next On Review options screen, you can view that the database is created successfully.
- Click on Next On Pre-requisite checks screen, check that pre-requisite is configured properly and click on Configure.
- To check its configured properly or not open below URL: https://<<FQDN>>/adfs/ls/IdpInitiatedSignon.aspx
- Enter valid credentials and click on Sign in button.
- It will show Log Out screen.
- Click on Sign Out to sign out successfully.
After performing above mentioned, proceed ahead for provider hosted app creation.
Provider Hosted APP (SharePoint Add-In) Creation Demo
Registering APP in SharePoint Server and Hosting App in another Non-SharePoint Server. Follow below steps to register app:
Create Register id from SharePoint 2013 site: –
- Open created developer site in browser
- Append _layouts/15/appregnew.aspx text in browser as below image
- Click on Generate button of App Id (code will automatically generate in textbox)
- Click on Generate button App Secret (code will automatically generate in textbox)
- Please fill remaining field (here you can change your domain name)
- Click on OK button.
- All id will be displayed as below image
- Copy all id and saved it notepad file. (This id will be changed in project’s web.config file)
Need to create Provider Hosted App in Visual Studio 2012 or later. After creating it, publish the Provider hosted app then follow step 3 to host app in IIS and update app keys into the web.config file.
Create web application in IIS
- Open run command and type inetmgr or open IIS
- Right click on sites and select Add website
- Fill the form as below and click on OK button:
ADFS Relying Party Demo – Provider Hosted APP
Configuration provider hosted app URL in ADFS allows to Single Sign On and pass the token from SharePoint Site. Follow below steps to configure ADFS for Provider Hosted APP Site which is in another non- SharePoint Server or Domain.
Follow below steps to relying party demo:
- Add relying party and click on Start
- On Select Data Source, select Enter data about the relying party manually
- By clicking on Next, follow the hierarchy of steps:
- On Specify Display Name, enter Display Name
- On Choose Profile select AD FS Profile. Click Next
- On Configure URL tick on Enable support for the WS-Federation Passive protocol and enter Passive Protocol URL: (https://ProivderHostedURL/_trust/)
- Click Next On Configure Identifiers add URN
- On Configure Multi-Factor Authentication Now? Select I don’t want to configure multi-factor authentication settings for this replying party trust at this time.
- On Choose Issuance Authorization Rules, select permit all users to access this replying party.
- Click Next. It will automatically open Choose Rule Type On that in Claim Rule Template, select Send LDAP attributes as Claims
- On Configure Claim Rule screen, add configure rules are mentioned below: Order requires to be as follows
- Click Finish. It will automatically prompt the below screen. If not, right click on ADFS, and click on Properties. Click on Advance in Properties option and select SHA-1 search hash algorithm. Click OK
Single Sign on Configuration for App and Server
Step 1 – Single Sign On Configuration for Server
It is a PowerShell Script to establish ADFS Server and SharePoint Server Connection. Below highlighted point will help SharePoint Server to communicate with on-premises Server (where ADFS is configured) which is in another Server or Domain and it will pass token to SharePoint Server to on-premises Server. Basically, this scenario called as Single Sign On Configuration. Open PowerShell command window and execute the below code:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\Certificate.cer")
New-SPTrustedRootAuthority -Name "Token Signing Certificate ADFS Demo" -Certificate $cert
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$realm = "urn:sharepoint:demo"
#Sign-in URL will be ADFS Server instance
#Create new trusted identity token issuer
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFSDemo" -Description "ADFS Trusted Identity Provider Demo" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap -SignInUrl $signInURL -IdentifierClaim $upnClaimMap.InputClaimType
(NOTE : The C:\Certs\Certificate.cer is the same certificate which is created in ADFS Relying Party for SharePoint Site in ADFS Server Step 14)
[ C:\Certs\Certificate.cer, urn:sharepoint:demo, https://abc. domain.com/adfs/ls, ADFSDemo and ADFS Trusted Identity Provider Demo need to be replaced based on user’s configuration. ]
Perform the below mentioned steps:
- Register SharePoint Site with URN in SharePoint Server:
[sp13-012:31418 and urn:sharepoint:sharepointsite require to be replaced based on user’s configuration. ]
- Register Provider Hosted Site with URN in SharePoint Server:
$t.ProviderRealms.Add($uri, "urn:sharepoint:localhost ")
[localhost:7443 and urn:sharepoint:localhost require to be replaced based on user’s configuration. ]
- Go to central admin and select Trust Identity Provider:
Get Client Context object for Provider Hosted APP in APP Part:
- Select APP Part and got to property or Press F4:
- Add Custom Property as below in Provider Hosted Solution:
- Add Property as follows:
- Get user client context using below code:
using (ClientContext clientContext = SharePointContextProvider.Current.GetSharePointContext(Context).CreateAppOnlyClientContextForSPHost())
List oList = clientContext.Web.Lists.GetByTitle("Contact");
If(Request.QueryString["UserName"] != null)
string strUserEmail = Convert.ToString((Request.QueryString["UserName"]));
strUserEmail += “@Domain.com” // use domain
ListItemCreationInformation itemCreateInfo = new ListItemCreationInformation();
Microsoft.SharePoint.Client.ListItem oListItem = oList.AddItem(itemCreateInfo);
User user = clientContext.Web.EnsureUser(strUserEmail);
" + user.LoginName + "
"); oListItem["Title"] = "Test"; oListItem["Author"] = user; oListItem["Editor"] = user; oListItem.Update(); clientContext.ExecuteQuery(); } }
- Publish your project and add as web part and URL as follow:
AD FS being standards-based service allows the secure sharing of identity information between trusted business partners or federated partners across an extranet. In simple words, AD FS is an easy way out of remembering credentials and following multiple times same authentication steps to sign-on in the same web solution.