Canb anyone provide documentation or a high level approach for using identity server 3 with on-premise SharePoint 2013.
Currently windows active directory is integrated with SharePoint and basic FBA (form based authentication) is being used.
SharePoint 2013 natively supports claims based authentication via WS-Federation but not via OpenID Connect. This is typically used within the enterprise for federated authentication from ADFS into SharePoint.
IdentityServer 2 does support WS-Fed, whereas IdentityServer 3 does not straight out of the box. There is a WS-Fed plugin however - this should be considered option #1.
https://github.com/IdentityServer/IdentityServer3.WsFederation
Another option might be to wire up ADFS v3 between IdentityServer3 and SharePoint.
As a third alternative, I've set up our IdentityServer v2 instance as an IDP for SharePoint for a few customers - it's a pretty easy process following the Microsoft recipe, replacing the word "ADFS" for "IdSvr2" :)
https://technet.microsoft.com/en-us/library/hh305235.aspx?f=255&MSPPError=-2147217396
Related
I need help in authorization using ADFS claims, I have done with ADFS configuration on my windows server 2012 R2.
i have no idea what to do next.
My requirement is :
I have 2 sites which share resources I need if the user sign-in using one site then if he/she goes to the second site then the user needs to enter the credentials again but I want to skip this step
You need to configure both applications as Relying Parties in ADFS.
Both applications need to have a client side stack supporting either WS-Fed (WIF) or SAML 2.0.
If you used ADFS 2016, you could also use OpenID Connect.
That gives you SSO across both applications.
Have a problem: I am not able to find out a way to use MVC5 (VS 2013) application to use social media (Facebook, Google etc.) as IdPs using ACS. I want to use ACS.
I am not able to find anything on the internet. Any help would be appreciated.
I was wrong in my earlier answer. There's a way in VS 2013 to do that. When you create MVC 5 Application, choose Organizational Accounts and then choose On-Premises option. Enter the URL of the Federation Metadata URL (https://{youracsnamespace}.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml) in On-Premises Authority and your application URL in App ID URI and you should be good to go.
We have to HNSC https://division1.corp.com https://division2.corp.com on the same SPWebApplication using Claims and Forms Authentication. When logging in to https://division1.corp.com we should have access to https://division2.corp, but we get the logon dialog box again. The UserInformationList are synchronized between this HNSC. By looking at the cookie, they are different.
How shall we solve this?
SharePoint 2010 out of the box does not provide a way to share authentication between its own web applications. This is primarily because each application authenticates users independently and the cookies that it issues are marked with the HTTP Only flag. This means the cookie cannot be accessed by other applications on different DNS names (even if they are part of the same SharePoint farm).
The most common resolution to this is to set up an external federated trusted identity provider (such as ADFS) and have each of your web applications trust it. Then you can configure your federated identity provider to authenticate against your forms provider.
Here's some more detailed info about how the authentication structure in SharePoint works and how you can develop against it: http://msdn.microsoft.com/en-us/library/gg430136.aspx
is it possible to configure federated trust without using ADFS. This article "Claims-Based Single Sign-On for Microsoft SharePoint 2010" link walks you through an example of integrating two web applications into a sso environment for intranet and extranet web users. The article describes how to configure a New-SPTrustedIdentityTokenIssuer where you can add ProviderRealms to SPTrustedIdentityTokenIssuer. In our scenario we set -SignInUrl https://division.corp.com/_layouts/fba/fbalogin.aspx. But I cant find out how to configure the section federatedAuthentication.
how can I let non-domain users username/password login my sharepoint site (is on internet)? I am using Sharepoint 2010 foundation. can I authentic them via Active Directory?
If you want to continue to use Active Directory, you will need to give an AD account to these users. Otherwise, SharePoint also supports Forms Based Authentication and SAML token-based authentication.
Note that these authentication methods are not mutually exclusive. You can use any combination of authentication methods supported by the authentication mode of the Web Application (SAML token-based authentication is only supported when your Web Application is in Claims Based mode).
For more information, see Plan authentication methods.
You can use Form Base Authentication.
Reference: http://blog.morg.nl/2011/08/step-by-step-forms-based-authentication-fba-on-sharepoint-2010/
I have a custom Windows App (needs to be windows as it runs on a users machine and interfaces with TWAIN devices) which needs to communicate to a Claims Based Authenticated site.
What is the best way to achieve this? Each user already has an account on the site which I want to use to authenticate with on the windows app.
Note: the site is actually a CRM2011 IF Deployment.
CRM 2011 setup
Cloud Hosted
Claims Based Authentication for IFD users
Windows (AD) Based Authentication for services (i.e. running on the same box) and workflows
STS setup is out of our control
Is CRM 2011 already configured to use a STS such as ADFS?
If so, you just need to add your app. to the STS as a Relying Party.
There's a white paper.
Also, this gives a good overview of configuring ADFS and WIF in general.