This is a reference article with straightforward steps intended for those who need to implement AD FS-based authentication on a SharePoint Server (on-premises) Web Application. The steps here are those that I have personally used to implement this feature in a production environment. This article assumes that you already have basic knowledge of SharePoint Server and Active Directory Federation Services; it does not cover the initial setup of SharePoint Server or AD FS. Once this setup is complete and you can access your site using AD FS as the identity provider, you can also use Azure MFA integration with AD FS for multi-factor authentication.
Prerequisites
- SharePoint Server 2016 or 2019 farm with Farm Administrator access. All farm topologies are supported.
- AD Federation Services with AD FS Administrator access (an external Web Application Proxy is supported).
- Access to a Certificate Authority (preferably public) to create the SSL certificate for the SharePoint site.
Information Preparation
Replace the placeholders here with your own data.
- SharePoint Site URL (the site you intend to apply AD FS authentication to): https://share.domain.com
- AD FS URL (Identifier URL for IdP-Initiated Sign-On): https://adfs.domain.com/adfs/ls/
  Note: You can get this URL by running Get-AdfsProperties | select IdTokenIssuer in AD FS PowerShell and appending /ls to the result.
- Realm (Relying Party Identifier): urn:domain:sharepoint
- Site Collection Admin (this can be the Farm Admin): domain\account
Step 1 - Export AD FS Token-Signing Certificate
- Open the AD FS Management Console as Administrator on the AD FS server.
- Navigate to AD FS -> Services -> Certificates.
- Double-click the Token-signing certificate and click the Details tab.
- Click Copy to File, then click Next until you're presented with an option to save the file.
- Save the file as ADFSCertificate.cer and copy it to all SharePoint servers in the farm.
Step 2 - Create Relying Party Trust in AD FS
Use the snippet below to create a new Relying Party Trust, replacing the parameters with your own where necessary.
#Name of Relying Party, just an identifier.
$name = "SharePoint"
#Realm name, replace with what you picked. Should be identical here and later in SharePoint config.
$identifier = "urn:domain:sharepoint"
#Authentication Source Provider, don't change this.
$identityProvider = "Active Directory"
#Replace the main URL with your SharePoint Site
$redirectURL = "https://share.domain.com/_trust/default.aspx"
#Relying Party Access Rule, can be changed later if MFA needs to be implemented.
$accessRule = '=> issue (Type = "http://schemas.microsoft.com/authorization/claims/permit", value = "true");'
#Create the Relying Party
Add-ADFSRelyingPartyTrust -Name $name -Identifier $identifier -ClaimsProviderName $identityProvider -Enabled $true -WSFedEndpoint $redirectURL -IssuanceAuthorizationRules $accessRule -Confirm:$false
Use the following set of commands to add Claim Rules to the Relying Party Trust.
#Create a rule to issue UPN, Email and Role claims in SAML token.
$claimsRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(
store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
query = ";userPrincipalName,mail,tokenGroups(fullDomainQualifiedName);{0}",
param = c.Value);
"@
#Apply this rule to the Relying Party
Set-ADFSRelyingPartyTrust -TargetName $name -IssuanceTransformRules $claimsRule
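As an added check that is not part of the original article, the script below (run in an AD FS PowerShell session) verifies the Relying Party Trust just created against the values recorded in Information Preparation and reports the token-signing certificate that SharePoint will be configured to trust. The name, identifier and redirect URL are the same placeholders used above.

```powershell
# Added verification script (not part of the original article): confirms the
# Relying Party Trust created above matches the values you recorded in
# Information Preparation and reports the token-signing certificate that
# SharePoint will be configured to trust. Run in AD FS PowerShell.
$name        = "SharePoint"
$identifier  = "urn:domain:sharepoint"
$redirectURL = "https://share.domain.com/_trust/default.aspx"
$required    = @(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
)

$rp = Get-AdfsRelyingPartyTrust -Name $name
if (-not $rp) { throw "Relying Party Trust '$name' not found." }

# The identifier must be exactly the realm SharePoint sends (Step 4); a mismatch
# surfaces later only as a generic sign-in failure.
if ($rp.Identifier -notcontains $identifier) {
    Write-Warning "Identifier mismatch: expected $identifier, found $($rp.Identifier -join ', ')"
}

# Tokens are posted to the WS-Federation endpoint, which must be the HTTPS
# /_trust/ URL of the extended zone created in Step 6.
if ($rp.WSFedEndpoint.AbsoluteUri -ne $redirectURL) {
    Write-Warning "WSFedEndpoint is $($rp.WSFedEndpoint), expected $redirectURL"
}
if ($rp.WSFedEndpoint.Scheme -ne "https") { Write-Warning "WSFedEndpoint is not HTTPS" }

# All three claim types mapped in SharePoint must appear in the issuance rules.
foreach ($type in $required) {
    if ($rp.IssuanceTransformRules -notlike "*$type*") {
        Write-Warning "Issuance transform rules do not issue $type"
    }
}

# Record the primary token-signing certificate so it can be compared with the
# file exported in Step 1. When AutoCertificateRollover is enabled AD FS
# replaces this certificate on its own schedule, and SharePoint's trust must
# then be updated with the new certificate or sign-in stops working.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"Token-signing thumbprint : $($signing.Thumbprint)"
"Expires                  : $($signing.Certificate.NotAfter)"
"AutoCertificateRollover  : $((Get-AdfsProperties).AutoCertificateRollover)"
```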
Step 3 - Import AD FS Certificate as a SharePoint Trusted Root Authority
Import the AD FS token-signing certificate that you exported from AD FS in Step 1 into SharePoint.
Note: Run this from an elevated PowerShell session using the Farm Admin account, with the SharePoint PowerShell module loaded.
#Load the SharePoint PowerShell snap-in (not needed if you are already in the SharePoint Management Shell)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Path to the certificate file copied to this server in Step 1
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Path\To\ADFSCertificate.cer")
New-SPTrustedRootAuthority -Name "ADFS" -Certificate $rootCert
Step 4 - Configure SharePoint to trust AD FS as Identity Provider
#Define claim types
$email = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$upn = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
#AD FS Token-Signing Certificate
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Path\To\ADFSCertificate.cer")
#Realm name, as defined in AD FS Relying Party earlier
$realm = "urn:domain:sharepoint"
#AD FS URL (Identifier URL for IDP-Initiated SignOn)
$signinURL = "https://adfs.domain.com/adfs/ls/"
#Create a new Trusted Identity Token Issuer
New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Identity Provider" -Realm $realm -ImportTrustCertificate $signingCert -ClaimsMappings $email,$role,$upn -SignInUrl $signinURL -IdentifierClaim $upn.InputClaimType
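As an added check that is not part of the original article, the script below (run in an elevated SharePoint Management Shell as the Farm Admin) verifies the Trusted Identity Token Issuer just created against the exported AD FS certificate file and the values from Information Preparation. The certificate path is a placeholder; the realm, sign-in URL and claim types are the ones used above.

```powershell
# Added verification script (not part of the original article): checks the
# Trusted Identity Token Issuer above against the exported AD FS certificate and
# the values from Information Preparation. Run in an elevated SharePoint
# Management Shell as the Farm Admin; the certificate path is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$certPath  = "C:\Path\To\ADFSCertificate.cer"
$realm     = "urn:domain:sharepoint"
$signinURL = "https://adfs.domain.com/adfs/ls/"
$upnClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$required  = @($upnClaim,
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role")

$trust = Get-SPTrustedIdentityTokenIssuer "ADFS"
if (-not $trust) { throw "Trusted Identity Token Issuer 'ADFS' not found." }

# Compare thumbprints: SharePoint only accepts tokens signed by this exact
# certificate, so a stale copy after an AD FS certificate rollover breaks sign-in.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($trust.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
    Write-Warning "Trust signing certificate differs from $certPath"
}
$daysLeft = ($trust.SigningCertificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Signing certificate expires in $daysLeft days" }

# Realm must equal the Relying Party Identifier in AD FS; sign-in URL must be
# the HTTPS /adfs/ls/ endpoint.
if ($trust.DefaultProviderRealm -ne $realm) {
    Write-Warning "Realm is $($trust.DefaultProviderRealm), expected $realm"
}
if ($trust.ProviderUri.AbsoluteUri -ne $signinURL) {
    Write-Warning "Sign-in URL is $($trust.ProviderUri), expected $signinURL"
}

# Identifier claim must be UPN and all three mappings must exist, otherwise
# users authenticate at AD FS but SharePoint cannot resolve them.
if ($trust.IdentityClaimTypeInformation.InputClaimType -ne $upnClaim) {
    Write-Warning "Identifier claim is $($trust.IdentityClaimTypeInformation.InputClaimType)"
}
$mapped = $trust.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
foreach ($type in $required) {
    if ($mapped -notcontains $type) { Write-Warning "No claim mapping for $type" }
}

# The Trusted Root Authority from Step 3 must carry the same certificate.
$root = Get-SPTrustedRootAuthority "ADFS" -ErrorAction SilentlyContinue
if (-not $root -or $root.Certificate.Thumbprint -ne $fileCert.Thumbprint) {
    Write-Warning "Trusted Root Authority 'ADFS' missing or does not match $certPath"
}
```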
Step 5 - Create a New SharePoint Web Application
Follow these steps to create a new SharePoint Web Application if you haven't already created one. SharePoint requires Windows Authentication to be enabled in the Default zone, so it is recommended to extend the Web Application to a different zone later and use AD FS authentication on that zone instead. This Default zone should not be published.
#Default Web Application URL, replace as necessary
$webAppURL = "http://spshare"
#This is either the managed Service Account or Farm Admin. IIS Application Pool will run under this account.
$appPoolAccount = "domain\user"
#Windows Authentication Provider, don't change.
$winAp = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos:$true
#Create the new Web Application, you can change the Name and ApplicationPool attributes as necessary for better identification
New-SPWebApplication -Name "Shared Site" -Port 80 -URL $webAppURL -ApplicationPool "SharedSite" -ApplicationPoolAccount (Get-SPManagedAccount $appPoolAccount ) -AuthenticationProvider $winAp
Step 6 - Extend SharePoint Web Application
Extend the SharePoint Web Application to a different zone. The available zones are Internet, Intranet, Extranet and Custom.
AD FS requires the SharePoint site to be served over HTTPS, so you will need an SSL certificate on the IIS site; this is covered in Step 7.
#URL of the Default Web App
$defaultURL = "http://spshare"
#URL of the Extended App, should match the Redirect URL defined in ADFS earlier and should be HTTPS
$extendedURL = "https://share.domain.com/"
#Trusted Identity Token Issuer that was defined earlier in Step 4
$sptrust = Get-SPTrustedIdentityTokenIssuer "ADFS"
#AD FS Authentication Provider, don't change.
$ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
#Default Web App, don't change.
$wa = Get-SPWebApplication $defaultURL
#Extend the Web Application. You can change the Name attribute if required for better identification, and the Zone attribute if required.
New-SPWebApplicationExtension -Name "ADFS Shared Site" -Identity $wa -SecureSocketsLayer -Zone Internet -Url $extendedURL -AuthenticationProvider $ap
Step 7 - SSL Certificates Management
SharePoint with AD FS requires an SSL certificate on the IIS site itself. A publicly signed certificate is preferred, but a self-signed one can be used internally. The certificate is required on all front-end servers, and the same private key must be present on every node.
Create a new Publicly Signed SSL Certificate via IIS
- Open IIS Manager on the front-end server and click Server Certificates.
- In the right pane, click Create Certificate Request and provide the required information to create the CSR. The common name is your site URL (share.domain.com in this case). If you are using a wildcard certificate, this will be *.domain.com, and you should add your site URL as a Subject Alternative Name later when signing the CSR with your Certificate Authority.
- Follow the wizard to save the CSR as a text file and use it to obtain a publicly signed certificate from your preferred Certificate Authority (DigiCert, etc.).
- Once the SSL certificate has been issued for the CSR, copy the CER file back to the server.
- Click Complete Certificate Request in the right pane to import the CER file.
- Navigate to the file in the wizard and assign it a friendly name of your choosing. This imports the new certificate on your SharePoint server.
Work in Progress
Step 8 - People Picker Fix
Having two different authentication providers interferes with the SharePoint People Picker; follow these steps to remedy that.
Download the LDAPCP WSP Solution File from here
Copy the WSP file to the SharePoint Application Server. Note that this solution is deployed globally (across all Web Applications on the farm); no impact on other applications has been reported.
#Import the solution to SharePoint Farm
Add-SPSolution -LiteralPath "C:\Path\LDAPCP.wsp"
#Deploy the solution globally
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment
Update the Trusted Identity Token Issuer from Step 4 to use the new Claims Provider.
$trust = Get-SPTrustedIdentityTokenIssuer "ADFS"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()
This should now allow you to unify the users in People Picker.
Conclusion
You should now be able to log in successfully to the Extended Web URL, https://share.domain.com in this case, via AD FS as the identity provider. I will create a reference article on how to set up Azure MFA with AD FS and link it here later. If you have any questions, feel free to reach out to me via LinkedIn or Email at the bottom of the page.