[Tutorial] SSO for Microsoft Sharepoint Web Applications with WSO2 Identity Server

  • By Prasad Tissera
  • 12 May, 2015
Archived Content
This article is provided for historical perspective only, and may not reflect current conditions. Please refer to relevant product page for more up-to-date product information and resources.

This tutorial will give you a step-by-step guide on how to implement single sign on (SSO) for Microsoft Sharepoint web applications with the WSO2 Identity Server.

Introduction

Sharepoint is a widely used web application framework developed by Microsoft Corporation. Windows authentication is usually used to log in to Sharepoint. In addition, Sharepoint allows forms-based authentication and SAML token-based authentication [1].

SAML token-based authentication in SharePoint 2013 uses the SAML 1.1 protocol and the WS-Federation Passive Requestor Profile (WS-F PRP) [1]. Therefore we can use the identity server's passive STS support to configure the WSO2 Identity Server as an identity provider (IDP) for Sharepoint web applications.

Prerequisites

For this article we have used the following versions of Sharepoint and Identity Server;

  • Sharepoint 2013
  • WSO2 Identity Server 5.0.0 with SP1
  • OS: Windows Server 2012

Create a simple Sharepoint web application

  1. Go to Sharepoint 2013 central administration (you can open this by searching for “sharepoint central” in the Windows app search).

    Use your Windows username and password to log in to Sharepoint (Windows authentication).

  2. In Sharepoint central administration click on ‘Manage Web Application’ under ‘Application Management’.

    Figure 01

  3. Click on ‘New’ to add a new web application.

    Figure 02

  4. Keep the default configuration and click ‘OK’ to save the application.

    Figure 03

The new web application will be added and the URL and the port will be displayed in the application list.

Figure 04

In this example the new application's name is Sharepoint - 48077 and the URL is http://win-3oo8vau2hv9:48077/. You can use this URL to log in to your new web app using the default Windows authentication.

Configure WSO2 Identity Server

  1. Start the identity server and log in to the ‘Management Console’.

    Figure 05

  2. Click ‘Add’ under ‘Service Providers’ in the ‘Main’ tab.
  3. Specify any name as the service provider name. We have used passivests1 here.
  4. Under ‘Inbound Authentication Configuration’ expand ‘WS-Federation (Passive) Configuration’.
  5. Set the Passive STS realm by adding _trust to the end of the Sharepoint web application URL created in the 'Create a simple Sharepoint Web Application' section.

    For example, if the Sharepoint web application URL is http://win-3oo8vau2hv9:48077/, then the passive STS realm should be http://win-3oo8vau2hv9:48077/_trust.

  6. Expand ‘Claim Configuration’ and set the configurations as follows;

    Figure 06

    • Click on ‘Define Custom Claim Dialect’
    • Click on ‘Add Claim URI’
    • Under ‘Service Provider Claim’ add the following claim URI

      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

    • Under ‘Local Claim’ select https://wso2.com/claims/emailaddress
    • Tick the ‘Requested Claim’ check box.
  7. Follow the below steps to add a new user to log in to the Sharepoint web application.
    • Click on the ‘Configure’ tab and go to ‘Users and Roles’
    • Under ‘User Management’ click on ‘Users’
    • Click on ‘Add New User’
    • In the ‘Add User’ page set the username and password and click 'Next'
    • Tick the admin role and click ‘Finish’

      Here we assign the admin role only for simplicity; Sharepoint login users only require login permission. You can define a role with only login permission and assign it to the user instead of assigning the admin role.

      More information on user and role configuration can be found in the WSO2 Identity Server documentation on configuring roles [2].

    • Click on the ‘User Profile’ button in front of the newly added username to edit the profile of the user.

      Figure 07

      Figure 08

    • Set the first name and email address of the user and click on ‘Update’.

      We use the email address claim to authenticate the user with Sharepoint. Therefore the email address entered here should be used when registering the user with Sharepoint.

Create a trusted identity provider in Sharepoint

  1. Export the WSO2 Identity Server public certificate using the Java keytool. The default keystore can be found in the wso2is-5.0.0/repository/resources/security folder.

    keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file wso2carbon.cer

  2. Open Sharepoint 2013 management shell (you can do this by searching for “sharepoint management” in Windows app search).
  3. Set exported wso2carbon.cer as the trusted root certificate by executing the following commands;

    # Load the exported certificate and register it once as a trusted root authority
    $rootcert = Get-PfxCertificate "E:\wso2carbon.cer"
    $spt = New-SPTrustedRootAuthority -Name "RootAuthority" -Certificate $rootcert

  4. Add a new trusted identity provider by executing the following commands;
    • Assign wso2carbon.cer to $cert to use as the TrustCertificate.

      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\wso2carbon.cer")

    • Define the claim mapping to be used as the identifier claim. Since we map the WSO2 https://wso2.com/claims/emailaddress claim to the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email claim in the identity server, we use the ‘-SameAsIncoming’ switch so that Sharepoint keeps the incoming claim type unchanged.

      $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

    • Define the realm URL. We use the same URL we used in the passive STS configuration in the identity server (by appending _trust to the end of the web application URL)

      $realm="http://win-3oo8vau2hv9:48077/_trust"

    • This creates the trusted identity provider with the name 'WSO2PassiveSTS1'

      $ap = New-SPTrustedIdentityTokenIssuer -Name "WSO2PassiveSTS1" -Description "WSO2 Identity Server1" -Realm $realm -ClaimsMappings $map1 -ImportTrustCertificate $cert -SignInUrl "https://localhost:9443/passivests" -IdentifierClaim $map1.InputClaimType

  5. You can view the configured trusted identity provider by executing the following command in the management shell;

    Get-SPTrustedIdentityTokenIssuer

  6. Figure 09

  7. The default STS token lifetime value of the WSO2 Identity Server is five minutes.

    The default value of LogonTokenCacheExpirationWindow in Sharepoint is ten minutes.

    If the LogonTokenCacheExpirationWindow of Sharepoint is larger than the lifetime of the token, then SharePoint will not allow the user to log in and will redirect back to the IDP, which will redirect back to SharePoint in an endless loop [3].

    Hence the default configurations of Sharepoint and WSO2 IS will not allow the user to log in.

    To avoid that we can either increase the default STS token lifetime of the identity server or decrease the LogonTokenCacheExpirationWindow of Sharepoint.

    Unfortunately increasing the STS token lifetime is not supported in WSO2 Identity Server 5.0.0 with SP1. To add support for this configuration you need to install the patch WSO2-CARBON-PATCH-4.2.0-1140 that is only available for those who have support accounts with WSO2.

    This configuration is supported in WSO2 Identity Server M1, which can be downloaded from the product-is releases page [4].

    If you have the required patch installed, to increase the default STS token lifetime you can add the following configurations in carbon.xml file which can be found under wso2is-5.0.0/repository/conf folder.

    • Add the following property within the <Server> tags;

      <Server>
        …
        <STSTimeToLive>1800000</STSTimeToLive>
      </Server>

    • Restart the identity server to make this configuration effective.

    If you don’t have access to the required patch, as a workaround you can set the LogonTokenCacheExpirationWindow time to a value smaller than the default STS token lifetime value.

    • To decrease the LogonTokenCacheExpirationWindow value to one minute run the following commands in Sharepoint management shell;

      $sts = Get-SPSecurityTokenServiceConfig
      $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
      $sts.Update()
      iisreset
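To see why the default settings loop while either fix works, here is an added Python example that is not part of this tutorial and is not WSO2 or Microsoft code. It applies the checks this section describes to a constructed SAML 1.1 assertion: the audience must be the configured realm, the e-mail identifier claim must be present, and the token lifetime must exceed LogonTokenCacheExpirationWindow. It assumes the e-mail claim arrives as a SAML 1.1 Attribute whose AttributeNamespace and AttributeName together form the claim URI, that STSTimeToLive is expressed in milliseconds, and that SharePoint rejects a token whose lifetime does not exceed the expiration window; the sample assertion, user and timestamps are constructed.

```python
"""Added example: apply the SharePoint-side acceptance checks from this
section to a constructed SAML 1.1 assertion (not code from the tutorial,
WSO2 or Microsoft).  Assumptions: the e-mail claim is carried as a SAML 1.1
Attribute whose AttributeNamespace + "/" + AttributeName is the claim URI,
STSTimeToLive is in milliseconds, and SharePoint rejects a token whose
lifetime does not exceed LogonTokenCacheExpirationWindow."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
REALM = "http://win-3oo8vau2hv9:48077/_trust"  # realm used in the tutorial

# Constructed sample assertion (signature omitted): issued for the tutorial's
# realm with the default five-minute WSO2 IS token lifetime.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_constructed-1" Issuer="https://localhost:9443/passivests"
    IssueInstant="2015-05-12T10:00:00Z" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2015-05-12T10:00:00Z" NotOnOrAfter="2015-05-12T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://win-3oo8vau2hv9:48077/_trust</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>user1</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="email"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>user1@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _q(tag):
    """Qualify a SAML 1.1 element name for ElementTree lookups."""
    return "{%s}%s" % (SAML1_NS, tag)


def _parse_utc(value):
    """Parse an xsd:dateTime such as 2015-05-12T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sts_lifetime(time_to_live_ms):
    """Convert a carbon.xml STSTimeToLive value (assumed milliseconds) to a timedelta."""
    return timedelta(milliseconds=time_to_live_ms)


def would_loop(token_lifetime, expiration_window):
    """True when SharePoint would reject every freshly issued token and bounce
    the user back to the IDP: the cache expiration window is not shorter than
    the token lifetime (assumed boundary: equal lifetimes also loop)."""
    return token_lifetime <= expiration_window


def evaluate_assertion(xml_text, realm, expiration_window):
    """Run the checks a trusted-identity-provider login applies to an incoming
    assertion, using the realm, identifier claim and window from this tutorial."""
    root = ET.fromstring(xml_text)
    conditions = root.find(_q("Conditions"))
    lifetime = (_parse_utc(conditions.get("NotOnOrAfter"))
                - _parse_utc(conditions.get("NotBefore")))
    audiences = [a.text for a in conditions.iter(_q("Audience"))]

    # Rebuild full claim URIs from the SAML 1.1 namespace/name split.
    claims = {}
    for attr in root.iter(_q("Attribute")):
        uri = attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
        claims[uri] = [v.text for v in attr.findall(_q("AttributeValue"))]

    problems = []
    if realm not in audiences:
        problems.append("audience %r does not match realm %s" % (audiences, realm))
    if EMAIL_CLAIM not in claims:
        problems.append("identifier claim %s missing" % EMAIL_CLAIM)
    if would_loop(lifetime, expiration_window):
        problems.append("token lifetime %s does not exceed LogonTokenCacheExpirationWindow %s"
                        % (lifetime, expiration_window))
    return {
        "lifetime": lifetime,
        "identifier": claims.get(EMAIL_CLAIM, [None])[0],
        "problems": problems,
        "accepted": not problems,
    }


if __name__ == "__main__":
    for label, window in (("SharePoint default", timedelta(minutes=10)),
                          ("workaround", timedelta(minutes=1))):
        result = evaluate_assertion(SAMPLE_ASSERTION, REALM, window)
        print("%s: window=%s accepted=%s %s"
              % (label, window, result["accepted"], result["problems"]))
    # Patched IS with STSTimeToLive=1800000 against SharePoint's default window:
    print("patched IS loops with default window:",
          would_loop(sts_lifetime(1800000), timedelta(minutes=10)))
```

Running the script shows the default pairing (five-minute token, ten-minute window) rejected with the lifetime problem, the one-minute window accepted, and the 1800000 ms STSTimeToLive value also clearing the default window; a realm mismatch or a missing e-mail attribute is reported the same way, which is useful when the redirect loop is caused by a typo in the realm rather than by the timers.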

  8. Configure the Sharepoint web application to use the created trusted identity provider as follows;
    • Go to Sharepoint’s central administration page.
    • Click on ‘Application Management’ and go to ‘Manage Web Applications’ under ‘Web Applications’.
    • In the application list click on the web application you created in the 'Create a simple Sharepoint Web Application' section.

      Figure 10

    • Click on ‘Authentication Providers’ in the toolbar and then click ‘Default’ in the ‘Authentication Providers’ popup.
    • The WSO2PassiveSTS1 trusted IDP we created using the management shell will be displayed under trusted identity provider in the ‘Edit Authentication’ window.
    • Check both checkboxes in front of ‘Trusted Identity Provider’ and WSO2PassiveSTS1 and click on the ‘Save’ button at the bottom of the page.

      Figure 11

  9. Now you have to add the user created in the WSO2 Identity Server as a Sharepoint login member to your web application else Sharepoint will not allow the user to log in.
    • Go to the URL of the created web application.

      e.g. http://win-3oo8vau2hv9:48077/

    • A drop down will be displayed to select the login method. Select ‘Windows Authentication’.
    • Click the settings icon on the upper right corner of the page and click on ‘Site settings’.

      Figure 12

    • Click on ‘People and Groups’ under ‘Users and Permissions’.

      Figure 13

    • Click 'New' under SharePointLogin members and enter the email address you configured in the user profile for the user created in the identity server. Then click ‘Share’.

      Figure 14

Log in to Sharepoint web application with WSO2 Identity Server

  1. Go to the web application URL. If you have already signed in to the current browser session you may need to open a private window.

    e.g. http://win-3oo8vau2hv9:48077/

  2. A drop down will be displayed to select the login method. Select WSO2PassiveSTS1.
  3. You will be redirected to the WSO2 Identity Server basic authentication login page. Use the username and password of the user you have created to log in.
  4. Now you will be redirected back to Sharepoint and the email address of the identity server user account you used to log in will be displayed as the logged in user on the right hand side corner of the page.

References

[1] https://technet.microsoft.com/en-us/library/cc262350.aspx#plansaml
[2] https://docs.wso2.com/display/IS500/Configuring+Roles#ConfiguringRoles-Addingauserrole
[3] https://msdn.microsoft.com/en-us/library/office/hh147183%28v=office.14%29.aspx
[4] https://github.com/wso2/product-is/releases