Monday, July 6, 2015

SharePoint 2013 Single Sign-On Authentication via SAML with OneLogin

Introduction



SharePoint supports the SAML Profile for single sign-on out of the box. This chapter provides guidelines to configure a third party Identity Provider,OneLogin
(http://www.onelogin.com  ). 

Configuring the Trusted Identity Provider for SharePoint


To configure OneLogin to sign in users into SharePoint using SAML, ensure that the SharePoint Web Application is SSL Enabled, and then proceed to the following steps.
  1. In OneLogin, navigate to Apps > Find apps and search for SharePoint 2013 (EMAIL). Click Add.
  2. In the Add SharePoint 2013 (EMAIL) screen select for the app to be used by the Organization. Press Continue.

SharePoint SSO SAML with onelogin


3. Select "Configuration"  tab
  • Set "FQDN" (SharePoint Web application URL for which the OneLogin IP need to be added)
  • Set "Realm" (The realm can be any unique value. This will be used later in the SharePoint configuration)
  • Set "Site" (Site collection /site  relative URL ex. /sites/sitename/)

Set OneLogin parameters


WS-Federation Web SSO Endpoint

      4. Create new users if required from Users All Users

Create new users
5. From menu Users > Roles, make sure that the SharePoint application is added to the Default Role.


Add user roles
6. Grant access to the SharePoint App in OneLogin.

Grant access to SharePoint App


Download OneLogin Certificate for SharePoint


  • Login to OneLogin as an administrator
  • Download the OneLogin Certificate (DER)
    • https://app.onelogin.com/saml/download_der
  • Open the OneLogin Certificate
  • Select "Details" tab
  • Select "Copy to file"
  • Select "DER encoded binary X.509 (.CER)"
  • Save as "c:\onelogin.cer"
Download OneLogin Certificate

Define the certificate used to validate the signed WSFed assertion

Open "SharePoint Management Shell" on SharePoint server and execute the lines codes.
  1. Load OneLogin Certificate into an Object:
    • $cert=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\onelogin.cer")
  2. Install OneLogin Certificate as a Trusted Root Authority:
    • New-SPTrustedRootAuthority -Name "OneLogin Certificate" -Certificate $cert
  3. Set Email as the common identifier between OneLogin and SharePoint:
    • $email=New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
  4. Set SharePoint Site Realm Identifier:
    • $realm= "urn:saml:sharepoint"
    • Note:The realm must match the value in OneLogin under the "Configuration" tab of the SharePoint connector.
  5. Create OneLogin IdP option in SharePoint:
    • $x=New-SPTrustedIdentityTokenIssuer -Name "OneLoginSharePoint" -Description " OneLoginSharePoint" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email -SignInUrl  "{WS-Federation Web SSO Endpoint}" –IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    • Note: Replace the {WS-Federation Web SSO Endpoint} with the URL found in OneLogin under the "Single Sign-on" tab.
After executing the script, the OneLogin identity provider will be listed under Trusted Identity Providers in the Web Application page.

Configure the site to use Trusted Identity Provider


Open "SharePoint 2013 Central Administration" on SharePoint server and create new Web Application with SSL Enabled or update existing Web Application.

  1. Navigate - "Application Management"
  2. Click - "Manage web applications" Manage Web Applications
  3. Select a SharePoint Web Application that is SSL Enabled.
    •  Note: "SharePoint Central Administrator" can NOT be used with SSO.
  4. Click "Authentication Providers" from the top menu options.
  5. Click "Default - Claims Based Authentication"

    Authentication Providers
  6. Check mark - "Trusted Identity Provider" and select the OneLogin IdP

    Add Trusted Identity Providers
  7. Click "Save"
Reference: https://onelogin.zendesk.com/hc/en-us/articles/201173964-Configuring-SAML-for-SharePoint-2013  

Define the Initial Users


  1. Select the web application for which onelogin IdP is configured 
  2. Select "User Policy" from the menu ribbon to bring up the "Policy for Web Application" dialog box.

    Policy for Web Application
  3. Select "Add Users" in the menu ribbon. 
  4. Select the appropriate zone or select the default "All Zones" and select the "Next" button.
  5. From the "Add Users" dialog, select the people picker book in the "Choose Users" section.
  6. Select the Trusted Identity Provider in the left frame and enter a group or account name to grant access in the "Find" text box at the top.
  7. Click Ok.
    Grant user permissions
  8. Select the Permissions intended for the user or group. 
  9. Select the "Finish" button to go back to the "Policy for Web Application" Dialog.
  10. Select the "OK" button to close.

Login to SharePoint


Navigate to your web application. You should see a drop down box with windows and OneLogin authentication options.
 SharePoint Authentication - Sign in



User will be taken to OneLogin login page.


OneLogin Sign-in page




On successful authentication, the page will be redirected to SharePoint site. If the user has already logged in to OneLogin and has a cookie, that user will not need to enter his/her credentials again.  
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)