This is the 6th article in the series "Configuring ADFS Authentication on SharePoint 2016". In this article I will show you how to configure SharePoint to use ADFS authentication.
Below are the topics I will cover in this series:
- About ADFS Authentication and SharePoint
- Configure SharePoint Site to use SSL and HTTPS
- Install And Configure Active Directory Federation Services(ADFS)
- Export ADFS Certificate from the ADFS Management
- Create Relying party Trusts and Claims from ADFS
- Configure SharePoint to use ADFS Authentication
- Custom Login Page for SharePoint Authentication
In my previous article I showed you how to create the relying party trust and configure the claims that ADFS will forward to SharePoint. SharePoint now has to consume these claims from the token, and it has to verify the token's signature using the certificate we exported in the earlier article "Export ADFS Certificate from the ADFS Management".
In order to configure SharePoint to use the claims, we have to establish trust between the ADFS server and the SharePoint farm. The trust is created with the New-SPTrustedRootAuthority PowerShell cmdlet, or from Central Administration.
We will use the PowerShell cmdlet to create the trusted root authority in SharePoint. Remember the ADFS certificate we exported from the ADFS Management console? We will use that certificate, so copy it to the SharePoint app server. If you have not exported the certificate yet, follow the steps in the article "Export ADFS Certificate from the ADFS Management" for configuring ADFS authentication with SharePoint.
Open the SharePoint Management Shell as an Administrator and execute the command below.
We configured some claims when we created the Relying Party Trust and Claims in ADFS; these are the claims that ADFS will send to SharePoint. Now we have to map those incoming claims in SharePoint to the corresponding claims from ADFS.
So execute the PowerShell commands below in the SharePoint Management Shell. I have configured the UPN, Email, Role and Given Name as the claims that ADFS will pass, and mapped them to the corresponding claims in SharePoint. UPN will be .
Create Trusted Identity Provider for ADFS
We have to register ADFS as a trusted identity provider before SharePoint can use it. We will configure it with the New-SPTrustedIdentityTokenIssuer PowerShell cmdlet.
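The three PowerShell steps above (trusted root authority, claim mappings, trusted identity token issuer) as one added example script. This is not the article's own script; the certificate path, the ADFS host name and the realm identifier are assumptions and must match your farm and the relying party trust you created in ADFS.

```powershell
# Added example (not the article's own script): establishes the ADFS trust in SharePoint.
# Assumptions (adjust to your farm): path of the exported token-signing certificate,
# the ADFS host name, and the realm that matches the relying party identifier in ADFS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = "C:\Certs\ADFS-TokenSigning.cer"                # assumed path of the exported cert
$adfsSignIn = "https://adfs.corp.dhavalcodes.com/adfs/ls"     # assumed ADFS host; /adfs/ls is the passive endpoint
$realm      = "urn:sharepoint:intranet"                       # must equal the relying party identifier in ADFS

# 1. Trust the ADFS token-signing certificate. SharePoint validates the SAML token
#    signature against it, so import the token-signing cert, not the ADFS SSL cert.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# 2. Map the incoming claims (UPN, Email, Role, Given Name) to SharePoint claim types.
$upn   = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$given = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "Given Name" -SameAsIncoming

# 3. Register ADFS as a trusted identity provider. The identifier claim becomes the user's
#    identity in SharePoint, so it must be a claim ADFS always sends and that is unique per user.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS on corp.dhavalcodes.com" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $upn,$email,$role,$given `
    -SignInUrl $adfsSignIn -IdentifierClaim $upn.InputClaimType

# 4. Check: the issuer exists, its signing certificate thumbprint matches the certificate
#    you exported from ADFS, and the identifier claim is the UPN.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" |
    Select-Object Name, IdentifierClaim, @{ n = "SigningCertThumbprint"; e = { $_.SigningCertificate.Thumbprint } }
```

The provider name "ADFS" is the one that appears as the checkbox under Trusted Identity Provider in Central Administration in the next step.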
Configure SharePoint Web Application to use ADFS
Now we have to configure the SharePoint web application to use ADFS as its authentication provider. You can use an existing web application or create a new one.
- Open the SharePoint Central Administration
- Go to Application Management -> Manage Web Application
- Select your SharePoint web application -> Select the Authentication Providers from the top ribbon
- Click on Default and tick the checkboxes for the ‘Trusted Identity Provider’ and ‘ADFS’
- Click on Save.
Note: Make sure you don't uncheck 'Enable Windows Authentication'; we will need Windows authentication to grant permissions to the ADFS users.
Configure Administrative Permissions
In order to use ADFS authentication we have to grant the ADFS users permission on our web application.
Open the SharePoint web application that we configured to use ADFS in the earlier step.
It will show both the Windows Authentication and ADFS authentication options.
Select Windows Authentication and log in with the Windows user.
Navigate to Site Settings -> Site Collection Administrators
and add the ADFS user as johnsnow@corp.dhavalcodes.com; we use the user logon name from Active Directory.
Click on OK and close the browser.
Open the SharePoint Site again and Select ADFS authentication this time.
Click on ‘Proceed to … ’
This will redirect you to the ADFS login page.
Specify the username and password for the user.
As you can see, the user is now logged in using ADFS authentication.
Voila! Your site is configured to use ADFS authentication. In the next article I will show you how to customize the ADFS login page we are using.