Configure SharePoint to use ADFS Authentication

Sep 29, 2016 at 6:20 AM

This is the 6th article in the series "Configuring ADFS Authentication on SharePoint 2016". In this article I will show you how to configure SharePoint to use ADFS authentication: trusting the ADFS token-signing certificate, mapping the incoming claims, registering ADFS as a trusted identity provider, and enabling it on a web application.

Below are topics that I am going to cover under this series

In my previous article I showed how to create the relying party trust and configure the claims that ADFS will send to SharePoint. SharePoint now has to read those claims out of the SAML token and verify the token's signature with the ADFS token-signing certificate we exported earlier (see "Export ADFS Certificate from the ADFS Management"). Without that signature check, anything that could reach the SharePoint sign-in endpoint could forge a token carrying any UPN it liked, so the certificate we trust here is the root of the whole scheme.

To make SharePoint consume those claims we first have to establish trust between the ADFS server and the SharePoint farm, which means registering the ADFS token-signing certificate (and, if it was issued by a CA rather than self-signed, every certificate in its chain) as a trusted root authority. This can be done with the New-SPTrustedRootAuthority PowerShell cmdlet or from Central Administration (Security -> Manage trust).

We will use PowerShell to create the trusted root authority. Remember the ADFS certificate we exported from the ADFS Management console? Copy that certificate to the SharePoint app server. If you have not exported it yet, follow the steps in the earlier article, Export ADFS Certificate from the ADFS Management for Configuring ADFS Authentication with SharePoint. Be aware that ADFS rolls over its token-signing certificate automatically by default (AutoCertificateRollover). When that happens, tokens are signed with a certificate SharePoint does not trust and every ADFS sign-in fails with a signature validation error until you repeat this step with the new certificate and update the token issuer (Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate).

Open the SharePoint 2016 Management Shell as an administrator and execute the commands below, replacing the path with the location of the exported .cer file. Before trusting it, check that the file really is the ADFS token-signing certificate (its thumbprint should match the one shown under Service -> Certificates in the ADFS Management console) and not the ADFS SSL or service communications certificate.

 ## Load the exported (public-key only) ADFS token-signing certificate  
 $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Dhaval\")  
 ## Register it as a trusted root authority so SharePoint will accept tokens signed with it  
 New-SPTrustedRootAuthority -Name "ADFS Token Signing Certificate" -Certificate $cert  

When we created the relying party trust and its claim rules in ADFS, we chose the claims that ADFS will send to SharePoint. SharePoint now needs a claim type mapping for each incoming claim so it knows how to interpret it; the mappings below keep the incoming claim type unchanged (-SameAsIncoming), so the claim type URIs must be exactly the outgoing claim types chosen in the ADFS issuance rules.

Execute the following PowerShell commands in the SharePoint Management Shell. I have configured UPN, Email, Role and Given Name as the claims that ADFS passes and mapped each to the corresponding claim in SharePoint. UPN will be .

 ## Create claim mappings for the claims provided by ADFS  
 ## (the first positional argument is the incoming claim type URI from the ADFS claim rule)  
 ## UPN claim  
 $upnClaimMap = New-SPClaimTypeMapping "" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming  
 ## Email claim  
 $emailClaimMap = New-SPClaimTypeMapping "" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming  
 ## Role claim  
 $roleClaimMap = New-SPClaimTypeMapping "" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming  
 ## Given Name claim  
 $givenNameClaimMap = New-SPClaimTypeMapping "" -IncomingClaimTypeDisplayName "Given Name" -SameAsIncoming  

Create Trusted Identity Provider for ADFS

We now register ADFS as a trusted identity provider so SharePoint can use it, with the New-SPTrustedIdentityTokenIssuer cmdlet. The identifier claim (UPN here) is the claim value SharePoint stores in its permission lists, so it must be unique and stable for each user; the realm must be identical to the relying party identifier configured in ADFS, and the sign-in URL is the ADFS passive (WS-Federation) endpoint the browser is redirected to.

 ## Create the trusted identity provider  
 ## Use the realm we created in the previous article while creating the relying party trust;  
 ## it must match the relying party identifier in ADFS exactly  
 $realm = "urn:sharpeoint:dhavalcodessp2016server"  
 ## The ADFS passive sign-in endpoint of your federation service  
 $signInUrl = ""  
 $issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `  
     -Realm $realm -ImportTrustCertificate $cert `  
     -ClaimsMappings $upnClaimMap,$emailClaimMap,$roleClaimMap,$givenNameClaimMap `  
     -SignInUrl $signInUrl -IdentifierClaim $upnClaimMap.InputClaimType  
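The steps above (trusted root authority, claim mappings, token issuer) as one script with a few sanity checks added, so it can be re-run safely and its result inspected. This is an added example, not the original post's script: the certificate path, ADFS host name and realm are placeholder assumptions to replace with your own, and the four claim type URIs are the standard WS-Federation ones (which ADFS issues by default) rather than values taken from this post.

```powershell
# Added example (not the original post's code). Run from the SharePoint 2016 Management
# Shell as a farm administrator. All values marked "assumed" are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "C:\Temp\adfs-token-signing.cer"    # assumed: exported ADFS token-signing cert (.cer, public key only)
$adfsHost  = "adfs.contoso.local"                  # assumed: federation service host name
$realm     = "urn:sharepoint:contoso"              # assumed: must equal the relying party identifier in ADFS
$signInUrl = "https://$adfsHost/adfs/ls/"          # ADFS passive (WS-Federation) sign-in endpoint

# 1. Load the certificate and check it before trusting it: it must be a public-key export
#    (never import the ADFS private key into SharePoint) and still valid.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.HasPrivateKey) { throw "Expected a public-key-only export, not a PFX containing the private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Token-signing certificate $($cert.Thumbprint) has already expired." }
Write-Host ("Trusting token-signing certificate {0} (subject {1}, expires {2})" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)

# 2. Trusted root authority, created only if it does not exist yet.
$rootName = "ADFS Token Signing Certificate"
if (-not (Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $rootName -Certificate $cert | Out-Null
}

# 3. Claim mappings. Standard claim URIs assumed; each must match the outgoing claim type
#    selected in the ADFS issuance transform rules for the relying party.
$upn   = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
             -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
             -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
             -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$given = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" `
             -IncomingClaimTypeDisplayName "Given Name" -SameAsIncoming

# 4. Trusted identity token issuer. The identifier claim (UPN) is what SharePoint writes
#    into ACLs, so whoever controls that claim's value controls who the user "is".
if (-not (Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" -ErrorAction SilentlyContinue)) {
    New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
        -Realm $realm -ImportTrustCertificate $cert `
        -ClaimsMappings $upn,$email,$role,$given `
        -SignInUrl $signInUrl -IdentifierClaim $upn.InputClaimType | Out-Null
}

# 5. Verify what the farm will now accept: the signing certificate the issuer validates
#    tokens against, and the claim types it maps. Compare the thumbprint with the
#    token-signing certificate shown in ADFS Management after every ADFS rollover.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS"
"Issuer signing certificate thumbprint: " + $issuer.SigningCertificate.Thumbprint
$issuer.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType
```

The script refuses a certificate file that carries a private key: SharePoint only needs the public key to validate token signatures, and the ADFS token-signing private key must never leave the ADFS servers. The final thumbprint line is the value to check whenever ADFS sign-ins suddenly start failing after an ADFS certificate rollover.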

Configure SharePoint Web Application to use ADFS

Now we have to configure the SharePoint web application to use ADFS as an authentication provider. You can use an existing web application or create a new one.

  • Open SharePoint Central Administration.
  • Go to Application Management -> Manage web applications.
  • Select your SharePoint web application and click Authentication Providers in the ribbon.
  • Click Default, then tick the 'Trusted Identity Provider' checkbox and the 'ADFS' checkbox beneath it.
  • Click Save.

Note: Do not uncheck 'Enable Windows Authentication'. We still need Windows authentication to sign in as an existing administrator and grant permissions to the ADFS users, and the SharePoint search crawler also needs a zone that accepts Windows authentication.

Configure Administrative Permissions

To sign in through ADFS, the ADFS users first need permissions on our web application. At this point no ADFS identity has any rights on it, so we grant them while signed in as a Windows user.

Open the SharePoint web application we configured to use ADFS in the previous step.

Because both providers are enabled on the Default zone, SharePoint shows a sign-in selector with the Windows Authentication and ADFS options.

Select Windows Authentication and log in with a Windows user that already has site collection administrator rights.

Navigate to Site Settings -> Site collection administrators.

Add the ADFS user. Since the identifier claim of the trusted provider is the UPN, enter the user's Active Directory user logon name in UPN form (user@domain), exactly as ADFS will issue it. The default people picker does not validate entries against a trusted identity provider: whatever you type is accepted and stored as a claim, so a typo here silently grants nothing to the real user.

Click on Ok and close the browser.

Open the SharePoint site again and select ADFS authentication this time.

Click on 'Proceed to … '

This redirects the browser to the ADFS sign-in page.

Specify the username and password for the user.

As you can see, the user is now logged in using ADFS authentication.
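The Central Administration and Site Settings steps above (adding ADFS to the Default zone next to Windows authentication, and making an ADFS user a site collection administrator) can also be scripted, which is useful when the same change has to be applied to several web applications or repeated in a test farm. The following is an added example, not the original post's procedure: the web application URL and the administrator's UPN are placeholder assumptions, and it presumes the "ADFS" token issuer from the earlier commands already exists.

```powershell
# Added example (not the original post's code). Run from the SharePoint 2016 Management
# Shell as a farm administrator. Values marked "assumed" are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://sp2016.contoso.local"   # assumed: web application URL
$adfsAdmin = "alice@contoso.local"             # assumed: UPN, because UPN is the issuer's identifier claim
$issuer    = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS"

# 1. Default zone: keep Windows authentication (admins, crawler) and add ADFS next to it.
#    Passing both providers is what keeps the 'Enable Windows Authentication' box ticked.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windows,$trusted

# 2. Build the claims principal SharePoint will store for this ADFS user. Note that
#    nothing here contacts ADFS or Active Directory: the UPN is taken as typed, exactly
#    like the people picker, so a wrong value is accepted and simply never matches.
$principal = New-SPClaimsPrincipal -Identity $adfsAdmin -TrustedIdentityTokenIssuer $issuer
$encoded   = $principal.ToEncodedString()   # encoded claim, of the form i:05.t|adfs|alice@contoso.local
"Granting site collection administrator to claim: $encoded"

# 3. Grant secondary site collection administrator on the root site collection.
Set-SPSite -Identity $webAppUrl -SecondaryOwnerAlias $encoded

# 4. Verify both changes: the providers enabled on the Default zone, and the current
#    site collection administrators (the ADFS user shows up with the i:05.t| prefix).
$webApp = Get-SPWebApplication -Identity $webAppUrl
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$webApp.IisSettings[$zone].ClaimsAuthenticationProviders | Select-Object DisplayName

$site = Get-SPSite -Identity $webAppUrl
$site.RootWeb.SiteAdministrators | Select-Object LoginName
$site.Dispose()
```

Use -OwnerAlias instead of -SecondaryOwnerAlias to make the ADFS user the primary site collection administrator; both only take the encoded claim string, which is why the principal is built through the token issuer rather than typed by hand. Dispose the SPSite object afterwards, as shown, to avoid leaking server resources in long scripts.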

Voila! Your site is configured to use ADFS authentication. In the next article I will show you how to customize the ADFS login page we are using.

Found this article by Dhaval Shah valuable? Help by Sharing ...
