This is the first article in the series "Configuring ADFS Authentication for SharePoint Sites". In this series I will explain how to set up and configure ADFS authentication for SharePoint 2016. Although the articles use SharePoint 2016, the same steps work for SharePoint 2013 as well.
Below are the topics I am going to cover in this series:
- About ADFS Authentication and SharePoint
- Configure SharePoint Site to use SSL and HTTPS
- Install And Configure Active Directory Federation Services(ADFS)
- Export ADFS Certificate from the ADFS Management
- Create Relying party Trusts and Claims from ADFS
- Configure SharePoint to use ADFS Authentication
- Custom Login Page for SharePoint Authentication
ADFS Authentication and SharePoint
In most applications, authorization is driven by a token: the user authenticates once, receives a token that describes who they are, and the application uses that token to decide what they may do.
In SharePoint 2007 and 2010 we had classic mode authentication, which handed a Windows token to SharePoint to perform the actual authorization.
Since SharePoint 2013 the default is claims-based authentication, which uses a claims token for authorization. Classic mode authentication is deprecated in SharePoint 2013 and later. You can still create a classic mode web application with PowerShell (New-SPWebApplication creates one when -AuthenticationProvider is not specified), but this is not recommended.
SharePoint supports three types of claims authentication:
- Windows claims – Windows authentication (NTLM or Kerberos) still authenticates the user, but SharePoint converts the resulting Windows token into a claims token.
- Trusted provider (SAML) – The standard way to use ADFS: ADFS authenticates the user and issues a SAML-based security token consisting of claims, which SharePoint consumes. Note that SharePoint 2013 and 2016 support the WS-Federation passive profile with SAML 1.1 tokens, not the SAML 2.0 protocol, so the relying party trust in ADFS is configured with a WS-Federation passive endpoint.
- Forms-based authentication – Uses ASP.NET membership and role providers, so you can plug in your own user store and authentication method. It is a common way to let external users into an internal SharePoint site.
Whichever authentication type you use, SharePoint's own security token service converts the incoming identity into a SharePoint claims (SAML) token and then into an SPUser object. A Windows token, for example, is first converted into a claims-based identity token and then into an SPUser object.
Before we dive further into ADFS authentication, let's define the basic terms used with ADFS.
- Claims – A claim is a statement that an issuer (the claims provider) makes about the user who is logging in, such as a name, e-mail address or group membership. When a user logs in to an application using Facebook, Facebook is the claims provider and supplies claims such as 'Facebook user id' and 'Facebook profile picture' to the application.
- Security token – The claims issued for a user are packaged into a signed security token. The application accepts the token in place of a password, so it is effectively the user's access key; the token proves anything only because it carries the issuer's signature, which the relying party must verify against the issuer's token-signing certificate.
- Identity provider – The party that authenticates the user and issues the security token. For SharePoint it is ADFS; in the Facebook example, Facebook is the identity provider.
- Relying party – The application that consumes the claims for authorization. When we log in to SharePoint using ADFS authentication, SharePoint is the relying party and ADFS is the identity provider.
- Security token service (STS) – The component of the identity provider that builds the security token from the claims, so that the relying party can use it to authorize the user.
- Realm – An identifier (the wtrealm parameter in WS-Federation) that tells ADFS which relying party a sign-in request is for, and therefore which relying party trust and claim rules to apply. The realm is the set of applications, URLs, domains or sites for which a token is valid. Typically it is defined as an Internet domain such as microsoft.com, a path within that domain, or a URN (for example urn:sharepoint:portal). ADFS writes the realm into the token as its audience, so SharePoint rejects a token that was issued for a different realm.
In our case SharePoint is the relying party, since it relies on ADFS for authentication.
There are other identity providers besides ADFS, such as CA SiteMinder and Oracle Access Manager, but ADFS is the usual choice with SharePoint because:
- It is the native provider for SharePoint
- It is fully supported by Microsoft
- It is included with the Windows Server license at no extra cost
- It integrates directly with Active Directory
- Most organizations already have ADFS in place
Process for SharePoint ADFS Authentication
The infographic below shows the process flow for ADFS authentication with SharePoint.
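To make the terms above (realm, relying party, security token, claims) and the sign-in flow concrete, here is an added Python simulation of the WS-Federation passive exchange between SharePoint as relying party and ADFS as identity provider. It is example code written for this article, not code from the original page or from any Microsoft product. The host names adfs.contoso.local and portal.contoso.local, the federation service identifier, the realm urn:sharepoint:portal, the relying party trust and the user data are all constructed. The assertion follows the shape of an ADFS SAML 1.1 token but is unsigned; real ADFS signs it with its token-signing certificate, which is the certificate a later article in this series exports for SharePoint.

```python
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
ADFS_SIGNIN = "https://adfs.contoso.local/adfs/ls/"  # assumed ADFS passive endpoint
ISSUER = "http://adfs.contoso.local/adfs/services/trust"  # assumed federation service identifier
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Relying party trust as ADFS would hold it (constructed): the realm maps to the
# only reply endpoint allowed and to the claims the issuance rules pass through.
RP_TRUSTS = {"urn:sharepoint:portal": {"wreply": "https://portal.contoso.local/_trust/",
                                        "claims": ("emailaddress", "role")}}

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_signin_request(realm, wreply, wctx):
    """Step 1, SharePoint side: an unauthenticated request becomes a redirect to
    ADFS carrying wtrealm, the identifier of this relying party."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": wreply, "wctx": wctx}
    return ADFS_SIGNIN + "?" + urllib.parse.urlencode(params)

def issue_token(signin_url, subject, user_claims, now=SAMPLE_NOW, lifetime_min=60):
    """Step 2, ADFS side: resolve the relying party trust from wtrealm and issue a
    SAML 1.1 assertion whose audience is that realm.  Claims the trust does not
    pass through are dropped, as the issuance rules would drop them."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(signin_url).query)
    realm = query.get("wtrealm", [None])[0]
    trust = RP_TRUSTS.get(realm)
    if query.get("wa") != ["wsignin1.0"] or trust is None:
        raise ValueError("no relying party trust for realm %r" % realm)
    # A wreply that is not a configured endpoint of the trust is refused, so the
    # token can never be posted back to an attacker-chosen URL.
    if query.get("wreply", [trust["wreply"]])[0] != trust["wreply"]:
        raise ValueError("wreply is not an endpoint of the trust")
    attrs = "".join(
        f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{CLAIMS_NS}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue></saml:Attribute>"
        for name, value in user_claims.items() if name in trust["claims"])
    # Real ADFS adds a ds:Signature made with its token-signing certificate, which
    # SharePoint checks against the certificate exported from ADFS; that step is
    # omitted here so the example stays self-contained.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1" '
        f'AssertionID="_{uuid.uuid4()}" Issuer="{ISSUER}" IssueInstant="{_ts(now)}">'
        f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{_ts(now + timedelta(minutes=lifetime_min))}">'
        f"<saml:AudienceRestrictionCondition><saml:Audience>{escape(realm)}</saml:Audience>"
        f"</saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement>"
        f"<saml:Subject><saml:NameIdentifier>{escape(subject)}</saml:NameIdentifier></saml:Subject>"
        f"{attrs}</saml:AttributeStatement></saml:Assertion>")

def validate_token(token_xml, expected_realm, now=SAMPLE_NOW):
    """Step 3, SharePoint side: the browser POSTs the token to /_trust/.  Accept it
    only from the trusted issuer, for our realm and inside its validity window,
    then return the claims keyed by full claim type URI (the SPUser identity)."""
    ns = {"saml": SAML_NS}
    assertion = ET.fromstring(token_xml)
    if assertion.get("Issuer") != ISSUER:
        raise ValueError("token not issued by the trusted identity provider")
    cond = assertion.find("saml:Conditions", ns)
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", ns)]
    if expected_realm not in audiences:
        raise ValueError("token issued for another realm: %r" % audiences)
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("token outside its validity window")
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", ns):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[claim_type] = [v.text for v in attr.findall("saml:AttributeValue", ns)]
    return claims

def rejects(token_xml, expected_realm, now):
    """True if the relying party refuses the token under these conditions."""
    try:
        validate_token(token_xml, expected_realm, now)
        return False
    except ValueError:
        return True

def run_demo():
    """One complete sign-in for a constructed user, plus two tokens that must fail."""
    realm = "urn:sharepoint:portal"
    url = build_signin_request(realm, RP_TRUSTS[realm]["wreply"], "https://portal.contoso.local/sites/hr")
    user = {"emailaddress": "alice@contoso.local", "role": "HR Readers", "sid": "S-1-5-21-1"}
    token = issue_token(url, "alice@contoso.local", user)
    return {"signin_url": url, "claims": validate_token(token, realm),
            "wrong_realm_rejected": rejects(token, "urn:sharepoint:intranet", SAMPLE_NOW),
            "expired_rejected": rejects(token, realm, SAMPLE_NOW + timedelta(hours=2))}
```

Running run_demo() walks the three steps: the redirect to ADFS carries the realm, ADFS uses that realm to find the relying party trust and writes it back into the token as the audience, and SharePoint accepts the token only when issuer, audience and validity window all match, after which it would build the SPUser from the returned claims and set its FedAuth cookie. The same token presented for another realm, or after it has expired, is refused, which is exactly why the realm must be configured identically on the ADFS relying party trust and on the SharePoint trusted identity token issuer in the later parts of this series.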