Provide SharePoint Single Sign-On with Active Directory Federation Services
Configure Internal Federation Server (Account Federation Server)
You need to follow a few basic steps to configure your internal federation server. This is the server that will connect to the internal AD forest and provide tokens for users to connect to the extranet SharePoint server via their internal AD logon. These include:
- Add the Active Directory account store. This configures the federation server to provide tokens for user accounts in the designated Active Directory domain.
- Create a new organization group claim. This is a claim or identity passed to the external federation server.
- Create a new claim extraction for the group claim. This extraction maps the claim to a particular group of users within Active Directory. Members of this AD group will be given access to the extranet SharePoint server via another claim extraction set up on the resource federation server.
- Set up the resource partner. This step establishes the relationship between the two federation servers; they communicate via web services, with all traffic passed over SSL. You must also specify the type of claim to pass to the resource federation server. This can be email address, UPN, Common Name, or any combination of these. The chosen identity claim serves as the unique identifier for each member of the claim group.
- Set up an external claim mapping. This maps the AD group to the claim being sent to the other federation partner.
Configure External Federation Server (Resource Federation Server)
Next, you need to finish setting up the external federation server. This server resides in the perimeter network with the SharePoint server. To do that, follow this procedure:
- Create a new SharePoint application. This configures ADFS to provide authentication tokens for the specified application.
- Add a new account partner. Add the URI for the account federation server. This configures the resource federation server to accept tokens from the account federation server.
- Create a new organization group claim, and map it to a resource group. This step creates a new claim and maps it to a group in the external AD forest.
- Enable the organization group claim for the SharePoint application.
- Create a new incoming claim to match the outgoing claim from the account federation server. This setting maps the two claims to each other.
SharePoint Configuration
Finally, configure your SharePoint application to support ADFS tokens by modifying the web.config for both Central Admin and the SharePoint application sites. You need to add a new provider for both files. You can do that by manually adding the configuration information to web.config, or by using the ADFS script for SharePoint, a VBScript file that automatically updates web.config to enable SharePoint to support federation.
VBScript Route
If you choose to use the script, after running the script, make sure you log on to the SharePoint site and give access to the group claim resource group. After you do that, internal users should be able to sign on to the external SharePoint site using their internal Active Directory credentials.
Manual Route
If you prefer to modify the web.config files yourself, add the following code to the web.config file for each web application that you want to make aware of claims. Just after the
<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://extadfs.treyresearch.com/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://extadfs.treyresearch.com/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
Save your changes to the web.config file. At this point users should be able to sign on to the external SharePoint site using their internal Active Directory credentials.
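Whether you take the script route or edit web.config by hand, it is worth verifying the result before testing logons, because a provider entry that is missing, mistyped, or pointed at an http:// endpoint fails in ways that look like a federation trust problem. The following Python script is an added example, not part of the original article or of the ADFS script for SharePoint. It parses a web.config as XML and checks the wiring shown above: both SingleSignOn providers registered with the expected type, the roleManager enabled with the SQL role provider removed, and the fs attribute on each provider pointing over HTTPS at the /adfs/fs/federationserverservice.asmx endpoint of the same federation server. The embedded web.config text is constructed from the article's snippet; extadfs.treyresearch.com is the article's example host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample assembled from the article's web.config snippet.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2"
             type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             fs="https://extadfs.treyresearch.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <remove name="AspNetSqlRoleProvider" />
        <add name="SingleSignOnRoleProvider2"
             type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             fs="https://extadfs.treyresearch.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""

# Path of the federation server web service endpoint used in the article.
EXPECTED_FS_PATH = "/adfs/fs/federationserverservice.asmx"


def _child(elem, tag):
    """Direct child lookup that copes with dots in tag names (system.web)."""
    if elem is None:
        return None
    for child in elem:
        if child.tag == tag:
            return child
    return None


def _check_provider(kind, section, expected_name, findings):
    """Validate the <add> entry for one ADFS provider; return its fs URL or None."""
    adds = [] if section is None else section.findall("providers/add")
    matches = [a for a in adds if a.get("name") == expected_name]
    if not matches:
        findings.append(f"{kind}: provider {expected_name} is not registered")
        return None
    add = matches[0]
    # The type attribute must name the SingleSignOn class from the PartialTrust assembly.
    type_attr = add.get("type", "").replace(" ", "")
    if not type_attr.startswith(f"System.Web.Security.SingleSignOn.{expected_name},"):
        findings.append(f"{kind}: unexpected type attribute for {expected_name}")
    fs = add.get("fs")
    if not fs:
        findings.append(f"{kind}: fs attribute (federation server endpoint) is missing")
        return None
    url = urlparse(fs)
    if url.scheme.lower() != "https":
        findings.append(f"{kind}: fs endpoint must use https, got {fs}")
    if not url.hostname:
        findings.append(f"{kind}: fs endpoint has no host name: {fs}")
    if url.path.lower() != EXPECTED_FS_PATH:
        findings.append(f"{kind}: fs path should be {EXPECTED_FS_PATH}, got {url.path}")
    return fs


def check_web_config(xml_text):
    """Return a list of findings; an empty list means the ADFS wiring matches the article."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"web.config is not well-formed XML: {exc}"]
    sysweb = _child(root, "system.web")
    if sysweb is None:
        return ["no <system.web> section found"]

    membership_fs = _check_provider("membership", _child(sysweb, "membership"),
                                    "SingleSignOnMembershipProvider2", findings)
    role_mgr = _child(sysweb, "roleManager")
    if role_mgr is None:
        findings.append("roleManager: section is missing")
    else:
        if role_mgr.get("enabled", "").lower() != "true":
            findings.append("roleManager: not enabled")
        removed = [r.get("name") for r in role_mgr.findall("providers/remove")]
        if "AspNetSqlRoleProvider" not in removed:
            findings.append("roleManager: AspNetSqlRoleProvider not removed (the article's snippet removes it)")
    role_fs = _check_provider("roleManager", role_mgr, "SingleSignOnRoleProvider2", findings)
    # Both providers should talk to the same resource federation server.
    if membership_fs and role_fs and membership_fs.lower() != role_fs.lower():
        findings.append("membership and roleManager point at different federation servers")
    return findings


if __name__ == "__main__":
    for line in check_web_config(SAMPLE_WEB_CONFIG) or ["web.config ADFS wiring looks correct"]:
        print(line)
```

Run it against the web.config of Central Admin and of each SharePoint web application you changed; read the file with open(path).read() in place of SAMPLE_WEB_CONFIG. The check is deliberately strict about the https scheme: the fs endpoint is where the SharePoint server hands federation tokens back and forth with the resource federation server, so a plain-http URL here would expose that exchange on the perimeter network.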
As you've seen, your business can provide extranet access to SharePoint sites yet still allow internal employees access to those sites using a single sign-on: their internal Active Directory credentials. As organizations continue to expose SharePoint externally to provide collaboration services for clients and business partners, you can leverage Active Directory Federation Services to provide a single sign-on experience for both external and corporate users.