Installing and Configuring ADFS Integration with SharePoint 2013 – Step by Step Guide

Introduction:
Active Directory Federation Services (ADFS) is Microsoft's solution for extending enterprise identity beyond the corporate firewall. It simplifies sharing identities between trusted partners across organizations. A common business scenario: users in one organization need to access a secured application or website owned by another organization. Without ADFS, we'd end up re-creating logins for the partner company's users in our own AD, which leaves two separate identities per user to maintain and manage. ADFS solves this by federating identities and establishing single sign-on: the partner keeps authenticating its own users and sends us a signed token with claims about them. SharePoint 2013 – ADFS integration is seamless, as claims-based authentication is natively supported.

Generally, in the SharePoint world, ADFS is used in these three scenarios:

  1. Domains that are not part of your AD forest (such as acquired companies without trusts established, but with network connectivity in place): a user in one organization accesses an application in another organization, so that you can collaborate across organizational boundaries without duplicating user logins. For example, your company is running an internal SharePoint site/application and your partner or acquired company wants to use the same site.
  2. Extranet setups for partners/customers – accessing the SharePoint application via the Internet, which extends the first scenario to remote users outside the organization. The external domain is still responsible for validating the provided credentials and passing the resulting claims on to SharePoint.
  3. Office 365/Cloud – you are running a SharePoint farm either in the cloud or in Office 365 and want to provide access to the users of your company without re-creating their identities in the cloud.

How does the ADFS – SharePoint authentication process work?

  • The user browses to the SharePoint site URL and, on the sign-in page, picks the trusted identity provider (ADFS).
  • SharePoint redirects the browser to the ADFS sign-in URL configured for that provider (/adfs/ls), passing the realm of the web application; ADFS prompts the user for credentials.
  • ADFS verifies the user name and password against Active Directory, its identity store.
  • ADFS issues a SAML token containing the configured claims, signs it with its token-signing certificate and returns it to the browser, which POSTs it to the web application's /_trust/ endpoint (WS-Federation passive profile).
  • The SharePoint Security Token Service verifies the signature against the token-signing certificate it trusts, extracts the claims, and issues its own FedAuth session cookie.
  • SharePoint performs authorization against site permissions using the identifier claim and connects the user to the web application.

There are three steps involved in integrating ADFS with SharePoint 2013:

  1. Install ADFS Server
  2. Create a trusted relying party for SharePoint 2013 in ADFS
  3. Configure SharePoint 2013 to trust ADFS

Prerequisites:
There are certain prerequisites to be addressed for ADFS SharePoint 2013 configuration.

  1. SSL Certificates: Obtain an SSL certificate for your SharePoint 2013 web application, plus at least two certificates for ADFS: one for ADFS service communication (SSL) and one for ADFS token signing. Use 2048-bit RSA keys.
  2. Default Web Site in IIS – make sure the Default Web Site is running in IIS on your ADFS server (ADFS 2.x is hosted in IIS). It must have an HTTPS binding that uses the ADFS service communication certificate.
  3. SharePoint Web Application requirements: your web application must be SSL enabled and its authentication mode must be “Claims Based” (the default in SharePoint 2013). The Security Token Service application must be up and running.
  4. DNS Entries: make sure DNS entries (or hosts file entries, at the very least!) exist for both the SharePoint and ADFS host names, so that browsers, SharePoint and ADFS can all resolve each other. The names must match the subject names on the certificates.
  5. Service account – use a dedicated domain service account for the ADFS service (least privilege: it needs “Log on as a service”, which the configuration wizard grants, plus read access to the token-signing private key; it does not need local administrator rights). Register the SPN on the service account: setspn -a HOST/adfs.crescent.com crescent\AdfsSvc

Here is our environment setup:
In production environments, ADFS is deployed as a separate farm, usually with a federation server proxy in the perimeter network for extranet access. For evaluation purposes, I'm using the configuration below:

  • ADFS Server – ADFS.Crescent.com
  • SharePoint Farm – Web Application: Intranet.Crescent.com
  • Certificates
    • Intranet.Crescent.com – SharePoint web application SSL certificate
    • ADFS.Crescent.com – ADFS service communication (SSL) certificate
    • TokenSigning.Crescent.com – ADFS token-signing certificate (only its public key is shared with SharePoint)

Step 1: Install ADFS Server Instance

In Windows Server 2008 R2, ADFS 2.0 was a separate download, but in Windows Server 2012 ADFS is a built-in server role. So all you have to do is add the AD FS server role from the “Add Roles and Features” wizard. An ADFS server can be installed standalone or as an ADFS farm with multiple servers; a standalone server uses the Windows Internal Database, while a farm uses either the Windows Internal Database or SQL Server. Although it's possible to install ADFS on the same box as SharePoint, Microsoft doesn't recommend it.

Let's begin installing the ADFS server role.

  1. Log in to your proposed ADFS server. Make sure it is already joined to the AD domain. Open Server Manager.
  2. Click on the “Add roles and features” link from the Dashboard section of Server Manager.
  3. You'll be presented with the “Add Roles and Features Wizard”. Click “Next” to start.
  4. Choose “Role-based or feature-based installation” as the installation type and click “Next”.
  5. Select the appropriate server on the server selection page.
  6. Check “Active Directory Federation Services” under Server Roles and click “Next”.
  7. On the Features page, make sure “.NET Framework 3.5” is already installed. If not, select that check box.
  8. Click “Next” on the AD FS page.
  9. Choose “Federation Service” under the Role Services section.
  10. Click on the “Install” button to start installing the ADFS server role.
  11. Wait for the installation to complete. Click on the “Close” button to exit the wizard.

Configure ADFS Server:

  1. Go to Server Manager and click on the “AD FS” tab. There will be a notification at the top saying “Configuration required for Federation Service”. Click on the “More” link, which pops up a message.
  2. Click on the “Run the AD FS Management snap-in” link to run the post-deployment configuration.
  3. Now we are in the AD FS snap-in. Click on the “AD FS Federation Server Configuration Wizard” link to start configuring ADFS.
  4. Choose the “Create a new Federation Service” option on the welcome screen.
  5. Select the deployment type “Stand-alone federation server”.
  6. Choose the appropriate SSL certificate for ADFS service communication. The wizard derives the Federation Service name from the certificate's subject name, so the certificate must be issued to the ADFS host name (ADFS.Crescent.com here).
  7. Click “Next” on the summary page.
  8. Wait for the AD FS configuration to complete.

Verify ADFS installation:
Browse to the URLs below. The first should show the ADFS sign-in page; the second should return the federation metadata XML document, which contains the Federation Service identifier and the token-signing certificate ADFS currently publishes:

  • https://YourADFS-Server.com/adfs/ls/IdpInitiatedSignon.aspx
  • https://YourADFS-Server.com/FederationMetadata/2007-06/federationmetadata.xml
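The same verification can be scripted. The following is an added example, not part of the original post: it fetches the federation metadata over HTTPS (so a failing TLS handshake also tells you the service communication certificate or DNS name is wrong), prints the Federation Service identifier, and lists the token-signing certificate(s) ADFS publishes. The host name adfs.crescent.com is the one used in this guide; change it for your environment.

```powershell
# Added example (not from the original post). Assumes the ADFS host name
# adfs.crescent.com from this guide and PowerShell 3.0+ (Windows Server 2012).
$adfsHost    = "adfs.crescent.com"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Invoke-WebRequest validates the TLS certificate chain and host name. If this
# throws, fix the service communication certificate or DNS before going further.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# entityID is the issuer identifier ADFS places in every token it issues.
"Federation Service identifier (entityID): {0}" -f $metadata.EntityDescriptor.entityID

# Namespace-aware lookup of the signing keys (XML dot-notation ignores namespaces,
# but SelectNodes does not).
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# The same certificate appears under several role descriptors; report each once.
$seen = @{}
foreach ($node in $metadata.SelectNodes($xpath, $ns)) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($node.InnerText))
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $true

    # This thumbprint must match the certificate you later register in SharePoint
    # with New-SPTrustedRootAuthority; a mismatch means tokens fail signature checks.
    "Token-signing cert: {0}  Thumbprint={1}  Expires={2:yyyy-MM-dd}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

# The passive sign-in endpoint SharePoint will redirect browsers to.
"WS-Federation passive endpoint: https://$adfsHost/adfs/ls/"
```

Run this from any domain-joined machine that trusts the ADFS service communication certificate. Keep the printed thumbprint; after Step 2 changes the token-signing certificate, run it again and make sure the value you export to SharePoint is the one ADFS now publishes.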

Step 2: Create trusted relying party in ADFS 

Now the next step is to add a new trusted relying party (in our case, our SharePoint web application URL). We have to set up ADFS to accept our SharePoint web applications as relying parties so that SharePoint can consume the claims issued by the ADFS server.

Configure ADFS for SharePoint 2013:
Let's add the SharePoint web application URL as a trusted relying party:

  1. Go to Server Manager and click on “AD FS Management” from the Tools menu.
  2. In the AD FS snap-in, click on the “Required: Add a trusted relying party” link. You can also click on “Add Relying Party Trust” to get the same wizard.
  3. Click the “Start” button to initiate the Add Relying Party Trust wizard.
  4. In the “Select Data Source” step, choose “Enter data about the relying party manually” and click “Next”.
  5. Give a display name to the relying party.
  6. Choose the profile “AD FS profile”.
  7. The token encryption certificate on the “Configure Certificate” step is optional (it would be used to encrypt tokens for SharePoint; token signing is configured separately on the ADFS service itself). Skip it by pressing “Next”.
  8. Here is an important step: Configure URL! Select the “Enable support for the WS-Federation Passive protocol” check box. Enter the relying party WS-Federation Passive protocol URL by appending /_trust/ to your SharePoint web application URL. In my case, my web application is https://intranet.crescent.com, so I'm entering https://intranet.crescent.com/_trust/. This is the address ADFS will POST the signed token to, so it must be HTTPS and must match the web application exactly.
  9. Configure identifiers: enter the relying party trust identifier. It uses the naming convention urn:Your-Web-App:Your-Domain. Let's enter “urn:intranet:crescent” and click on the “Add” button. This exact string is the realm SharePoint sends to ADFS in Step 3; the two must match.
  10. For issuance authorization rules, choose “Permit all users to access this relying party” and click “Next”. This only lets ADFS issue tokens for the relying party; access to SharePoint content is still governed by SharePoint permissions.
  11. Click “Next” on the summary page.
  12. Enable the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” check box and click on the “Close” button.

Edit Claims Rule:
SharePoint claims-based authentication identifies users by a set of claims issued by ADFS, such as User Principal Name and e-mail address. The claim rules tell ADFS which Active Directory attributes to send to SharePoint as claims.

  1. Click on the “Add Rule” button in the Edit Claim Rules window.
  2. Choose the claim rule template “Send LDAP Attributes as Claims”.
  3. Give a name to your claim rule, choose the attribute store “Active Directory”, and map the attributes to be sent to SharePoint from Active Directory via ADFS. I've mapped the LDAP attribute “E-Mail-Addresses” to the outgoing claim type “E-Mail Address” and “User-Principal-Name” to “UPN”. Click the “Finish” button once done.

Repeat the relying party wizard for all of your web applications.
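For more than one or two web applications, clicking through the wizard does not scale and is easy to get subtly wrong (a typo in the identifier breaks the realm match). The script below is an added example, not code from the original post: it creates the same relying party trust and claim rules as the wizard steps above from the ADFS PowerShell cmdlets, and updates the rules if the trust already exists. It assumes the names from this guide (intranet.crescent.com, urn:intranet:crescent); the rule text is the claim rule language ADFS itself generates for the “Permit all users” and “Send LDAP Attributes as Claims” templates.

```powershell
# Added example (not from the original post). Run on the ADFS server as an
# ADFS administrator. Assumes the relying party values used in this guide.
# ADFS 2.0 ships its cmdlets as a snap-in, later versions as a module; load whichever exists.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ADFS -ErrorAction SilentlyContinue

$name       = "SharePoint Intranet"                 # display name in the AD FS console
$identifier = "urn:intranet:crescent"               # must equal the realm SharePoint sends
$wsfedUrl   = "https://intranet.crescent.com/_trust/" # where ADFS POSTs the signed token

# Issuance authorization: permit every authenticated user (same as the wizard choice).
# Tighten later with a group-based rule if only some users may reach SharePoint.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: "Send LDAP Attributes as Claims" for mail -> E-Mail Address
# and userPrincipalName -> UPN, exactly the mapping SharePoint expects in Step 3.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SharePoint claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

if (Get-AdfsRelyingPartyTrust -Name $name) {
    # Re-running should converge, not fail: refresh the rules on the existing trust.
    Write-Warning "Relying party trust '$name' already exists; updating its rules."
    Set-AdfsRelyingPartyTrust -TargetName $name `
        -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules
} else {
    Add-AdfsRelyingPartyTrust -Name $name -Identifier $identifier -WSFedEndpoint $wsfedUrl `
        -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules
}

# Show what ADFS ended up with; Identifier and WSFedEndpoint are the two values
# that must agree with the SharePoint side.
Get-AdfsRelyingPartyTrust -Name $name | Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

To add a second web application (for example My Sites), run it again with a different $name, $identifier (e.g. urn:mysite:crescent) and $wsfedUrl, or add the extra identifier to the existing trust with Set-AdfsRelyingPartyTrust -Identifier.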

Change the Token Signing Certificate in ADFS Server
The “ADFS service communication” and “ADFS token signing” certificates must be separate certificates. The token-signing certificate only needs to be trusted by the relying parties (SharePoint), not by browsers. By default ADFS generates self-signed token-signing certificates and rolls them over automatically, which would silently invalidate the trust SharePoint holds, so we disable automatic certificate rollover before adding our own token-signing certificate. Open PowerShell on the federation server (ADFS.Crescent.com) and run:

Set-AdfsProperties -AutoCertificateRollover $false

Now, in the AD FS console go to Service >> Certificates >> Add Token-Signing Certificate. You'll be prompted to choose a certificate; select the “TokenSigning.crescent.com” certificate and then mark it as primary.

Remember, you must export this ADFS token-signing certificate (public key only) to all SharePoint servers to establish the trust.

Private Key Permissions:
The ADFS service account needs at least “Read” permission on the private key of the token-signing certificate; otherwise ADFS cannot sign tokens with it. From the Certificates snap-in (Local Computer), browse to Personal >> Certificates, right-click your token-signing certificate > All Tasks > Manage Private Keys, and grant “Read” permission to the service account (crescent\AdfsSvc). Restart the AD FS service afterwards so it picks up the new certificate.

Export this ADFS token signing certificate to all SharePoint server(s)

The ADFS token-signing certificate must be exported from the ADFS server and used when creating the trust on the SharePoint server. Export the public certificate only; the private key never leaves ADFS. Here is how:

  1. In the AD FS console, expand the “Certificates” folder, right-click your ADFS token-signing certificate and choose “View Certificate”.
  2. Under the “Details” tab, click on the “Copy to File...” button.
  3. In the Export Private Key step, choose “No, do not export the private key”.
  4. Click “Next” and choose the export file format “DER encoded binary X.509 (.CER)”.
  5. Save the file (C:\ADFS.TokenSigning.cer in this guide) and copy it to the SharePoint server(s).
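The three manual tasks above (add the token-signing certificate and make it primary, grant the service account read access to its private key, export the public certificate) can be done in one scripted pass on the ADFS server. This is an added example, not code from the original post. It assumes the certificate is already installed in the local machine Personal store with subject TokenSigning.crescent.com and an RSA (CSP) key, which is what the default AD CS templates on Server 2012 produce, and that the service account is crescent\AdfsSvc as in the prerequisites.

```powershell
# Added example (not from the original post). Run on the ADFS server as an
# administrator. Assumptions: cert subject CN=TokenSigning.crescent.com in
# Cert:\LocalMachine\My with a CSP (RSA) key; service account crescent\AdfsSvc.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ADFS -ErrorAction SilentlyContinue

$serviceAccount = "crescent\AdfsSvc"
$exportPath     = "C:\ADFS.TokenSigning.cer"

# Pick the newest token-signing certificate that actually has a private key here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=TokenSigning.crescent.com*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Token-signing certificate not found in Cert:\LocalMachine\My" }

# 1. Private key ACL (what "Manage Private Keys" does in the GUI). For CSP keys the
#    key is a file under MachineKeys; Read is all the service needs to sign.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyFile /grant "${serviceAccount}:R" | Out-Null

# 2. Stop ADFS rolling its own self-signed certificates, then register ours as primary.
#    Without step 1 ADFS would accept the certificate but fail when signing tokens.
Set-AdfsProperties -AutoCertificateRollover $false
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint -IsPrimary
Restart-Service adfssrv

# 3. Export the public certificate only (DER .cer) for New-SPTrustedRootAuthority.
#    X509ContentType::Cert never includes the private key, so this cannot leak it.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)
"Exported $exportPath (thumbprint $($cert.Thumbprint))"

# Verify: the primary token-signing certificate must now be the one we exported.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ n = "Expires"; e = { $_.Certificate.NotAfter } }
```

If the certificate was enrolled with a CNG key provider instead of a CSP, $cert.PrivateKey is null and the key file lives under Crypto\Keys rather than Crypto\RSA\MachineKeys; in that case grant the permission through the Manage Private Keys dialog as described above.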

Step 3: Configure SharePoint 2013 to Trust ADFS

As the final step, let's create a trusted identity token issuer pointing to ADFS as the claims provider, using PowerShell on a SharePoint server:

Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

#Register the token-signing certificate exported from ADFS (public key only) so SharePoint trusts tokens signed with it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS.TokenSigning.cer")
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name "ADFS Token Signing Certificate" -Certificate $cert | Out-Null
}

#Map the incoming claim types; the URIs must be exactly the claim types ADFS issues in its claim rules
$EmailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$UPNMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

#Realm must equal an identifier configured on the relying party trust in ADFS (Step 2)
$realm = "urn:intranet:crescent"

#Sign-in URL is the ADFS WS-Federation passive endpoint that SharePoint redirects users to
$signInURL = "https://adfs.crescent.com/adfs/ls"

#Create the trusted identity token issuer; -IdentifierClaim picks the claim that uniquely identifies a user
$TrustedIdentity = New-SPTrustedIdentityTokenIssuer -Name "Crescent.com" -Description "ADFS Trusted users from Crescent.com Domain" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $EmailMap,$UPNMap -SignInUrl $signInURL -IdentifierClaim $EmailMap.InputClaimType

The first block registers the token-signing certificate in the SharePoint trust store (New-SPTrustedRootAuthority). If the token-signing certificate was issued by a CA rather than self-signed, register the issuing and root CA certificates the same way, because SharePoint validates the whole chain. You can see them under the “Manage trust” link in the Security section of Central Administration.

Realm – the identifier that tells ADFS which relying party trust (and therefore which configuration and claim rules) a request is for. It follows the convention urn:yourwebapp:yourdomain. Technically it can be any string, but it must match an identifier configured on the relying party trust in ADFS, and it uniquely distinguishes between multiple web applications.

IdentifierClaim – the claim that uniquely identifies a user in SharePoint. When users log in via ADFS, they are identified by e-mail address in this case. Also, when granting access to SharePoint sites for ADFS users, we have to use this identifier as the user name. Make sure the mapped claim exists in the source: if e-mail is the identifier claim, every user's mail attribute in AD must contain a value and not be null, otherwise ADFS issues a token without the identifier and SharePoint rejects the sign-in. Because the identifier is how SharePoint stores permissions, prefer an attribute that does not change; UPN is usually more stable than e-mail address.


SharePoint 2013 ADFS with multiple web applications
So you have established a trusted identity provider for your primary web application. Any other web application (for example, My Sites) needs its own realm mapped in the same trusted identity provider. Add them with this PowerShell code:

Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

#Get the trusted identity token issuer created above
$TrustedIdentityProvider = Get-SPTrustedIdentityTokenIssuer "Crescent.com"

#Map the second web application URL to its own realm. The realm must also exist as an identifier on a relying party trust in ADFS, or ADFS will refuse the request
$uri = New-Object System.Uri("https://mysites.crescent.com/")
$TrustedIdentityProvider.ProviderRealms.Add($uri, "urn:mysite:crescent")

$TrustedIdentityProvider.Update()

Configure SharePoint Web Application:
The next step is to enable the ADFS trusted identity provider on the web application.

  • Go to Central Administration > Application Management > Manage Web Applications and select the web application.
  • Click on the “Authentication Providers” button in the ribbon.
  • Click the “Default” zone link from the list.
  • Scroll down to “Trusted Identity provider” and tick the provider we just created (you can keep Windows authentication enabled alongside it for administrators).
  • Click “OK” to save your changes.

Grant ADFS users Permission to the SharePoint web application
When you grant permissions to an ADFS user in SharePoint, you have to add the user by the IdentifierClaim value. For example, if the identifier is the e-mail address, add the user as [email protected] on the SharePoint side; at the ADFS sign-in page the user still enters their credentials in Domain\userName (or UPN) format. If you skip this step, users from ADFS will get: Access Denied!

When users hit the SharePoint URL, they'll be presented with the default sign-in page, where they pick either Windows Authentication or the ADFS trusted provider.

Troubleshooting?
Errors? The event logs are the best place to start: on the ADFS server, the AD FS Admin log under Applications and Services Logs; on the SharePoint server, the Application log and the ULS log (category “Claims Authentication”). The usual culprits are a token-signing certificate registered in SharePoint that no longer matches the primary certificate in ADFS (after a rollover, for instance), a realm that is not an identifier on any relying party trust, a clock difference between the two servers that makes the token appear expired or not yet valid, and an identifier claim (e-mail) that is empty in AD for the user.
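The checks below are an added example, not part of the original post; they gather the first things to look at when ADFS users see Access Denied or a sign-in loop, run from a SharePoint server. It assumes the names from this guide, that the account running it can read the ADFS server's event log remotely, and the ADFS 2.x log name “AD FS 2.0/Admin” (on Windows Server 2012 R2 and later the log is named “AD FS/Admin”).

```powershell
# Added example (not from the original post). Run on a SharePoint server.
# Assumptions: issuer "Crescent.com", ADFS host adfs.crescent.com, ADFS 2.x log
# name "AD FS 2.0/Admin", remote event log access to the ADFS server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuer = Get-SPTrustedIdentityTokenIssuer "Crescent.com"

# 1. Which token-signing certificate does SharePoint trust, and is it still valid?
#    Compare the thumbprint with Get-AdfsCertificate -CertificateType Token-Signing
#    on the ADFS server; if ADFS rolled its certificate, the two differ.
$cert = $issuer.SigningCertificate
"SharePoint trusts token-signing cert {0} (expires {1:yyyy-MM-dd})" -f $cert.Thumbprint, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Token-signing certificate has expired" }

# 2. Realms: every web application URL must map to an identifier that exists on a
#    relying party trust in ADFS, otherwise ADFS rejects the request.
"Default realm: $($issuer.DefaultProviderRealm)"
$issuer.ProviderRealms.GetEnumerator() | ForEach-Object { "  {0} -> {1}" -f $_.Key, $_.Value }

# 3. SharePoint side: recent claims-authentication problems in the ULS log
#    (signature or issuer mismatch, missing identifier claim, token lifetime).
Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-30) |
    Where-Object { $_.Category -eq "Claims Authentication" -and $_.Level -in @("Unexpected", "High") } |
    Select-Object Timestamp, Level, Message -First 20

# 4. ADFS side: errors in the AD FS Admin log, e.g. an unknown relying party
#    identifier or a token-signing key the service account cannot read.
Get-WinEvent -ComputerName adfs.crescent.com -LogName "AD FS 2.0/Admin" -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -eq "Error" } |
    Select-Object TimeCreated, Id, Message -First 10

# 5. Clock skew: token validity windows are short, so the two servers must agree on the time.
$adfsTime = [DateTime](Invoke-Command -ComputerName adfs.crescent.com -ScriptBlock { Get-Date })
"Clock difference SharePoint vs ADFS: {0:N0} seconds" -f ((Get-Date) - $adfsTime).TotalSeconds
```

Step 5 uses PowerShell remoting to the ADFS server; if remoting is not enabled, compare the output of w32tm /monitor on both machines instead.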

Salaudeen Rajack

Information Technology Professional with Two decades of SharePoint Experience.

12 thoughts on “Installing and Configuring ADFS Integration with SharePoint 2013 – Step by Step Guide”

  • June 10, 2021 at 11:05 PM

    Excellent article. Helped me.

  • July 30, 2020 at 2:59 AM

    Cool, nice article.

  • July 7, 2020 at 8:04 AM

    Very well explained.

  • May 15, 2020 at 1:28 PM

    We already have an NTLM-running web app. If we implement trusted identity, users will get access denied. Could you help with migrating existing users to trusted identity?
    Also wanted to know: is it not possible to implement this if we have an HTTP site that is not SSL enabled?

  • March 12, 2018 at 11:01 AM

    The above document is very useful, and thanks for such nice sharing!
    Could you please help me understand how the authentication process works in the scenario below?

    SharePoint is in the ABC.COM domain and a user from xyz.com wants to access the SharePoint site. There is no domain trust.

    • March 12, 2018 at 11:40 AM

      If you don’t want to establish trust, then options such as AD LDS, FBA with SQL Server, Live IDs, etc. can be utilized.

  • March 12, 2018 at 10:43 AM

    Awesome, very helpful.

  • May 16, 2017 at 9:00 AM

    Hello,

    My domain controller (Windows 2012 R2) and ADFS are on the same system. I just want to know how I can create an SSL certificate for testing purposes.

  • August 12, 2015 at 3:16 PM

    Well done and thanks a lot.

  • November 24, 2014 at 9:19 PM

    Very good article, really nice!!

  • September 9, 2014 at 4:42 AM

    Cool article… Kudos to your effort!