Question

FrankLOH-9590 asked:
Would like to know how to get ADFS to pass domain\username to SharePoint

I was given a Sharepoint 2013 server (on windows server 2012 r2) and an ADFS server (Windows server 2019). I followed the guide here:
https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/implement-saml-based-authentication-in-sharepoint-server.

I am able to use email address to authenticate. Here's the current scenario.
1) Open https://myapp-mycompany.com.my from client browser
2) Auto redirects to ADFS page https://adfs.mycompany.com.my/adfs/ls/ for authentication using email
3) Once authenticated redirects back to Sharepoint with the email address as the login credential

I want to pass domain\username to SharePoint rather than the email address. How do I achieve this?
Please note I'm new to ADFS and would appreciate plain language.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Here are the settings. They're practically the same as in the guide above.

On the AD FS server, start PowerShell and run the following script:

# STEP 1: Create the relying party

# Name of the Relying Party
$name = "myserver-TrustedIdentityProvider"

# Unique identifier of the Relying Party (in SharePoint it's referred to as the realm)
$identifier = "urn:myserver:mycompany.com.my"

# Authority that authenticates users
$identityProvider = "Active Directory"

# SharePoint URL where the user is redirected upon successful authentication
$redirectURL = "https://myapp-mycompany.com.my/_trust/"

# Allow everyone to use this relying party
$allowEveryoneRule = '=> issue (Type = "http://schemas.microsoft.com/authorization/claims/permit", value = "true");'

# Create the Relying Party
Add-ADFSRelyingPartyTrust -Name $name -Identifier $identifier -ClaimsProviderName $identityProvider -Enabled $true -WSFedEndpoint $redirectURL -IssuanceAuthorizationRules $allowEveryoneRule -Confirm:$false

# STEP 2: Add claim rules to the relying party

# The rule below configures the relying party to issue 2 claims in the SAML token: email and role.
# Note: AD FS pairs each attribute in "query" with the claim type at the same position in "types";
# this query names three attributes (mail, tokenGroups, UPN) but "types" lists only two.
$claimsRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(
store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
query = ";mail,tokenGroups,UPN(fullDomainQualifiedName);{0}",
param = c.Value);
"@

# Apply the rule to the Relying Party
Set-ADFSRelyingPartyTrust -TargetName $name -IssuanceTransformRules $claimsRule

================================================================================================

Configure SharePoint to trust AD FS (run in the SharePoint Management Shell on the SharePoint server):

# Define claim types
$email = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Public key of the AD FS signing certificate
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")

# Unique realm (corresponds to the unique identifier of the AD FS Relying Party)
$realm = "urn:myserver:mycompany.com.my"

# Set the AD FS URL where users are redirected to authenticate
$signinurl = "https://adfs.mycompany.com.my/adfs/ls/"

# Create a new SPTrustedIdentityTokenIssuer in SharePoint
New-SPTrustedIdentityTokenIssuer -Name "myserver-TrustedIdentityProvider" -Description "myserver-TrustedIdentityProvider" -Realm $realm -ImportTrustCertificate $signingCert -ClaimsMappings $email,$role -SignInUrl $signinurl -IdentifierClaim $email.InputClaimType

# Register the AD FS signing certificate as a trusted root authority
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")
New-SPTrustedRootAuthority -Name "myserver-TrustedRootAuthority" -Certificate $rootCert

# This script extends an existing web application to set AD FS authentication on a new zone

# URL of the default zone of the web application
$webAppDefaultZoneUrl = "http://myserver"

# URL of the SharePoint site federated with ADFS
$trustedSharePointSiteUrl = "https://myapp-mycompany.com.my"
$sptrust = Get-SPTrustedIdentityTokenIssuer "myserver-TrustedIdentityProvider"
$ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
$wa = Get-SPWebApplication $webAppDefaultZoneUrl
New-SPWebApplicationExtension -Name "myserver-TrustedIdentityProvider" -Identity $wa -SecureSocketsLayer -Zone Intranet -Url $trustedSharePointSiteUrl -AuthenticationProvider $ap

# Create a self-signed certificate for the web extension site
New-SelfSignedCertificate -DnsName "myserver-mycompany.com.my" -CertStoreLocation "cert:\LocalMachine\My"


I managed to find a related discussion here, but I don't quite understand it. Can anyone take a look to see if it's related to my question?

https://social.technet.microsoft.com/Forums/lync/en-US/8c5adbbd-b968-4fa4-a8ad-9e65118ca726/pass-domainusername-to-relying-party-from-adfs-30?forum=ADFS


Thanks.


1 Answer

piaudonn answered:

Let's say your domain is CONTOSO and your user is BOB. Do you want to send CONTOSO\BOB in the emailaddress claim?
We can do that from ADFS's perspective. But I don't know if that's okay with SharePoint.

You can delete the LdapClaims rule you have on the relying party trust in ADFS and create the following two:

  1. Send the group membership in the role claim. Click on Add rule and pick Send LDAP Attributes as Claims. Then use the following:

[screenshot: 87466-image.png]

  2. Send the windowsaccountname (that's what the format CONTOSO\BOB is called) as the emailaddress claim. Click on Add rule and pick Transform an Incoming Claim.

It does what you want. Now, whether what you want works for SharePoint, that's outside of my expertise. Note you could also send another claim instead of "re-using" the email claim...

[screenshot: 87458-image.png]


Thanks @piaudonn, you saved my day! The solution works. I just changed the outgoing claim type from E-Mail Address to UPN and the domain\username was passed successfully to SharePoint.

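As an added example (not code from the thread or from Microsoft's guide), here are the answer's two claim rules written in AD FS claim-rule language and applied with the same cmdlet the question's script uses, so the GUI steps in the screenshots can be reproduced and audited from PowerShell. It assumes the relying party name from the question and, following the asker's follow-up, UPN as the outgoing claim type; the emailaddress variant from the answer is one swapped URI.

```powershell
# Added example: the answer's two rules as claim-rule language (assumed names/URIs noted below).
$name = "myserver-TrustedIdentityProvider"   # relying party name from the question

# Rule 1 - "Send LDAP Attributes as Claims": group membership (tokenGroups) in the role claim.
# Triggered by the windowsaccountname claim AD FS issues after Windows logon.
$roleRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Group membership as role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Rule 2 - "Transform an Incoming Claim": re-issue the DOMAIN\username value carried in
# windowsaccountname under the claim type SharePoint reads as its identifier claim.
# UPN is what the asker ended up using; set $outgoingType to
# "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" for the answer's variant.
$outgoingType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$passThroughRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Pass DOMAIN\username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "$outgoingType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# -IssuanceTransformRules replaces the whole rule set, which is the answer's
# "delete the LdapClaims rule and create the following two" in one step.
Set-ADFSRelyingPartyTrust -TargetName $name -IssuanceTransformRules ($roleRule + "`n" + $passThroughRule)

# Verify what the relying party will now issue before testing the SharePoint sign-in.
(Get-ADFSRelyingPartyTrust -Name $name).IssuanceTransformRules

# Caveat: SharePoint only accepts the token if the claim type chosen as -IdentifierClaim on the
# SPTrustedIdentityTokenIssuer is present in it, so $outgoingType must match that mapping.
```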