How to Create Multiple Claims Auth Web Apps in a Single SharePoint 2010 Farm
The question has been coming up more frequently lately about how does one configure multiple web apps that use claims authentication in SharePoint 2010. The primary point of confusion usually comes around the SPTrustedIdentityTokenIssuer. As I noted in a previous post (http://blogs.technet.com/speschka/archive/2010/02/17/planning-considerations-for-claims-based-authentication-in-sharepoint-2010.aspx), you can only associate a token-signing certificate from an STS with one SPTrustedIdentityTokenIssuer. When you create your SPTrustedIdentityTokenIssuer you tell it a) this is the token signing cert I’m going to use and b) this is the realm I’m going to use. The realm is important because it is included in the query string that’s sent back to your STS. Your STS will use that realm to figure out which relying part you are so it knows what claim rules to process, the URL it should use to look up the web app’s trust policy, etc. Even though you can add multiple token signing certificates to something like ADFS v2, there isn’t a way to say this token signing cert should be used with this relying party, so you really need to find a way to make it work with the single cert.
One of the changes made after beta 2 to support this scenario is with the SPTrustedIdentityProvider. It has a ProviderRealms property that will now take multiple realms. So say for example you have two web applications: https://collab and https://mysites. You create an SPTrustedIdentityTokenIssuer with some PowerShell that looks something like this (this isn’t the entire thing, just a snippet):
$realm = "urn:sharepoint:collab"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS v2" -Description "ADFS v2" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl "https://urlToYourAdfsServer/adfs/ls" -IdentifierClaim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Our SPTrustedIdentityTokenIssuer is now created and has a default realm of urn:sharepoint:collab. We create a relying party in ADFS v2 and tell it the identifier is urn:sharepoint:collab and https://collab/_trust/. Now in order to support our second web app, we need to add another realm to our SPTrustedIdentityTokenIssuer. Here’s the PowerShell for that:
$uri = new-object System.Uri("https://mysites")
The key thing to understand here is the URI. That URI should be the URL to the web app that is going to use that realm. At authentication time SharePoint will do a lookup to find the realm associated with that web app’s URI and that will be what it uses. So in this case we want the realm urn:sharepoint:mysites to be used with the web application at https://mysites, so we plugged in that URI when we added the realm. Now we can go back over to ADFS v2 and define a second relying party with an identifier of urn:sharepoint:mysites and https://mysites/_trust/ and everything should just work.