Below is an example PowerShell script for enabling federated SSO for SharePoint: "claims-authn-sso-enable.ps1".

This is the script in which the identity claim mappings are defined and the trusted identity provider is registered.

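#
# PowerShell Script for enabling federated SSO for SharePoint via DualShield IdP
#
# Expects the SharePoint cmdlets (New-SP*/Get-SP*/Set-SP*) to be available in the
# session. Settings are read from claims-authn-sso-common.ps1 next to this script;
# the variables used here ($idpCertFile, $caCertFile, $webApplicationName, $idpName,
# $idpSigninUrl, $idpTrustedRootCaName) are assumed to be defined there — that file
# is not shown alongside this script, so confirm before running.
#
# Side effects: creates an SPTrustedIdentityTokenIssuer, registers a trusted root
# authority, and switches the Default zone of the web application to the new issuer.
# The script is not idempotent: the New-* cmdlets create objects rather than update
# existing ones.

# Determines a directory where this script is placed
$ScriptDirectory = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition

# Includes common configuration (IdP name, sign-in URL, certificate file names, web application name)
. (Join-Path $ScriptDirectory claims-authn-sso-common.ps1)

# Paths to the PEM-encoded X.509 certificates: the WS-Federation IdP's signing
# certificate and the CA that issued it. Both are expected next to this script.
$cert_path = (Join-Path $ScriptDirectory $idpCertFile)
$certCA_path = (Join-Path $ScriptDirectory $caCertFile)

# Fail early with a clear message if a certificate file is missing. Under the default
# ErrorActionPreference a failed New-Object is reported but the script keeps going,
# which would leave the trust configuration half-applied further down.
foreach ($requiredFile in @($cert_path, $certCA_path)) {
    if (-not (Test-Path -LiteralPath $requiredFile -PathType Leaf)) {
        throw "Certificate file not found: $requiredFile"
    }
}

# Builds certificate objects from the files exported from DualShield
$cert = New-Object system.security.cryptography.x509certificates.x509certificate2($cert_path)
$certCA = New-Object system.security.cryptography.x509certificates.x509certificate2($certCA_path)

# Claim type mappings. -SameAsIncoming keeps the outgoing claim type identical to the
# incoming one, so SharePoint sees the claims under the same URIs the IdP issues.
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$firstNameClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "FirstName" -SameAsIncoming
$lastNameClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "LastName" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# This is the realm/EntityID that SharePoint uses when communicating with the IdP
$realm = $webApplicationName

# Creates the trusted identity token issuer in SharePoint.
# The email address claim is the identifier claim: SharePoint keys the user's identity
# on that value, so the IdP signing certificate imported here must be the only party
# able to assert it. The trust is bound to $cert; tokens signed by any other key are
# not accepted for this issuer.
$idp = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description "DualShield WS Fed" -Realm $realm -SignInUrl $idpSigninUrl -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$roleClaimMap,$firstNameClaimMap,$lastNameClaimMap -IdentifierClaim $emailClaimMap.InputClaimType
if (-not $idp) {
    throw "New-SPTrustedIdentityTokenIssuer did not return an issuer for '$idpName'"
}

# Adds the CA certificate to SharePoint's list of trusted root authorities so the
# issuer's signing certificate chain can be validated. The CA certificate also needs
# to be imported as a trusted root certificate in Windows on the SharePoint servers.
New-SPTrustedRootAuthority -name $idpTrustedRootCaName -Certificate $certCA

# Switches the Default zone of the existing web application to the new issuer.
# Re-reading the issuer by name (rather than reusing $idp from creation) is kept from
# the original flow; it also makes this step work when the issuer already existed.
$webApplication = Get-SPWebApplication $webApplicationName
if (-not $webApplication) {
    throw "Web application '$webApplicationName' not found"
}
$idp = Get-SPTrustedIdentityTokenIssuer $idpName
if (-not $idp) {
    throw "Trusted identity token issuer '$idpName' not found"
}
Set-SPWebApplication $webApplication -AuthenticationProvider $idp -Zone Default

# Enforces use of the "wreply" parameter on sign-in requests. The issuer is fetched
# again before the update so that a current copy of the object is written back
# (only needed when changing the SPTrustedIdentityTokenIssuer).
$idp = Get-SPTrustedIdentityTokenIssuer $idpName
$idp.UseWReplyParameter = $true
$idp.Update()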
