Below is an example PowerShell script for enabling federated SSO for SharePoint: "claims-authn-sso-enable.ps1".
This is the script in which the identity claim mappings are defined and registered with the trusted identity token issuer.
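#
# PowerShell Script for enabling federated SSO for SharePoint via DualShield IdP
#
# Reads its settings ($idpCertFile, $caCertFile, $webApplicationName, $idpName,
# $idpSigninUrl, $idpTrustedRootCaName) from claims-authn-sso-common.ps1 in the
# same directory and then:
#   1. loads the IdP signing certificate and the CA certificate that issued it,
#   2. defines the claim type mappings SharePoint will accept from the IdP,
#   3. creates the SPTrustedIdentityTokenIssuer and the trusted root authority,
#   4. switches the web application's Default zone to the new provider,
#   5. turns on the "wreply" parameter for the issuer.
#
# Must be run with the SharePoint cmdlets loaded (SharePoint Management Shell)
# and with farm administrator rights.
#

# Fail fast: a cmdlet error aborts the script instead of leaving the farm
# half-configured (e.g. the web application pointed at a provider that was
# never created because the certificate could not be loaded).
$ErrorActionPreference = 'Stop'

# Determines a directory where this script is placed
$ScriptDirectory = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition

# Includes common configuration
. (Join-Path $ScriptDirectory claims-authn-sso-common.ps1)

# Every setting used below must come from the common file; stop with a clear
# message rather than creating a trust with an empty name, realm or URL.
foreach ($required in @('idpCertFile', 'caCertFile', 'webApplicationName', 'idpName', 'idpSigninUrl', 'idpTrustedRootCaName')) {
    $value = Get-Variable -Name $required -ValueOnly -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Required setting `$$required is missing or empty in claims-authn-sso-common.ps1"
    }
}

# The SharePoint cmdlets are only present in the SharePoint Management Shell
# (or after the SharePoint snap-in has been loaded).
if (-not (Get-Command -Name New-SPTrustedIdentityTokenIssuer -ErrorAction SilentlyContinue)) {
    throw 'SharePoint cmdlets are not available; run this script from the SharePoint Management Shell'
}

# Set path to a file with PEM-encoded X.509 certificate of WS-Federation IDP
$cert_path = Join-Path $ScriptDirectory $idpCertFile

# Set path to a file with PEM-encoded X.509 CA of certificate of WS-Federation IDP
$certCA_path = Join-Path $ScriptDirectory $caCertFile

foreach ($path in @($cert_path, $certCA_path)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Certificate file not found: $path"
    }
}

# This creates a powershell certificate object from the certificate file that was exported from DualShield
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert_path)
$certCA = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certCA_path)

# SharePoint only needs the public certificate to verify token signatures; a
# private key in this file means the IdP's signing key has been copied onto
# the SharePoint server.
if ($cert.HasPrivateKey) {
    Write-Warning "IdP signing certificate file $cert_path contains a private key; export and ship the public certificate only"
}

# Tokens signed with an expired or not-yet-valid certificate will be rejected;
# warn now rather than at the first sign-in.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "IdP signing certificate $($cert.Subject) is not currently valid (NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
}

# The browser is redirected to this URL with the realm and return address and
# receives the signed token from the IdP's page; over plain http that exchange
# is exposed to tampering.
if ($idpSigninUrl -notmatch '^https://') {
    Write-Warning "IdP sign-in URL '$idpSigninUrl' is not https; the WS-Federation sign-in exchange will not be protected by TLS"
}

# This defines the claim types SharePoint accepts from the IdP. -SameAsIncoming
# keeps the incoming claim type as the SharePoint-side claim type.
$emailClaimMap     = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$firstNameClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "FirstName" -SameAsIncoming
$lastNameClaimMap  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "LastName" -SameAsIncoming
$roleClaimMap      = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# UPN mapping. NOTE: this is defined but deliberately not passed to
# -ClaimsMappings below, so UPN claims issued by the IdP are ignored by
# SharePoint; add $m1 to the list if UPN should be accepted.
$m1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# This is the realm/EntityID that SharePoint uses when communicating with the IdP
$realm = $webApplicationName

# Creating an issuer with an existing name fails; report it up front so the
# operator does not get a partial run.
if (Get-SPTrustedIdentityTokenIssuer $idpName -ErrorAction SilentlyContinue) {
    throw "A trusted identity token issuer named '$idpName' already exists; remove it first or choose another name"
}

# This creates the trusted identity token issuer in SharePoint. The e-mail
# address claim is the identifier claim, i.e. what SharePoint treats as the
# user's identity, so the IdP must only issue it for verified accounts.
$idp = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description "DualShield WS Fed" -Realm $realm -SignInUrl $idpSigninUrl -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap, $roleClaimMap, $firstNameClaimMap, $lastNameClaimMap -IdentifierClaim $emailClaimMap.InputClaimType

# This adds the CA certificate to the list of trusted root certificates in
# SharePoint. The CA certificate is the one that issued the IdP signing
# certificate. It also needs to be imported as a trusted root certificate in
# Windows on the SharePoint servers.
New-SPTrustedRootAuthority -Name $idpTrustedRootCaName -Certificate $certCA

# This changes the authentication provider of the existing web application's
# Default zone to the newly created issuer.
$webApplication = Get-SPWebApplication $webApplicationName
Set-SPWebApplication $webApplication -AuthenticationProvider $idp -Zone Default

## This enforces use of the "wreply" parameter (only must be invoked for
## changing the SPTrustedIdentityTokenIssuer). The issuer is re-read so that
## Update() runs against a fresh copy of the persisted object.
$idp = Get-SPTrustedIdentityTokenIssuer $idpName
$idp.UseWReplyParameter = $true
$idp.Update()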