
Below is an example PowerShell script, "claims-authn-sso-enable.ps1", for enabling federated SSO for SharePoint via the DualShield IdP.

This is the script in which the identity claim mapping is defined and the trusted identity token issuer is created.

#
# PowerShell Script for enabling federated SSO for SharePoint via DualShield IdP
#

# Loads the SharePoint cmdlets if the common configuration file does not already do so
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Determines the directory where this script is placed
$ScriptDirectory = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition

# Includes common configuration ($idpName, $idpSigninUrl, $idpCertFile, $caCertFile, $webApplicationName, $idpTrustedRootCaName)
. (Join-Path $ScriptDirectory claims-authn-sso-common.ps1)

# Sets the path to a file with the PEM-encoded X.509 signing certificate of the WS-Federation IdP
$cert_path = (Join-Path $ScriptDirectory $idpCertFile)

# Sets the path to a file with the PEM-encoded X.509 CA certificate that issued the WS-Federation IdP certificate
$certCA_path = (Join-Path $ScriptDirectory $caCertFile)

# This creates PowerShell certificate objects from the certificate files that were exported from DualShield
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert_path)
$certCA = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certCA_path)

# This defines a claim type mapping: the incoming e-mail address claim is passed through unchanged
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# This is the realm/EntityID that SharePoint uses when communicating with the IdP
$realm = $webApplicationName

# This creates the trusted identity token issuer in SharePoint; the e-mail address claim is used as the identifier claim
$idp = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description "DualShield WSFed" -Realm $realm -SignInUrl $idpSigninUrl -ImportTrustCertificate $cert -ClaimsMappings $map -IdentifierClaim $map.InputClaimType

# This adds the CA certificate to the list of trusted root authorities in SharePoint. The CA certificate must be imported here; it also needs to be imported as a trusted root certificate in Windows.
New-SPTrustedRootAuthority -Name $idpTrustedRootCaName -Certificate $certCA

# This changes the authentication provider of the existing web application (Default zone) to the newly created token issuer
$webApplication = Get-SPWebApplication $webApplicationName
$idp = Get-SPTrustedIdentityTokenIssuer $idpName
Set-SPWebApplication $webApplication -AuthenticationProvider $idp -Zone Default

# This enforces use of the "wreply" parameter (only has to be invoked when changing an existing SPTrustedIdentityTokenIssuer)
$idp = Get-SPTrustedIdentityTokenIssuer $idpName
$idp.UseWReplyParameter = $true
$idp.Update()
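As an added example, not part of the original page or of the DualShield scripts: a verification script that can be run after claims-authn-sso-enable.ps1 to confirm that the configuration it produced is consistent. It reuses the variables defined in claims-authn-sso-common.ps1 ($idpName, $webApplicationName, $idpCertFile, $caCertFile) and assumes that the claims provider registered on the Default zone reports the issuer name as its DisplayName. It checks that the IdP signing certificate is currently valid, that it actually chains to the CA certificate the script registers as a trusted root authority, that the token issuer in SharePoint carries that same certificate with the e-mail address identifier claim and wreply enabled, and that the web application's Default zone really uses the issuer.

```powershell
# Added example: consistency checks after claims-authn-sso-enable.ps1 has run.
# Not part of the original page. Reuses the common configuration file and the
# variable names it defines ($idpName, $webApplicationName, $idpCertFile, $caCertFile).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ScriptDirectory = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition
. (Join-Path $ScriptDirectory claims-authn-sso-common.ps1)

$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $ScriptDirectory $idpCertFile)
$certCA = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $ScriptDirectory $caCertFile)

$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$problems = @()

# 1. The IdP signing certificate must be inside its validity period; an expired
#    token-signing certificate makes every federated sign-in fail.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "IdP certificate is not currently valid ($($cert.NotBefore) - $($cert.NotAfter))"
}
elseif ($cert.NotAfter -lt $now.AddDays(30)) {
    Write-Warning "IdP certificate expires on $($cert.NotAfter); plan the certificate rollover."
}

# 2. The signing certificate must chain to the CA that was registered as a trusted
#    root authority. AllowUnknownCertificateAuthority tolerates a private CA that is
#    not in the Windows root store, but the chain itself still has to build and end at
#    exactly that CA (compared by thumbprint).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.Add($certCA) | Out-Null
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "IdP certificate does not chain to the supplied CA: $status"
}
else {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $certCA.Thumbprint) {
        $problems += "IdP certificate chains to '$($root.Subject)', not to the supplied CA '$($certCA.Subject)'"
    }
}

# 3. The trusted identity token issuer must exist and match what the script intended.
$idp = Get-SPTrustedIdentityTokenIssuer $idpName -ErrorAction SilentlyContinue
if (-not $idp) {
    $problems += "Trusted identity token issuer '$idpName' not found"
}
else {
    if ($idp.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
        $problems += "Issuer '$idpName' trusts certificate $($idp.SigningCertificate.Thumbprint), expected $($cert.Thumbprint)"
    }
    if ($idp.IdentityClaimTypeInformation.MappedClaimType -ne $emailClaim) {
        $problems += "Identifier claim is '$($idp.IdentityClaimTypeInformation.MappedClaimType)', expected the e-mail address claim"
    }
    if (-not $idp.UseWReplyParameter) {
        $problems += "Issuer '$idpName' does not send wreply; the IdP must fall back to its statically configured return URL"
    }
}

# 4. The web application's Default zone must actually use the issuer. Assumption: the
#    registered claims provider reports the issuer name as its DisplayName.
$webApp = Get-SPWebApplication $webApplicationName -ErrorAction SilentlyContinue
if (-not $webApp) {
    $problems += "Web application '$webApplicationName' not found"
}
else {
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $providers = @($webApp.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName })
    if ($providers -notcontains $idpName) {
        $problems += "Default zone providers are [$($providers -join ', ')]; '$idpName' is not among them"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Federated SSO configuration for '$webApplicationName' is consistent."
}
else {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

Run it from the same directory as the two scripts above, in a SharePoint Management Shell on a farm server. The chain check is the one most worth keeping: New-SPTrustedRootAuthority will happily register any CA certificate, and nothing in the enabling script itself confirms that the signing certificate imported into the token issuer was issued by that CA.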
