Federating SharePoint with EmpowerID

In an environment with Microsoft SharePoint, you can configure EmpowerID as a claims-based authentication provider for your SharePoint farm. Using EmpowerID in this way allows you to extend EmpowerID's RBAC model to your corporate SharePoint environment, giving you greater flexibility and control over how you assign users' access. Before configuring EmpowerID as a SharePoint claims provider, the following prerequisites must be met:

Prerequisites:
  • A network reachable EmpowerID Web Role server (over port 443) must be configured for SSL and SAML SSO Claims.
  • The EmpowerID SharePoint 2010 Web Services package (for SharePoint 2010) or EmpowerID SharePoint 2013 Web Services package (for SharePoint 2013) must be installed on all SharePoint servers in the farm. Doing so makes the following changes to the SharePoint servers:
    • It adds a new TheDotNetFactory key to the registry with EmpowerID and Federation subkeys.
    • It creates a new Web application, named either EmpowerIDWebService35 (for SharePoint 2010) or EmpowerIDWebService45 (for SharePoint 2013), and an application pool, named either EmpowerIDSharePoint2010 or EmpowerIDSharePoint2013, for that application in IIS.
    • It adds the EmpowerID.BPM.SharePoint.EventReceiver2010 (for SharePoint 2010) or EmpowerID.BPM.SharePoint.EventReceiver2013 (for SharePoint 2013) assembly to the GAC.

  • The public key of the SharePoint SSL certificate and the private key of the client certificate must be exported to the EmpowerID Web Role server.
  • The SharePoint server(s) need to have two certificates: one that can be used for SSL between the server and EmpowerID (known as the SSL certificate), and one for EmpowerID to authenticate itself to the SharePoint Web services (known as the client certificate). The SSL certificate is used by EmpowerID to create the endpoint identity for the SharePoint Web services, while the client certificate is used to perform certificate-based authentication for obtaining a security token.
  • The public key and root of the EmpowerID federation (STS) certificate must be exported to each SharePoint server in the farm. This allows SharePoint to authenticate itself to EmpowerID.
  • The EmpowerID > Federation key of each SharePoint server in the farm must have its values configured for EmpowerID. These Federation key values include the following:
    SPVersion
    Specifies the version of SharePoint.
    EmpowerIDServerFQDN
    Specifies the fully qualified name of the EmpowerID Web Role server.
    The URL specified here must have the following entries in the CertificateAppliesTo table of the EmpowerID Identity Warehouse:
    • https://<empoweridserverFQDN>/EmpowerIDWebServices/SharePointEventNotificationService.svc
    • https://<empoweridserverFQDN>/EmpowerIDWebServices/EmpowerIDSTS.svc
    • https://<empoweridserverFQDN>/EmpowerIDWebServices/EmpowerIDCertSTS.svc
    • https://<empoweridserverFQDN>/EmpowerIDWebServices/SecureService.svc

    These entries can be generated by navigating to each service URL in a Web browser or by manually adding Trust URIs for each in Workflow Studio. For general information on adding Trust URIs in Workflow Studio within the context of this topic, see Trusted EndPoint for any DNS aliases.

    ClientAuthCertificate
    Specifies the certificate that SharePoint uses to authenticate to the EmpowerID Web services. The public key for this certificate must be installed on the EmpowerID Web Role server.
    Every SharePoint service account needs to have access to the private key of this certificate. This includes all application pool identities on the SharePoint server, as well as all SharePoint service application service accounts.
    FederationCertificate
    Specifies the EmpowerID federation certificate. The public key for this certificate must be installed on the SharePoint server.
    APILogExceptionsPath
    Specifies the folder path to log hidden exceptions. This is only used for diagnosis.
    ExcludedWebApplications
    Specifies a list of Web application URLs to exclude from the UserInfo table sync.
    SPServerSSLCertificate
    Specifies the SSL certificate on the SharePoint server. The public key for the certificate must be installed on the EmpowerID Web Role server.
  • The identity associated with the EmpowerIDSharePoint2010 (for SharePoint 2010) or the EmpowerIDSharePoint2013 (for SharePoint 2013) application pool on each SharePoint server must be changed from NetworkService to an identity that has the following rights:
    • Local administrator
    • Farm admin within SharePoint
    • Web application policy user within SharePoint for each site collection configured for EmpowerID claims augmentation
    • DBO permissions to the Content Databases, Central Admin databases and EmpowerID database

  • The identity associated with the EmpowerIDSharePoint2010 (for SharePoint 2010) or the EmpowerIDSharePoint2013 (for SharePoint 2013) application pool must be registered as the User Profile Service application.
  • The identity associated with the EmpowerIDSharePoint2010 (for SharePoint 2010) or the EmpowerIDSharePoint2013 (for SharePoint 2013) application pool must be registered as a Managed Account

  • To install and configure the SharePoint 20XX Web Services
    1. Open the SharePoint 20XX Web Services folder you received from EmpowerID and double-click the SharePoint 20XX Web Services X.X.X.X file in that folder to open the EmpowerID SharePoint 20XX Web Services Setup Windows installer.
    2. From the installer, accept the terms of the license agreement and then click Next to continue.
    3. Select the installation path and click Next to continue.
    4. Click Install.
    5. Click Finish to close the installer.
  • To export the SharePoint Server Certificates to EmpowerID
    1. From the MMC Certificates snap-in of your SharePoint server, navigate to the Personal Certificates store.
    2. From the Personal Certificates store, right-click the client certificate and select All Tasks > Export from the context menu.
    3. In the Certificate Export Wizard that appears, click Next.
    4. Select Yes, export the private key and click Next.
    5. Select Personal Information Exchange - PKCS #12 (.PFX) and click Next.
    6. Click Browse, navigate to an appropriate place on the EmpowerID server in which to save the certificate, type a name for the certificate in the File name field and then click Save.
    7. Back in the Certificate Export Wizard, click Next and then click Finish.
    8. Click OK to close the certificate export message.
    9. On the EmpowerID Web Role server, locate the certificate you just exported, right-click it and select Install Certificate from the context menu.
    10. In the Certificate Import Wizard that appears, select Local Machine and then click Next.
    11. Select Place all certificates in the following store, click Browse, select Personal and then click OK.
    12. Copy the client certificate from the Personal Certificates store to the Trusted Root Certification Authorities Certificates store.
    13. Repeat the process for the SSL certificate, this time exporting it without the private key as a DER encoded binary X.509 (.CER). See the note below before proceeding.

      The SSL certificate used on the SharePoint server can be the same SSL/STS certificate used on the EmpowerID Web Role server. If you want to use this certificate (recommended for ease of management), you do not need to export it to the EmpowerID Web Role server as it is already on the server. You do, however, need to bind the certificate to your SharePoint server. You can do so by following this procedure:
      • To bind the SSL certificate used on the EmpowerID Web Role server to the EmpowerIDWebService application on the SharePoint server
        1. From the EmpowerID Web Role server, open MMC or Internet Explorer and export the SSL certificate used with EmpowerID to a desired location on the SharePoint server. Be sure to include the private key when exporting the certificate.
        2. On the SharePoint server, locate the certificate you just exported, right-click it and select Install PFX from the context menu.
        3. In the Certificate Import Wizard that appears, select Local Machine, click Next twice, type the password for the private key in the Password field and then click Next.
        4. Select Place all certificates in the following store, click Browse and in the Select Certificate Store dialog that appears, select Personal and then click OK to close the Select Certificate Store dialog.
        5. Back in the Certificate Import Wizard, click Next.
        6. Click Finish to import the certificate and close the Certificate Import Wizard.
        7. Click OK to close the Certificate Import Wizard message box.
        8. On the SharePoint server, open IIS Manager and from the Connections tree click the node for the Web site hosting the EmpowerIDWebServiceXX Web application.
        9. In the Actions pane for the Web site, click the Bindings link.
        10. In the Site Bindings dialog that appears, add a binding for https, selecting the SSL certificate you just exported.
        11. Click OK to close the Add Site Binding dialog.
        12. Click Close to close the Site Bindings dialog.

  • To export the SharePoint Server Certificates to EmpowerID
    This is only necessary if you are not using the EmpowerID SSL certificate as shown above.
    1. From the MMC Certificates snap-in of your EmpowerID server, navigate to the Personal Certificates store.
    2. From the Personal Certificates store, right-click the client certificate and select All Tasks > Export from the context menu.
    3. In the Certificate Export Wizard that appears, click Next.
    4. Select No, do not export the private key and click Next.
    5. Select DER encoded binary X.509 (.CER) and click Next.
    6. Click Browse, navigate to an appropriate place on the SharePoint server in which to save the certificate, type a name for the certificate in the File name field and then click Save.
    7. Back in the Certificate Export Wizard, click Next and then click Finish.
    8. Click OK to close the certificate export message.
    9. On the SharePoint server, locate the certificate you just exported, right-click it and select Install Certificate from the context menu.
    10. In the Certificate Import Wizard that appears, select Local Machine and then click Next.
    11. Select Place all certificates in the following store, click Browse, select Personal and then click OK.
    12. Copy the client certificate from the Personal Certificates store to the Trusted Root Certification Authorities Certificates store.
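The two export/import procedures above can be scripted with the built-in PKI cmdlets instead of the MMC wizards. The following is an added example, not EmpowerID's own tooling: it exports the SharePoint client certificate with its private key as a .PFX and the SSL certificate without its private key as a DER .CER (steps 1 to 13 of the first procedure), then imports both on the EmpowerID Web Role server and checks that the thumbprint of what arrived matches the thumbprint that was exported. The thumbprints, the share path and the file names are placeholders to replace with your own values; the reverse direction (EmpowerID certificate to the SharePoint server) uses the same Export-Certificate/Import-Certificate pair with the paths swapped.

```powershell
# Added example (not EmpowerID's own tooling). Placeholders: thumbprints, $exportShare.
# Requires the PKI module (Windows Server 2012 / Windows 8 or later).

$clientThumbprint = '<CLIENT-CERT-THUMBPRINT>'          # placeholder, 40 hex characters
$sslThumbprint    = '<SHAREPOINT-SSL-CERT-THUMBPRINT>'  # placeholder, 40 hex characters
$exportShare      = '\\empowerid-web01\CertDrop'        # placeholder path reachable from both servers

function Get-RequiredCert([string]$thumbprint, [string]$purpose) {
    # Thumbprints pasted from certificate dialogs often carry spaces or a hidden leading
    # character; strip everything that is not hex before looking the certificate up
    $clean = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') { throw "$purpose thumbprint is not a 40-character SHA-1 thumbprint (placeholder not replaced?)" }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "$purpose certificate $clean not found in LocalMachine\My" }
    return $cert
}

# ---- On the SharePoint server (steps 1-8 and 13) ----
$client = Get-RequiredCert $clientThumbprint 'Client'
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key; it cannot be exported as .PFX' }

# Read-Host -AsSecureString keeps the PFX password out of the console history
$pfxPassword = Read-Host 'PFX password for the client certificate' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $exportShare 'sp-client.pfx') -Password $pfxPassword | Out-Null

# SSL certificate: public key only, DER encoded (.CER), as step 13 specifies
$ssl = Get-RequiredCert $sslThumbprint 'SSL'
Export-Certificate -Cert $ssl -FilePath (Join-Path $exportShare 'sp-ssl.cer') -Type CERT | Out-Null

# ---- On the EmpowerID Web Role server (steps 9-12) ----
$pfxPassword = Read-Host 'PFX password for the client certificate' -AsSecureString
$importedClient = Import-PfxCertificate -FilePath (Join-Path $exportShare 'sp-client.pfx') `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
$importedSsl = Import-Certificate -FilePath (Join-Path $exportShare 'sp-ssl.cer') -CertStoreLocation Cert:\LocalMachine\My

# Integrity check: what was imported is exactly what was exported
foreach ($pair in @(@($importedClient, $clientThumbprint, 'Client'), @($importedSsl, $sslThumbprint, 'SSL'))) {
    $expected = ($pair[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($pair[0].Thumbprint -ne $expected) { throw "$($pair[2]) certificate thumbprint mismatch after import: $($pair[0].Thumbprint) vs $expected" }
}
if (-not $importedClient.HasPrivateKey) { throw 'Client certificate private key did not import' }

# Step 12: the client certificate's public part also goes into Trusted Root Certification Authorities
$tmp = Join-Path $env:TEMP 'sp-client-public.cer'
Export-Certificate -Cert $importedClient -FilePath $tmp -Type CERT | Out-Null
Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $tmp

Write-Host "Imported client $($importedClient.Thumbprint) (expires $($importedClient.NotAfter)) and SSL $($importedSsl.Thumbprint) (expires $($importedSsl.NotAfter))"
```

Delete the .PFX from the share once the import has succeeded; it contains the private key that EmpowerID will use to authenticate to the SharePoint Web services, and the expiry dates printed at the end are the ones you will need to track for renewal.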
  • To configure EmpowerID settings in the SharePoint Server Registry
    1. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\TheDotNetFactory\EmpowerID\Federation.
    2. From the Value pane of the Federation key, right-click APILogExceptionsPath, select Modify from the context menu, type a path in the Value data field of the Edit String dialog and then click OK.
    3. From the Value pane of the Federation key, right-click ClientAuthCertificate, select Modify from the context menu, type the thumbprint of the client certificate in the Value data field of the Edit String dialog and then click OK.
    4. From the Value pane of the Federation key, right-click EmpowerIDServerFQDN, select Modify from the context menu, type the fully qualified domain name of the EmpowerID Web Role server in the Value data field of the Edit String dialog and then click OK.
    5. From the Value pane of the Federation key, right-click FederationCertificate, select Modify from the context menu, type the thumbprint of the EmpowerID STS certificate in the Value data field of the Edit String dialog and then click OK.
    6. From the Value pane of the Federation key, right-click SPServerSSLCertificate, select Modify from the context menu, type the thumbprint of the SharePoint server SSL certificate in the Value data field of the Edit String dialog and then click OK.
    7. Ensure that SPVersion reflects the correct version of SharePoint (2010 or 2013).
    8. After setting the above, the Federation key should look similar to that shown below.
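The Federation key values can also be written from PowerShell, which makes it practical to validate each thumbprint against the certificate store before it lands in the registry. The following is an added example, not EmpowerID's own tooling: it uses the registry path and value names from the procedure above, and every thumbprint, FQDN and log path in it is a placeholder to replace with your own values.

```powershell
# Added example (not EmpowerID's own tooling). Registry path and value names are from the page;
# the values assigned below are placeholders.

$federationKey = 'HKLM:\Software\TheDotNetFactory\EmpowerID\Federation'

$settings = [ordered]@{
    SPVersion               = '2013'                                 # 2010 or 2013
    EmpowerIDServerFQDN     = 'empowerid-web01.corp.example'         # placeholder FQDN of the Web Role server
    ClientAuthCertificate   = '<CLIENT-CERT-THUMBPRINT>'             # placeholder
    FederationCertificate   = '<EMPOWERID-STS-CERT-THUMBPRINT>'      # placeholder
    SPServerSSLCertificate  = '<SHAREPOINT-SSL-CERT-THUMBPRINT>'     # placeholder
    APILogExceptionsPath    = 'C:\EmpowerIDLogs\SharePoint'          # placeholder, diagnostics only
    ExcludedWebApplications = ''                                     # optional list of Web application URLs
}

# The key is created by the EmpowerID SharePoint Web Services installer; do not create it by hand
if (-not (Test-Path $federationKey)) {
    throw 'Federation key not found; install the EmpowerID SharePoint Web Services package first'
}
if ($settings.SPVersion -notin '2010', '2013') { throw "SPVersion must be 2010 or 2013, got '$($settings.SPVersion)'" }

function Normalize-Thumbprint([string]$t) {
    # Certificate dialogs copy thumbprints with spaces and sometimes a hidden leading character
    return (($t -replace '[^0-9A-Fa-f]', '')).ToUpperInvariant()
}

foreach ($name in 'ClientAuthCertificate', 'FederationCertificate', 'SPServerSSLCertificate') {
    $settings[$name] = Normalize-Thumbprint $settings[$name]
    if ($settings[$name] -notmatch '^[0-9A-F]{40}$') {
        throw "$name is not a 40-character SHA-1 thumbprint (placeholder not replaced?)"
    }
    # The STS public key may sit in Personal or in Trusted Root, so search both stores
    $cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $settings[$name] }
    if (-not $cert) { throw "$name : certificate $($settings[$name]) is not installed in LocalMachine\My or \Root" }
    # SharePoint presents the client certificate to EmpowerID, so its private key must be here
    if ($name -eq 'ClientAuthCertificate' -and -not ($cert | Where-Object HasPrivateKey)) {
        throw 'ClientAuthCertificate has no private key on this server'
    }
    $first = @($cert)[0]
    if ($first.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$name expires on $($first.NotAfter)" }
}

if (-not (Test-Path $settings.APILogExceptionsPath)) {
    New-Item -ItemType Directory -Path $settings.APILogExceptionsPath | Out-Null
}

foreach ($entry in $settings.GetEnumerator()) {
    Set-ItemProperty -Path $federationKey -Name $entry.Key -Value $entry.Value -Type String
}

# Show the resulting key, which should match the values listed in the procedure
Get-ItemProperty -Path $federationKey | Select-Object SPVersion, EmpowerIDServerFQDN, ClientAuthCertificate,
    FederationCertificate, SPServerSSLCertificate, APILogExceptionsPath, ExcludedWebApplications
```

The script verifies that the certificates exist and that the client certificate carries its private key, but it does not change the private key ACL; granting every SharePoint service account read access to that key, as the ClientAuthCertificate description above requires, is still done through the Certificates snap-in (Manage Private Keys).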

  • To set the identity for the EmpowerID SharePoint 20XX application pool on the SharePoint Server
    1. On the SharePoint server, open IIS Manager and click the Application Pools node in the Connections tree.
    2. From the Applications Pools page, locate and right-click the EmpowerIDSharePoint20XX application pool and select Advanced Settings from the context menu.
    3. In the Advanced Settings dialog that appears, click the Identity property under Process Model and then click the ellipsis button to the right of the identity.
    4. In the Application Pool Identity dialog that appears, select Custom account and then click the Set button.
    5. In the Set Credentials dialog that appears, enter the credentials for the Web Role Service account and then click OK to close the Set Credentials dialog.
    6. Click OK to close the Application Pool Identity dialog.
    7. Click OK to close the Advanced Settings dialog.
  • To add the Web Role Service account to the Local Administrators group on the SharePoint Server
    1. Log in to the SharePoint server and go to Server Manager.
    2. From Server Manager, navigate to Configuration > Local Users and Groups > Groups > Administrators.
    3. Right-click Administrators and select Add to Group from the context menu.
    4. In the Administrators Properties window that appears, click the Add button.
    5. In the Select Users, Computers, Service Accounts, or Groups window that appears, add the Web Role Service account and click OK.
  • To grant farm admin permissions
    1. From the SharePoint server, open the SharePoint Central Administration Web application.
    2. In Central Administration, click the Security link and then click Manage the farm administrators group under the Users section.
    3. From the Farm Administrators page, click the New link.
    4. Enter the account user name for the Web Role Service and then click OK or Share depending on your version of Sharepoint.
  • To add a user to the Web Application Policy
    1. From Central Administration, click the Security link and then click Specify web application user policy under Users.
    2. On the Policy for Web Application page, click the Add Users button.
    3. Select the web application and click Next.
    4. In the Users text field, enter the account user name for the Web Role Service and then select Full Control for the permissions level.
    5. Click Finish.
  • To grant the sysadmin Server Role or db_owner User Mapping permissions for SharePoint farm databases
    1. Open SQL Server Management Studio.
    2. In Object Explorer, expand Security > Logins, right-click the specific User, select Properties from the context menu, and then do one of the following:
      • sysadmin Server Role - Click the Server Roles tab and select sysadmin.
      • db_owner User Mapping - Click the User Mapping tab, select all SharePoint databases related to the target farm (SharePoint_Config, SharePoint_AdminContent_, User Profile Service Application_ProfileDB_, and _Content) and then select db_owner.
  • To register as the User Profile Service application
    1. Open Central Administration.
    2. In Central Administration, select Application Management and then click Manage service applications under Service Applications.
    3. Click the User Profile Service Application row (do not click the hyperlink) and then click Properties in the ribbon across the top.
    4. Ensure the Application Pool listed has the same identity as the EmpowerID SharePoint Web Services application pool.
  • To register as a Managed Account
    1. Open Central Administration and select Security.
    2. Under General Security, click Configure managed accounts.
    3. Click Register Managed Account and enter the credentials for the service account.
    4. Do not check Enable automatic password change.

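The application pool identity, Local Administrators, Managed Account and User Profile Service steps above can be applied and checked from the SharePoint Management Shell on each SharePoint server. The following is an added example, not EmpowerID's own tooling; the service account name is a placeholder, the application pool name EmpowerIDSharePoint2013 is the one the page gives for SharePoint 2013 (use EmpowerIDSharePoint2010 on a 2010 farm), and the farm administrator check assumes the Central Administration site's Farm Administrators group is where farm admins are listed.

```powershell
# Added example (not EmpowerID's own tooling). $account is a placeholder.
# Run in the SharePoint 2013 Management Shell as a farm administrator on each SharePoint server.
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$spVersion   = '2013'
$appPoolName = "EmpowerIDSharePoint$spVersion"    # EmpowerIDSharePoint2010 on a SharePoint 2010 farm
$account     = 'CORP\svc-eid-webrole'             # placeholder: the Web Role Service account
$credential  = Get-Credential -UserName $account -Message 'Web Role Service account password'

# 1. Application pool identity: NetworkService -> the Web Role Service account
if (-not (Test-Path "IIS:\AppPools\$appPoolName")) { throw "Application pool $appPoolName not found; install the EmpowerID SharePoint Web Services package first" }
$appPool = Get-Item "IIS:\AppPools\$appPoolName"
$appPool.processModel.identityType = 'SpecificUser'
$appPool.processModel.userName     = $credential.UserName
$appPool.processModel.password     = $credential.GetNetworkCredential().Password
$appPool | Set-Item

# 2. Local Administrators group (Add-LocalGroupMember ships with Windows Server 2016 and later;
#    on older servers use: net localgroup Administrators $account /add)
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $account
}

# 3. Managed Account. The page says not to enable automatic password change, so only warn if it is on
if (-not (Get-SPManagedAccount -Identity $account -ErrorAction SilentlyContinue)) {
    New-SPManagedAccount -Credential $credential | Out-Null
}
$managed = Get-SPManagedAccount -Identity $account
if ($managed.AutomaticChange) { Write-Warning "Managed account $account has automatic password change enabled; disable it in Configure managed accounts" }

# ---- Verification of what the remaining GUI steps should have produced ----
$problems = @()

# The pool now runs as the service account
$pm = Get-ItemProperty "IIS:\AppPools\$appPoolName" -Name processModel
if ($pm.userName -ne $account) { $problems += "$appPoolName runs as '$($pm.userName)', expected $account" }

# User Profile Service application pool must use the same identity
$ups = Get-SPServiceApplication | Where-Object { $_.TypeName -like 'User Profile Service Application*' }
if (-not $ups) { $problems += 'No User Profile Service application found in this farm' }
elseif ($ups.ApplicationPool.ProcessAccountName -ne $account) {
    $problems += "User Profile Service application pool runs as '$($ups.ApplicationPool.ProcessAccountName)', expected $account"
}

# Farm administrators are the members of the Central Administration site's Farm Administrators group
$ca  = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$web = Get-SPWeb $ca.Url
try {
    $farmAdmins = $web.SiteGroups['Farm Administrators'].Users | ForEach-Object { $_.UserLogin }
    # Claims-encoded logins look like i:0#.w|CORP\svc-eid-webrole, so match on the suffix
    if (-not ($farmAdmins | Where-Object { $_ -like "*$account" })) { $problems += "$account is not a farm administrator" }
} finally { $web.Dispose() }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host "Service account configuration for $account checks out" }
```

The password is held only inside the PSCredential and is written to the pool's process model by IIS; nothing in the script logs it. The db_owner and Web application policy steps are intentionally left to the SQL Server and Central Administration procedures above, since they are granted against the farm's own databases and zones.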
Once you have met the above prerequisites, you can configure the federated trust between EmpowerID and your SharePoint farm. Configuring the federated trust involves the following procedures:
To enable the SharePoint WCF service

  1. On an EmpowerID Web Role server, log in to the EmpowerID Management Console as an administrative user.
  2. From the EmpowerID Management Console, click the application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, click the EmpowerID Servers and Roles node in the application navigation tree and locate the SharePoint Management Web Service in the Jobs grid.
  4. Enable the SharePoint Management Web Service on each desired EmpowerID Web Role server.

To create a SharePoint account store in EmpowerID

  1. On the EmpowerID Web Role server, log in to the EmpowerID Management Console as an administrative user.
  2. From the EmpowerID Management Console, click the application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, expand the User Directories node in the navigation tree and then click Account Stores.
  4. Click the Add New button.
  5. In the Add New Security Boundary window that opens, select Microsoft SharePoint from the Security Boundary Type drop-down and then click OK.
  6. In the Security Boundary Details screen that appears, enter the Name, Display Name, and FQDN for the SharePoint account store.
  7. Click Save.

To configure the SharePoint account store

  1. From the Account Stores grid of Configuration Manager, double-click the SharePoint Account Store you just created, or right-click it and select Edit from the context menu.
  2. In the General pane of the Account Store Details screen that appears, click the Edit button to the right of the SharePoint Agent Server setting.
  3. This opens the Choose Servers dialog, which allows you to select one or more EmpowerID Web Role servers running the SharePoint Management Web Service.

  4. From the Choose Servers dialog, toggle the Server button to the left of each desired EmpowerID Web Role server so that the icon for the button changes from a red sphere to a green check box and then click OK to close the dialog.
  5. In the General pane of the Account Store Details screen, toggle the Allow RET Provisioning button from a red sphere to a green check box if you want EmpowerID to create a Profile record in the SharePoint Profile store. This record is owned by a Person and is used to flow attribute changes to and from the SharePoint Profile record.
  6. In the General pane of the Account Store Details screen, toggle the Allow RET De-Provisioning button from a red sphere to a green check box if you want EmpowerID to delete the Profile record in the SharePoint Profile store when the corresponding EmpowerID Person is deprovisioned or loses this RET policy. SharePoint Profiles exist in a One-to-One relationship with Person objects in EmpowerID.
  7. In the Inventory pane of the Account Store Details screen, toggle the Enable Inventory button from a red sphere to a green check box to enable EmpowerID to inventory your SharePoint objects.
  8. In the SharePoint Group Claim Enforcement pane of the Account Store Details screen, click the Edit button to the right of Resource Enforcement Type and select the desired type of enforcement from the Change Resource Enforcement Type dialog that appears. You have the following options available to you:
    • No Action - No rights enforcement action occurs.
    • Projection with No Enforcement - Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native SharePoint environment.
    • Projection with Enforcement - Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native SharePoint environment. This is the default setting.
    • Projection with Strict Enforcement - EmpowerID overrides any changes made in the native SharePoint environment. All changes made must occur within EmpowerID to be accepted. Strict Enforcement only applies to SharePoint Groups.
    EmpowerID inventories SharePoint groups, and enforcement adds one EmpowerID claim as a member of each group. The claim has the same name as the group, with a GUID as the unique identifier. Getting access to the member Resource Role in EmpowerID means that this SharePoint group membership is added as a claim to the login token; SharePoint sees from the token that the member holds a claim that is a member of this group.
  9. In the SharePoint Group Enforcement pane of the Account Store Details screen, toggle the Enable this Functionality button from red sphere to a green check box to enable SharePoint Group Claim Enforcement to occur.
  10. Next, we need to add the SharePoint configuration settings to each SharePoint Resource System EmpowerID created for each SharePoint server in the

To add the SharePoint configuration settings

  1. In Configuration Manager, click the Resource Systems tree node and then double-click the SharePoint Resource System or right-click it and select Edit from the context menu.
  2. Click the Settings tab in the SharePoint Resource System screen.
  3. Click Add New and then do the following:
    1. Type SPVersion in the Name field.
    2. Type your SharePoint version (2010 or 2013) in the Value field.
    3. Click Save.
  4. Click Add New again and then do the following:
    1. Type SPServerFQDN in the Name field.
    2. Type the fully qualified domain name of your SharePoint server in the Value field.
    3. Click Save.
  5. Click Add New again and then do the following:
    1. Type SPServerClientCertificate in the Name field.
    2. Type the thumbprint of the client certificate in the Value field. This is the SharePoint server certificate that EmpowerID uses to authenticate to the SharePoint Web services.
    3. Click Save.
  6. Click Add New again and then do the following:
    1. Type SPServerSSLCertificate in the Name field.
    2. Type the thumbprint of the SSL certificate in the Value field. This is the SharePoint SSL certificate that EmpowerID uses to create the endpoint identity for the SharePoint Web services.
    3. Click Save.

    When you have completed the above, you should have four Name/Value pairs that look similar to the below image. The Names should be identical to those depicted, while the Values will differ accordingly.

    Next, we need to add the SharePoint certificates to the EmpowerID Certificate store. We demonstrate this in the below section.


To add the SharePoint Certificates to EmpowerID

  1. In Configuration Manager, expand the EmpowerID Servers and Roles node in the application navigation tree and then click the Manage Certificates node.
  2. Click the Add New button located above the Certificates grid and select From Local Store from the context menu.
  3. In the Windows Security dialog that appears, select the SharePoint SSL certificate you exported earlier, click OK and then click No when asked if the certificate requires a password. If you are using the EmpowerID SSL/STS certificate for your SharePoint server you can skip to step 5 below.
  4. Click Add New again and select From Local Store.
  5. In the Windows Security dialog that appears, select the SharePoint client certificate you exported earlier, click OK and then click Yes when asked if the certificate requires a password.
  6. Type the password for the certificate and then click OK.
  7. Next, we need to map the SharePoint client certificate to an EmpowerID Person. Because the SharePoint Web services are claims-based, EmpowerID uses this Person to access those services. This Person should be a new Person account that you create strictly for this purpose.

To map the SharePoint Client Certificate to an EmpowerID Person

  1. Log in to the EmpowerID Web application as an administrator.
  2. From the Navigation Sidebar, navigate to Person Manager by expanding Identities and clicking People.
  3. In the Actions pane, click the Create Person Advanced link.
  4. Enter a first name and a last name for the Person account in the First Name and Last Name fields, respectively. As this Person account serves as a claims identity for the SharePoint Web service, you should name it accordingly. In our example, we are naming the Person "SharePoint Person Service Account."
  5. Specify a login in the Login field. (This user should never have to log in to EmpowerID.)
  6. Underneath Primary Business Role and Location, click Select a Role and Location.
  7. In the Business Role pane of the Business Role and Location selector that appears, type Temp, press ENTER and then click Temporary Role to select it.
  8. Click the Location tab to open the Location pane and then type Temp, press ENTER and click Temporary Role to select it.
  9. Click Select to select the Business Role and Location for the Person account and close the Business Role and Location selector.
  10. Type All Access in the Management Role field and then click the tile for that role to select it.
  11. Click Save to create the EmpowerID Person.
  12. Once EmpowerID creates the person, navigate back to Person Manager by clicking the Find People breadcrumb at the top of the page.
  13. In Person Manager, search for the person you just created and then click the EmpowerID Login link for that person.
  14. This directs you to the View One page for the person. View One pages allow you to view details about an object in EmpowerID and make changes to those objects as needed.

  15. From the View One page for the person, expand the Editable Multivalued Fields accordion and then click the Edit link in the Mapped Login Certificates pane.
  16. Search for the SharePoint client certificate and then click the tile for the certificate to select it.
  17. Click the Save link.
  18. Next, we need to create a WS Federation Connection for SharePoint in EmpowerID. We demonstrate this in the below section.

To create a WS-Fed Connection for SharePoint

  1. From the Configuration Manager application tree, expand the Federation > WS-Federation nodes and then click WS-Federation Connections.
  2. Click the Add New button located above the Configuration Manager grid.
  3. In the WS-Federation Single Sign-On Details screen that appears, do the following:
    1. Type a name for the WS-Federation connection in the Name field.
    2. Type a description for the WS-Federation connection in the Description field.
    3. Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name in the Map to Account Claim Type field.
    4. Type ~/Resources/Content/Images/Logos/EmpowerIDDark.png in the Image field.
    5. Select EmpowerID from the Account Store drop-down list.
    6. The screen should look similar to the following image.

    7. Click Save.

    Next, we need to configure a federated trust between the EmpowerID Security Token Service (STS) and your SharePoint.

To configure a federated trust between EmpowerID and SharePoint

  1. Log in to Workflow Studio as an administrative user and from Solution Explorer, click the SharePoint tab to view the SharePoint resource system you just added to EmpowerID.
  2. The following steps need to be performed once for each SharePoint farm in your environment.
  3. Click the node for your SharePoint system and wait for Workflow Studio to load your SharePoint sites.
  4. You should now see your sites in the SharePoint tree under your SharePoint resource system.

    If your SharePoint sites do not appear in the SharePoint tree, ensure that the SharePoint Management Web Service is enabled on at least one EmpowerID Web Role server and that the SharePoint Agent Server is set on the SharePoint Account Store Details screen.

  5. From the SharePoint tree, expand the node for your SharePoint site and then right-click your SharePoint Site Collection URL and select Enable SignIn/SignOut with Federation Trust from the context menu.
  6. Click Yes to confirm that you want to proceed with the overwrite.
  7. Right-click your SharePoint site collection URL again and select Register Federation Trust Claims Provider from the context menu.
  8. Click Yes to confirm you want to register the EmpowerID SharePoint Claims Provider.
  9. Click OK to close the Success message box.
  10. From the SharePoint tree, right-click your SharePoint site URL again and select Configure Security Token Service Federation Trust from the context menu.
  11. In the Federation Trust wizard that appears, click Next.
  12. Select the STS certificate and the Root Authority certificate and then click Next. (This is the Server certificate and the CA for that certificate configured for each EmpowerID Service.)
  13. Verify that the values for Identity Provider, Passive STS, Service Provider Connection and Realm are correct and click Next. The following image shows what the wizard looks like with the above values entered for our environment.
  14. Click Next to complete the registration.
  15. From the SharePoint tree, expand the SharePoint Central Administration node and then right-click the Central Administration site URL and select Open Web Site from the context menu.
  16. From Central Administration, click the Security section and then click the Manage Trust link underneath General Security.
  17. You should see EmpowerID listed as a Trusted Service Provider.

  18. Click the EmpowerID link to select it and then click the Edit button in the Trust Relationships ribbon.
  19. In the Establish Trust Relationship dialog that appears, verify the following and then click OK to close the dialog.
    • The Root Certificate thumbprint matches the STS root or STS intermediate certificate used in Step 10.
    • The Security Token Service (STS) certificate thumbprint matches the STS certificate used in Step 10.
  20. (Optional) - If the STS certificate used in Step 10 chains to a root certificate that has not yet been added to the SharePoint certificate store, return to the Trust Relationships page and click New.
  21. In the Establish Trust Relationship dialog that appears, type a name of your choosing in the Name field and then click the Browse button under Root Authority Certificate.

  22. Browse the file system and select the certificate that serves as the root certificate in the STS certificate chain and click OK.
  23. Click OK to close the Establish Trust Relationship dialog.
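Steps 17 to 23 verify the trust by eye in Central Administration. The same check can be made from the SharePoint Management Shell, which is useful after certificate renewals when the thumbprints change. The following is an added example, not EmpowerID's own tooling: it reads the trusted identity token issuer that the Register Federation Trust Claims Provider step created, compares its signing certificate and the certificate chain above it against what SharePoint holds as trusted root authorities, and confirms the identity claim type matches the one entered in the WS-Federation connection. The provider name 'EmpowerID' and the claim type URI come from this page; the expected thumbprint is a placeholder.

```powershell
# Added example (not EmpowerID's own tooling). $expectedStsThumbprint is a placeholder.
# Run in the SharePoint Management Shell on a SharePoint server in the federated farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName          = 'EmpowerID'                               # name shown under Manage Trust on the page
$expectedStsThumbprint = '<EMPOWERID-STS-CERT-THUMBPRINT>'         # placeholder, 40 hex characters
$expectedClaimType     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

$expectedStsThumbprint = ($expectedStsThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expectedStsThumbprint -notmatch '^[0-9A-F]{40}$') { throw 'Expected STS thumbprint is not a 40-character SHA-1 thumbprint (placeholder not replaced?)' }

$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity $providerName -ErrorAction Stop
$signing = $issuer.SigningCertificate
$problems = @()

# 1. The token-signing certificate SharePoint trusts must be the EmpowerID STS certificate
if ($signing.Thumbprint -ne $expectedStsThumbprint) {
    $problems += "STS signing certificate is $($signing.Thumbprint), expected $expectedStsThumbprint"
}
if ($signing.NotAfter -lt (Get-Date)) { $problems += "STS certificate expired on $($signing.NotAfter)" }
elseif ($signing.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "STS certificate expires on $($signing.NotAfter)" }

# 2. Every issuer above the STS certificate must be registered as a SharePoint trusted root authority
#    (this is what the optional New trust relationship in steps 20-23 adds)
$rootAuthorities = @(Get-SPTrustedRootAuthority)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($signing)
$issuers = @($chain.ChainElements | Select-Object -Skip 1)
if ($issuers.Count -eq 0 -and -not $signing.Subject.Equals($signing.Issuer)) {
    $problems += 'Could not build the STS certificate chain on this server; the issuing CA certificate is not installed locally'
}
foreach ($element in $issuers) {
    $tp = $element.Certificate.Thumbprint
    if (-not ($rootAuthorities | Where-Object { $_.Certificate.Thumbprint -eq $tp })) {
        $problems += "Chain certificate '$($element.Certificate.Subject)' ($tp) is not a SharePoint trusted root authority; add it under Manage Trust > New"
    }
}

# 3. Passive STS endpoint must be HTTPS, and the identity claim must be the mapped account claim type
if ($issuer.ProviderUri.Scheme -ne 'https') { $problems += "Passive STS URI $($issuer.ProviderUri) is not HTTPS" }
$identityClaim = $issuer.IdentityClaimTypeInformation.InputClaimType
if ($identityClaim -ne $expectedClaimType) { $problems += "Identity claim type is '$identityClaim', expected '$expectedClaimType'" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Trust '$providerName' verified: signing cert $($signing.Thumbprint), realm $($issuer.DefaultProviderRealm), STS $($issuer.ProviderUri)" }
```

Run it again after the EmpowerID STS certificate is renewed: a stale signing certificate here is the usual reason a previously working federated login starts failing with a token validation error, and the chain check catches the case where the new certificate was issued by a CA that SharePoint has not been told to trust.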

Now that the federated trust has been configured, you can convert your SharePoint sites from Windows Auth to Claims-based. We demonstrate this below.

To convert existing SharePoint sites to Claims Auth

The following steps need to be performed for each SharePoint web application that you wish to use Claims-based Authentication.
  1. In Workflow Studio, right-click the root SharePoint site collection of the SharePoint web application that you wish to convert from Windows authentication to claims-based and select Use Claims-based Authentication Provider from the context menu.
  2. Click Yes to confirm you want to use EmpowerID as a claims-based authentication provider for the site collection.
  3. Click OK to close the Success message box.
  4. Back in the SharePoint tree of Workflow Studio, right-click the SharePoint site collection and select Recycle Web Server (IIS Reset) to reset IIS one more time.
  5. Click Yes to reset IIS.
  6. Click OK to close the IIS reset completed message box.
  7. From the SharePoint tree, expand the SharePoint Central Administration node and then right-click the Central Administration site URL and select Open Web Site from the context menu.
  8. In the SharePoint Central Administration page that appears, under the Application Management section, click Manage web applications.
  9. In the Web Applications Management page that appears, click the SharePoint web application you are federating with EmpowerID and then click the Authentication Providers button in the ribbon.
  10. In the Authentication Providers dialog that appears, click the desired SharePoint zone for the SharePoint web application you are federating with EmpowerID.
  11. In the Edit Authentication page that appears, scroll to the Claims Authentication Types pane, select Trusted Identity Provider and then select EmpowerID.
  12. Scroll down to the bottom of the Edit Authentication page and click Save.
The following steps need to be performed for each SharePoint site collection that resides within a SharePoint web application that uses Claims-based Authentication.
  13. From Central Administration, click Application Management and then click Change site collection administrators under Site Collections.
  14. In the Site Collection Administrators page, click the Browse button to the right of the Secondary site collection administrator field.
  15. In the Select People dialog that appears, click the People node under the EmpowerID Identity Provider node and then click EmpowerID Built-In Administrator. This is necessary to allow the EmpowerID Administrator to log in to the SharePoint site and set permissions for your EmpowerID users once the site has been converted.
  16. Click OK to close the Select People dialog and then click OK to close the Site Collection Administrators page.

The following steps need to be performed for each SharePoint server that services the web application being federated.
  17. From the SharePoint tree of Workflow Studio, right-click the SharePoint site again and select Configure Web.Config for Security Token Service Federation Trust from the context menu.
  18. Make a backup of the Web.config file before proceeding with the steps below.
  19. In the EmpowerID STS SharePoint Web.Config Configuration dialog that appears, do the following:
    1. Ensure the Site Collection, Passive STS, and Realm fields are populated correctly. If any are incorrect, enter the correct values.
    2. Select the Relying Party certificate from the Relying Party Certificate drop-down. (This is the same Server certificate configured for each EmpowerID Service.)
    3. Click the Web.Config button (...) and type the path to the Web.config file for your SharePoint site in the dialog. By default, this file is located under "\\servername\c$\inetpub\wwwroot\wss\VirtualDirectories\".
    4. Ensure that both of the following options are selected: Passive STS Require STS, and Create Federation Trust with EmpowerID based on the RP certificate, Realm and Site Collection if one does not already exist.
    5. Ensure that the Realm value is the FQDN of your SharePoint server and/or load balancer with /_trust appended.

    The EmpowerID STS SharePoint Web.Config Configuration dialog should look similar to the following image:

  20. Click the Update Web.Config button.
  21. Click Yes in the Confirmation message box.
  22. Click OK to close the Success message box.
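The following SharePoint Management Shell script is an added example, not EmpowerID's own tooling: after the procedure above it checks that the trusted identity provider exists, that the realm SharePoint sends matches the FQDN + /_trust value entered in the Web.Config dialog, that the STS signing certificate chains to a root present in SharePoint's Trust Relationships store, and that the chosen zone actually uses the provider. It assumes the trusted identity provider is named EmpowerID; the web application URL and zone are placeholders.

```powershell
# Added example (not part of the EmpowerID documentation). Run in the SharePoint
# Management Shell on a farm server. Placeholders: $webAppUrl, $zone, $expectedRealm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$webAppUrl     = "https://sharepoint.example.com"        # placeholder: federated web application
$zone          = "Default"                                # placeholder: zone selected in Authentication Providers
$providerName  = "EmpowerID"                              # assumed name of the Trusted Identity Provider
$expectedRealm = "https://sharepoint.example.com/_trust"  # FQDN (server or load balancer) + /_trust

$problems = @()

# Check 1: the trusted identity provider exists and its realm matches what the
# EmpowerID STS expects (the Realm field of the Web.Config dialog).
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName -ErrorAction SilentlyContinue
if (-not $tip) {
    $problems += "Trusted identity provider '$providerName' not found."
} else {
    $realm = "$($tip.DefaultProviderRealm)".TrimEnd('/')
    if ($realm -ne $expectedRealm) {
        $problems += "Realm is '$realm', expected '$expectedRealm'."
    }

    # Check 2: the STS signing certificate chains to a root that SharePoint itself trusts.
    # SharePoint validates against its own store (Trust Relationships), not only the
    # Windows store, so the root must appear in Get-SPTrustedRootAuthority.
    $trustedThumbs = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode     = "NoCheck"
    $chain.ChainPolicy.VerificationFlags  = "AllowUnknownCertificateAuthority"
    $null = $chain.Build($tip.SigningCertificate)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Subject -ne $top.Issuer) {
        $problems += "STS chain could not be walked to a self-signed root; import the root via Trust Relationships."
    } elseif ($trustedThumbs -notcontains $top.Thumbprint) {
        $problems += "Root '$($top.Subject)' is not in SharePoint's Trusted Root Authorities."
    }
}

# Check 3: the zone really uses the trusted provider (Edit Authentication page).
$webApp = Get-SPWebApplication -Identity $webAppUrl
$claimsProviders = $webApp.GetIisSettingsWithFallback($zone).ClaimsAuthenticationProviders
$usesTip = $claimsProviders | Where-Object { $_.LoginProviderName -eq $providerName }
if (-not $usesTip) { $problems += "Zone '$zone' of $webAppUrl does not use '$providerName'." }

if ($problems.Count -eq 0) { "All federation trust checks passed." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```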
If you have an external DNS alias for your SharePoint site, you must configure a trusted endpoint for it in Workflow Studio, as demonstrated below.

To configure a Trusted Endpoint for a DNS alias

  1. If you have an external DNS alias for your SharePoint site, log in to Workflow Studio and click the Application Menu, click the Management Tools link and then click Trusted EndPoint Configuration.
  2. On the Trusted EndPoint Configuration tab, on the right-hand side under Certificates, right-click your certificate and choose Add New Trust URI.
  3. Enter the external DNS alias of your SharePoint environment appended with /_trust and click OK.

Now that EmpowerID has been configured as a claims provider for the SharePoint Site Collection, you need to turn on inventory and enable SharePoint Group Enforcement claims in EmpowerID. We demonstrate this below.

To enable inventory and claims enforcement

  1. Return to the SharePoint Account Store Details screen in the EmpowerID Management Console.
  2. In the Inventory pane of the SharePoint Account Store Details screen, toggle the Enable Inventory button from a red sphere to a green check box to enable EmpowerID to inventory your SharePoint objects.
  3. In the SharePoint Group Claim Enforcement pane of the SharePoint Account Store Details screen, toggle the Enable this Functionality button from a red sphere to a green check box to enable SharePoint Group Claim Enforcement to occur.

Now that EmpowerID has been configured as a claims provider for the SharePoint Site Collection, you can (optionally) grant permissions to your EmpowerID users for SharePoint access. We demonstrate this below by granting all EmpowerID Business Roles membership to the Viewers SharePoint group.

To grant SharePoint permissions to EmpowerID users

  1. From Workflow Studio, right-click the SharePoint Site and select Grant Business Role and Location Permission to SharePoint Group from the context menu.
  2. In the Business Role and Location Selector that opens, select the desired Business Role from the Business Roles tree and the desired location from the Locations tree and then click OK. In our example, we have selected Any Role in Anywhere.
  3. In the Grant Business Role and Location Permission dialog that appears, select the desired SharePoint group(s) from the lower pane and then click OK.
  4. Click Yes to confirm your decision.
  5. Your EmpowerID users should now be able to log in to the SharePoint site using EmpowerID as the claims provider. You can test this by navigating to the SharePoint site from your browser. You should be redirected to the EmpowerIDWebIdPWSFederation application, where you will be prompted to enter your EmpowerID credentials.
  6. Enter your credentials and click Login. You should be authenticated in EmpowerID and redirected to the SharePoint site.

If you have customized SharePoint master pages for any Web application, you must add the Any Role in Anywhere Business Role and Location to the User Policy for that Web application; otherwise, SharePoint will deny your EmpowerID users access to your SharePoint sites.

  1. From Workflow Studio, right-click the SharePoint Site and select Apply EmpowerID Any Role in Anywhere Policies from the context menu.
  2. Make sure that the Any Role and Anywhere nodes are selected in the Business Role and Location Selector and then click OK.