Introduction
Many corporations are deciding to open up their SharePoint Server to the outside world, to mobile users or for external collaboration with their partners. For security (and other) reasons, you don’t want to expose your SharePoint Server itself to the internet, so for authentication we can use an ADFS Server. An ADFS Server can also be used for multifactor authentication and can be connected to other identity management systems.
Environment schema and authentication process
In order to enable authentication via an ADFS Server, the environment schema gets a bit more complex than when we only use SharePoint Server’s Active Directory authentication.
In our test environment, we have a classic SharePoint Server with a SQL Server for its databases, one ADFS Server and a domain controller for user authentication. Please note that the SharePoint web application should use SSL (HTTPS) for access to its websites.
In our case, the authentication process is as follows:
- A user wants to open https://adfslogin.kompas-xnet.si in his browser.
- SharePoint receives the request to open the page. If multiple authentication providers are configured, the user can select the appropriate one. In our case this is ADFS, and when it is selected, SharePoint redirects the user to the ADFS Server.
- The ADFS Server receives the authentication request. The URL also contains the “Realm” and the URL of the web application for identifying the request.
- ADFS authenticates the user on the domain server.
- The ADFS Server creates a token.
- The ADFS Server sends the token with the user’s data back to the user.
- The user sends the token to the SharePoint Server, which then authorizes the user.
Certificates
The ADFS Server uses multiple certificates. Depending on your ADFS settings, you must export different types of certificates and then import them on your SharePoint Server. The trust between SharePoint and the ADFS Server is established through these certificates. They can be domain certificates issued by your local CA, or you can buy certificates from various vendors. If you wish to give access to your SharePoint to users who do not use your domain computers, you need to purchase a certificate from a public CA, because their machines do not trust your local CA.
In our case, we are going to use a certificate purchased from StartSSL (www.startssl.com).
In the screenshot, we can see that we are using a certificate with the common name sts.kompas-xnet.si as our token-signing certificate. This certificate must be exported and transferred to the SharePoint Server. When exporting the certificate, be careful to export it in the correct form: export only the public certificate and make sure the file does not contain the private key, since SharePoint only needs to verify ADFS token signatures, never to create them.
The end result of the exporting process is a file with the .cer extension. Read more about this topic in my second article.
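The export step just described, written out as an added PowerShell example that is not part of this article: it reads the primary token-signing certificate from ADFS, writes it to a public-key-only .cer file and checks the result before the file is copied to the SharePoint Server. `Get-AdfsCertificate` and `Export-Certificate` are standard Windows Server cmdlets (ADFS and PKI modules); the output path and the check logic are my assumptions, not something the article prescribes.

```powershell
# Added example (not the article's own script): export the ADFS token-signing
# certificate without its private key and verify the export.
# Run on the ADFS server in an elevated PowerShell session.

Import-Module ADFS

$exportPath = 'C:\Temp\adfs-token-signing.cer'   # assumed output path; adjust as needed

# SharePoint must trust the *primary* token-signing certificate, the one that
# currently signs the tokens ADFS issues.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

if (-not $tokenSigning) {
    throw 'No primary token-signing certificate found on this ADFS server.'
}

$cert = $tokenSigning.Certificate   # X509Certificate2 object

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Expires    : $($cert.NotAfter)"

# -Type CERT writes the DER-encoded certificate only; the private key never
# leaves the ADFS server (contrast Export-PfxCertificate, which would include it).
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT -Force | Out-Null

# Verify the file before transferring it: it must load as a certificate, must
# not carry a private key, and must match the certificate ADFS actually uses.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($exportPath)

if ($reloaded.HasPrivateKey) {
    Remove-Item $exportPath
    throw 'Exported file unexpectedly contains a private key; do not distribute it.'
}
if ($reloaded.Thumbprint -ne $cert.Thumbprint) {
    throw 'Thumbprint of the exported file does not match the ADFS token-signing certificate.'
}

Write-Host "Exported $exportPath (thumbprint $($reloaded.Thumbprint)); safe to copy to the SharePoint server."
```

Record the thumbprint the script prints: it lets you confirm on the SharePoint side that the trusted root authority you create later really is the ADFS token-signing certificate and not some other file that happened to be lying in the folder.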