How to setup AM as a SAML idP for Sharepoint 2019

Dennis Andrade
6 min read · May 19, 2022

Overview

This page will guide you on how to configure AM as a SAML idP, so that it can issue identity tokens to Sharepoint.

Note that all the information in this blog was written based on Sharepoint version 2019 and AM 6.5.2. While those steps might work in different versions, you might need to make modifications accordingly.

Basic knowledge of SSO standards like SAML, and of AM and Sharepoint administration, will be really helpful, especially if you are trying to troubleshoot something.

AM Configuration:

You will need three things configured in AM: Circle of Trust (CoT), a hosted idP and a hosted SP.

Step 1 — Setup the hosted idP:

Login to AM as an administrator and click on the realm you want to setup the idP. I will pick the adusers realm.

Click on Applications -> Federation on the left menu. Then Click on the “Entity Providers” tab.

Click on the “New” button under Entity Providers and choose “WS-Fed”.

On the “Create WS-Federation Entity Provider” page enter the following information and click on the “create” button:

Realm: adusers
Entity Identifier: http://am1.mycorp.com:8080/am/openam-wsfed-idp (You could really use any name here)
Identity Provider — Meta Alias: openam-wsfed-idp
Identity Provider — Signing certificate alias: test (Note that this cert needs to exist in your AM keystore or you will get an error)

Once the idP is created, click on the newly created idP to see the details and then IDP tab and change the following information:

Name ID Attribute (optional — Only modify this setting if using AD as the user store): samaccountname
Attribute Mapper: EmailAddress=mail
Assertion Effective Time: 3600

The attribute mapper “EmailAddress=mail” is the identity assertion that Sharepoint will use.
We have changed the assertion effective time to 3600 because by default it’s set to 600, and Sharepoint will use this assertion lifetime as the session timeout. Once it times out, Sharepoint will send the user back to AM to reauthenticate. You may increase this value if needed.

Step 2 — Setup the hosted SP:

Click on the “New” button under Entity Providers and choose “WS-Fed”.

On the “Create WS-Federation Entity Provider” page enter the following information and click on the “create” button:

Realm: adusers
Entity Identifier: http://sharepoint.mycorp.com:8080/ (Use your sharepoint page as the identifier)
Service Provider — Meta Alias: sharepoint-sp

Once the SP is created, click on it to see the details, then General tab and change the following information:

Token Issuer Endpoint: http://sharepoint.mycorp:8080/_trust/

Step 3 — Create the circle of trust:

Click on the “New” button under Circle of Trust. On the “Create Circle of trust” page, give it a name (the name you give the CoT doesn’t matter) and add both the idP and SP created in steps 1 and 2 under “Entity Providers”.

Export the idP certificate:

The next step is to export the AM certificate so Sharepoint can trust it as their idP.

The most important thing here is to export the correct certificate. Remember we set the Signing Certificate Alias to test when we were creating the idP. This is the certificate we need to export but where is it located?

Let’s start by looking at which keystore AM is using. Open AM and login as the administrator. Go to Configure -> Server Defaults. At the server defaults, general page, click on “Security” in the left menu, then “Key Store” tab. The file specified in the “Keystore file” field is the keystore being used.

Next, let’s make sure the “test” certificate is in the keystore by running the following command to list all the certificates in this keystore:

keytool -list -v -keystore keystore.jceks -storetype JCEKS -storepass `cat .storepass`

Now we know the certificate is in there as it should because we wouldn’t be able to create the idP if the certificate name did not exist in the keystore. Let’s export the certificate by running the following command:

keytool -export -alias test -file amcert.cer -keystore keystore.jceks -storepass `cat .storepass` -keypass `cat .keypass` -rfc -storetype JCEKS

Copy this certificate somewhere on the Sharepoint server so we can use it in the next step.

Configure Sharepoint:

We are not going to get into how to configure the web application and the site in this tutorial. We assume those are already created before we continue to those next steps.

Open the Sharepoint 2019 Management shell as an administrator (run as administrator) and run the following commands:

Let’s create a certificate object from the certificate exported in the previous step from AM. Make sure you have the correct path to where you copied the certificate to in the Sharepoint server:

$cert = New-Object system.security.cryptography.x509certificates.x509certificate2("C:\certificate\amcert.cer")

Then create the claim type mapping:

$map = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/claims/EmailAddress" `
-IncomingClaimTypeDisplayName "EmailAddress" `
-LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Create the realm/EntityID that SharePoint uses when communicating with the IdP. I used the Sharepoint fqdn from my environment. Make sure you change it accordingly to match yours:

$realm = "http://sharepoint.mycorp.com:8080/"

The URL Sharepoint redirects the user to login. Make sure to include the realm (adusers for my environment):

$signinurl = "https://am1.mycorp.com:8080/am/WSFederationServlet/metaAlias/adusers/openam-wsfed-idp"

Now let’s create the Trusted Identity Token Issuer in Sharepoint:

$idp = New-SPTrustedIdentityTokenIssuer -Name "AM Federation" -Description "AM 6.5 idP" `
-Realm $realm -SignInUrl $signinurl -ImportTrustCertificate $cert -ClaimsMappings $map `
-IdentifierClaim $map.InputClaimType

And finally add the idP certificate to the list of trusted root certificates in Sharepoint. If you are not using a self signed certificate, make sure you import the CA certificate here.

New-SPTrustedRootAuthority -name "AM" -Certificate $cert
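As an added example (not code from the original post), here is the Sharepoint side of the above steps as one script that inspects the certificate before trusting it, refuses to create a duplicate issuer on a re-run, and prints back what Sharepoint stored. The path, URLs and names are the ones assumed in this walkthrough; change them to match your environment.

```powershell
# Added example: checked version of the Sharepoint configuration steps above.
# Run in the Sharepoint 2019 Management Shell as an administrator.
$CertPath   = "C:\certificate\amcert.cer"   # where amcert.cer was copied (assumed)
$Realm      = "http://sharepoint.mycorp.com:8080/"
$SignInUrl  = "https://am1.mycorp.com:8080/am/WSFederationServlet/metaAlias/adusers/openam-wsfed-idp"
$IssuerName = "AM Federation"

if (-not (Test-Path $CertPath)) { throw "Certificate file not found: $CertPath" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Make sure this is really the idP signing certificate (alias 'test' in the AM keystore):
# compare subject and thumbprint with what 'keytool -list -v' printed on the AM server.
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Expires    : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate has expired; export a current one from AM" }
if ($cert.HasPrivateKey) { throw "File contains a private key; only the public certificate should leave AM" }

# Claim mapping must match the AM attribute mapper EmailAddress=mail
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" `
    -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Do not create a second issuer with the same name if the script is run again
$existing = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Issuer '$IssuerName' already exists; skipping creation"
} else {
    New-SPTrustedIdentityTokenIssuer -Name $IssuerName -Description "AM 6.5 idP" `
        -Realm $Realm -SignInUrl $SignInUrl -ImportTrustCertificate $cert `
        -ClaimsMappings $map -IdentifierClaim $map.InputClaimType | Out-Null
}

# Trusted root authority: the idP cert itself for self-signed, otherwise the CA cert
if (-not (Get-SPTrustedRootAuthority -Identity "AM" -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name "AM" -Certificate $cert | Out-Null
}

# Read back the stored issuer and confirm it signs with the certificate we just loaded
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
$issuer | Select-Object Name, DefaultProviderRealm, ProviderUri | Format-List
if ($issuer.SigningCertificate -and $issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Stored signing certificate differs from $CertPath; tokens from AM will be rejected"
}
```

The thumbprint check at the end is what catches the most common mistake in this setup, which is exporting a different alias than the one set as the idP signing certificate in AM.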

You are done with the Sharepoint management shell (for now). Next, import the AM certificate into the Trusted Root Certification Authorities store in Windows using MMC.

After doing the above you can go into Sharepoint 2010 Central Administration. Go into Application Management -> Manage Web Applications, select your claims based web application and click on “Authentication Providers” in the ribbon. Go to “Default” zone and scroll down on the list until you see “Trusted Identity provider” and “AM Federation” under it. Check both “Trusted Identity provider” and “AM Federation” and save the settings.

If your site allows access to any authenticated user, you should now be able to log in. Otherwise, you will first need to add the users from the federated authentication to the necessary groups in Sharepoint.

In my testing I was getting an error only when using AM as the idP. After some troubleshooting I found that I had to give access to the user’s UPN to the web application. The user was logged in successfully once I gave the correct permission.

When logging in, Sharepoint should now display a dialog box allowing selection between Windows authentication or AM Federation. Selecting AM Federation brings you to the AM login page, and after logging in you should be redirected back to the Sharepoint site.

You are done!

Some information from this blog was taken from this article: https://wikis.forgerock.org/confluence/pages/viewpage.action?pageId=14090356
