Create SharePoint Identity Provider

The steps described below are to be performed from the VM where Lanteria HR is installed, currently logged in user should have full control permissions for the SharePoint farm (typically this is a system account which was used to install and configure SharePoint).

Create Authentication Provider

1. Copy the script below and modify variables.

2. Start PowerShell as Administrator, paste the script and press Enter.

#Load SharePoint PS snap-in
Add-PSSnapin *SharePoint*
# ___________________________________
# VARIABLES, THAT SHOULD BE CHANGED:

#Realm name (configured in appsettings.json)
$Realm =           "urn:sharepoint:name"

# Certificates Names (should be unique) and Paths
$RootCertName =    "CONTOSO Token Root Certificate"
$RootCertPath =    "C:\cert\sp13gRoot.cer"
$SigningCertName = "CONTOSO Token Signing Certificate"
$SigningCertPath = "C:\cert\sp13g.cer"

# URL, obtained in external DNS Zone for Identity Provider, with /wsfederation/ at the end
$TIPSignInUrl =    "https://login-test.lanteriaonline.com/wsfederation/"


# SP Trusted Identity Provider, that will be shown on Authentication Providers page (short name, without spaces, shorter - better)
$TIPName =         "Contoso"
 

# Add the Root CA for the Identity Server token signing certificate to Sharepoint
$RootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
New-SPTrustedRootAuthority -Name $RootCertName -Certificate $RootCert
 
# Add the Identity Server token signing certificate to Sharepoint
$SigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
New-SPTrustedRootAuthority -Name $SigningCertName -Certificate $SigningCert
 
# Add SP Claim Type Mapping
$EmailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
 
# Create SP Trusted Identity Provider, try to select shortest name
New-SPTrustedIdentityTokenIssuer -Name $TIPName -Description "WS-Federation Identity Provider" -Realm $Realm -SignInUrl $TIPSignInUrl -ClaimsMappings $EmailClaimMap -IdentifierClaim $EmailClaimMap.InputClaimType -ImportTrustCertificate $SigningCert -UseWReply

Set Authentication Provider for SharePoint Web Application

Use the following steps to configure your SharePoint installation for the new identity provider for Microsoft Entra ID:

1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
2. In Central Administration, on the home page, click Application Management.
3. On the Application Management page, the Web Applications section, click Manage web applications.
4. Select the relevant web application.
5. Next, click Authentication Providers on the ribbon.
6. Under Zone, click the name of the zone. For example, Default.
7. In the Edit Authentication page, in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your provider and click OK.
   The following figure illustrates an example of the Trusted Provider settings. At least one authentication type must be selected (you can select more than one, if necessary).