Create SharePoint Identity Provider
  • 14 Nov 2023


Perform the steps below on the VM where Lanteria HR is installed. The currently logged-in user must have full control permissions for the SharePoint farm (typically this is the system account that was used to install and configure SharePoint).

Please note that $Realm = "urn:sharepoint:name" must match the realm value provided in the Identity server settings.

Create Authentication Provider

1. Copy the script below and modify the variables.

2. Start PowerShell as Administrator, paste the script and press Enter.

#Load SharePoint PS snap-in
Add-PSSnapin *SharePoint*
# ___________________________________

#Realm name (configured in appsettings.json)
$Realm =           "urn:sharepoint:name"

# Certificates Names (should be unique) and Paths
$RootCertName =    "CONTOSO Token Root Certificate"
$RootCertPath =    "C:\cert\sp13gRoot.cer"
$SigningCertName = "CONTOSO Token Signing Certificate"
$SigningCertPath = "C:\cert\sp13g.cer"

# Identity Provider URL, as registered in the external DNS zone, with /wsfederation/ at the end
$TIPSignInUrl =    ""

# Name of the SP Trusted Identity Provider as shown on the Authentication Providers page (short, without spaces; the shorter the better)
$TIPName =         "Contoso"

# Add the Root CA for the Identity Server token signing certificate to SharePoint
$RootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
New-SPTrustedRootAuthority -Name $RootCertName -Certificate $RootCert
# Add the Identity Server token signing certificate to SharePoint
$SigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
New-SPTrustedRootAuthority -Name $SigningCertName -Certificate $SigningCert
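# Add SP Claim Type Mapping (-IncomingClaimType must be set to the claim type URI that the identity server issues for the e-mail address)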
$EmailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
# Create the SP Trusted Identity Provider; choose the shortest practical name
New-SPTrustedIdentityTokenIssuer -Name $TIPName -Description "WS-Federation Identity Provider" -Realm $Realm -SignInUrl $TIPSignInUrl -ClaimsMappings $EmailClaimMap -IdentifierClaim $EmailClaimMap.InputClaimType -ImportTrustCertificate $SigningCert -UseWReply
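
A pre-flight check for the inputs of the script above, to be run after its variable block and before the New-SP* cmdlets. This is an added example, not part of the original article or of Lanteria's tooling. Test-TipInput is a hypothetical helper name, and requiring https for the sign-in URL is an assumption of the example.

```powershell
# Added example. Test-TipInput is a hypothetical helper, not a SharePoint cmdlet.
function Test-TipInput {
    param([string]$SignInUrl, [string]$RootCertPath, [string]$SigningCertPath)
    $problems = @()

    # The article requires the sign-in URL to end with /wsfederation/.
    # Requiring https is an assumption of this example.
    $uri = $null
    if (-not [Uri]::TryCreate($SignInUrl, [UriKind]::Absolute, [ref]$uri)) {
        $problems += "Sign-in URL is empty or not an absolute URL"
    } else {
        if ($uri.Scheme -ne 'https') { $problems += "Sign-in URL does not use https" }
        if (-not $uri.AbsolutePath.EndsWith('/wsfederation/')) {
            $problems += "Sign-in URL does not end with /wsfederation/"
        }
    }

    # Certificates cannot be inspected if either file is missing, so stop here in that case
    $missing = @($RootCertPath, $SigningCertPath |
        Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) })
    if ($missing) { return $problems + ($missing | ForEach-Object { "Certificate file not found: $_" }) }

    $root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
    $signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
    $now = Get-Date
    foreach ($cert in $root, $signing) {
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Outside validity period: $($cert.Subject)"
        }
        # Thumbprints are printed for comparison with the certificate on the identity server
        Write-Host "$($cert.Thumbprint)  valid to $($cert.NotAfter)  $($cert.Subject)"
    }

    # Build the chain offline, offering the supplied root as a candidate issuer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    [void]$chain.Build($signing)
    $hit = $chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $root.Thumbprint }
    if (-not $hit) { $problems += "Signing certificate does not chain to the supplied root" }
    return $problems
}

# Uses the variables defined at the top of the article's script
$issues = Test-TipInput -SignInUrl $TIPSignInUrl -RootCertPath $RootCertPath -SigningCertPath $SigningCertPath
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "Inputs are consistent" }
```

Revocation is not checked here; the check only confirms that the two files belong together and are within their validity period.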

Set Authentication Provider for SharePoint Web Application

Use the following steps to configure your SharePoint installation for the new identity provider for Microsoft Entra ID:

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
  2. In Central Administration, on the home page, click Application Management.
  3. On the Application Management page, in the Web Applications section, click Manage web applications.
  4. Select the relevant web application.
  5. Next, click Authentication Providers on the ribbon.
  6. Under Zone, click the name of the zone. For example, Default.
  7. In the Edit Authentication page, in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your provider and click OK.
    The following figure illustrates an example of the Trusted Provider settings. At least one authentication type must be selected (you can select more than one, if necessary).
Accounts are displayed in the following format: i:0e.t|acs provider|[email protected] (where [email protected] is the email of the employee).
To ensure that the account is assigned correctly, it is recommended to copy and paste it from the mailbox.
The account should be specified in the AD Account field of the employee card and added to the relevant SharePoint permissions group.
Lanteria HR does not query Microsoft Entra ID to validate the account, so take care when adding accounts to the employee records.
The domain group Everyone should be added to the ESM group.
