Step 1: Create a new Azure AD directory or use your existing directory
In the Azure Portal (https://portal.azure.com), create a new directory. Provide the organization name, initial domain name, and the country or region.
If you already have a directory such as the one used for Microsoft Office 365 or your Microsoft Azure subscription, you can use that directory instead. You must have permissions to register applications in the directory.
Step 2: Ensure the zone for the web application that you want to secure with Azure AD is configured to use SSL
Using SAML requires that the web application be configured to use SSL. If your SharePoint web application is not configured to use SSL, configure it for SSL first. Production environments should use a certificate signed by a trusted CA.
Step 3: Register a new application in Azure AD
- In the Azure Portal (https://portal.azure.com), open your Azure AD directory. Click App registrations, then click New application registration. In the window that opens, provide a name such as SharePoint SAML Integration, set Application type to Web app / API, set Sign-on URL to the URL of your SharePoint site, and click Create.
- Save the Application ID and Object ID shown in the newly opened window.
- Click Settings, then click Reply URLs and add your SharePoint site URL with /_trust/ appended.
- Open the metadata file https://login.microsoftonline.com/<Azure AD directory name or Id>/FederationMetadata/2007-06/FederationMetadata.xml and save the certificate from the first <X509Certificate> element to a CRT file.
- Save the SingleSignOnService URL from the metadata, replacing /saml2 with /wsfed. The /saml2 endpoint processes SAML 2.0 tokens; the /wsfed endpoint processes SAML 1.1 tokens and is required for SharePoint SAML federation.
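Added example (not code from the original article) that performs steps 3.4 and 3.5 in PowerShell instead of by hand: it extracts the first <X509Certificate> from the federation metadata into a CRT file, records its thumbprint so it can be compared with the one shown in the portal, and rewrites the SingleSignOnService URL to /wsfed. The metadata document, tenant id and certificate bytes below are constructed placeholders and the function name is an assumption.

```powershell
# Added example (not from the original article): parse the Azure AD federation
# metadata and produce the values Step 4 needs (certificate file and /wsfed URL).
# $SampleMetadata is a constructed stand-in; in practice fetch the real document with
# Invoke-WebRequest from the FederationMetadata.xml URL above and pass its content.
$SampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0A=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

function Get-AzureAdFederationSettings {
    param([Parameter(Mandatory)][string]$MetadataXml,
          [Parameter(Mandatory)][string]$CertificatePath)
    $xml = [xml]$MetadataXml
    $dsig = 'http://www.w3.org/2000/09/xmldsig#'
    $md = 'urn:oasis:names:tc:SAML:2.0:metadata'

    # Step 3.4: the first <X509Certificate> is the base64 DER token-signing certificate.
    $certs = $xml.GetElementsByTagName('X509Certificate', $dsig)
    if ($certs.Count -eq 0) { throw 'No X509Certificate element in metadata' }
    $b64 = $certs[0].InnerText -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)
    # Write PEM so New-Object X509Certificate2($filepath) in Step 4 can load it.
    $body = ($b64 -replace '(.{64})', "`$1`n").TrimEnd("`n")
    [IO.File]::WriteAllText($CertificatePath, "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----`n")
    # SHA-1 of the DER bytes is the certificate thumbprint: compare it with the
    # thumbprint the portal shows before SharePoint is told to trust this file.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $thumbprint = [BitConverter]::ToString($sha1.ComputeHash($der)) -replace '-', ''

    # Step 3.5: take the SingleSignOnService location and swap /saml2 for /wsfed.
    $sso = $xml.GetElementsByTagName('SingleSignOnService', $md)
    if ($sso.Count -eq 0) { throw 'No SingleSignOnService element in metadata' }
    $saml2Url = $sso[0].GetAttribute('Location')
    if ($saml2Url -notmatch '/saml2$') { throw "Unexpected SSO URL: $saml2Url" }

    [pscustomobject]@{
        CertificatePath = $CertificatePath
        Thumbprint      = $thumbprint
        WsFedUrl        = $saml2Url -replace '/saml2$', '/wsfed'
    }
}

$settings = Get-AzureAdFederationSettings -MetadataXml $SampleMetadata -CertificatePath (Join-Path $env:TEMP 'AzureAD.crt')
$settings | Format-List
```

The CertificatePath and WsFedUrl properties of the result are the values to place in $filepath and $wsfedurl in Step 4.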
Step 4: Configure a new trusted identity provider in SharePoint
Sign in to the SharePoint server and open the SharePoint Management Shell. Fill in the values of $realm, $wsfedurl, and $filepath, then run the following commands to configure a new trusted identity provider.
# Values gathered in step 3 (replace the placeholders)
$realm = "spn:<AAD application Id from step 3.2>"
$wsfedurl = "<SAML single sign-on service URL from step 3.5>"
$filepath = "<Full path to SAML signing certificate file from step 3.4>"

# Load the Azure AD token-signing certificate and add it as a trusted root authority
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert

# Map the incoming Azure AD claims to SharePoint claim types
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming

# Register Azure AD as a trusted identity token issuer; the name claim identifies the user
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Next, follow these steps to enable the trusted identity provider for your application:
- In Central Administration, navigate to Manage Web Application and select the web application that you wish to secure with Azure AD.
- In the ribbon, click Authentication Providers and choose the zone that you wish to use.
- Select Trusted Identity provider and select the identity provider you just registered, named AzureAD.
- On the sign-in page URL setting, select Custom sign in page and provide the value "/_trust/".
- Click OK.
Step 5: Add a SAML 1.1 token issuance policy in Azure AD
When the Azure AD application is created in the portal, it defaults to issuing SAML 2.0 tokens. SharePoint requires the SAML 1.1 token format. The following script adds a new policy to issue SAML 1.1 tokens. It requires the accompanying SAMLConfigPolicies.zip samples: extract the archive and use the path of the extracted folder in the script below.
Make sure that you specify the application owner credentials in the credentials prompt that appears while the script runs.
# Load the helper module from the extracted SAMLConfigPolicies samples
cd <Path to SAMLConfigPolicies folder>
Import-Module .\Initialize.ps1

# Object ID of the application registered in step 3
$Id = "<AAD object Id from step 3.2>"

# Create a token issuance policy for SAML 1.1 tokens signed with RSA-SHA256 and bind it to the application
$policy = Add-TokenIssuancePolicy -DisplayName SharePointSAML11 -SigningAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" -TokenResponseSigningPolicy TokenOnly -SamlTokenVersion "1.1"
Set-PolicyToApplication -policyId $policy.objectId -ApplicationId $Id
For more details on Token Issuance Policies with Azure AD, see the Graph API reference for operations on policy.
Step 6: Verify the new provider
Open a browser to the URL of the web application that you configured in the previous steps. You are redirected to sign into Azure AD.
You are asked if you want to stay signed in.
Finally, you can access the site logged in as a user from your Azure Active Directory tenant.