This section contains instructions on how to integrate RSA SecurID Access with Microsoft SharePoint 2019 using a WS-Fed SSO Agent.
Architecture Diagram
Configure RSA Cloud Authentication Service
Follow the steps in this section to configure RSA Cloud Authentication Service as an SSO Agent WS-Fed IdP to Microsoft SharePoint 2019.
Procedure
- Log in to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Microsoft SharePoint WS-Fed and click +Add to add the connector.
- In the Basic Information tab, enter a name for the application in the Name field and click the Next Step button.
- Scroll to the SAML Identity Provider section on the Connection Profile tab and copy the value from the Identity Provider URL field; paste it into the Connection URL field.
- A private/public key pair must be imported to sign and validate SAML assertions. Follow these steps to generate a certificate bundle:
- Scroll to the SAML Response Signature section and click the Generate Certificate Bundle button.
- In the Common Name (CN) field, enter the host name of the SharePoint service provider’s server that will be sending authentication requests.
- Click the Generate and Download button, save the certificate bundle ZIP file to a secure location and extract its contents. The ZIP file contains the private key, the public key, the public certificate and a certificate signing request.
- Click the Choose File button to the left of the Generate Certificate Bundle button, locate and select the private key for signing SAML assertions and click the Open button.
- Click the Choose File button underneath the Generate Certificate Bundle button, locate and select your public certificate and click the Open button. Copy this signing certificate to the SharePoint server to be used in its configuration.
- Select the Include Certificate in Outgoing Assertion check box.
- Enter your relying party URL in the Relying Party URL field. The URL format is: https://<SharePoint URL>:<port number>/_trust.
- Enter the relying party ID in the Relying Party ID field. This same value should be used as the SharePoint realm name when configuring SharePoint. Use the format urn:<string 1>:<string 2>. You may choose any values for <string 1> and <string 2>.
- Decide which claim type(s) you will use to identify an authenticated user. This guide uses email as the identity claim. Refer to Microsoft documentation for the latest list of supported claims. To configure the claim, perform the following steps:
- In the Statement Attributes section, select Identity Source from the Attribute Source drop-down list.
- In the Attribute Name field, enter the attribute name that corresponds to your claim. The attribute name in this example is emailaddress. Note down the attribute name used here, as it will be used in the SharePoint configuration.
- Select the name of your user identity source from the Identity Source drop-down list.
- Select mail from the Property drop-down list.
- Attribute Name given here should match the IncomingClaimTypeDisplayName given while configuring Microsoft SharePoint.
- Click the Next Step button.
- On the User Access page, configure the Access Policy settings and click the Next Step button.
- On the Portal Display page, click the Next Step button. The fulfillment service was disabled for this testing.
- Click Save and Finish. Click Publish Changes on the top of the page.
Notes
It is necessary to configure the Microsoft SharePoint web application with SSL. Consult Microsoft documentation for instructions on configuring SSL. If the SharePoint web application is configured with the default SSL port (port 443), the port number does not need to be specified in the Relying Party URL.
Configure Microsoft SharePoint 2019
Follow the steps in this section to configure Microsoft SharePoint 2019 as an SSO Agent WS-Fed SP to RSA Cloud Authentication Service.
Procedure
This section is divided into the following subsections:
- Create a Trusted Root Authority
- Create a Trusted Identity Token Issuer for RSA SecurID Access
- Configure a SharePoint Web Application to use the RSA SecurID Access Token Issuer
- Configure additional SharePoint web applications for RSA SecurID Access Integration (optional)
Create a Trusted Root Authority
- Log into your SharePoint server host and open the SharePoint Management Shell.
- Create a root certificate object using the signing certificate downloaded from SecurID Access and copied to SharePoint server. Replace c:\certs\cert.pem with the path and name of your signing certificate.
$root_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\certs\cert.pem")
- Create a trusted root authority for your token issuer and set the root certificate. Replace SECURID_ACCESS with the name you want to give to your trusted root authority.
New-SPTrustedRootAuthority -Name "SECURID_ACCESS" -Certificate $root_cert
Create a Trusted Identity Token Issuer for RSA SecurID Access
- In the SharePoint Management Shell, enter the command below to create one or more claim type mappings. Replace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with your claim type URL(s). IncomingClaimTypeDisplayName must be the same as the Attribute Name used while configuring RSA.
$email_claim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "emailaddress" -SameAsIncoming
- Enter the command below to create a variable to hold the name of your realm. This value must be the same as the Relying Party ID value configured in RSA (no leading or trailing spaces, since the realm is compared as an exact string).
$realm = "urn:sharepoint2019:defaultsite"
- Execute the command below to create the Identity Token Issuer after replacing the values inside angle brackets.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "<NAME-OF-YOUR-TOKEN-ISSUER>" -Description "<ANY VALID DESCRIPTION>" -Realm $realm -ImportTrustCertificate $root_cert -ClaimsMappings $email_claim -SignInUrl "<IDENTITY PROVIDER URL COPIED FROM RSA>&" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Important: The New-SPTrustedIdentityTokenIssuer command's SignInUrl parameter must be appended with an "&" symbol. If the Identity Provider URL is https://portal.sso.pe.rsa.net/IdPServlet?idp_id=abc, set the SignInUrl to https://portal.sso.pe.rsa.net/IdPServlet?idp_id=abc& in the command above.
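The following script is an added example, not part of the RSA Ready guide or of any RSA or Microsoft code. It performs the "Create a Trusted Root Authority" and "Create a Trusted Identity Token Issuer" steps above as one run and adds the checks that catch the usual causes of a failed trust: an expired or wrong certificate file, a realm with stray whitespace, and a SignInUrl without the trailing "&". The certificate path, names and Identity Provider URL are placeholders you replace with your own values; the property names shown at the end (ProviderUri, DefaultProviderRealm) are assumed from the SPTrustedLoginProvider object.

```powershell
# Added example (not from the RSA Ready guide). Run in the SharePoint Management Shell
# or load the snap-in explicitly as below. All values are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath     = "C:\certs\cert.pem"                          # public signing cert from the RSA bundle
$rootAuthName = "SECURID_ACCESS"                             # name for the trusted root authority
$issuerName   = "SecurID Access"                             # name for the token issuer
$realm        = "urn:sharepoint2019:defaultsite"             # must equal the Relying Party ID in RSA
$idpUrl       = "https://<idp-host>/IdPServlet?idp_id=<id>"  # Identity Provider URL copied from RSA
$claimType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$claimDisplay = "emailaddress"                               # must equal the Attribute Name in RSA

# 1. Load the certificate and show exactly what SharePoint is about to trust.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host ("Trusting {0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f `
    $rootCert.Subject, $rootCert.Thumbprint, $rootCert.NotAfter)
if ($rootCert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate has expired; generate a new certificate bundle in RSA."
}
if ($rootCert.HasPrivateKey) {
    Write-Warning "This file carries a private key; SharePoint only needs the public certificate."
}

# 2. Realm and SignInUrl are matched as exact strings by the federation flow,
#    so normalise them here instead of discovering a mismatch at sign-in time.
$realm = $realm.Trim()
if ($realm -notmatch '^urn:[^:\s]+:[^:\s]+$') {
    throw "Realm must have the form urn:<string 1>:<string 2>, got '$realm'"
}
$signInUrl = $idpUrl.Trim()
if (-not $signInUrl.EndsWith("&")) { $signInUrl += "&" }  # trailing '&' required by the guide

# 3. Trusted root authority (reused if it already exists, so the script can be re-run).
$rootAuth = Get-SPTrustedRootAuthority -Identity $rootAuthName -ErrorAction SilentlyContinue
if (-not $rootAuth) {
    $rootAuth = New-SPTrustedRootAuthority -Name $rootAuthName -Certificate $rootCert
}

# 4. Claim mapping; the display name is what RSA sends as the attribute name.
$emailClaim = New-SPClaimTypeMapping -IncomingClaimType $claimType `
    -IncomingClaimTypeDisplayName $claimDisplay -SameAsIncoming

# 5. Token issuer, bound to the same certificate as the root authority.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "RSA SecurID Access WS-Fed" `
    -Realm $realm `
    -ImportTrustCertificate $rootCert `
    -ClaimsMappings $emailClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $claimType

# Show the values SharePoint stored so they can be compared against the RSA connector.
$issuer | Format-List Name, ProviderUri, DefaultProviderRealm
```

Re-running the script after a partial failure is safe: the root authority is looked up before it is created, and New-SPTrustedIdentityTokenIssuer itself refuses a duplicate name, so the only state that can be left behind is the root authority, which the next run reuses.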
Follow the steps in the next section to enable RSA SecurID Access authentication on the SharePoint 2019 web application.
Configure a SharePoint Web Application to Use the RSA SecurID Access Token Issuer
- Open SharePoint Central Administration and click the Manage web applications link under Application Management.
- Highlight the web application you want to configure and click the Authentication Providers button.
- Click the Default link on the Authentication Providers dialog box.
- Confirm that the Integrated Windows authentication check box is checked and that NTLM is selected in the drop-down list.
- Check the Trusted Identity Provider check box.
- Check the checkbox for the token issuer name you chose above.
- Click the Save button.
- Log in to the newly created SharePoint site as an administrator.
- Click the gear icon at the top and select Site Permissions.
- Click the Site permissions link in the Users and Permissions section of the Site Settings page.
- Click Advanced Permissions settings.
- Click the Grant Permissions button at the top of the page.
- Enter your token issuer name on the list.
- Select the appropriate group/permission level from the dropdown based on your requirements and click the Share button.
Configure additional SharePoint web applications for RSA SecurID Access Integration
To protect additional SharePoint web applications with RSA SecurID Access, add a "Microsoft SharePoint WS-Fed" connector for each web application and create a corresponding "Trusted Identity Token Issuer" for RSA SecurID Access in SharePoint, using the same procedure described in the RSA Cloud Authentication Service and Microsoft SharePoint configuration sections.
Notes
- When creating an additional "Trusted Identity Token Issuer", SharePoint does not allow reusing the certificate that was used to create the first "Trusted Identity Token Issuer". Generate a new public certificate using the "Generate Certificate Bundle" option and use it to create the new "Trusted Identity Token Issuer".
- Please refer to Microsoft documentation to check on the latest list of claims supported by Microsoft SharePoint.
- All the links to the documentation are subject to change. Please refer to the latest documentation.
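The note above about certificate reuse is easy to run into when the same bundle is copied for a second web application. The following added example (not from the guide or from RSA or Microsoft) looks up existing token issuers by signing-certificate thumbprint before creating the second issuer, so the conflict is reported up front rather than as a cmdlet error. The second web application's realm, names, certificate path and Identity Provider URL are placeholders; the SigningCertificate property is assumed from the SPTrustedLoginProvider object.

```powershell
# Added example (not from the RSA Ready guide). Placeholders throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Return the names of any existing token issuers already bound to the certificate in $CertPath.
function Get-SPIssuersUsingCertificate {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    Get-SPTrustedIdentityTokenIssuer |
        Where-Object { $_.SigningCertificate -and $_.SigningCertificate.Thumbprint -eq $cert.Thumbprint } |
        Select-Object -ExpandProperty Name
}

$newCertPath = "C:\certs\cert-webapp2.pem"    # certificate from a freshly generated RSA bundle
$conflicts = Get-SPIssuersUsingCertificate -CertPath $newCertPath
if ($conflicts) {
    throw "Certificate is already used by issuer(s): $($conflicts -join ', '). Generate a new bundle in RSA."
}

# Same procedure as for the first web application, with its own connector, realm and certificate.
$cert2  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($newCertPath)
$claim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
New-SPTrustedRootAuthority -Name "SECURID_ACCESS_WEBAPP2" -Certificate $cert2 | Out-Null
$claim2 = New-SPClaimTypeMapping -IncomingClaimType $claim -IncomingClaimTypeDisplayName "emailaddress" -SameAsIncoming
New-SPTrustedIdentityTokenIssuer -Name "SecurID Access - WebApp2" `
    -Description "Second RSA SecurID Access connector" `
    -Realm "urn:sharepoint2019:webapp2" `
    -ImportTrustCertificate $cert2 `
    -ClaimsMappings $claim2 `
    -SignInUrl "https://<idp-host>/IdPServlet?idp_id=<id-for-webapp2>&" `
    -IdentifierClaim $claim
```

The realm and the connector's Relying Party ID must again be identical, and the SignInUrl comes from the second connector, since each connector has its own idp_id.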
Configuration is complete.