Configuring authentication providers
You must configure the adapter with one of the authentication providers that is supported by the Microsoft SharePoint Web Application. Authentication providers can be AD Domains or a claims provider.
The following tables list the supported Microsoft SharePoint Servers, authentication modes and authentication providers for accounts provisioned from the IBM Security Verify Microsoft SharePoint adapter.
Server version | Authentication mode | Authentication Provider |
---|---|---|
Microsoft SharePoint 2013 and Microsoft SharePoint 2016 |
|
|
Information about authentication providers is stored in a configuration file, which is in JSON format. The adapter reads this file and reconciles the list of authentication providers as supporting data. Each JSON object in the file contains the following keys:
- DisplayName
- NameOfOriginalIssuer
- IssuerType
- ClaimsValueType
- ClaimsType
- Prefix
    [
      {
        "DisplayName" : "Windows Authentication (EXAMPLEDOMAIN)",
        "NameOfOriginalIssuer" : "EXAMPLEDOMAIN",
        "IssuerType" : "w",
        "ClaimsValueType" : ".",
        "ClaimsType" : "#",
        "Prefix" : "i:0#.w|EXAMPLEDOMAIN"
      },
      {
        "DisplayName" : "Some Membership Provider",
        "NameOfOriginalIssuer" : "SomeMembershipProvider",
        "IssuerType" : "f",
        "ClaimsValueType" : ".",
        "ClaimsType" : "#",
        "Prefix" : "i:0#.f|SomeMembershipProvider|"
      },
      {
        "DisplayName" : "Example ACS",
        "NameOfOriginalIssuer" : "Example ACS",
        "IssuerType" : "t",
        "ClaimsValueType" : ".",
        "ClaimsType" : "5",
        "Prefix" : "i:05.t|Example ACS|"
      }
    ]
JSON Object element in the previous example | Authentication provider |
---|---|
Element #1 | Windows Authentication provider |
Element #2 | Forms-Based Authentication provider that is using a String logon name as Claims Value |
Element #3 | Trusted Identity Provider that is using email as Claims Value |
    [
      {
        "DisplayName" : "EXAMPLEDOMAIN",
        "NameOfOriginalIssuer" : "",
        "IssuerType" : "",
        "ClaimsValueType" : "",
        "ClaimsType" : "",
        "Prefix" : "EXAMPLEDOMAIN"
      }
    ]
Generating the configuration file
A PowerShell script is provided to assist with generating the configuration file.

    powershell authprovimport.ps1 -WebApplication http://[sharepointserver]:[port] -SaveAs [filename.json]
Copy the configuration file to a location on the server that is running the Adapter Dispatcher service. For example, save the file under TDI_HOME\timsol\SharePointAdapter folder. Create the SharePointAdapter folder if it does not exist.
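The following consistency check for a generated or hand-edited configuration file is an added example, not part of the adapter or of authprovimport.ps1. It assumes, based only on the three claims examples and the domain example above, that Prefix is composed as i:0 + ClaimsType + ClaimsValueType + IssuerType + "|" + NameOfOriginalIssuer, with a trailing "|" for every issuer type except "w"; the function names are hypothetical.

```python
import json

KEYS = ("DisplayName", "NameOfOriginalIssuer", "IssuerType",
        "ClaimsValueType", "ClaimsType", "Prefix")

def expected_prefix(e):
    """Prefix implied by the other fields, per the page's three claims examples."""
    base = f"i:0{e['ClaimsType']}{e['ClaimsValueType']}{e['IssuerType']}|{e['NameOfOriginalIssuer']}"
    # Assumption from the page's examples: only the Windows ("w") entry has no trailing "|".
    return base if e["IssuerType"] == "w" else base + "|"

def check_entry(e):
    """Return the problems found in one provider object (empty list = consistent)."""
    if not isinstance(e, dict):
        return ["element is not a JSON object"]
    bad = [k for k in KEYS if not isinstance(e.get(k), str)]
    if bad:
        return [f"missing or non-string key: {k}" for k in bad]
    claims = [e[k] for k in KEYS[1:5]]
    if not any(claims):
        # AD-domain style entry: claims fields empty, Prefix is a bare name (assumption).
        ok = e["Prefix"] and "|" not in e["Prefix"]
        return [] if ok else ["domain entry needs a bare, non-empty Prefix"]
    if not all(claims):
        return ["claims fields are only partly filled in"]
    want = expected_prefix(e)
    return [] if e["Prefix"] == want else [f"Prefix {e['Prefix']!r} should be {want!r}"]

def validate(text):
    """Check a whole file; returns {"#n": [problems]} for the elements that fail."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        return {"#0": ["top level must be a JSON array"]}
    checked = {f"#{n}": check_entry(e) for n, e in enumerate(entries, start=1)}
    return {k: v for k, v in checked.items() if v}

# Constructed sample: element #2 declares a trusted provider but carries a forms-style Prefix.
SAMPLE = """[
 {"DisplayName": "Windows Authentication (EXAMPLEDOMAIN)", "NameOfOriginalIssuer": "EXAMPLEDOMAIN",
  "IssuerType": "w", "ClaimsValueType": ".", "ClaimsType": "#", "Prefix": "i:0#.w|EXAMPLEDOMAIN"},
 {"DisplayName": "Example ACS", "NameOfOriginalIssuer": "Example ACS",
  "IssuerType": "t", "ClaimsValueType": ".", "ClaimsType": "5", "Prefix": "i:0#.f|Example ACS|"},
 {"DisplayName": "EXAMPLEDOMAIN", "NameOfOriginalIssuer": "", "IssuerType": "",
  "ClaimsValueType": "", "ClaimsType": "", "Prefix": "EXAMPLEDOMAIN"}
]"""

if __name__ == "__main__":
    for element, problems in validate(SAMPLE).items():
        print(element, problems)
```

A mismatch such as element #2 in the sample means accounts would be reconciled under a prefix that belongs to a different provider type than the one the entry declares, so it is worth catching before the file reaches the dispatcher server.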
SharePoint Site Configuration
If the Microsoft SharePoint site is configured with some other authentication (for example, Forms-Based Authentication), we can still manage the site through the adapter by using either Basic authentication or NTLM authentication.
The following steps are recommended to ensure the Adapter works with the Microsoft SharePoint site.
- Extend the SharePoint Web Application to a new IIS Web Site.
- Configure the Authentication Provider for the newly extended site.
- Select the check box for Enable Windows Authentication.
- Select the check box for Integrated Windows authentication (NTLM)/Basic authentication.
  Note: This configuration option depends on the authentication with which the adapter will be configured on IBM Security Verify Governance Identity Manager or IBM Security Verify Governance.
- Configure the new IIS Website for SSL.
- Import the SSL certificate into the Adapter Dispatcher's certificate trust store (view the IDI_HOME/timsol/solution.properties file and search for property javax.net.ssl.trustStore to determine the location of the trust store file).
For more detailed instructions, refer to the Microsoft SharePoint documentation.