Configuring authentication providers

You must configure the adapter with one of the authentication providers that is supported by the Microsoft SharePoint Web Application. An authentication provider can be an AD domain or a claims provider.

The following tables list the supported Microsoft SharePoint Servers, authentication modes and authentication providers for accounts provisioned from the IBM Security Verify Microsoft SharePoint adapter.

Table 1. Supported Microsoft SharePoint Servers, authentication modes and authentication providers for accounts provisioned

Server version: Microsoft SharePoint 2013 and Microsoft SharePoint 2016
Authentication modes:
  1. Classic Mode
  2. Claims Based Authentication (NTLM)
Authentication providers:
  1. Integrated Windows (AD)
  2. Forms Based Authentication (FBA)

Information about authentication providers is stored in a configuration file, which is in JSON format. The adapter reads this file and reconciles the list of authentication providers as supporting data.

The configuration file must have a single JSON array only. Each authentication provider is stored as a JSON Object element in the array with the following keys:
  • DisplayName
  • NameOfOriginalIssuer
  • IssuerType
  • ClaimsValueType
  • ClaimsType
  • Prefix
Example of a configuration file with information about the authentication providers.
Note: White spaces added for readability.
[
	{
		"DisplayName" : "Windows Authentication (EXAMPLEDOMAIN)",
		"NameOfOriginalIssuer" : "EXAMPLEDOMAIN",
		"IssuerType" : "w",
		"ClaimsValueType" : ".",
		"ClaimsType" : "#",
		"Prefix" : "i:0#.w|EXAMPLEDOMAIN"
	}, 
	{
		"DisplayName" : "Some Membership Provider",
		"NameOfOriginalIssuer" : "SomeMembershipProvider",
		"IssuerType" : "f",
		"ClaimsValueType" : ".",
		"ClaimsType" : "#",
		"Prefix" : "i:0#.f|SomeMembershipProvider|"
	}, 
	{
		"DisplayName" : "Example ACS",
		"NameOfOriginalIssuer" : "Example ACS",
		"IssuerType" : "t",
		"ClaimsValueType" : ".",
		"ClaimsType" : "5",
		"Prefix" : "i:05.t|Example ACS|"
	}
]
Table 2. Authentication providers listed in the example
  Element #1: Windows Authentication provider
  Element #2: Forms-Based Authentication provider that uses a String logon name as the Claims Value
  Element #3: Trusted Identity Provider that uses an email address as the Claims Value
For a full explanation of the valid values for IssuerType, NameOfOriginalIssuer, ClaimsValueType, and ClaimsType, see the Microsoft SharePoint Products and Technologies Protocol Documentation. Once those four values are known, the Prefix follows directly from them, as the three elements above show.

If the site runs on a Classic Mode authentication web application, the four claim values are left empty and the Prefix is the domain name, so the configuration file typically looks like the following example:
[
	{
		"DisplayName" : "EXAMPLEDOMAIN",
		"NameOfOriginalIssuer" : "",
		"IssuerType" : "",
		"ClaimsValueType" : "",
		"ClaimsType" : "",
		"Prefix" : "EXAMPLEDOMAIN"
	}
]
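A check to run over a hand-edited or script-generated configuration file before the adapter reads it, added here as an example; it is not the adapter's code or IBM's authprovimport.ps1 script. It verifies the single-array structure and the six keys described above, and re-derives each Prefix from the other four values so that a mistyped Prefix (which would provision accounts under the wrong provider) is caught early. The derivation pattern is read off the examples above (the trailing "|" is omitted only for the Windows issuer type), the Classic Mode handling and the two sample files are constructed for this example, and all of these are assumptions rather than documented adapter behaviour.

```python
"""Check an authentication-provider configuration file before the adapter reads it.

Added example, not the adapter's code or IBM's PowerShell script. It enforces
the structure described above (one JSON array, six string keys per element)
and re-derives each Prefix from the other four values using the claims
encoding pattern visible in this page's examples. The derivation rule and
the sample files are assumptions built for this example.
"""
import json
import sys

REQUIRED_KEYS = ("DisplayName", "NameOfOriginalIssuer", "IssuerType",
                 "ClaimsValueType", "ClaimsType", "Prefix")


def derive_prefix(provider):
    """Rebuild the Prefix from the four claim fields.

    Assumed pattern, read off the page's examples: "i:0" + ClaimsType +
    ClaimsValueType + IssuerType + "|" + NameOfOriginalIssuer, plus a
    trailing "|" for every issuer type except Windows ("w"). A Classic Mode
    entry leaves the claim fields empty and its Prefix is the bare domain.
    """
    ct, cvt, it = provider["ClaimsType"], provider["ClaimsValueType"], provider["IssuerType"]
    issuer = provider["NameOfOriginalIssuer"]
    if not (ct or cvt or it or issuer):
        return provider["Prefix"]          # Classic Mode: nothing to derive
    prefix = f"i:0{ct}{cvt}{it}|{issuer}"
    return prefix if it == "w" else prefix + "|"


def validate_config(text):
    """Return a list of problems; an empty list means the file is acceptable."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, list):
        return ["top level must be a single JSON array"]
    problems, seen = [], set()
    for idx, item in enumerate(data, start=1):
        if not isinstance(item, dict):
            problems.append(f"element #{idx}: not a JSON object")
            continue
        missing = [k for k in REQUIRED_KEYS if k not in item]
        if missing:
            problems.append(f"element #{idx}: missing keys {missing}")
            continue
        if any(not isinstance(item[k], str) for k in REQUIRED_KEYS):
            problems.append(f"element #{idx}: every value must be a string")
            continue
        if not item["Prefix"]:
            problems.append(f"element #{idx}: Prefix is empty")
            continue
        expected = derive_prefix(item)
        if item["Prefix"] != expected:
            # A wrong Prefix provisions accounts under the wrong provider.
            problems.append(f"element #{idx}: Prefix {item['Prefix']!r} does not "
                            f"match the claim fields (expected {expected!r})")
        if item["Prefix"] in seen:
            problems.append(f"element #{idx}: duplicate Prefix {item['Prefix']!r}")
        seen.add(item["Prefix"])
    return problems


# Constructed sample: the page's three providers plus a Classic Mode entry.
GOOD_CONFIG = """[
 {"DisplayName": "Windows Authentication (EXAMPLEDOMAIN)", "NameOfOriginalIssuer": "EXAMPLEDOMAIN",
  "IssuerType": "w", "ClaimsValueType": ".", "ClaimsType": "#", "Prefix": "i:0#.w|EXAMPLEDOMAIN"},
 {"DisplayName": "Some Membership Provider", "NameOfOriginalIssuer": "SomeMembershipProvider",
  "IssuerType": "f", "ClaimsValueType": ".", "ClaimsType": "#", "Prefix": "i:0#.f|SomeMembershipProvider|"},
 {"DisplayName": "Example ACS", "NameOfOriginalIssuer": "Example ACS",
  "IssuerType": "t", "ClaimsValueType": ".", "ClaimsType": "5", "Prefix": "i:05.t|Example ACS|"},
 {"DisplayName": "CLASSICDOMAIN", "NameOfOriginalIssuer": "",
  "IssuerType": "", "ClaimsValueType": "", "ClaimsType": "", "Prefix": "CLASSICDOMAIN"}
]"""

# Constructed sample with two mistakes: a forms provider whose Prefix was
# copied from the Windows entry, and an element missing most of its keys.
BAD_CONFIG = """[
 {"DisplayName": "Some Membership Provider", "NameOfOriginalIssuer": "SomeMembershipProvider",
  "IssuerType": "f", "ClaimsValueType": ".", "ClaimsType": "#", "Prefix": "i:0#.w|SomeMembershipProvider|"},
 {"DisplayName": "Incomplete", "Prefix": "EXAMPLEDOMAIN"}
]"""

if __name__ == "__main__":
    # Usage: python check_authprov.py [filename.json]; with no argument the
    # two constructed samples above are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = [(sys.argv[1], fh.read())]
    else:
        sources = [("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)]
    for name, text in sources:
        found = validate_config(text)
        print(f"{name}: {'OK' if not found else 'problems found'}")
        for problem in found:
            print("  -", problem)
```

Run it against the file produced by authprovimport.ps1 before copying that file to the Dispatcher host; a clean run lists no problems, and each reported element number matches the element numbering used in Table 2.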

Generating the configuration file

A Powershell script is provided to assist with generating the configuration file.

Run the script on the SharePoint server with administrator privilege in a command prompt:
powershell authprovimport.ps1 -WebApplication http://[sharepointserver]:[port] -SaveAs [filename.json]

Copy the configuration file to a location on the server that is running the Adapter Dispatcher service. For example, save the file under TDI_HOME\timsol\SharePointAdapter folder. Create the SharePointAdapter folder if it does not exist.

SharePoint Site Configuration

If the Microsoft SharePoint site is configured with some other authentication (for example, Form-Based Authentication), the adapter can still manage the site by using either Basic Authentication or NTLM authentication.

The following steps are recommended to ensure the Adapter works with the Microsoft SharePoint site.

  1. Extend the SharePoint Web Application to a new IIS Web Site.
  2. Configure the Authentication Provider for the newly extended site.
    1. Select the check box for Enable Windows Authentication.
    2. Select the check box for Integrated Windows authentication (NTLM) or Basic authentication.
      Note: This configuration option depends on the authentication with which the adapter will be configured on IBM Security Verify Governance Identity Manager or IBM Security Verify Governance.
  3. Configure the new IIS Website for SSL.
  4. Import the SSL certificate into the Adapter Dispatcher's certificate trust store (view the IDI_HOME/timsol/solution.properties file and search for property javax.net.ssl.trustStore to determine the location of the trust store file).

For more detailed instructions, refer to the Microsoft SharePoint documentation.

Important: With Basic Authentication, credentials are sent in clear text. It is highly recommended to configure the Adapter to communicate with SharePoint over Secure Sockets Layer (SSL) to protect the credentials.