SharePoint Views

ADFS as Identity provider for SharePoint 2010 Claims site – Part II

This blog post is a continuation of Part I, which explains how to configure ADFS as identity provider for SharePoint.

In this post I explain the remaining two steps:

Step 2: Configure a Claims based Web Application

The trusted identity provider for a claims-based SharePoint web application is configured with Windows PowerShell. Run the commands below from the SharePoint 2010 Management Shell (or add the Microsoft.SharePoint.PowerShell snap-in first). The steps are as follows.

  1. From the Windows PowerShell command prompt (PS C:\>), create an X509Certificate2 object from the ADFS token-signing certificate you exported in Step 1:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("path to cert file")

  2. Create a claim type mapping to use in your trusted authentication provider. Here the e-mail address claim sent by ADFS is passed through unchanged (-SameAsIncoming) and will become the user's identity in SharePoint:

$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

  3. Create a value for the realm parameter. This is the identifier SharePoint sends to ADFS with every sign-in request, and it must match the relying party identifier you configured in ADFS in Part I:

$realm = "https://sitename/_trust/"

  4. Create a value for the signinurl parameter. This points to the passive sign-in endpoint of the ADFS federation service, i.e. the ADFS server, not the SharePoint site:

$signinurl = "https://servername/adfs/ls/"

  5. Create the trusted login provider, using the same IdentifierClaim value as in the claim mapping ($map1.InputClaimType). The certificate passed to -ImportTrustCertificate is what SharePoint uses to validate the signature on every token ADFS issues, so make sure it really is the current ADFS token-signing certificate:

$ap = New-SPTrustedIdentityTokenIssuer -Name "Adfs" -Description "Windows Identity Foundation" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1[,$map2..] -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

Complete script:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\226Cert.cer")

$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm = "https://sitename/_trust/"

$signinurl = "https://servername/adfs/ls/"

$ap = New-SPTrustedIdentityTokenIssuer -Name "Adfs" -Description "Windows Identity Foundation" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType


Root Certificate Authority:

The certificate exported in Step 1 must also be added as a trusted root authority in Central Administration (Security > Manage trust > New). SharePoint validates the signing certificate of incoming tokens against this trust store, not against the Windows certificate store of the server, so without this entry token validation fails even though the certificate was imported with -ImportTrustCertificate. If the token-signing certificate was issued by a CA, add the issuing CA certificate here as well. Keep in mind that ADFS 2.0 rolls its self-signed token-signing certificate over automatically by default (AutoCertificateRollover); when that happens, both the trusted identity token issuer and this trust entry have to be updated with the new certificate or sign-in stops working.
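The following script, which is an added example and not part of the original post, carries out Step 2 and the root authority registration together and adds the checks worth doing before trusting a certificate: it prints the thumbprint so it can be compared with the token-signing certificate on the ADFS server, refuses a certificate that is about to expire, registers the certificate in SharePoint's own trust store with New-SPTrustedRootAuthority instead of through the UI, and reads back what SharePoint recorded. It also maps a role claim alongside the e-mail claim, which goes beyond the post; that only works if the relying party in ADFS is configured to send role claims. The certificate path, host names and issuer name are placeholders taken from the post.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell or the snap-in below, and placeholder names from the post.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$certPath   = "C:\226Cert.cer"               # ADFS token-signing certificate exported in Step 1
$realm      = "https://sitename/_trust/"     # must equal the relying party identifier in ADFS
$signInUrl  = "https://servername/adfs/ls/"  # ADFS passive endpoint, NOT the SharePoint site
$issuerName = "Adfs"
$rootName   = "ADFS Token Signing"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# This certificate is what SharePoint will use to validate every token ADFS sends,
# so make sure it is the right one and not about to expire. Compare the thumbprint
# with the output of "Get-ADFSCertificate -CertificateType Token-Signing" on the ADFS server.
Write-Host ("Subject: {0}`nThumbprint: {1}`nValid until: {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Token-signing certificate expires on $($cert.NotAfter); ADFS will roll it over soon, export the new one instead."
}

# Trust the certificate in SharePoint's own root store (the same thing as Manage trust in CA).
if (-not (Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $rootName -Certificate $cert | Out-Null
}

# Claim mappings: the e-mail claim becomes the user's identity; the role claim
# (assumption: ADFS is configured to send it) lets you grant permissions to groups.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

if (Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue) {
    throw "A trusted identity token issuer named '$issuerName' already exists; remove or rename it first."
}

$ap = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "ADFS 2.0" -Realm $realm `
    -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2 -SignInUrl $signInUrl `
    -IdentifierClaim $map1.InputClaimType

# Read back what SharePoint actually stored: realm, sign-in URL, identifier claim
# and the thumbprint of the certificate it will validate tokens against.
$ap | Select-Object Name, IdentifierClaim, DefaultProviderRealm, ProviderUri,
    @{ Name = "SigningThumbprint"; Expression = { $_.SigningCertificate.Thumbprint } }
```

The thumbprint printed at the start and the SigningThumbprint at the end must both match the token-signing certificate ADFS reports; if they do not, the tokens ADFS issues will be rejected and users will loop between the sign-in page and the site.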

Step 3: Change the authentication for SharePoint Web Application
  • Go to Central Administration, then Application Management > Manage Web Applications.
  • Select the web application you created.
  • Click Authentication Providers in the ribbon and click the zone that uses Claims Based Authentication (for example Default).
  • In the dialog box, scroll down to the authentication types and check Trusted Identity Provider.
  • That lists the Adfs provider created in the previous step. Select it and save the change.
  • Create a site collection in the web application.
  • To add the site collection administrator, click the people picker and type the complete e-mail address of the user. With a trusted identity provider the people picker does not validate the value against ADFS: anything you type resolves, so the address must exactly match the e-mail claim ADFS will send for that user.
  • When you browse the site you should now be able to choose between Windows Authentication and Adfs as the sign-in method.
  • You can remove Windows authentication from the Authentication Providers if you do not need it, but first make sure nothing else on that zone still depends on it (farm administrators who sign in with Windows accounts, the search crawler).
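The same Step 3 can be scripted, which is useful when the web application has to be rebuilt. The script below is an added example and not part of the original post; it assumes the web application at https://sitename already exists in claims mode and that the trusted identity token issuer "Adfs" from Step 2 exists. It binds both Windows and ADFS authentication to the Default zone, builds the site collection administrator as a claims principal from the ADFS issuer (so the encoded login name is produced by SharePoint rather than typed by hand), creates the site collection and checks which providers the zone now offers. The administrator e-mail address is a placeholder.

```powershell
# Added example (not from the original post). Placeholder names are assumptions.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$webAppUrl  = "https://sitename"
$adminEmail = "admin@example.com"   # placeholder; must equal the e-mail claim ADFS sends for that person

$wa = Get-SPWebApplication $webAppUrl
if (-not $wa.UseClaimsAuthentication) {
    throw "$webAppUrl is a classic-mode web application; trusted identity providers require claims mode."
}

$adfs = Get-SPTrustedIdentityTokenIssuer -Identity "Adfs"
if (-not $adfs) { throw "Trusted identity token issuer 'Adfs' not found; run Step 2 first." }

# Windows (NTLM) claims provider, kept so farm administrators and the crawler can still sign in.
$windows = New-SPAuthenticationProvider

# Bind both providers to the Default zone. Passing only $adfs here is the
# scripted equivalent of removing Windows authentication in the UI.
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $adfs

# The site collection administrator is an ADFS identity. SharePoint cannot verify
# that this e-mail address exists; it trusts whatever ADFS asserts at sign-in.
$owner      = New-SPClaimsPrincipal -Identity $adminEmail -TrustedIdentityTokenIssuer $adfs
$ownerLogin = $owner.ToEncodedString()   # claims-encoded login, e.g. i:05.t|adfs|admin@example.com
Write-Host "Site collection administrator: $ownerLogin"

if (-not (Get-SPSite -Identity $webAppUrl -ErrorAction SilentlyContinue)) {
    New-SPSite -Url $webAppUrl -OwnerAlias $ownerLogin -Template "STS#0" -Name "ADFS Claims Site" | Out-Null
}

# Confirm which authentication providers the Default zone now offers.
$wa = Get-SPWebApplication $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.IisSettings[$zone].ClaimsAuthenticationProviders | Select-Object DisplayName, ClaimProviderName
```

Because SharePoint grants access to whatever identity ADFS asserts, the security of the site collection rests on the ADFS relying party configuration from Part I (which users and claims it issues for this realm); review that before exposing the site.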

Now you have a SharePoint web application set up with ADFS as identity provider.