Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
19 KiB
title |
---|
SharePoint Server SE |
Support level: Community
What is Microsoft SharePoint
SharePoint is a proprietary, web-based collaborative platform that integrates natively with Microsoft 365.
Launched in 2001, SharePoint is primarily sold as a document management and storage system, although it is also used for sharing information through an intranet, implementing internal applications, and for implementing business processes.
Organizations use Microsoft SharePoint to create websites.
You can use it as a secure place to store, organize, share, and access information from any device. All you need is a web browser, such as Microsoft Edge, Internet Explorer, Chrome, or Firefox.
-- https://support.microsoft.com/en-us/office/what-is-sharepoint-97b915e6-651b-43b2-827d-fb25777f446f
:::note There are many ways to implement SSO mechanism within Microsoft SharePoint Server Subscription Edition.
These guidelines provides the procedure to integrate authentik with an OIDC provider based on Microsoft documentation. (cf. https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad)
In addition, it provides the procedure to enable claims augmentations in order to resolve group memberships.
For all other integration models, read Microsoft official documentation. (cf. https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/plan-user-authentication) :::
:::caution This setup only works starting with authentik version 2023.10 and Microsoft SharePoint Subscription Edition starting with the Cumulative Updates of September 2023. :::
Preparation
When you configure OIDC with authentik, you need the following resources:
- A SharePoint Server Subscription Edition farm starting with CU of September 2023
- An authentik instance starting with version 2023.10
- (Optional) LDAPCP installed on the target SharePoint farm
:::info Ensure that the authentik and SharePoint Server clocks are synchronized. :::
These guidelines use the following placeholders for the overall setup:
Name | Placeholder | Sample value |
---|---|---|
authentik Application Name | auth.applicationName |
SharePoint SE |
authentik Application Slug | auth.applicationSlug |
sharepoint-se |
authentik OIDC Name | auth.providerName |
OIDC-SP |
authentik OIDC Configuration URL | auth.providerConfigURL |
https://authentik.company/application/o/sharepoint-se/.well-known/openid-configuration |
authentik OIDC Client ID | auth.providerClientID |
0ab1c234d567ef8a90123bc4567890e12fa3b45c |
authentik OIDC Redirect URIs | auth.providerRedirectURI |
https://sharepoint.company/.* |
(Optional) authentik LDAP Outpost URI | ldap.outpostURI |
ak-outpost-ldap.authentik.svc.cluster.local |
(Optional) authentik LDAP Service Account | ldap.outpostServiceAccount |
cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io |
(Optional) authentik LDAP Service Account Password | ldap.outpostServiceAccountPassword |
mystrongpassword |
SharePoint Default Web Application URL | sp.webAppURL |
https://sharepoint.company |
SharePoint Trusted Token Issuer Name | sp.issuerName |
Authentik |
SharePoint Trusted Token Issuer Description | sp.issuerDesc |
authentik IDP |
authentik configuration
Step 1: Create authentik OpenID Property Mappings
SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and be able to map incoming authentik OID Claims with Microsoft Claims.
Additional information from Microsoft documentation:
- https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens#validate-tokens
- https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims
Add an OpenID scope mapping for SharePoint
From the authentik Admin Dashboard:
- Open Customisation > Property Mappings page from the sidebar.
- Click Create from the property mapping list command bar.
- Within the new property mapping form, select Scope Mapping.
- Click Next and enter the following values:
- Name: SPopenid
- Scope name: openid
- Expression:
return {
"nbf": "0", # Identifies the time before which the JWT can't be accepted for processing.
# 0 stand for the date 1970-01-01 in unix timestamp
"oid": user.uid, # This ID uniquely identifies the user across applications - two different applications signing in the same user receives the same value in the oid claim.
"upn": user.username # (Optional) User Principal Name, used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
}
- Click Finish.
Add a profile scope mapping for SharePoint
From the authentik Admin Dashboard:
- Open Customisation > Property Mappings page from the sidebar.
- Click Create from the property mapping list command bar.
- Within the new property mapping form, select Scope Mapping.
- Click Next and enter the following values:
- Name: SPprofile
- Scope name: profile
- Expression:
return {
"name": request.user.name, # The name claim provides a human-readable value that identifies the subject of the token.
"given_name": request.user.name, # Interoperability with Microsoft Entra ID
"unique_name": request.user.name, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
"preferred_username": request.user.username, # (Optional) The primary username that represents the user.
"nickname": request.user.username, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
"roles": [group.name for group in request.user.ak_groups.all()], # The set of roles that were assigned to the user who is logging in.
}
- Click Finish.
Step 2: Create authentik Open ID Connect Provider
From the authentik Admin Dashboard:
- Open Applications > Providers page from the sidebar.
- Click Create from the provider list command bar.
- Within the new provider form, select OAuth2/OpenID Provider.
- Click Next and enter the following values:
- Name:
auth.providerName
- Authentication flow: default-authentication-flow
- Authorization flow: default-provider-authorization-implicit-consent :::note use the explicit flow if user consents are required :::
- Redirect URIs / Origins:
auth.providerRedirectURI
- Signing Key: authentik Self-signed Certificate :::note The certificate is used for signing JWT tokens;, if you change it after the integration do not forget to update your SharePoint Trusted Certificate. :::
- Access code validity: minutes=5 :::note The minimum is 5 minutes, otherwise SharePoint backend might consider the access code expired. :::
- Access Token validity: minutes=15 :::note The minimum is 15 minutes, otherwise SharePoint backend will consider the access token expired. :::
- Scopes: select default email, SPopenid and SPprofile
- Subject mode: Based on the User's hashed ID
- Name:
- Click Finish.
Step 3: Create an application in authentik
From the authentik Admin Dashboard:
- Open Applications > Applications page from the sidebar.
- Click Create from the application list command bar.
- Within the new application form, enter the following values:
- Name:
auth.applicationName
- Slug:
auth.applicationSlug
- Provider:
auth.providerName
- (Optional) Launch URL:
sp.webAppURL
- (Optional) Icon: https://res-1.cdn.office.net/files/fabric-cdn-prod_20221209.001/assets/brand-icons/product/svg/sharepoint_48x1.svg
- Name:
- Click Create.
Step 4: Setup OIDC authentication in SharePoint Server
Pre-requisites
Update SharePoint farm properties
The following PowerShell script must be updated according to your environment and executed as Farm Admin account with elevated privileges on a SharePoint Server.
:::caution
- Update placeholders
- Read all script's comments
:::
Add-PSSnapin microsoft.sharepoint.powershell
# Setup farm properties to work with OIDC
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$fileName = $rsaCert.key.UniqueName
#If you have multiple SharePoint servers in the farm, you need to export certificate by Export-PfxCertificate and import certificate to all other SharePoint servers in the farm by Import-PfxCertificate and apply the same permissions as below.
#After certificate is successfully imported to SharePoint Server, we will need to grant access permission to certificate private key.
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$fileName"
$permissions = Get-Acl -Path $path
#Please replace the <web application pool account> with the real application pool account of your web application.
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$($env:computername)\WSS_WPG", 'Read', 'None', 'None', 'Allow')
$permissions.AddAccessRule($access_rule)
Set-Acl -Path $path -AclObject $permissions
#Then we update farm properties only once.
$f = Get-SPFarm
$f.Farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint
$f.Farm.Properties['SP-NonceCookieHMACSecretKey']='seed'
$f.Farm.Update()
SharePoint settings in case of SSL offloading
Update the SharePoint farm to accept OAuth authentication over HTTP.
The following PowerShell script must be updated according to your environment and executed as Farm Admin account with elevated privileges on a SharePoint Server.
Add-PSSnapin microsoft.sharepoint.powershell
$c = get-spsecuritytokenserviceconfig
$c.AllowOAuthOverHttp = $true
$c.update()
Create SharePoint authentication provider
The following PowerShell script must be updated according to your environment and executed as Farm Admin account with elevated privileges on a SharePoint Server.
:::caution
- Update placeholders
- Read all script's comments.
:::
Add-PSSnapin microsoft.sharepoint.powershell
# OIDC Settings
$metadataendpointurl = "auth.providerConfigURL"
$clientIdentifier = "auth.providerClientID"
$trustedTokenIssuerName = "sp.issuerName"
$trustedTokenIssuerDescription = "sp.issuerDesc"
# OIDC Claims Mapping
## Identity claim: oid => defined within the Authentik scope mapping
$idClaim = New-SPClaimTypeMapping "http://schemas.microsoft.com/identity/claims/objectidentifier" -IncomingClaimTypeDisplayName "oid" -SameAsIncoming
## User claims mappings
$claims = @(
$idClaim
## User Roles (Group membership)
,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::Role) -IncomingClaimTypeDisplayName "Role" -SameAsIncoming)
## User email
,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::Email) -IncomingClaimTypeDisplayName "Email" -SameAsIncoming)
## User given_name
,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::GivenName) -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming )
## (Optional) User account name
#,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::NameIdentifier) -IncomingClaimTypeDisplayName "Username" -SameAsIncoming)
)
# Trust 3rd party identity token issuer
$trustedTokenIssuer = New-SPTrustedIdentityTokenIssuer -Name $trustedTokenIssuerName -Description $trustedTokenIssuerDescription -ClaimsMappings $claims -IdentifierClaim $idClaim.InputClaimType -DefaultClientIdentifier $clientIdentifier -MetadataEndPoint $metadataendpointurl -Scope "openid email profile"
#Note: Remove the profile scope if you plan to use the LDAPCP claims augmentation.
# Create the SharePoint authentication provider based on the trusted token issuer
New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $trustedTokenIssuer
Configure SharePoint web applications
From the Central Administration opened as a Farm Administrator:
- Open the Application Management > Manage web applications page.
- Select your web application
sp.webAppURL
. - Click Authentication Providers from the ribbon bar.
- According to your environment, click on the target zone such as "Default".
- Update the authentication provider form as following:
- Check Trusted Identity Provider
- Check the newly created provider named
sp.issuerName
- (Optional) Set Custom Sign In Page: /_trust/default.aspx
- Click Save.
Repeat all steps for each target web applications that matches with auth.providerRedirectURI
.
(Optional) SharePoint enhancements
Objectives :
- Integrate SharePoint People Picker with authentik to search users and groups
- Augment SharePoint user claims at login stage
- Resolve user's membership
:::caution LDAPCP must be installed on the target SharePoint farm. :::
Step 1: Assign LDAPCP as claim provider for the identity token issuer
The following PowerShell script must be updated according to your environment and executed as Farm Admin account with elevated privileges on a SharePoint Server.
:::caution
- Update placeholders
- Read all script's comments
:::
Add-PSSnapin microsoft.sharepoint.powershell
$trustedTokenIssuerName = "sp.issuerName"
$sptrust = Get-SPTrustedIdentityTokenIssuer $trustedTokenIssuerName
$sptrust.ClaimProviderName = "LDAPCP"
$sptrust.Update()
Step 2: Configure LDAPCP claim types
From the SharePoint Central Administration opened as a Farm Administrator:
- Open Security > LDAPCP Configuration > Claim types configuration page.
- Update the mapping table to match these value:
Claim type | Entity type | LDAP class | LDAP Attribute to query | LDAP attribute to display | PickerEntity metadata |
---|---|---|---|---|---|
http://schemas.microsoft.com/identity/claims/objectidentifier | User | user | uid | sn | UserId |
LDAP attribute linked to the main mapping for object User | User | user | |||
LDAP attribute linked to the main mapping for object User | User | user | sn | DisplayName | |
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Group | group | cn | DisplayName | |
LDAP attribute linked to the main mapping for object Group | Group | group | uid | SPGroupID |
Step 3: Create an authentik LDAP Outpost
From the authentik Admin Dashboard:
:::note The following procedure apply to an authentik deployment within Kubernetes.
For other kinds of deployment, please refer to the authentik documentation. :::
- Follow authentik LDAP Provider Generic Setup with the following steps :
- Create User/Group to create a "service account" for
ldap.outpostServiceAccount
and a searchable group of users & groups - LDAP Flow to create the authentication flow for the LDAP Provider
- LDAP Provider to create an LDAP provider which can be consumed by the LDAP Application
- Create User/Group to create a "service account" for
- Open Applications > Applications page from the sidebar.
- Open the edit form of your application
auth.applicationName
. - In the edit form:
- Backchannel Providers: add the LDAP provider previously created
- Click Update.
Step 4: Configure LDAPCP global configuration
From the SharePoint Central Administration opened as a Farm Administrator:
- Open the Security > LDAPCP Configuration > Global configuration page.
- Add an LDAP connection with th following properties:
- LDAP Path: LDAP://
ldap.outpostURI
/dc=ldap,dc=goauthentik,dc=io - Username:
ldap.outpostServiceAccount
- Password:
ldap.outpostServiceAccountPassword
- Authentication types: check ServerBind
- LDAP Path: LDAP://
- Augmentation - Check Enable augmentation
- Augmentation - Select the Role claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
- Augmentation - Check only "Query this server" for your
ldap.outpostURI
- User identifier properties:
- LDAP class: user
- LDAP attribute: uid
- Display of user identifier results:
- Tick Show the value of another LDAP attribute: sn
- Click on "OK"
Note: The ldap.outpostURI
should be the IP, hostname, or FQDN of the LDAP Outpost service deployed accessible by your SharePoint farm.