Configure EAA as the STS provider to access a SaaS application

Configure EAA as the STS provider to access a SaaS application that supports the WS-Federation protocol.

Configure Enterprise Application Access (EAA) as the identity provider (IdP), acting as the secure token service (STS) provider for an application that supports the WS-Federation protocol.

How to

  1. Add an application to EAA.
    1. Log in to the EAA Management Portal.
    2. From the top menu bar, click Applications > Add Application.
    3. Select a SaaS application.
    4. Enter an application name and an optional description.
    5. In the Protocol menu select WS-Federation.
    6. Click Create App and Configure. The application General settings tab opens.
    7. In the General tab settings, under the Application identity section:
      1. In the Application URL field, enter the external URL of the application, such as the SharePoint site URL. The application URL is the path that users navigate to in their browser to access the application. For example:
      2. To hide the application from the Login Portal, select the Hide Application from Login Portal checkbox.
    8. In the Certificate section, select the IdP Signing Certificate that EAA uses to sign the SAML 1.1 tokens it issues to the application. By default, EAA generates a self-signed certificate. Alternatively, you can upload your own certificate. The application must be configured to trust this certificate (Step 2).
    9. Click Save and go to Authentication.
    10. Select an Akamai IdP and associate a directory source such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP).
    11. Click Save and go to WS-Federation settings.
    12. The STS provider settings fields are pre-populated and non-editable:
      Sign-in URL: The sign-in URL of the STS provider, using the WS-Federation passive (browser redirect) protocol.
      Sign-out URL: The sign-out URL of the STS provider, to be configured in the WS-Federation application.
      Signing certificate: The identity provider signing certificate that the application uses to verify the signature on STS tokens.
      • If you use a self-signed certificate, download both the certificate and the root certificate that was used to generate it, save each to its own file, and upload both to the SharePoint server. In this example, WS-FED-Cert.crt is the self-signed certificate and SohaCA.crt is the root certificate. If you use a certificate from a well-known certificate authority (CA), download only the signing certificate and upload it to the SharePoint server. In either case, compare the thumbprint of the uploaded file with the certificate shown in EAA before trusting it in SharePoint.
      • Copy the sign-in URL from the STS provider settings; you need it in Step 2e.
    13. Click Save and exit. Do not deploy the application at this time.
  2. Configure the SharePoint administration server to trust EAA as an STS provider, and grant users of the EAA IdP access to the SharePoint application with specific permissions.
    1. Upload the certificates to the SharePoint server and load each one into a PowerShell variable:
    2. Add them to the SharePoint trusted root authorities:
    3. Add the claim types for the SharePoint server. SharePoint uses these claim mappings to read the SAML 1.1 tokens that EAA sends as the STS provider. For example, to map userprincipalname (UPN), role, and email address as claim types in SharePoint, create these variables and assign these values:

      You can add more or fewer claims, as required by your organization.

    4. Create a new variable called $realm and set it to the relying party identifier (realm) of the SharePoint web application; you enter the same value in the EAA Realm field in Step 3b. In this example the realm is the SharePoint site URL with /_trust appended: $realm = "http://sharepoint.secperimeter.com/_trust"
    5. Create a new variable for the sign-in URL and assign the value you copied in Step 1l.
    6. Create the trusted identity provider in SharePoint using the previous variables. Assign the result of New-SPTrustedIdentityTokenIssuer to a variable and configure it as shown here (the IdentifierClaim is the UPN claim type, so the UPN in the token becomes the SharePoint user identity): $iwaap = New-SPTrustedIdentityTokenIssuer -Name "Alpha_UITest-IWA-IDP" -Description "EAA Trusted Identity Provider Alpha-UITest-IWA-IDP" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap -SignInUrl $signInURL -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    7. The EAA STS provider now appears as a Trusted Identity Provider in the authentication settings of the SharePoint web application. Select it as a Trusted Identity Provider.
    8. Allow users from the EAA STS provider and identity provider to perform actions such as viewing and editing on the SharePoint site.
    9. Click the Security tab in SharePoint and select Web Application User Policy:
    10. Configure the permissions for a specific user, or for all users of the organization. For example, all users from the identity provider are allowed read access to the SharePoint application:
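    The following is an added example of the SharePoint-side PowerShell for Step 2, written for this page and not taken from Akamai or Microsoft documentation. It uses the cmdlets that exist in the SharePoint Management Shell. The certificate file paths, the sign-in URL placeholder, the web application URL and the user UPN are assumptions; replace them with the values from your EAA WS-Federation settings and your own environment. The realm, certificate file names and provider name are the ones used on this page.

```powershell
# Added example (not from the original page): SharePoint-side configuration for Step 2.
# Run in the SharePoint Management Shell on the SharePoint administration server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 2a: load the EAA IdP signing certificate and, because the IdP certificate here is
# self-signed, the root certificate that issued it. File names are from the page; paths are assumed.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\WS-FED-Cert.crt")
$rootCA = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\SohaCA.crt")

# Check before trusting anything: the thumbprint must match the certificate shown in the EAA
# portal, and the certificate must be inside its validity period.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
if ($cert.NotAfter -lt (Get-Date)) { throw "EAA signing certificate has expired" }

# Step 2b: add both certificates to SharePoint's trusted root authorities.
New-SPTrustedRootAuthority -Name "EAA WS-Fed Signing Certificate" -Certificate $cert
New-SPTrustedRootAuthority -Name "EAA Root CA" -Certificate $rootCA

# Step 2c: claim type mappings. The claim type URIs must match the claim statements
# configured in EAA in Step 3f; -SameAsIncoming keeps the incoming claim type unchanged.
$emailClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Step 2d: relying party realm (value from the page). It must equal the Realm entered in EAA (Step 3b).
$realm = "http://sharepoint.secperimeter.com/_trust"

# Step 2e: sign-in URL copied from the EAA STS provider settings (Step 1l). Placeholder value; assumed.
$signInURL = "https://eaa-idp.example.com/wsfed/signin"

# Step 2f: register EAA as a trusted identity token issuer. The IdentifierClaim is the UPN claim,
# so the UPN carried in the token becomes the SharePoint user identity.
$iwaap = New-SPTrustedIdentityTokenIssuer -Name "Alpha_UITest-IWA-IDP" `
    -Description "EAA Trusted Identity Provider Alpha-UITest-IWA-IDP" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap, $upnClaimMap, $roleClaimMap `
    -SignInUrl $signInURL `
    -IdentifierClaim $upnClaimMap.InputClaimType

# Verify what was registered: realm, sign-in URL and the signing certificate SharePoint will trust.
Get-SPTrustedIdentityTokenIssuer -Identity "Alpha_UITest-IWA-IDP" |
    Format-List Name, DefaultProviderRealm, ProviderUri, SigningCertificate

# Steps 2i and 2j, scripted instead of clicked: grant read-only access on the web application
# to one user from the EAA provider. Web application URL and UPN are assumed values.
$webApp = Get-SPWebApplication "http://sharepoint.secperimeter.com"
$principal = New-SPClaimsPrincipal -ClaimValue "alice@secperimeter.com" `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -TrustedIdentityTokenIssuer $iwaap
$policy = $webApp.Policies.Add($principal.ToEncodedString(), $principal.DisplayName)
$policy.PolicyRoleBindings.Add(
    $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
$webApp.Update()
```

    The example deliberately adds a single user with FullRead rather than a blanket policy for every user of the provider; widen it only after the trust has been verified end to end in Step 4, because any policy granted to the trusted provider applies to every identity EAA asserts in a token.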
  3. Go back to the EAA application you started in Step 1 and complete these settings:
    1. Go to WS-FEDERATION SETTINGS > Relying Party settings to configure the service provider realm.
    2. Copy the Realm from Step 2d and enter it in the Realm field.
    3. Copy the Application URL from Step 1g and enter it in the Application URL field.
    4. Select the NameID format and NameID attribute values that apply.
    5. Enter a value for Token Life in seconds.
      Realm: The relying party identifier configured in the WS-Federation application. Must be identical to the $realm variable in SharePoint.
      Application URL: A URL on the application that initiates the WS-Federation login request to the STS provider.
      NameID format: The format of the subject name identifier in the SAML 1.1 assertion sent in the STS token.
      NameID Attribute: The user directory attribute sent as the NameID value in the STS token. The selected attribute must comply with the specified NameID format.
      Signout URL: The logout endpoint of the WS-Federation application, called by EAA for IdP-initiated logout.
      Token life: The duration for which an STS token is valid, in seconds.
    6. Go to the Claim statements section and configure all of the claim types that you specified in Step 2c, using the same claim type URIs. This passes user attributes from the directory in the IdP realm to the SP realm, which is required when the application does not share a directory store with the IdP. For example, role, email address, and userprincipalname as shown:
    7. Click Save and go to Deployment tab and Deploy the application.
  4. Verify the EAA IdP setup.
    1. Access the Identity Portal URL of the Akamai IdP you selected in Step 1j and log in with your AD credentials.
    2. Click the application card for the SharePoint application. If you selected Hide Application from Login Portal in Step 1g, no card is shown; open the Application URL directly instead, and SharePoint redirects you to EAA for authentication.
    3. You are redirected to the SharePoint application.
    4. If SharePoint prompts you to choose a sign-in method, select the EAA trusted identity provider to access the SharePoint application.