Configure EAA as the STS provider to access a SaaS application
Configure EAA as the STS provider to access a SaaS application that supports the WS-Federation protocol.
Configure Enterprise Application Access (EAA) as the identity provider (IdP), acting as the secure token service (STS) provider for an application that supports the WS-Federation protocol.
Add an application to EAA.
- Log in to the EAA Management Portal.
- From the top menu bar, click .
- Select a SaaS application.
- Enter an application name and an optional description.
- In the Protocol menu select WS-Federation.
- Click Create App and Configure. The application General settings tab opens.
General tab settings, under Application
- In the Application URL field, enter the external URL of the application, like the SharePoint site. The application URL is the path that users navigate to in their browser to access the application. For example:
- To Hide Application from Login Portal, select the checkbox.
- In the Certificate section, select an IdP Signing Certificate that will sign the SAML request. By default, EAA generates a self-signed certificate. Alternatively, you can upload your own certificate.
- Click Save and go to Authentication.
- Select an Akamai IdP and associate a directory source such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP).
- Click Save and go to WS-Federation settings.
The STS provider settings fields are pre-populated and described below:

| Field | Value |
| --- | --- |
| Sign-in URL | The sign-in URL of the STS provider using the WS-Federation passive protocol. |
| Sign-out URL | The sign-out URL of the STS provider, configured in a WS-Federation supported application. |
| Signing certificate | The identity provider signing certificate used to trust the STS token. |
- If you use a self-signed certificate, download the certificate and the root certificate that was used to generate the self-signed certificate. Copy them to two Notepad files and upload them to the SharePoint server. In this example, WS-FED-Cert.crt is the self-signed certificate and SohaCA.crt is the root certificate. If you use a certificate from a well-known certificate authority (CA), you need to download only this certificate and upload it to the SharePoint server.
- Copy the sign-in URL of the STS provider settings.
- Click Save and exit. Do not deploy the application at this time.
Configure the SharePoint administration server to allow EAA to act as an STS provider, and add users of the EAA IdP to access the SharePoint application with specific permissions.
- Upload the certificates into the SharePoint server. Assign the certificates to variables using PowerShell:
- Add this to the TrustedRoot of SharePoint:
- Add the claim types for the SharePoint server. SharePoint uses these claims to trust EAA as an STS provider when it sends SAML 1.1 tokens. For example, to add userprincipalname (UPN), role, and email address as claim types in SharePoint, create these variables and assign these values:
You can add more or fewer claims, as required by your organization.
- Create a new variable called $realm and set it to the value from Step 1g, the EAA configuration for the STS provider section. In this example, $realm = "http://sharepoint.secperimeter.com/_trust".
- Create a new variable for the sign-in URL and assign the value from Step 1l.
- Create a trusted provider in SharePoint using the previous variables. Create a new SPTrustedIdentityTokenIssuer using the variables you created and configure it as shown here:

```powershell
# $signinurl holds the sign-in URL from the previous step (variable name assumed).
# -IdentifierClaim is required by the cmdlet; the UPN claim is used here.
$iwaap = New-SPTrustedIdentityTokenIssuer -Name "Alpha_UITest-IWA-IDP" `
    -Description "EAA Trusted Identity Provider Alpha-UITest-IWA-IDP" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap `
    -SignInUrl $signinurl -IdentifierClaim $upnClaimMap.InputClaimType
```
The EAA STS provider will appear as the Trusted Identity Provider in the SharePoint server site. Select it as a Trusted Identity Provider.
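As an added, consolidated example that is not part of the EAA documentation, the SharePoint Management Shell commands for the whole of Step 2 in one script: loading the two certificates, trusting the root CA, defining the three claim mappings, the realm and sign-in URL, and creating the trusted identity token issuer, followed by a check of what was registered. The certificate file paths, the sign-in URL value and the choice of UPN as the -IdentifierClaim are assumptions; WS-FED-Cert.crt, SohaCA.crt, the claim set, the issuer name and the realm come from the procedure above.

```powershell
# Added example, not part of the EAA documentation: Step 2 on the SharePoint side,
# run in the SharePoint Management Shell as a farm administrator.
# Assumptions: certificate paths, the sign-in URL value and the -IdentifierClaim
# choice (UPN) are placeholders; the file names, claim set, issuer name and realm
# are the ones used in the procedure.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 2a. Load the EAA IdP signing certificate and the root CA that issued it.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\WS-FED-Cert.crt")
$rootcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\SohaCA.crt")

# 2b. Trust the issuing CA; without it SharePoint rejects the token signature chain.
New-SPTrustedRootAuthority -Name "EAA Root CA (SohaCA)" -Certificate $rootcert

# 2c. Claim types EAA sends in the SAML 1.1 token (email, UPN, role).
# These URIs must match the Claim statements configured later in EAA.
$emailClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 2d. Relying party realm; the Realm field in EAA must be this exact string.
$realm = "http://sharepoint.secperimeter.com/_trust"

# 2e. Sign-in URL copied from the EAA STS provider settings (placeholder value).
$signinurl = "https://<eaa-idp-hostname>/<sign-in-path>"

# 2f. Register EAA as the trusted identity token issuer. -IdentifierClaim is the
# incoming claim SharePoint uses as the user's identity (UPN here, an assumption).
$iwaap = New-SPTrustedIdentityTokenIssuer -Name "Alpha_UITest-IWA-IDP" `
    -Description "EAA Trusted Identity Provider Alpha-UITest-IWA-IDP" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap `
    -SignInUrl $signinurl -IdentifierClaim $upnClaimMap.InputClaimType

# Check: confirm the issuer, its realm, sign-in endpoint and the bound signing
# certificate before deploying the EAA application.
Get-SPTrustedIdentityTokenIssuer -Identity "Alpha_UITest-IWA-IDP" |
    Format-List Name, DefaultProviderRealm, ProviderUri, SigningCertificate
```

The SigningCertificate shown by the check should carry the thumbprint of WS-FED-Cert.crt; a mismatch there, or a realm that differs from the EAA Realm field by so much as a trailing slash, is the usual reason SharePoint rejects the token.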
- Let users from the EAA STS provider and identity provider perform actions like editing and viewing on the SharePoint site.
Click the Security tab in SharePoint server and select Web Application User permissions for a specific user, or for all the users of the organization. For example, all users from the identity provider are allowed read access to the SharePoint application:
Go back to the EAA application you started in Step 1 and complete these settings:
- Go to the section to configure the service provider realm.
- Copy the Realm from Step 2d and enter it in the Realm field.
- Copy the Application URL from Step 1g and enter it in the Application URL field.
- Select the NameID format and NameID attribute values that apply.
- Enter a value for Token life in seconds.

| Field | Value |
| --- | --- |
| Realm | The relying party identifier to be configured in a WS-Federation supported application. Same as the $realm variable in SharePoint. |
| Application URL | A URL on the application which initiates the WS-Federation login request to the STS provider. |
| NameID format | The subject name identifier in SAML 1.1 sent in the STS token. |
| NameID Attribute | Select the user attribute to be sent as the NameID value. The selected value should comply with the specified NameID format. This is the directory value sent in the STS token. |
| Signout URL | Logout endpoint of a WS-Federation supported application, called by EAA for EAA IdP-initiated logout. The URL to trigger logout from the application. |
| Token life | The duration of a valid STS token, in seconds. |
Go to the Claim statements section and configure all of the claim types that you specified in Step 2c. This is needed to pass user-related attributes from user directories in the IdP realm to the SP realm when the same directory store is not present, and they are used by the application. For example: role, email address, and userprincipalname.
- Click Save, go to the Deployment tab, and deploy the application.
Verify the EAA IdP setup.
- Access the Identity Portal URL and log in with your AD credentials. This is the application URL in Step 1g.
- Click the application card for the SharePoint application.
- You will be redirected to the SharePoint application portal.
- Sign in to access the SharePoint application.