Configure EAA as the STS provider to access a SaaS application
Configure EAA as the STS provider to access a SaaS application that supports the WS-Federation protocol.
Configure Enterprise Application Access (EAA) as the identity provider (IdP), acting as the secure token service (STS) provider for an application that supports the WS-Federation protocol. The procedure below uses a SharePoint site as the relying party.
Step 1. Create the WS-Federation application in EAA.
From the top menu bar, click Applications > Add Application.
Select a SaaS application.
Enter an application name and an optional description.
In the Protocol menu, select WS-Federation.
Click Create App and Configure. The application's General settings tab opens.
In the General tab, under the Application identity section:
In the Application URL field, enter the external URL of the application, for example the SharePoint site. The application URL is the path that users navigate to in their browser to access the application.
To hide the application from the login portal, select the Hide Application from Login Portal checkbox.
In the Certificate section, select the IdP Signing Certificate that EAA uses to sign the STS tokens it issues to the application. By default, EAA generates a self-signed certificate. Alternatively, you can upload your own certificate.
Click Save and go to Authentication.
Select an Akamai IdP and associate a directory source such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP).
Click Save and go to WS-Federation settings.
The STS provider settings fields are pre-populated and non-editable:
Sign-in URL: The sign-in URL of the STS provider, using the WS-Federation passive protocol.
Sign-out URL: The sign-out URL of the STS provider, to be configured in the WS-Federation supported application.
Signing certificate: The identity provider signing certificate that the application uses to verify, and therefore trust, the STS token.
If you use the EAA self-signed certificate, download both the signing certificate and the root CA certificate that issued it. Save each one as a separate .crt file (for example, by pasting the PEM text into a text editor) and upload both to the SharePoint server. In this example, WS-FED-Cert.crt is the self-signed signing certificate and SohaCA.crt is the root certificate. If you use a certificate from a well-known certificate authority (CA), download only that certificate and upload it to the SharePoint server.
Copy the sign-in URL from the STS provider settings; you need it when you create the trusted identity provider in SharePoint.
Click Save and exit. Do not deploy the application at this time.
Step 2. Configure the SharePoint administration server to accept EAA as an STS provider, and grant users of the EAA IdP access to the SharePoint application with specific permissions.
Upload the certificates to the SharePoint server and assign each certificate to a PowerShell variable.
Add the certificates to the trusted root authorities of SharePoint.
Add the claim types for the SharePoint server. SharePoint uses these claims to trust EAA as an STS provider when EAA sends SAML 1.1 tokens. For example, to add userprincipalname (UPN), role, and email address as claim types in SharePoint, create a claim mapping variable for each of them. You can add more or fewer claims, as required by your organization.
Create a new variable called $realm and set it to the relying party realm of the SharePoint site; you enter the same value later as the Realm in the EAA WS-Federation relying party settings. In this example the realm is the /_trust endpoint of the SharePoint web application:
$realm = "http://sharepoint.secperimeter.com/_trust"
Create a new variable for the sign-in URL and assign the sign-in URL you copied from the EAA STS provider settings.
Create a trusted identity provider in SharePoint using the previous variables. Create a new SPTrustedIdentityTokenIssuer with the New-SPTrustedIdentityTokenIssuer cmdlet, using the variables you created, and configure it as shown here:
$iwaap = New-SPTrustedIdentityTokenIssuer -Name "Alpha_UITest-IWA-IDP" -Description "EAA Trusted Identity Provider Alpha-UITest-IWA-IDP" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap -SignInUrl $signInURL -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
The EAA STS provider now appears as a trusted identity provider on the SharePoint server. Select it as the Trusted Identity Provider for the web application.
Allow users from the EAA STS provider and identity provider to perform actions such as viewing and editing on the SharePoint site.
Click the Security tab in SharePoint Central Administration and select Web Application User Policy.
Configure the permissions for a specific user or for all users of the organization. For example, grant all users from the identity provider read access to the SharePoint application.
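The SharePoint side of Step 2 as one script, added here as a worked example; it is not code from the original page or from Akamai. It is meant to be run in an elevated SharePoint Management Shell on the SharePoint server. The certificate file names, the realm, the issuer name and the claim type URIs come from the page; the certificate directory, the sign-in URL placeholder, the web application URL and the user alice@secperimeter.com are assumptions for illustration. The policy section grants a single EAA user read access, which is the scripted equivalent of the Web Application User Policy step above.

```powershell
# Added example (not from the original page): SharePoint side of the EAA WS-Federation trust.
# Run in an elevated SharePoint Management Shell on the SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Certificates downloaded from the EAA STS provider settings (directory is an assumption).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\WS-FED-Cert.crt")
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\SohaCA.crt")

# Trust both certificates. The root CA is only needed when EAA uses its self-signed
# token-signing certificate; a public-CA certificate needs only $cert.
New-SPTrustedRootAuthority -Name "EAA WS-Fed Signing Certificate" -Certificate $cert   | Out-Null
New-SPTrustedRootAuthority -Name "EAA Root CA"                    -Certificate $caCert | Out-Null

# Claim types EAA sends in the SAML 1.1 token. The URIs must match the claim statements
# configured in EAA; -SameAsIncoming keeps the claim type unchanged inside SharePoint.
$upnClaimMap   = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaimMap  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Relying party realm (the same string goes into the EAA Realm field) and the EAA sign-in
# URL copied from the STS provider settings (placeholder, not a value from the page).
$realm     = "http://sharepoint.secperimeter.com/_trust"
$signInURL = "https://<eaa-idp-host>/<sign-in-path>"

# Register EAA as a trusted identity token issuer. UPN is the identifier claim, so the
# UPN EAA sends becomes the SharePoint login name; -ImportTrustCertificate is what
# SharePoint uses to verify the token signature.
$iwaap = New-SPTrustedIdentityTokenIssuer -Name "Alpha_UITest-IWA-IDP" `
    -Description "EAA Trusted Identity Provider Alpha-UITest-IWA-IDP" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap, $upnClaimMap, $roleClaimMap `
    -SignInUrl $signInURL `
    -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Web application user policy: give one EAA user (assumed UPN) read access.
$wa = Get-SPWebApplication "http://sharepoint.secperimeter.com"
$user = New-SPClaimsPrincipal -ClaimValue "alice@secperimeter.com" `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -TrustedIdentityTokenIssuer $iwaap
$policy = $wa.Policies.Add($user.ToEncodedString(), "Alice via EAA")
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
$wa.Update()

# Check: the issuer's signing certificate must be the one EAA signs tokens with, otherwise
# SharePoint rejects every token. Also print the issuer settings for review.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "Alpha_UITest-IWA-IDP"
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Trusted issuer signing certificate does not match WS-FED-Cert.crt"
}
$issuer | Select-Object Name, ProviderUri, IdentifierClaim, @{n="Thumbprint"; e={$_.SigningCertificate.Thumbprint}}
```

Whenever the EAA signing certificate is rotated, repeat the New-SPTrustedRootAuthority step for the new certificate and update the issuer with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate; the thumbprint check at the end is the quickest way to confirm that SharePoint is trusting the certificate EAA is actually using.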
Step 3. Go back to the EAA application you created in Step 1 and complete these settings:
Go to WS-FEDERATION SETTINGS > Relying Party settings to configure the service provider realm.
In the Realm field, enter the same value you assigned to $realm in SharePoint in Step 2.
In the Application URL field, enter the application URL you specified in the General tab in Step 1.
Select the NameID format and NameID attribute values that apply.
Enter a value for Token Life in seconds.
Field descriptions:
Realm: The relying party identifier configured in the WS-Federation supported application. Same as the $realm variable in SharePoint.
Application URL: A URL on the application that initiates the WS-Federation login request to the STS provider.
NameID format: The format of the subject name identifier in the SAML 1.1 assertion sent in the STS token.
NameID attribute: The user attribute to be sent as the NameID value. The selected attribute must comply with the selected NameID format. This is the directory value sent in the STS token.
Sign-out URL: The logout endpoint of the WS-Federation supported application, called by EAA for IdP-initiated logout. The URL triggers logout from the application.
Token life: The duration for which the STS token is valid, in seconds. Keep it short; SharePoint rejects tokens outside their validity window, so the SharePoint server clock must be synchronized with EAA.
Go to the Claim statements section and configure all of the claim types that you specified in SharePoint in Step 2 (in this example: role, email address, and userprincipalname). The claim statements carry user attributes from the directory in the IdP realm to the SP realm, which is needed when the application does not have access to the same directory store. Each claim type URI must match the incoming claim type of the corresponding SharePoint claim mapping.
Click Save, go to the Deployment tab, and deploy the application.
Step 4. Verify the EAA IdP setup.
Access the EAA login portal (Identity Portal URL) and log in with your AD credentials. Alternatively, browse directly to the application URL you entered in the General tab in Step 1; the application redirects you to EAA to sign in.
Click the application card for the SharePoint application.
You are redirected to the SharePoint application with the permissions granted in Step 2.