Microsoft SharePoint 2016 - WS-Fed SSO Agent Configuration - RSA Ready Implementation Guide

This article describes how to integrate Cloud Access Service (CAS) with Microsoft SharePoint 2016 using WS-Fed SSO Agent.


Configure RSA Cloud Access Service (CAS)

Perform these steps to configure CAS using WS-Fed SSO Agent.

Procedure

  1. Log in to the RSA Cloud Administration Console and navigate to Applications > Application Catalog, search for Microsoft SharePoint WS-Fed and click +Add to add the connector.
  2. In the Basic Information tab, enter a name for the application in the Name field and click Next Step.
  3. Go to the SAML Identity Provider section on the Connection Profile tab and copy the value from the Identity Provider URL field; paste it in the Connection URL field.
  4. A private/public key pair must be imported to sign and validate SAML assertions. Follow these steps to generate a certificate bundle:
    1. Go to the SAML Response Signature section and click Generate Certificate Bundle.
    2. In the Common Name (CN) field, enter the hostname of the SharePoint service provider's server that will be sending authentication requests.
    3. Click Generate and Download, save the certificate bundle ZIP file to a secure location and extract its contents. The ZIP file contains the private key, public key, public certificate and certificate signing request.
  5. Click Choose File to the left of Generate Certificate Bundle, locate and select the private key for signing SAML assertions and click Open.
  6. Click Choose File underneath Generate Certificate Bundle, locate and select your public certificate and click Open. Copy this signing certificate to the SharePoint server; it is used in the SharePoint configuration.
  7. Select the Include Certificate in Outgoing Assertion checkbox.
  8. Enter your relying party URL in the Relying Party URL field. The URL format is https://<SharePoint domain name>:<port number>/_trust.
  9. Enter the relying party ID in the Relying Party ID field. The same value must be used as the SharePoint realm name when configuring SharePoint. Use the format urn:<string 1>:<string 2>; you may choose any values for <string 1> and <string 2>.
  10. Decide which claim type(s) you will use to identify an authenticated user. This guide uses email as the identity claim. Refer to Microsoft documentation for the latest list of supported claims. To configure the claim, perform the following steps:
    1. In the Statement Attributes section, select Identity Source from the Attribute Source drop-down list.
    2. In the Attribute Name field, enter the attribute name that corresponds to your claim. The attribute name in this example is emailaddress. Note down the attribute name used here, as it is needed in the SharePoint configuration.
    3. Select the name of your user identity source from the Identity Source drop-down list.
    4. Select mail from the Property drop-down list.
    5. The Attribute Name given here must match the IncomingClaimTypeDisplayName given when configuring Microsoft SharePoint.
  11. Click Next Step.
  12. On the User Access page, configure the Access Policy settings and click Next Step.
  13. On the Portal Display page, click Next Step. The fulfillment service is disabled for this testing.
  14. Click Save and Finish.
  15. Click Publish Changes.

Notes

  • The Microsoft SharePoint web application must be configured with SSL. Consult Microsoft documentation for instructions to configure SSL. If the SharePoint web application uses the default SSL port (443), the port number can be omitted from the Relying Party URL.


Configure Microsoft SharePoint 2016

Procedure

Follow the steps in this section to configure Microsoft SharePoint as an SSO Agent WS-Fed service provider to CAS. 

This section is divided into the following subsections:

  1. Create a Trusted Root Authority
  2. Create a Trusted Identity Token Issuer for RSA 
  3. Configure a SharePoint Web Application using the created token issuer
  4. Configure additional SharePoint web applications for RSA integration (optional)


Create a Trusted Root Authority

  1. Log in to your SharePoint server host and open the SharePoint Management Shell.
  2. Create a root certificate object using the signing certificate downloaded from RSA and copied to the SharePoint server. Replace c:\certs\cert.pem with the path and name of your signing certificate.

$root_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\certs\cert.pem") 

  3. Create a trusted root authority for your token issuer and set the root certificate. Replace SECURID_ACCESS with the name you want to give to your trusted root authority.

New-SPTrustedRootAuthority -Name "SECURID_ACCESS" -Certificate $root_cert


Create a Trusted Identity Token Issuer for RSA

  1. In the SharePoint Management Shell, enter the command below to create the claim type mapping(s). Replace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with your claim type URL(s). IncomingClaimTypeDisplayName must be the same as the Attribute Name used when configuring RSA.

$email_claim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "emailaddress" -SameAsIncoming

  2. Enter the command below to create a variable to hold the name of your realm. This value must be exactly the same as the Relying Party ID configured in the RSA configuration section (no surrounding whitespace).

$realm = "urn:sharepoint2016:defaultsite"

  3. Execute the command below to create the Identity Token Issuer after replacing the values inside angled brackets. This guide uses "RSA_SP_TOKEN_ISSUER" as the name of the token issuer.

$issuer = New-SPTrustedIdentityTokenIssuer -Name "<NAME-OF-YOUR-TOKEN-ISSUER>" -Description "<ANY VALID DESCRIPTION>" -Realm $realm -ImportTrustCertificate $root_cert -ClaimsMappings $email_claim -SignInUrl "<IDENTITY PROVIDER URL COPIED FROM RSA>&" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


Note: The New-SPTrustedIdentityTokenIssuer command's SignInUrl parameter must have an "&" appended. If the Identity Provider URL is https://portal.sso.pe.rsa.net/IdPServlet?idp_id=abc, set the SignInUrl to https://portal.sso.pe.rsa.net/IdPServlet?idp_id=abc& in the command above.
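The two preceding subsections (trusted root authority, then claim mapping, realm and token issuer) are collected below into one SharePoint Management Shell script with the checks a practitioner would want before committing the trust. This is an added example, not script from the RSA Ready guide; the certificate path, issuer name, Identity Provider URL and web application values are placeholders and must be replaced with your own.

```powershell
# Added example (not part of the RSA Ready guide): create the trusted root authority,
# claim mapping and trusted identity token issuer in one pass, validating the inputs
# that most often break the trust (realm whitespace, missing trailing '&', wrong key).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = "c:\certs\cert.pem"                                     # public signing certificate from the CAS bundle
$rootName   = "SECURID_ACCESS"                                        # trusted root authority name
$issuerName = "RSA_SP_TOKEN_ISSUER"                                   # token issuer name used in this guide
$realm      = "urn:sharepoint2016:defaultsite"                        # must equal the Relying Party ID in CAS
$idpUrl     = "https://portal.sso.pe.rsa.net/IdPServlet?idp_id=abc"   # Identity Provider URL copied from CAS (placeholder)
$claimType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$claimName  = "emailaddress"                                          # must equal the Attribute Name in CAS

# Both sides compare the realm literally, so reject stray whitespace before anything is created.
if ($realm -ne $realm.Trim()) { throw "Realm contains leading or trailing whitespace: '$realm'" }

# The guide requires a trailing '&' on the sign-in URL; append it only when it is missing.
$signInUrl = if ($idpUrl.EndsWith("&")) { $idpUrl } else { "$idpUrl&" }

# Load the certificate and confirm it is the public half only: SharePoint validates
# signatures, so the private key from the bundle must never be copied to this server.
$root_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($root_cert.HasPrivateKey) { throw "Import the public certificate, not the private key" }
if ($root_cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($root_cert.NotAfter)" }
Write-Host "Signing certificate thumbprint: $($root_cert.Thumbprint)"

# Trusted root authority (skip if one with this name already exists).
if (-not (Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $rootName -Certificate $root_cert | Out-Null
}

# Claim mapping: the display name must match the CAS attribute name exactly.
$email_claim = New-SPClaimTypeMapping -IncomingClaimType $claimType `
    -IncomingClaimTypeDisplayName $claimName -SameAsIncoming

# SharePoint refuses to bind one signing certificate to two issuers (see Notes), so
# fail early with a clear message instead of a generic error from the cmdlet.
$inUse = Get-SPTrustedIdentityTokenIssuer |
    Where-Object { $_.SigningCertificate.Thumbprint -eq $root_cert.Thumbprint }
if ($inUse) { throw "Certificate $($root_cert.Thumbprint) already used by issuer '$($inUse.Name)'; generate a new bundle in CAS" }

$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "RSA Cloud Access Service WS-Fed" `
    -Realm $realm -ImportTrustCertificate $root_cert -ClaimsMappings $email_claim `
    -SignInUrl $signInUrl -IdentifierClaim $claimType

# Show what was stored so it can be compared field by field with the CAS connector.
$issuer | Select-Object Name, DefaultProviderRealm, ProviderUri, IdentityClaimTypeInformation
```

Run it once per web application that gets its own connector; on a second run with the same certificate the script stops at the thumbprint check, which is the condition the Notes at the end of this guide describe.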


Follow the steps in the next section to enable RSA on the SharePoint web application.

Configure a SharePoint Web Application using the created token issuer

  1. Open SharePoint Central Administration and click the Manage web applications link under Application Management.
  2. Highlight the web application you want to configure and click Authentication Providers.
  3. Click the Default link in the Authentication Providers section.
  4. Confirm that the Integrated Windows Authentication checkbox is checked and that NTLM is selected in the drop-down list.
  5. Check the Trusted Identity Provider checkbox.
  6. Check the checkbox for the token issuer name you chose above.
  7. Click Save.
  8. Log in to the newly created SharePoint site as an administrator.
  9. Click the gear icon at the top and select Site Settings.
  10. Click the Site permissions link in the Users and Permissions section of the Site Settings page.
  11. Click Grant Permissions.
  12. Enter your token issuer name in the text box, select the token issuer name that is auto-populated, and click Share.


Configure additional SharePoint web applications for RSA integration

To configure additional SharePoint web applications for RSA protection, add an additional "Microsoft SharePoint WS-Fed" connector for each web application and create a corresponding "Trusted Identity Token Issuer" for RSA in SharePoint, using the same procedure described in the CAS and Microsoft SharePoint configuration sections.


Configuration is complete.

Notes

  • When creating an additional "Trusted Identity Token Issuer", SharePoint does not allow reusing the certificate that was used to create the first "Trusted Identity Token Issuer". Regenerate the public certificate using the "Generate Certificate Bundle" option and use it to create the new "Trusted Identity Token Issuer".
  • Refer to Microsoft documentation for the latest list of claims supported by Microsoft SharePoint:

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims

  • All links to documentation are subject to change. Refer to the latest documentation.
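The Central Administration steps above leave no script behind, so the following audit (an added example, not script from the RSA Ready guide) reads back what they stored: whether the web application's Default zone answers over https and lists the RSA token issuer as an authentication provider, and whether any two token issuers share a signing certificate, the situation the first note describes. The web application URL and issuer name are assumptions; the check that the provider's DisplayName equals the issuer name is also an assumption about how SharePoint names trusted providers.

```powershell
# Added example (not from the RSA Ready guide): post-configuration audit of the
# SharePoint side of the WS-Fed trust. Replace the two placeholder values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "https://sharepoint.example.com"   # assumed web application URL
$issuerName = "RSA_SP_TOKEN_ISSUER"              # token issuer name used in this guide

$wa   = Get-SPWebApplication -Identity $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$iis  = $wa.IisSettings[$zone]

# 1. The guide requires SSL on the web application (the relying party URL is https).
if ($wa.GetResponseUri($zone).Scheme -ne "https") {
    Write-Warning "$webAppUrl (Default zone) does not answer over https"
}

# 2. The Default zone must list the trusted identity provider; this is what the
#    Authentication Providers dialog writes when the checkbox is ticked and saved.
$bound = $iis.ClaimsAuthenticationProviders | Where-Object { $_.DisplayName -eq $issuerName }
if ($bound) { Write-Host "OK: '$issuerName' is enabled on $webAppUrl" }
else        { Write-Warning "'$issuerName' is not enabled on $webAppUrl; check Authentication Providers" }

# 3. Each token issuer must carry its own signing certificate, and none should be
#    near expiry. A shared thumbprint means one CAS bundle was reused across connectors.
$issuers = Get-SPTrustedIdentityTokenIssuer
$issuers | Select-Object Name, DefaultProviderRealm, ProviderUri,
    @{ n = "Thumbprint"; e = { $_.SigningCertificate.Thumbprint } },
    @{ n = "NotAfter";   e = { $_.SigningCertificate.NotAfter } } | Format-Table -AutoSize

$issuers | Group-Object { $_.SigningCertificate.Thumbprint } | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Thumbprint $($_.Name) shared by: $($_.Group.Name -join ', ')" }

$issuers | Where-Object { $_.SigningCertificate.NotAfter -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning "Issuer '$($_.Name)' certificate expires $($_.SigningCertificate.NotAfter)" }
```

The expiry warning is worth keeping in a scheduled job: when the CAS signing certificate is rotated and a new bundle generated, the issuer on the SharePoint side must be updated as well, or sign-in fails with a signature validation error.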
