
STO Express Outlet Manager single sign-on: what is ADFS?

Date: 2023-05-05 15:50:53  Views: 225519  Author: 623

I. Deploying ADFS

For the default single sign-on integration between ADFS and SharePoint, see the following link:

https://www.cnblogs.com/hudun/p/5912486.html

Problems that may occur, and how to resolve them:

Problem 1:


## Windows PowerShell script for the AD FS deployment
#
Import-Module ADFS

# Get the credential used for performing the installation/configuration of ADFS
$installationCredential = Get-Credential -Message "输入用来执行配置的帐户的凭据。"

# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "输入联合身份验证服务帐户的凭据。"

Install-AdfsFarm `
    -CertificateThumbprint:"DE091E3C9099F5E8ABE8852BB78FB623EA3D058C" `
    -Credential:$installationCredential `
    -FederationServiceDisplayName:"XXX" `
    -FederationServiceName:"adfs.XXX.com" `
    -ServiceAccountCredential:$serviceAccountCredential

Problem 2:

Solution: Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

This turns on the ADFS IdP-initiated sign-on page, which is disabled by default on newer Windows Server versions; enable it only if your sign-in flow actually needs it, since it exposes an additional sign-on endpoint.

II. Configuring ADFS and SharePoint: the commands to run are as follows

---- PowerShell commands run on the SharePoint server ----
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\adfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# Define the UPN claim type
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# Define the Email claim type
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Group (role) claim
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -LocalClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Identifier (realm): the unique identity that SharePoint presents to ADFS
$realm = "urn:sharepoint:ql"

# ADFS sign-in URL
$signInURL = "https://adfs.xxx.com/adfs/ls"

New-SPTrustedIdentityTokenIssuer -Name "ADFS Provider for SharePoint" -Description "SAML secured SharePoint" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap -SignInURL $signInURL -IdentifierClaim $upnClaimMap.InputClaimType

--- Add group information ---
$trust = Get-SPTrustedIdentityTokenIssuer "ADFS Provider for SharePoint"
$trust.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$trust.Update()
$GroupClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType $GroupClaimType -IncomingClaimTypeDisplayName "Role" -LocalClaimType $GroupClaimType

------- View the token issuer information -------
Get-SPTrustedIdentityTokenIssuer "ADFS Provider for SharePoint"

--- Install the wsp ---
Add-SPSolution -LiteralPath "C:\cer\LDAPCP.wsp"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment -Force
Update-SPSolution -Identity "LDAPCP.wsp" -LiteralPath "C:\cer\LDAPCP.wsp" -GACDeployment -Force

------- If the trusted root certificate needs to be changed, remove it first -------
Remove-SPTrustedRootAuthority -Identity "Token Signing Cert"

------- If the token issuer needs to be changed, remove it first -------
Remove-SPTrustedIdentityTokenIssuer -Identity "ADFS Provider for SharePoint"

------- Bind LDAPCP to the ADFS trust -------
$trust = Get-SPTrustedIdentityTokenIssuer "ADFS Provider for SharePoint"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

------- Unbind LDAPCP from the ADFS trust -------
$trust = Get-SPTrustedIdentityTokenIssuer "ADFS Provider for SharePoint"
$trust.GetType().GetField("m_ClaimProviderName", "NonPublic, Instance").SetValue($trust, $null)
$trust.Update()
Disable-SPFeature -Identity "LDAPCP"
Uninstall-SPSolution -Identity "LDAPCP.wsp"
# Wait for the timer job to complete before running Remove-SPSolution
Remove-SPSolution -Identity "LDAPCP.wsp"

--------- Manual update ---------
$trust.GetType().GetField("m_ClaimProviderName", "NonPublic, Instance").SetValue($trust, "LDAPCP")


III. Configuring ADFS to support role-based authorization

1. Add the following Role to the ADFS claim rules

2. Update the Trusted Identity Token Issuer in SharePoint.

$trust = Get-SPTrustedIdentityTokenIssuer "<ADFS Claims Name>"
$trust.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$trust.Update()
$GroupClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType $GroupClaimType -IncomingClaimTypeDisplayName "Role" -LocalClaimType $GroupClaimType

The result of the update is as follows:

3. Use LDAPCP as the claims provider to query the AD server, so that the role claim is used when permissions are granted to an AD group.

Download LDAPCP and install it in the SharePoint farm (see "How to install LDAPCP"). In SharePoint Central Administration -> System Settings -> Manage farm solutions, deploy ldapcp.wsp. Then, in Central Administration -> Security -> LDAPCP configuration -> Claim types configuration, make sure the entries in the red box below are correct, and remove the original "{fqdn}" prefix highlighted in yellow.

4. Finally, when we grant permissions to an ADFS group, the AD group shown in the screenshot below appears, with the type "domain group".

5. Granting permissions from the command line

$path = "https://spsite.com"
# Encoded claim for the AD group, issued by the trusted identity provider "adfs30"
$Group = "c:0-.t|adfs30|adgroup"
$perm = "Full Control"
$web = Get-SPWeb $path
# Resolve (or create) the principal for the encoded claim
$account = $web.EnsureUser($Group)
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
$role = $web.RoleDefinitions[$perm]
$assignment.RoleDefinitionBindings.Add($role)
$web.RoleAssignments.Add($assignment)
$web.Dispose()

By the encoding rule, the prefix for an ADFS group is c:0-.t|<Trusted Identity Token Issuer Name>|<ADGroupName>
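Steps 2 and 5 above, wrapped in one function as an added example (not code from the original post): it builds the encoded claim from the c:0-.t|<issuer>|<group> rule and checks the issuer and its role claim mapping before granting, because EnsureUser accepts any string and a mistyped issuer or group name silently creates a principal that no real token will ever match. The function name, parameters and sample values are assumptions; it must run on a farm server with the SharePoint snap-in loaded.

```powershell
# Added example: grant a SharePoint role to an AD group delivered by ADFS as a role claim.
# Assumes the SharePoint PowerShell snap-in is loaded. Function name and parameters are invented here.
function Grant-SPTrustedGroupRole {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,     # e.g. https://spsite.com
        [Parameter(Mandatory)][string]$IssuerName,  # name of the SPTrustedIdentityTokenIssuer
        [Parameter(Mandatory)][string]$GroupName,   # group name exactly as ADFS emits it in the role claim
        [Parameter(Mandatory)][string]$RoleName     # e.g. "Full Control", "Read"
    )
    $roleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

    # Look the issuer up instead of trusting the string: the issuer name becomes part of the
    # encoded claim, and a typo would produce a principal that never matches a real token.
    $trust = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction Stop
    if ($trust.ClaimTypes -notcontains $roleClaimType) {
        throw "Issuer '$IssuerName' has no role claim type mapped; complete section III step 2 first."
    }

    # Encoded claim layout: c = claim, 0 = version, '-' = role claim type, '.' = string value,
    # t = trusted identity provider, then the issuer name and the claim value.
    $encoded = "c:0-.t|$($trust.Name)|$GroupName"

    $web = Get-SPWeb $SiteUrl
    try {
        $role = $web.RoleDefinitions[$RoleName]
        if ($null -eq $role) { throw "Role definition '$RoleName' does not exist on $SiteUrl" }
        $account = $web.EnsureUser($encoded)
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
        $assignment.RoleDefinitionBindings.Add($role)
        $web.RoleAssignments.Add($assignment)
        Write-Output "Granted '$RoleName' to $encoded on $SiteUrl"
    }
    finally {
        $web.Dispose()
    }
}

# Usage with constructed values (issuer name taken from section II of this post):
# Grant-SPTrustedGroupRole -SiteUrl "https://spsite.com" -IssuerName "ADFS Provider for SharePoint" -GroupName "adgroup" -RoleName "Read"
```

Grant the least role that the group needs; "Full Control" as in the original snippet is rarely required for an entire AD group.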
