SharePoint SAML Integration Using PureAUTH

Introduction

This document provides a comprehensive guide to configuring PureAUTH Passwordless Authentication with SharePoint using WS-Federation.

Add SharePoint to your PureAUTH Account

• On the PureAUTH Portal click on “Applications option.
• Click on “Add New Application” and select the “Sharepoint WS-Fed”. 
• In the application form, configure the properties as given below:
  • Application Name:  YOUR-APPLICATION-NAME
  • Dataset for email: Primary ( Corporate Email )
  • WS-Fed Response Endpoint (ACS URL): https://<FQDN>/_trust/
  • Realm (Entity ID): urn:pureauth:<realm-name>
• Click on “Add”.

Note: <FQDN> needs to be replaced by the domain name of your SharePoint Web Application. For Example: sp2019.demolabs.live

Note: <realm-name> can be according to the user’s choice. For example: urn:pureauth:portal

You should see your newly added SharePoint Application on the Application’s page. Please keep this page open as these details will be needed for the next steps.

The Certificate and links will be used further in the setup.

Configure PureAUTH as a Trusted Identity Provider for SharePoint

1. Copy and save the Certificate from PureAUTH Application Page in a .cert File. 

2. Open the SharePoint Management Shell on the SharePoint Server and run the following commands to add PureAUTH Certificate as Trusted Root Authority:
   1. $cert=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“<PATH-OF-YOUR-Certificate>”)

2. New-SPTrustedRootAuthority -Name “PureAUTH Certificate” -Certificate $cert

3. Add the required SharePoint Claim Type Mapping.
4. $email = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

2. $role = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
3. $upn = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

4. Add PureAUTH as a SharePoint Trusted Identity Provider.

1. New-SPTrustedIdentityTokenIssuer -Name “PureAUTH-SharePoint” -Description “Passwordless Authentication by PureAUTH” -Realm “urn:pureauth:<realm-name>” -SignInUrl “<WS-Fed login Endpoint>” -ImportTrustCertificate $cert -ClaimsMappings $upn,$email,$role  -IdentifierClaim $upn.InputClaimType

Note: realm-name should be the same as configured above and WS-Fed login Endpoint can be found on PureAUTH Application Page.

Once the command is executed, go to the Central Administration for SharePoint and select the following option: Central Administration -> Security -> Specify Authentication Providers.

Enable PureAUTH as a Trusted Identity Provider for SharePoint

Select the Web Application which you want to integrate with PureAUTH Identity provider.

Now click on the “Default” Zone and under the Claims Authentication Types Select Trusted Identity Provider and Select the PureAUTH-SharePoint.

Now that we have added PureAUTH as a Trusted identity provider in SharePoint let’s add a test account for demonstration. In order to add the test account go to the web application which is integrated with PureAUTH and choose the windows authentication for granting the test account with required privileges. 

Provide the Credentials for SharePoint Administrator. (In this case, we have spadmin as a sharepoint admin). Once provided credentials, go to settings gear and select Site permissions option.

Under the Site Permissions go to Advance permissions settings.

Once clicked the Advanced permissions settings we can go to the Grant Permissions option and Share the Web Application with the test account. Here, we have demouser as our test account. We can enter the email address of the test account to grant permissions “demouser@demolabs.live” and select the PureAUTH-SharePoint (IDP Name) UPN.

Test the PureAUTH PasswordLess Authentication on SharePoint.

Testing the PureAUTH PasswordLess Authentication

Note: To test the PureAUTH Authentication mechanism we have already onboarded the demouser@demolabs.live on the PureAUTH Platform. 

1. Go to the application page which is integrated with the PureAUTH Platform and select the PureAUTH-Sharepoint (IDP name) as the sign-in option.

2. After selecting PureAUTH-SharePoint Option we will be redirected to the PureAUTH Login page.

3. Based on the device on which the VR5 app is installed, you can do the following:
   1. VR5 application on android and IOS : Tap Swift Login > Select “Scan QR” and scan the QR code
   2. VR5 Neo on Desktop: 
      1. In the browser, click on the “Click Here if this device has VR5 App” button below the QR Code.
      2. On VR5 Neo app, Tap Swift Login > Click on “Paste” > Authenticate 

4. Now the User is authenticated using PureAUTH Mechanism in SharePoint without using Passwords.