Configuring AD FS trust between a SharePoint 2010 application and AD FS v2.
NOTE: This doc is based on AD FS v2 pre-RTM bits.
Assumptions: The SharePoint 2010 app owner has deployed and configured his/her app to be claims aware.
For end-to-end instructions on how to deploy and configure a claims-aware app, visit HERE
Doc Objective: Provides step-by-step guidance on how to configure a federation trust between a SharePoint 2010 app and MSIT's AD FS v2 server Corp.STS (acting as Claims Provider). Note: these steps are mostly PowerShell cmdlets, so you will need at least minimal experience running PowerShell cmdlets.
Requirement: PowerShell 1.0
STEPS on SharePoint 2010 app server (Resource):

The steps below are for the current cert, valid until August 16, 2014 6:15 pm (PST).

From PowerShell:
o Create an X509Certificate2 object using the MSIT Corp STS certificate (corp_sts_2014.cer) located in the zip folder HERE. Copy the cert and save it to a folder of your choice.

Create the root cert:

Option-1:
$rootCert = Get-PfxCertificate "<path to certificate>"
New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootCert

Option-2 (extract the root certs and follow the sequence below):
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path>\GTE CyberTrust Global Root.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "Baltimore CyberTrust Root" -Certificate $cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\tmp\SharePoint-CorpSTS\Microsoft Internet Authority.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "Microsoft Internet Authority" -Certificate $cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path>\Microsoft Secure Server Authority.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "MSIT Machine Auth CA 2" -Certificate $cert

Then create the regular cert:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path to cert file>")
Example:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path>\corp_sts_2014.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "corp_sts_2014" -Certificate $cert
The steps below are for the new cert.

From PowerShell:
o Create an X509Certificate2 object using the MSIT Corp STS certificate (corp_sts_2016.cer) located in the zip folder HERE. Copy the cert and save it to a folder of your choice.

Create the root cert:

Option-1:
$rootCert = Get-PfxCertificate "<path to certificate>"
New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootCert

Option-2 (extract the root certs and follow the sequence below):
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path>\Baltimore CyberTrust Root.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "Baltimore CyberTrust Root" -Certificate $cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path>\Microsoft IT SSL SHA2.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "Microsoft IT SSL SHA2" -Certificate $cert

Then create the regular cert:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path to cert file>")
Example:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path>\corp_sts_2016.cer")
$rootAuth = New-SPTrustedRootAuthority -Name "corp_sts_2016" -Certificate $cert

o Create a claim type mapping to use in your trusted login provider
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

o Create a trusted login provider
Create a value for the realm parameter:
$realm = "https://www.yoursite.com"
Example:
$realm = "https://www.thesharepointadministrator.com"

Create a value for the signinurl parameter:
$signinurl = "https://corp.sts.microsoft.com/adfs/ls/"

Create the trusted login provider. Use the same IdentifierClaim used in one of the claim mappings ($map1.InputClaimType):
$ap = New-SPTrustedIdentityTokenIssuer -Name "MS ADFS" -Description "Microsoft Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

o SharePoint Web application's root site
The endpoint URL to be configured in Corp STS should be the URL of the SharePoint web application's root site, including the "_trust/" subdirectory.
Example: "https://www.thesharepointadministrator.com/_trust"
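The SharePoint-side steps above as one script, written here as an added example (not code from the original doc): it checks the STS signing cert's validity window and prints its thumbprint before anything is trusted, then creates the root authorities, claim mapping and token issuer, and verifies the stored issuer carries that same cert. The file paths and the -Identity lookups used as idempotency checks are assumptions; run it in the SharePoint 2010 Management Shell.

```powershell
# Added example, not from the original doc. Assumed/constructed: the cert paths below.
# Run in the SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell snap-in).
$StsCerPath   = "C:\certs\corp_sts_2016.cer"                       # constructed path
$RootCerPaths = @("C:\certs\Baltimore CyberTrust Root.cer",         # constructed paths
                  "C:\certs\Microsoft IT SSL SHA2.cer")
$Realm        = "https://www.thesharepointadministrator.com"
$SignInUrl    = "https://corp.sts.microsoft.com/adfs/ls/"
$IssuerName   = "MS ADFS"

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Load the STS signing cert and refuse one that is expired or not yet valid:
# tokens it signs would be rejected anyway, and the doc ties each cert to a validity window.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($StsCerPath)
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "STS cert '$($cert.Subject)' is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
# Print the thumbprint so it can be compared with the value published by the STS owner
# before any trust is created.
Write-Host ("STS signing cert {0}, thumbprint {1}, expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Option-2 of the doc: trust the chain (root/intermediate) first, then the STS cert itself.
foreach ($path in $RootCerPaths + $StsCerPath) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    $name = [System.IO.Path]::GetFileNameWithoutExtension($path)   # authority name = file name
    if (-not (Get-SPTrustedRootAuthority -Identity $name -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $name -Certificate $c | Out-Null
    }
}

# Claim mapping and trusted identity token issuer, exactly as in the steps above.
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$map1 = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name $IssuerName -Description "Microsoft Identity Provider" `
      -Realm $Realm -ImportTrustCertificate $cert -ClaimsMappings $map1 `
      -SignInUrl $SignInUrl -IdentifierClaim $map1.InputClaimType

# Verify what SharePoint actually stored: the issuer must carry the cert we validated.
$check = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if ($check.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Trusted identity token issuer '$IssuerName' holds a different signing cert than $StsCerPath"
}
Write-Host "Done. Endpoint to register in Corp STS as the relying party: $Realm/_trust/"
```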
STEPS on AD FS v2 server Corp.STS (Claims Provider):

Connect via Terminal Services (RDP) to the AD FS v2 server (Corp STS).
Open the Microsoft Geneva Server Management shortcut on the desktop.
In the left pane:
o Expand Policy
o Select Relying Parties
In the right pane:
o Add Relying Party...
A wizard will appear:
o Select Start
o Choose "Enter relying party configuration manually". Click Next
o Give a Name. Click Next
o Leave "Geneva" Server Profile selected. Click Next
o You will not use an encryption cert. Click Next
o Select Enable support for Web-browser-based identity federation
o Give the Web App URL and append /_trust/
  https://www.thesharepointadministrator.com/_trust/
  Click Next
o Add the following entry as an identifier (realm)
  https://www.thesharepointadministrator.com/
  Click Add, then click Next
o Click Next on the summary page
o Click Close
A new dialog will appear.
Rules Editor: we will map claims from LDAP to send to SharePoint.
o In the left pane: New Rule > Predefined Rules > Create Claims from LDAP Attribute Store
o Right pane:
  Drop down Attribute Store: select Enterprise Active Directory User Account Store
  Under LDAP Attribute select sAMAccountName
  Under Outgoing Claim Type select E-Mail Address
o Left pane: click the Save icon
o Close the dialog
Log off the machine.
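The same relying-party registration and LDAP claim rule, as an added example using the AD FS 2.0 RTM PowerShell snap-in rather than the pre-RTM Geneva console the doc walks through (this is not the doc's own procedure; the RTM cmdlets, the display name, and the permit-all authorization rule are assumptions). It ends by printing the token-signing thumbprint so it can be compared with the cert imported on the SharePoint side.

```powershell
# Added example, not from the original doc. Assumes AD FS 2.0 RTM bits with the
# Microsoft.Adfs.PowerShell snap-in; the doc itself used the pre-RTM Geneva console.
if (-not (Get-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}
$rpName     = "SharePoint 2010 (thesharepointadministrator)"        # constructed display name
$rpId       = "https://www.thesharepointadministrator.com/"         # identifier (realm) from the doc
$rpEndpoint = "https://www.thesharepointadministrator.com/_trust/"  # WS-Fed passive endpoint from the doc

# Issuance transform rule: the same mapping the Rules Editor produced
# (Active Directory store, sAMAccountName -> E-Mail Address claim).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName as E-Mail Address for SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Issuance authorization rule: RTM issues no token to a relying party that has none,
# so permit explicitly here (narrow it to a group claim in production).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpId -WSFedEndpoint $rpEndpoint `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Read back what was registered, and show the primary token-signing cert so its thumbprint
# can be checked against the corp_sts cert imported into SharePoint.
$rp      = Get-ADFSRelyingPartyTrust -Name $rpName
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
Write-Host "RP identifier  : $($rp.Identifier)"
Write-Host "WS-Fed endpoint: $($rp.WSFedEndpoint)"
Write-Host "Token-signing cert thumbprint (must match the SharePoint trust): $($signing.Thumbprint)"
```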
Reference Eric Kraus's blog for an end-to-end solution: http://blogs.msdn.com/ekraus/archive/2010/03/22/sharepoint-2010-claims-based-auth-with-adfsv2.aspx
Reference Steve Peschka's blog for an end-to-end solution: http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2end-to-end.aspx