SharePoint 2013 Single Sign-On Authentication via SAML with OneLogin

Introduction

SharePoint 2013 supports claims-based single sign-on with SAML tokens out of the box: it implements the WS-Federation passive profile (which is why the OneLogin connector exposes a "WS-Federation Web SSO Endpoint" rather than a SAML 2.0 POST binding), and the token issued by the identity provider is a SAML assertion. This chapter provides guidelines for configuring a third-party Identity Provider, OneLogin (http://www.onelogin.com), as a trusted identity provider for SharePoint.

Configuring the Trusted Identity Provider for SharePoint

To configure OneLogin to sign users into SharePoint using SAML, first ensure the SharePoint Web Application is SSL enabled (the signed token is posted back to the web application URL, and SharePoint will not accept a trusted identity provider on a non-HTTPS zone), then proceed with the following steps.

  1. In OneLogin, navigate to Apps > Find Apps and search for "SharePoint 2013 (EMAIL)". Click Add.
  2. In the "Add SharePoint 2013 (EMAIL)" screen, select the app to be used by the organization and press Continue.

  3. Select the "Configuration" tab and set the following:

    • "FQDN": the SharePoint Web Application URL for which the OneLogin IdP is being added (the HTTPS URL of the web application).
    • "Realm": any unique URI, for example urn:saml:sharepoint. This value is the audience of the issued token and must be entered identically in the SharePoint configuration later.
    • "Site": the site collection or site relative URL, for example /sites/sitename/.

  4. Create new users if required from Users > All Users.

5. From menu Users > Roles, make sure that the SharePoint application is added to the Default Role.


6. Grant access to the SharePoint App in OneLogin.


Download the OneLogin Certificate for SharePoint

SharePoint will accept any token signed by this certificate, so obtain it only from the OneLogin administration console (not from e-mail or a third party) and note its thumbprint so it can be compared after import.

  • Log in to OneLogin as an administrator.
  • Download the OneLogin certificate (DER).
  • Open the OneLogin certificate.
  • Select the "Details" tab.
  • Select "Copy to File".
  • Select "DER encoded binary X.509 (.CER)".
  • Save as "C:\onelogin.cer".

Define the certificate used to validate the signed WS-Federation (SAML) token

Open "SharePoint Management Shell" on the SharePoint server and execute the following commands.

  1. Load the OneLogin certificate into an object:
    • $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\onelogin.cer")
  2. Install the OneLogin certificate as a trusted root authority (confirm $cert.Thumbprint matches the thumbprint shown in the OneLogin console before running this):
    • New-SPTrustedRootAuthority -Name "OneLogin Certificate" -Certificate $cert
  3. Set e-mail as the common identifier between OneLogin and SharePoint:
    • $email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
  4. Set the SharePoint site realm identifier:
    • $realm = "urn:saml:sharepoint"
    • Note: The realm must match, character for character, the "Realm" value entered in OneLogin under the "Configuration" tab of the SharePoint connector. It is the audience of the issued token, and SharePoint rejects tokens whose audience does not match.
  5. Create the OneLogin IdP in SharePoint:
    • $x = New-SPTrustedIdentityTokenIssuer -Name "OneLoginSharePoint" -Description "OneLoginSharePoint" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email -SignInUrl "{WS-Federation Web SSO Endpoint}" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    • Note: Replace {WS-Federation Web SSO Endpoint} with the HTTPS URL found in OneLogin under the "Single Sign-on" tab. The -IdentifierClaim value must be one of the incoming claim types passed in -ClaimsMappings (here, the e-mail address claim).

After executing the script, the OneLogin identity provider will be listed under Trusted Identity Providers in the Web Application page.
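The five steps above as a single script, with the checks a practitioner would want before trusting an identity provider: the certificate is pinned to a thumbprint read out of band from the OneLogin console, its validity period is checked, the sign-in URL is required to be HTTPS, and the stored trust is read back for comparison. This is an added example, not code from the original page or from OneLogin; the thumbprint, the sign-in URL and the issuer name are placeholders to replace with your own values.

```powershell
# Added example: trust creation with verification. Placeholders are marked below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath      = "C:\onelogin.cer"
# Placeholder: the thumbprint shown in the OneLogin admin console for the downloaded certificate.
$expectedThumb = "0123456789ABCDEF0123456789ABCDEF01234567"
$realm         = "urn:saml:sharepoint"          # must equal the Realm configured in OneLogin
# Placeholder: the WS-Federation Web SSO Endpoint from OneLogin's "Single Sign-on" tab.
$signInUrl     = "https://REPLACE-ME.onelogin.com/trust/wsfed"
$emailClaim    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$issuerName    = "OneLoginSharePoint"

# 1. Load the IdP signing certificate and pin it to the thumbprint verified out of band.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.Thumbprint -ne $expectedThumb) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $expectedThumb"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "OneLogin certificate expired on $($cert.NotAfter)"
}
# The browser is redirected to this URL with the realm and return URL; insist on TLS.
if (-not $signInUrl.StartsWith("https://", [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "SignInUrl must be an HTTPS URL"
}

# 2. Trust the certificate (idempotent: skip if an authority with this name already exists).
if (-not (Get-SPTrustedRootAuthority -Identity "OneLogin Certificate" -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name "OneLogin Certificate" -Certificate $cert | Out-Null
}

# 3. Map the incoming e-mail claim unchanged. It doubles as the identifier claim, so
#    the IdentifierClaim below must be one of the mapped incoming claim types.
$email = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# 4./5. Create the trusted identity token issuer.
$ti = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "OneLogin SAML trust" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaim

# Read back what SharePoint stored and compare it with the intended values.
$check = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
"Name         : $($check.Name)"
"Realm        : $($check.DefaultProviderRealm)"
"SignInUrl    : $($check.ProviderUri)"
"Identifier   : $($check.IdentityClaimTypeInformation.InputClaimType)"
"Signing cert : $($check.SigningCertificate.Thumbprint)"
if ($check.SigningCertificate.Thumbprint -ne $expectedThumb) {
    throw "Stored signing certificate does not match the pinned thumbprint"
}
```

The thumbprint check is the important addition: once New-SPTrustedRootAuthority has run, every token signed by that key is accepted for every user it names, so the certificate, not the password, is the credential being trusted here.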

Configure the site to use Trusted Identity Provider

Open "SharePoint 2013 Central Administration" on the SharePoint server and either create a new Web Application with SSL enabled or update an existing SSL-enabled Web Application.

  1. Navigate "Application Management"

  2. Click "Manage web applications"


  3. Select a SharePoint Web Application that is SSL enabled.

    • Note: The "SharePoint Central Administration" web application can NOT be used with a trusted identity provider.
  4. Click "Authentication Providers" from the top menu options.

  5. Click "Default - Claims Based Authentication"


  6. Check "Trusted Identity Provider" and select the OneLogin IdP. Leave Windows authentication enabled as well, so that farm administrators can still sign in if OneLogin is unavailable.

  7. Click "Save".

Reference: https://onelogin.zendesk.com/hc/en-us/articles/201173964-Configuring-SAML-for-SharePoint-2013
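The same zone change made from the SharePoint Management Shell instead of Central Administration, so that it can be scripted and reviewed. This is an added example, not code from the original page or from OneLogin; the web application URL is a placeholder and the issuer name "OneLoginSharePoint" is the one created in the previous section.

```powershell
# Added example: bind the OneLogin trust to the Default zone alongside Windows authentication.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl      = "https://sharepoint.example.com"   # placeholder: your SSL-enabled web application
$issuerName = "OneLoginSharePoint"

$wa = Get-SPWebApplication -Identity $waUrl

# Refuse the two configurations the page warns against: a non-HTTPS zone (the signed
# token is POSTed to this URL) and the Central Administration web application.
if ($wa.Url -notlike "https://*") {
    throw "Web application $($wa.Url) is not SSL enabled"
}
if ($wa.IsAdministrationWebApplication) {
    throw "Central Administration cannot use a trusted identity provider"
}

$windows  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$onelogin = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer `
    (Get-SPTrustedIdentityTokenIssuer -Identity $issuerName)

# Keep Windows authentication on the zone so administrators retain a sign-in path
# that does not depend on the IdP being reachable.
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $onelogin

# Read back the providers now configured on the Default zone.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa   = Get-SPWebApplication -Identity $waUrl
$wa.IisSettings[$zone].ClaimsAuthenticationProviders |
    Select-Object DisplayName, ClaimProviderName
```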

Define the Initial Users

  1. Select the web application for which OneLogin IdP is configured 

  2. Select "User Policy" from the menu ribbon to bring up the "Policy for Web Application" dialog box.


  3. Select "Add Users" in the menu ribbon. 

  4. Select the appropriate zone or select the default "All Zones" and select the "Next" button.

  5. From the "Add Users" dialog, select the people picker book in the "Choose Users" section.

  6. Select the Trusted Identity Provider in the left frame and enter the account (e-mail address) or group to grant access in the "Find" text box at the top. Note that without a custom claims provider the people picker does not validate the value against OneLogin: whatever is typed is accepted and must match the e-mail claim OneLogin will assert, character for character, or the policy will never apply.

  7. Click OK.


  8. Select the Permissions intended for the user or group. 

  9. Select the "Finish" button to go back to the "Policy for Web Application" Dialog.

  10. Select the "OK" button to close.
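The user policy from the dialog above created from the SharePoint Management Shell. This is an added example, not code from the original page or from OneLogin; the web application URL and the account alice@example.com are placeholders, and the issuer name "OneLoginSharePoint" is the one created earlier. The principal is built as a claims principal of the trusted issuer, which is exactly the identity SharePoint will see in the OneLogin token, so the e-mail value must match what OneLogin asserts.

```powershell
# Added example: grant a OneLogin user a web-application policy and verify it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl      = "https://sharepoint.example.com"   # placeholder
$issuerName = "OneLoginSharePoint"
$userEmail  = "alice@example.com"                # placeholder account
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$wa = Get-SPWebApplication -Identity $waUrl
$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# The identifier claim is the e-mail address, so the principal is keyed on that value.
# SharePoint does not check it against OneLogin; a typo here is a policy that never matches.
$principal = New-SPClaimsPrincipal -ClaimValue $userEmail -ClaimType $emailClaim `
    -TrustedIdentityTokenIssuer $ti
$encoded = $principal.ToEncodedString()   # encoded claim, of the form i:05.t|<issuer>|<e-mail>

# Least privilege: a web-application policy applies to every site collection in the
# web application, so grant Full Read here and assign edit rights inside the sites.
$readRole = $wa.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

$existing = $wa.Policies | Where-Object { $_.UserName -eq $encoded }
if (-not $existing) {
    $policy = $wa.Policies.Add($encoded, "$userEmail (OneLogin)")
    $policy.PolicyRoleBindings.Add($readRole)
    $wa.Update()
}

# Verify: list every policy that is keyed on a trusted-provider identity.
$wa.Policies | Where-Object { $_.UserName -like "i:05.t|*" } |
    Select-Object UserName, DisplayName,
        @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } }
```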

Login to SharePoint

Navigate to your web application. Because both providers are enabled on the zone, SharePoint shows a sign-in page with a dropdown offering the Windows and OneLogin authentication options.

Choosing OneLogin redirects the browser to the OneLogin login page (the -SignInUrl of the trusted identity token issuer).

On successful authentication, OneLogin posts the signed token back to the SharePoint site and the user is redirected to the site. If the user already has a valid OneLogin session cookie, OneLogin issues the token without prompting for credentials again.