SharePoint 2013 integration using WS-federation - SSO

These pages describes how to integrate SharePoint 2013 with Ubisecure SSO using the WS-Federation protocol. The knowledge of basic Ubisecure SSO management (e.g. creating agents and authorization policies) is necessary to perform the necessary configuration steps.

The result is a SharePoint 2013 environment, where the Ubisecure SSO handles user authentication. This enables the flexible use of strong authentication mechanisms not natively supported by SharePoint or ADFS 2.0. High-level access control and authorization policies are centrally managed through the Ubilogin Management application. 

Related Pages

Use the following references to guide you to other topics related to the SharePoint Integration.

Page

DESCRIPTION

SSO Management

Describes main user tasks in the Ubilogin Management application of the Ubisecure SSO application.

Windows Authentication Provider

Describes how to install and configure Windows Authentication Provider, which enables local domain users to sign-in using Windows SSO

SSO Active Directory integration

Describes how to link Ubisecure SSO to an existing AD instance, enabling local domain users to sign-in using their Windows username and password, enables linking of third-party credentials to an AD account, use of SMS and OTP authentication methods.



Figure 1. SharePoint 2013 Integration architecture overview

Prerequisites

  • SharePoint 2013 is installed: SharePoint has been installed and you can access SharePoint Central Administration as Administrator. For instance, by following the guide: Test Lab Guide: Configure SharePoint Server 2013 as a Single Server with Microsoft SQL Server you can set up a simple SharePoint environment: https://technet.microsoft.com/en-us/library/cc262243.aspx
  • Ubisecure SSO is installed: Ubisecure SSO is installed and you can log in as Administrator. Test users have been created.

In this guide, it is assumed that both SharePoint and Ubisecure SSO are running in its own server. Other configurations are technically possible (subject to standard hardware and software limitations), but have not been explicitly tested. 

Terminology

Some terms are called by different names in the SharePoint environment. Here is a summary of the exchangeable terms.

Microsoft

SAML2 / Ubisecure SSO

Claim

Assertion Attribute

Claims Provider

Identity Provider

Claim Rule

Authorization Policy / Authorization Policy Attribute

Relying Party

Service Provider


Authentication process

In the authentication process, Ubisecure SSO provides the identity to SharePoint in the form of claims. The identity protocol used between Ubisecure SSO and SharePoint is WS-Federation. 
From the SharePoint's point of view, Ubisecure SSO acts as an identity provider (claim provider) and from Ubisecure SSO's point of view, SharePoint acts as a service provider (relying party). 
This document does not cover the installation of Windows Authentication Provider and configuration of required user account mappings. These tasks are documented in the Ubisecure Windows Authentication Provider guide and Ubisecure Active Directory Integration guide.