Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Change Site Address | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/change-site-address.md | The SharePoint mobile apps detect the site's new URL. Make sure that users have **SharePoint web parts** Any embedded URLs in any SharePoint web parts (News, List, etc.) won't be updated and may break. This includes page thumbnail images in news posts existing on the site. After the site address is changed, you might need to update individual web parts to use the new URL. +**SharePoint workflow 2013** +SharePoint workflow 2013 will need to be republished after the site address is changed. + **Sharing links** After the site address is changed, sharing links will automatically redirect to the new URL. |
SharePoint | Enhanced People Picker For Trusted Authentication Method | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/administration/enhanced-people-picker-for-trusted-authentication-method.md | description: "In SharePoint Server Subscription Edition, People Picker is enhanc [!INCLUDE[appliesto-xxx-xxx-xxx-SUB-xxx-md](../includes/appliesto-xxx-xxx-xxx-SUB-xxx-md.md)] -When modern authentication (a trusted identity provider) such as SAML 1.1 or OIDC 1.0 is used, the People Picker control can't search, resolve, and validate users and groups without writing a custom claim provider through C#. +When modern ("trusted identity provider") authentication such as Security Assertion Markup Language (SAML) 1.1 or OpenID Connect (OIDC) 1.0 is used, the People Picker control can't search, resolve, and validate users and groups. Instead, the default behavior is to resolve any value that is entered, even if it's not a valid claim. In previous versions of SharePoint Server, the only solution was to use a Custom Claims Provider. -In SharePoint Server Subscription Edition, the People Picker has been enhanced to allow resolving users and groups based on their profiles in the User Profile Application (UPA). UPA must be configured to synchronize users and groups from the trusted identity provider membership store. This allows the People Picker to only resolve valid users and groups without requiring a custom claims provider. +In SharePoint Server Subscription Edition (SPSE), the People Picker has been enhanced to allow resolving users and groups based on their profiles in the User Profile Application (UPA, aka: UPSA). The UPA must be configured to synchronize users and groups from the trusted identity provider membership store. This allows the People Picker to resolve valid users and groups without requiring a Custom Claims Provider. -> [!IMPORTANT] -> This article describes how to setup UPA-backed people picker for SAML. For setting UPA-backed people picker for OIDC, see [**OIDC ADFS guide**](/SharePoint/security-for-sharepoint-server/oidc-1-0-authentication#step-7-set-up-people-picker) and [**OIDC Microsoft Entra ID guide**](/SharePoint/security-for-sharepoint-server/oidc-1-0-authentication#step-7-set-up-people-picker-1). +> [!NOTE] +> Using a Custom Claims Provider in SharePoint Server Subscription Edition is still a valid solution to the People Picker problem. If the limitations of the UPA-backed claims provider discussed in this article are too limiting for your organization, see [Create a claims provider in SharePoint](/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint) -Following are the configuration steps to make People Picker work. +> [!IMPORTANT] +> The default user profile import engine included with SharePoint Server, called "Active Directory Import" (AD Import), can only be used to import user profiles from on-premises Active Directory domains and forests. It cannot be configured to import user profiles from Microsoft Entra ID. If you are using OIDC authentication backed by Entra ID, you may consider using a Custom Claims Provider to provide People Picker functionality. -## Step 1: Create a UPABacked SPTrustedIdentityTokenIssuer +Following are the configuration steps to make the UPA-backed People Picker work. -Create a new token issuer using the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) PowerShell cmdlet. +## Step 1: Add a UPA-Backed claim provider to your SPTrustedIdentityTokenIssuer ++> [!NOTE] +> For SAML 1.1 trusted identity token issuers, you can add a UPA-backed claim provider when you create the token issuer, or you can assign one later. +> For OIDC 1.0 trusted identity token issuers, the token issuer must be created first, then you can assign the claim provider. See [Add a UPA backed claim provider to an existing SPTrustedIdentityTokenIssuer](#add-a-upa-backed-claim-provider-to-an-existing-sptrustedidentitytokenissuer) ++### Create a new SPTrustedIdentityTokenIssuer and assign a UPA backed claim provider at the same time ++> [!NOTE] +> This is only available for SAML 1.1 trusted identity token issuers. ++Create a new token issuer using the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) PowerShell cmdlet and assign a claim provider by adding the UseUPABackedClaimProvider switch. ```powershell New-SPTrustedIdentityTokenIssuer Following three parameters need special attention:<br/> `ClaimsMappings` specifies the mapping of claims from the original token to a SharePoint token. By using this parameter, SharePoint understands how to generate a SharePoint token when given a specific token from a user profile service application property.<br/> It accepts a list of `ClaimTypeMapping` objects, which are created by the [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) cmdlet. Following are examples of `ClaimTypeMapping` objects of different types of tokens and these objects can be provided to the `ClaimsMappings` parameter: - ```powershell - $emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming - $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming - $roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming - $sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming - ``` ++```powershell +$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming +$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming +$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming +$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming +``` - **IdentifierClaim** <br/>-The `IdentifierClaim` parameter specifies which claim type from the trusted STS will be used for the new identity provider. It can be set to the `InputClaimType` of the `ClaimTypeMapping` object created from the [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) cmdlet. +The `IdentifierClaim` parameter specifies which claim type will be used as the identifier claim (typically email or UPN). It can be set to the `InputClaimType` of the `ClaimTypeMapping` object created from the [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) cmdlet. - ```powershell - -IdentifierClaim $emailClaimMap.InputClaimType - ``` +```powershell +-IdentifierClaim $emailClaimMap.InputClaimType +``` - **UseUPABackedClaimProvider** <br/>-This switch parameter enables the People Picker to search and select users and groups from the User Profile Application service. And it creates a `SPClaimProvider`, which has the same name as `SPTrustedIdentityTokenIssuer`. - > [!NOTE] - > This parameter can't be used to create an OIDC SPTrustedTokenIssuer. +This switch parameter enables the People Picker to search and select users and groups from the User Profile Application service. It also creates a `SPClaimProvider`, which has the same name as the `SPTrustedIdentityTokenIssuer`. -### Example +> [!NOTE] +> The "UseUPABackedClaimProvider" parameter can't be used to create an OIDC SPTrustedIdentityTokenIssuer. It can only be used to create a SAML SPTrustedIdentityTokenIssuer. + +**Example:** ```powershell-New-SPTrustedIdentityTokenIssuer -Name "UPATest" -Description "Contoso.local" -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType +# Create a new trusted identity token issuer, and assign a UPA-backed claim provider at the same time +New-SPTrustedIdentityTokenIssuer -Name "UPATest" -Description "Contoso.local" -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -UseUPABackedClaimProvider +``` ++### Add a UPA backed claim provider to an existing SPTrustedIdentityTokenIssuer +The above example shows how to assign a UPA-backed claim provider at the time of trusted identity token issuer creation (for SAML providers only). If you have an existing trusted identity token issuer (either SAML or OIDC) and would like to add a UPA-backed claim provider to it, use the following example. ++> [!NOTE] +> The following PowerShell script samples vary slightly between SAML 1.1 and OIDC 1.0 authentication providers. Please choose the correct sample. ++**Example for SAML** ++```powershell +# Get the existing trusted identity token issuer named "SAML" +$stsidp = Get-SPTrustedIdentityTokenIssuer "SAML" ++# Create the new UPA-backed claim provider +$claimprovider = New-SPClaimProvider -AssemblyName "Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c" -Description "UPA-Backed" -DisplayName "UPA-Backed Claim Provider" -Type "Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider" -TrustedTokenIssuer $stsidp ++# Set the trusted identity token issuer to use the new claim provider +Set-SPTrustedIdentityTokenIssuer $stsidp -ClaimProvider $claimprovider +``` ++**Example for OIDC** ++```powershell +# Get the existing trusted identity token issuer named "OIDC" +$stsidp = Get-SPTrustedIdentityTokenIssuer "OIDC" ++# Create the new UPA-backed claim provider +$claimprovider = New-SPClaimProvider -AssemblyName "Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c" -Description "UPA-Backed" -DisplayName "UPA-Backed Claim Provider" -Type "Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider" -TrustedTokenIssuer $stsidp ++# Set the trusted identity token issuer to use the new claim provider +Set-SPTrustedIdentityTokenIssuer $stsidp -ClaimProvider $claimprovider -IsOpenIDConnect ``` ## Step 2: Synchronize profiles to UPSA -You can now start synchronizing profiles into the SharePoint User Profile service application from the identity provider that are used in the organization, so that the newly created claim provider can work on the correct data set. +You can now start synchronizing user profiles into the SharePoint User Profile Service Application (UPSA) from the identity provider that is used in the organization so that the newly created claim provider can work on the correct data set. -Following are the two ways to synchronize user profiles into the SharePoint User Profile service application: +Following are the two ways to synchronize user profiles into the SharePoint User Profile Service Application: - Use SharePoint Active Directory Import (AD Import) with **Trusted Claims Provider Authentication** as the **Authentication Provider Type** in the synchronization connection setting. To use AD Import, see [Manage user profile synchronization in SharePoint Server](/sharepoint/administration/manage-profile-synchronization). ![Add new synchronization connection.](../media/add-new-sync-connection.png) + > [!IMPORTANT] + > AD Import can only be used to import user profiles from on-premises Active Directory domains and forests. It cannot be configured to import profiles from Entra ID. If you are using OIDC authentication backed by Entra ID, you may instead consider using a Custom Claims Provider to provide People Picker functionality. + - Use Microsoft Identity Manager (MIM). To use MIM, see [Microsoft Identity Manager in SharePoint Servers 2016 and 2019](/sharepoint/administration/microsoft-identity-manager-in-sharepoint-server-2016). - There should be two agents inside the MIM synchronization Manager UX after MIM is set up. One agent is used to import user profiles from the source IDP to the MIM database. And another agent is used to export user profiles from the MIM database to the SharePoint User Profile service application. During the synchronization, provide the following properties to the User Profile ### a. SPS-ClaimID - Choose unique identity property in the source that will map to the **SPS-ClaimID** property in the User Profile service application (preferred **Email** or **User Principal Name**).-- Set the corresponding **IdentifierClaim** value while creating a token issuer from the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet.+- This should be the value for the corresponding **IdentifierClaim** parameter when the trusted identity token issuer was created using the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet. -For AD Import synchronization, the **Central Administration -> Application Management -> Manage service applications -> User Profile Service Application -> Manage User Properties** UX will allow administrators to edit the **SPS-ClaimID** to indicate which property in the source identity provider should be synchronized to **SPS-ClaimID**. For example, if the **SPS-ClaimID** is email, set **Claim User Identifier** as **Email** in this UX. +For AD Import synchronization, the **Central Administration -> Application Management -> Manage service applications -> User Profile Service Application -> Manage User Properties** UX will allow administrators to edit the **SPS-ClaimID** property to indicate which attribute in the source identity provider should be synchronized to **SPS-ClaimID**. This should be the property used as the identifier claim in the trusted identity token issuer. For example, if the identifier claim is email, and users email addresses are stored in the "mail" attribute in Active Directory, set **Claim User Identifier** as **"mail"** in this UX. > [!NOTE] > The display name of **SPS-ClaimID** is **Claim User Identifier** in the UX and administrator can customize the display names.+> +> If you are unsure about your identifier claim, you can check by running this PowerShell: +> `$trust = Get-SPTrustedIdentityTokenIssuer` +> `$trust.IdentityClaimTypeInformation` ![Claim User Identifier.](../media/claim-user-identifier.png) For AD Import synchronization, the **Central Administration -> Application Manag ![Property Mapping for Synchronization.](../media/property-mapping-for-sync.png) -For MIM synchronization, map **Email** or **User Principal Name** to **SPS-ClaimID** in the MIM database to the SharePoint User Profile service application agent: +For MIM synchronization, map your identifier claim (usually **Email** or **User Principal Name**) to **SPS-ClaimID** in the MIM database to the SharePoint User Profile service application agent: - In the MIM synchronization Service Manager, select the agent and open the **Configure Attribute Flow** UX. You can map **mail** to **SPS-ClaimID**. For MIM synchronization, map **Email** or **User Principal Name** to **SPS-Claim ### b. SPS-ClaimProviderID and SPS-ClaimProviderType -For AD Import synchronization, modify the following two properties in the **User Profile Service Application -> Configure Synchronization Connections -> Create New Connection** UX while creating a new AD Import synchronization connection. --- Set **SPS-ClaimProviderID** to the provider name using the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet.-- Set **SPS-ClaimProviderType** to **SPTrustedBackedByUPAClaimProvider**.+> [!NOTE] +> For AD Import synchronization, you only need to update the "Claim User Identifier" (SPS-ClaimID) property mapping. Unlike MIM synchronization, you do NOT need to map "Claim Provider Identifier" (SPS-ClaimProviderID) and "Claim Provider Type" (SPS-ClaimProviderType). For MIM synchronization, set these two properties in the **Configure Attribute Flow** UX for the MIM database to SharePoint User Profile service application agent: For MIM synchronization, set these two properties in the **Configure Attribute F ## Step 3: Make groups searchable -To enable the People Picker control to work with groups, run the following steps: --1. Ensure that the Group object has a property named **SID** of type **groupsid** in the identity provider. <br/>You can create a `ClaimTypeMapping` object using [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) and then provide this object to [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet with `-ClaimsMappings` parameter. +> [!IMPORTANT] +> Using the UPA-backed claims provider to resolve security groups only works if the groups Security Identifier (SID) is used, and the groups are imported into the User Profile Service Application. +> If you are using OIDC authentication backed by Entra ID, be advised that cloud-only groups do not have a SID, nor can AD Import synchronize with Entra ID. +> If you need to use cloud-only users or groups within your SharePoint site permissions, a Custom Claims Provider may be the only solution. - ```powershell - $sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming - $tokenissuer = New-SPTrustedIdentityTokenIssuer -ClaimsMappings $sidClaimMap, $emailClaimMap ... - ``` +To enable the People Picker control to work with security groups, complete the following steps: - This sample cmdlets creates a `claimmap` object of type `groupsid` and indicates that it works with the **SID** property of the group. Then it creates a new identity issuer, which can understand this mapping. +1. Ensure that the Group object has a property named **SID** of type **groupsid** in the identity provider. <br/>If you don't already have a claim mapping for "groupSID", you can create a `ClaimTypeMapping` object using [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) and then provide this object to [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet with `-ClaimsMappings` parameter. -2. Synchronize **SID** property of groups from the identity provider to the **SID** property in User Profile service application. +**Example:** - - For AD Import synchronization, SID will synchronize automatically from the source identity provider to the SharePoint User Profile service application. - - For MIM synchronization, take the property mapping from the identity provider to MIM and then from MIM to the SharePoint User Profile service application so that MIM can synchronize the group **SID** from the identity provider to the SharePoint User Profile service application. It's like how we do user profile synchronization for the **SPS-ClaimID** property for user profiles. +```powershell +# Add Group SID as a claim type to an existing trusted provider named "SAML" +$Trust = Get-SPTrustedIdentityTokenIssuer -Identity "SAML" +$Trust.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid") +$Trust.Update() ++# Add a claim mapping for Group SID +$GroupSidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "Group SID" -SameAsIncoming +$Trust = Get-SPTrustedIdentityTokenIssuer "SAML" +Add-SPClaimTypeMapping ΓÇôTrustedIdentityTokenIssuer $Trust -Identity $GroupSidClaimMaps +``` - > [!Note] - > For MIM synchronization, map **sAMAccountName** to **accountName** from MIM to the SharePoint User Profile service application. +2. Synchronize **SID** property of groups from the identity provider to the **SID** property in User Profile Service Application. -## Step 4: Enable fields being searchable in UPSA + - For AD Import synchronization, the SID property will synchronize automatically from the source identity provider to the SharePoint User Profile Service Application. + - For MIM synchronization, take the property mapping from the identity provider to MIM and then from MIM to the SharePoint User Profile service application so that MIM can synchronize the group **SID** from the identity provider to the SharePoint User Profile service application. The steps are similar to how the **SPS-ClaimID** property was mapped for user profiles, only in this case, the mappings for the "group" object type are updated. -To make people picker work, the final step is to enable fields to be searchable in User Profile service application. + > [!Note] + > For MIM synchronization, also map **sAMAccountName** to **accountName** for the Group object from MIM to the SharePoint User Profile service application. -Users can set which properties are searched by the People Picker by following this sample PowerShell script. +## Step 4: Set properties as searchable in the UPSA -- Get the property list of the User Profile service application, which is connected with a given web application.+To make people picker work, the final step is to enable which properties will be searchable in User Profile Service Application. - ```powershell - $site = $(Get-SPWebApplication $WebApplicationName).Sites[0] - $context= Get-SPServiceContext $site - $psm = [Microsoft.Office.Server.UserProfiles.ProfileSubTypeManager]::Get($context) - $ps = $psm.GetProfileSubtype([Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName([Microsoft.Office.Server.UserProfiles.ProfileType]::User)) - $properties = $ps.Properties - ``` +Administrators can set which properties are searched by the People Picker by following this sample PowerShell script. -- Enable people picker search for property name **FirstName**, **LastName**, and **SPS-ClaimID**+```powershell +# Get the UPA property list +$site = $(Get-SPWebApplication $WebApplicationName).Sites[0] +$context = Get-SPServiceContext $site +$psm = [Microsoft.Office.Server.UserProfiles.ProfileSubTypeManager]::Get($context) +$ps = $psm.GetProfileSubtype([Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName([Microsoft.Office.Server.UserProfiles.ProfileType]::User)) +$properties = $ps.Properties ++# Set the proerties defined in $PropertyNames as searchable. +# In this example, we set First Name, Last Name, claim ID, email address, and PreferredName as searchable for the People Picker. +$PropertyNames = 'FirstName', 'LastName', 'SPS-ClaimID', 'WorkEmail', 'PreferredName' +foreach ($p in $PropertyNames) { + $property = $properties.GetPropertyByName($p) + if ($property) { + $property.CoreProperty.IsPeoplePickerSearchable = $true + $property.CoreProperty.Commit() + $property.Commit() + } +} +``` - ```powershell - $PropertyNames = 'FirstName', 'LastName', 'SPS-ClaimID' - foreach ($p in $PropertyNames) { - $property = $properties.GetPropertyByName($p) - if ($property) { - $property.CoreProperty.IsPeoplePickerSearchable = $true - $property.CoreProperty.Commit() - $property.Commit() - } +To check which UPSA properties have been enabled for People Picker search, you can use the following PowerShell sample: +```powershell +# Get the UPA property list +$site = $(Get-SPWebApplication $WebApplicationName).Sites[0] +$context = Get-SPServiceContext $site +$psm = [Microsoft.Office.Server.UserProfiles.ProfileSubTypeManager]::Get($context) +$ps = $psm.GetProfileSubtype([Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName([Microsoft.Office.Server.UserProfiles.ProfileType]::User)) +$properties = $ps.Properties ++# Set the proerties defined in $PropertyNames as searchable. +# In this example, we set First Name, Last Name, claim ID, email address, and PreferredName as searchable for the People Picker. +$PropertyNames = 'FirstName', 'LastName', 'SPS-ClaimID', 'WorkEmail', 'PreferredName' +foreach ($p in $PropertyNames) { + $property = $properties.GetPropertyByName($p) + if ($property) { + $property.CoreProperty.IsPeoplePickerSearchable = $true + $property.CoreProperty.Commit() + $property.Commit() }- ``` +} +``` |
SharePoint | Set Up Oidc Auth In Sharepoint Server With Msaad | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md | To create a new web application, do the following: 2. Follow [Create a web application in SharePoint Server](../administration/create-a-web-application.md) to create a new web application enabling HTTPS/Secure Sockets Layer (SSL) named SharePoint - OIDC on contoso.local. 3. Open the SharePoint Central Administration site.- 4. Open the web application you created and pick **contoso.local** as **Trusted Identity Provider**. + 4. Select the web application you created, choose "Authentication Providers" in the Ribbon, click the link for the Default zone, and pick **contoso.local** as **Trusted Identity Provider**. :::image type="content" source="../media/authentication-providers.jpg" alt-text="Authentication Providers"::: To create a new web application, do the following: :::image type="content" source="../media/new-web-application.png" alt-text="New web application"::: -To extend an existing web application, do the following: +To extend an existing web application and configure it to use the "contoso.local" trusted provider, do the following: -1. Start the SharePoint Management Shell and run the following script: +1. Start the SharePoint Management Shell and run PowerShell to extend the web application: - ```powershell - # This script creates a trusted authentication provider for OIDC - - $sptrust = Get-SPTrustedIdentityTokenIssuer "Contoso.local" - $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust - ``` -- 2. Open the SharePoint Central Administration site. - 3. Open the web application you want to extend OIDC authentication to and pick **contoso.local** as **Trusted Identity Provider**. -- :::image type="content" source="../media/authentication-providers-2.jpg" alt-text="Authentication Providers 2"::: -- 4. In the SharePoint Central Administration site, navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**. - 5. Filter the display with the web application that was extended and confirm that you see the following information: +**Example:** + ```powershell + # Get the trusted provider + $sptrust = Get-SPTrustedIdentityTokenIssuer "Contoso.local" + $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust + # Get the web app + $wa = Get-SPWebApplication http://spsites + # Extend the web app to the "Intranet" zone using trusted provider auth and a SharePoint managed certificate called "SharePoint OIDC Site" + New-SPWebApplicationExtension -Identity $wa -Name "spsites" -port 443 -HostHeader 'spsites.contoso.local'-AuthenticationProvider $ap -SecureSocketsLayer -UseServerNameIndication -Certificate 'SharePoint OIDC Site' -Zone 'Intranet' -URL 'https://spsites.contoso.local' + ``` + 2. In the SharePoint Central Administration site, navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**. + 3. Filter the display with the web application that was extended and confirm that you see the following information: :::image type="content" source="../media/sharepoint-administration-site.png" alt-text="SharePoint Administration Site"::: ## Step 5: Ensure the web application is configured with SSL certificate -Since OIDC 1.0 authentication can only work with HTTPS protocol, a certificate must be set on the corresponding web application. Perform the following steps to set the certificate: +Since OIDC 1.0 authentication can only work with HTTPS protocol, a certificate must be set on the corresponding web application. If not already configured, perform the following steps to set the certificate: 1. Generate the site certificate: In this step, you create a team site collection with two administrators: One as 11. Go to the account and select **OK** to close the People Picker dialog. 12. Select **OK** again to create the site collection. -Once the site collection is created, you're able to sign-in using either the Windows or the federated site collection administrator account. +Once the site collection is created, should be able to sign-in using either the Windows or the federated site collection administrator account. ## Step 7: Set up People Picker -In OIDC authentication, the People Picker doesn't validate the input, which can lead to misspellings or users accidentally selecting the wrong claim type. This can be addressed using the new UPA-backed claim provider in SharePoint Server. --To do this, perform the following steps: --### 1. Create a new claim provider --In the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), you already created an OIDC `SPTrustedIdentityTokenIssuer` by using `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet. In this step, you use the following PowerShell cmdlet to create a claim provider, which uses the User Profile Application service to search and resolve users and groups in the People Picker and specifies to use the OIDC `SPTrustedIdentityTokenIssuer`: -- ```powershell - $claimprovider = New-SPClaimProvider -AssemblyName "Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c" -DisplayName 'OIDC Claim Provider' -Type "Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider" -TrustedTokenIssuer $tokenissuer -Description ΓÇ£OIDC Claim ProviderΓÇ¥ -Default:$false - ``` --Specify the following parameters: --| Parameter | Description | -||-| -| AssemblyName | To be specified as `Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c`. | -| Type | To be specified as `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider` so that this command creates a claim provider, which uses UPA as the claim source. | -| TrustedTokenIssuer | To be specified as the OIDC `SPTrustedIdentityTokenIssuer` created in the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-provider), which uses this claim provider. This is a new parameter the user needs to provide when the type of the claim provider is `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider`. | -| Default | As we create a claim provider by using this cmdlet, this cmdlet can only work with `SPTrustedIdentityTokenIssuer` and `Default` parameter must be set to false so that it won't be used by any other authentication method assigned to the web application by default. | --### 2. Connect `SPTrustedIdentityTokenIssuer` with `SPClaimProvider` --In this step, the OIDC `SPTrustedIdentityTokenIssuer` uses the claim provider created in [step 1](#1-create-a-new-claim-provider) for searching and resolving users and groups: -- ```powershell - Set-SPTrustedIdentityTokenIssuer <token issuer name> -ClaimProvider <claim provider object> -IsOpenIDConnect - ``` --Specify the following parameters: --| Parameter | Description | -||-| -| token issuer name | The token issuer this People Picker will use. | -| -ClaimProvider | The `SPClaimProvider`, which will be used to generate claim. | -| -IsOpenIDConnect | Required when `SPTrustedIdentityTokenIssuer` is OIDC `SPTrustedIdentityTokenIssuer`. Without this parameter, OIDC `SPTrustedIdentityTokenIssuer` configuration fails. | --An example of this command is: -- ```powershell - $claimprovider = Get-SPClaimProvider -Identity "UPATest" - Set-SPTrustedIdentityTokenIssuer "ADFS Provider" -ClaimProvider $claimprovider -IsOpenIDConnect - ``` --### 3. Synchronize profiles to user profile service application --Now, customers can start to synchronize profiles into the SharePoint user profile service application (UPSA) from the identity provider used in the organization so that the newly created claim provider can work on the correct data set. --There are two ways to synchronize user profiles into the SharePoint UPSA: --- Create a new SharePoint Active Directory Import (AD Import) connection with **Trusted Claims Provider Authentication** as the **Authentication Provider Type** in the connection setting. To utilize AD Import, see [Manage user profile synchronization in SharePoint Server](../administration/manage-profile-synchronization.md).-- :::image type="content" source="../media/add-new-sync-connection-2.png" alt-text="Add New Synchronization Connections"::: --- Use Microsoft Identity Manager (MIM). To utilize MIM, see [Microsoft Identity Manager in SharePoint Servers 2016 and 2019](../administration/microsoft-identity-manager-in-sharepoint-server.md).- - There should be two agents inside the MIM Synchronization Service Manager UX after MIM is set up. One agent is used to import user profiles from the source IDP to the MIM database. The other agent is used to export user profiles from the MIM database to the SharePoint UPSA. --During the synchronization, the following three properties must be provided to the UPSA: --- `SPS-ClaimID`-- `SPS-ClaimProviderID`-- `SPS-ClaimProviderType`-- 1. `SPS-ClaimID` -- During the synchronization, you must pick which unique identity property in the source is mapped to the `SPS-ClaimID` property in the UPSA. We suggest using **Email** or **User Principal Name** for the `SPS-ClaimID`. The corresponding **IdentifierClaim** value needs to be set when token issuer is created from the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet. -- For AD Import synchronization, **Central Administration > Application Management > Manage service applications > User Profile Service Application > Manage User Properties** allows administrators to edit the `SPS-ClaimID` to indicate which property in the source identity provider should be synchronized to `SPS-ClaimID`. (The display name of this property is **Claim User Identifier** and it can be customized to other display names by the administrator.) For example, if email is to be used as the `SPS-ClaimID`, **Claim User Identifier** should be set to **Email**. -- :::image type="content" source="../media/SPS-ClaimID-1.png" alt-text="SPS-ClaimID"::: - :::image type="content" source="../media/SPS-ClaimID-2.png" alt-text="SPS-ClaimProviderID"::: - :::image type="content" source="../media/SPS-ClaimID-3.png" alt-text="SPS-ClaimProviderType"::: -- MIM synchronization is done by mapping **Email** or **User Principal Name** to `SPS-ClaimID` in the MIM database to the SharePoint UPSA agent: - - In the MIM Synchronization Service Manager, select the agent and open the **Configure Attribute Flow**. You can map **mail** to `SPS-ClaimID`. -- :::image type="content" source="../media/SPS-ClaimID-4.png" alt-text="SPS-ClaimID4"::: -- 2. `SPS-ClaimProviderID` and `SPS-ClaimProviderType` -- For AD Import synchronization, these properties can be modified in **User Profile Service Application > Configure Synchronization Connections > Create New Connection** when you create a new AD Import synchronization connection. -- - `SPS-ClaimProviderID` should be set to the provider name created in [step 1](#1-create-a-new-claim-provider) by the `New-SPClaimProvider` cmdlet. - - `SPS-ClaimProviderType` should be set to `SPTrustedBackedByUPAClaimProvider`. -- For MIM synchronization, these properties can be set in the **Configure Attribute Flow** for the MIM database to SharePoint UPSA agent: -- - `SPS-ClaimProviderType` should be set to **Trusted** as Constant type. - - `SPS-ClaimProviderID` should be set to the provider name created in [step 1](#1-create-a-new-claim-provider) by the `New-SPClaimProvider` cmdlet. -- :::image type="content" source="../media/configure-attribute-flow-2.png" alt-text="Configure Attribute Flow"::: --### 4. Make groups searchable --Perform the following steps to enable the People Picker control to work with groups: --1. Group object must have a property named `SID` of type `groupid` in the identity provider. -- You can create a `ClaimTypeMapping` object by using [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) and then provide this object to [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet with `-ClaimsMappings` parameter. -- ```powershell - $sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming - $tokenissuer = New-SPTrustedIdentityTokenIssuer -ClaimsMappings $sidClaimMap, $emailClaimMap - ``` -- This sample cmdlet first creates a `claimmap` object of type `groupsid` and indicates that it works with the `SID` property of the group and then creates a new identity issuer, which can understand this mapping. --2. Synchronize `SID` property of groups from the identity provider to the `SID` property in UPSA. - 1. For AD Import synchronization, `SID` is synchronized automatically without other setup from the source identity provider to the SharePoint UPSA. - 2. For MIM synchronization, the property mapping needs to be taken from the identity provider to MIM and then from MIM to the SharePoint UPSA so that MIM can synchronize the group `SID` from the identity provider to the SharePoint UPSA. This is similar to how we do user profile synchronization for the `SPS-ClaimID` property for user profiles. --1. For MIM synchronization, `sAMAccountName` should also be mapped to `accountName` from MIM to the SharePoint UPSA. If it doesnΓÇÖt exist, admin should create mapping pair from `sAMAccountName` to `accountName` in MIM manually. --### 5. Enable fields being searchable in UPSA --To make People Picker work, the final step is to enable fields to be searchable in UPSA. --Users can set which properties are searched by the People Picker by following this sample PowerShell script: -- ```powershell - #Get the property list of UPSA connected with the web application - $site = $(Get-SPWebApplication $WebApplicationName).Sites[0] - $context= Get-SPServiceContext $site - $psm = [Microsoft.Office.Server.UserProfiles.ProfileSubTypeManager]::Get($context) - $ps = - $psm.GetProfileSubtype([Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName([Microsoft.Office.Server.UserProfiles.ProfileType]::User)) - $properties = $ps.Properties -- #Enable people picker search for property name 'FistName', 'LastName' and 'SPS-ClaimID' - $PropertyNames = 'FirstName', 'LastName', 'SPS-ClaimID' - foreach ($p in $PropertyNames) { - $property = $properties.GetPropertyByName($p) - if ($property) { - $property.CoreProperty.IsPeoplePickerSearchable = $true - $property.CoreProperty.Commit() - $property.Commit() - } - } - ``` +In OIDC authentication, the People Picker doesn't validate the input, which can lead to misspellings or users accidentally selecting the wrong claim type. This can be addressed either by using a Custom Claims Provider, or by using the new UPA-backed claim provider included in SharePoint Server Subscription Edition. To configure a UPA-backed claim provider, see [Enhanced People Picker for modern authentication](/sharepoint/administration/enhanced-people-picker-for-trusted-authentication-method) |