I recently had the chance to work with SiteMinder as an authentication mechanism for SharePoint 2010. It has been fun to play with and see how it works. This post is really a few notes about how to set up the SharePoint side, not the SiteMinder side. First, the script to add SiteMinder as a Trusted Identity Provider is the same as all of the other ones you have seen.
As a note, in my implementation I had a chain of certificates, so I had to add multiple certs into SharePoint.
## Add Certificates to SharePoint ##
```powershell
$rootcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("{Path to Root Cert}")
New-SPTrustedRootAuthority -Name "SM Root Certificate" -Certificate $rootcert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("{Path to Issuing Cert}")
New-SPTrustedRootAuthority -Name "SM Issuing Certificate" -Certificate $cert
$signcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("{Path to Signing Cert}")
New-SPTrustedRootAuthority -Name "SM Signing Certificate" -Certificate $signcert
```
## Create Claim Mappings ##
## Using Username, Display Name, Email and Security Group ##
```powershell
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/useridentifier" -IncomingClaimTypeDisplayName "Username" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/smuserdisplayname" -IncomingClaimTypeDisplayName "Display Name" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/email" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/smusergroups" -IncomingClaimTypeDisplayName "Groups" -SameAsIncoming
```
## Set the Realm ##
```powershell
$realm = "urn:sharepoint_realm_dev"
```
## Sign-in URL, the SiteMinder Proxy URL endpoint ##
```powershell
$signinurl = "http://{url}/affwebservices/public/wsfeddispatcher"
```
## Add Trusted Identity Provider ##
```powershell
$ap = New-SPTrustedIdentityTokenIssuer -Name "Site Minder IDP" -Description "Site Minder IDP" -Realm $realm -ImportTrustCertificate $signcert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType -UseWReply
```
Running this creates the Identity Provider within SharePoint. When you test it you will probably find that the login process loops endlessly; if so, you need to perform the following on the SharePoint server.
## Update LogonTokenCacheExpirationWindow to be less than the SiteMinder timeout ##
```powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sts.Update()
```
The login should now work; however, you may not want it set to 1 minute, so check what the SiteMinder timeout is set to (normally a few minutes) and adjust the window accordingly so it stays below that value. Once that is completed you will find that you struggle to resolve users and groups from within the People Picker. To resolve this you will need to install the following on the server:
ca-spclaims-12.5-win64.exe
This installs the claims provider components that the People Picker needs to resolve users and groups. Now open the following directory from a SharePoint PowerShell window:
```powershell
C:\Program Files\CA\SharePointClaimsProvider\scripts
```
From the PowerShell window you need to run the following command:
## Set the Claim Provider for the Identity Provider ##
```powershell
.\Update-SMTrustedIdentityTokenIssuer.ps1 -TrustedIdentityTokenIssuer "Site Minder IDP"
```
This sets the claims provider for the identity provider. Now we need to wire up the claims provider to a web service that resides on the proxy agent using the following command. You will need to run this command for each web application and for Central Administration.
## Connect the People Picker to the Proxy People Web Service for the Web Application ##
```powershell
.\ADD-SMClaimSearchService.ps1 -WebApplication http://{web-application-url} -claimSearchService http://{proxy-url}:8080/ClaimsWS/services/WSSharePointClaimsServiceImpl
```
## Connect the People Picker to the Proxy People Web Service for Central Administration ##
```powershell
.\ADD-SMClaimSearchService.ps1 -WebApplication http://{central-admin-web-application-url} -claimSearchService http://{proxy-url}:8080/ClaimsWS/services/WSSharePointClaimsServiceImpl
```
The final step is to set the properties that will show in the People Picker, so that users and groups appear with friendly display names. The following two commands set the display names to friendly values instead of what the base claims provider renders.
## Set the Display Name Format for both users and groups ##
```powershell
.\Set-SMClaimProviderConfiguration.ps1 -UserNameFormat DisplaynameOnly
.\Set-SMClaimProviderConfiguration.ps1 -GroupNameFormat DisplaynameOnly
```
This will get you working with Site minder in SharePoint 2010. :-)
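To check that the trust created by the steps above is in a healthy state, here is an added verification script that is not from the original post or from CA. It assumes the issuer name "Site Minder IDP" used in the setup script and an assumed SiteMinder session timeout in $siteMinderTimeoutMinutes, which you should replace with the value your policy server actually uses.

```powershell
# Added verification script (not from the original post). Assumes the issuer
# name "Site Minder IDP" from the setup script and an assumed SiteMinder session
# timeout; replace $siteMinderTimeoutMinutes with your policy server's value.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "Site Minder IDP"
$siteMinderTimeoutMinutes = 10   # assumed value, not from the post

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $issuer) { throw "Trusted identity token issuer '$issuerName' not found." }

# 1. Every certificate in the token signing certificate's chain must be registered
#    as a trusted root authority, otherwise SharePoint cannot validate token signatures.
$trustedThumbprints = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($issuer.SigningCertificate)
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $state = if ($trustedThumbprints -contains $c.Thumbprint) { "trusted" } else { "MISSING from SPTrustedRootAuthority" }
    "{0,-50} expires {1:yyyy-MM-dd}  {2}" -f $c.Subject, $c.NotAfter, $state
}
if ($issuer.SigningCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token signing certificate expires within 30 days; rotate it before sign-in starts failing."
}

# 2. The sign-in redirect should use HTTPS so the login page and the returned
#    token are not exchanged in clear text between the browser and the proxy.
if ($issuer.ProviderUri.Scheme -ne "https") {
    Write-Warning ("Sign-in URL {0} is not HTTPS." -f $issuer.ProviderUri)
}

# 3. Confirm the identifier claim and the four claim mappings from the setup script.
"Identifier claim: " + $issuer.IdentifierClaim
$issuer.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType | Format-Table -AutoSize

# 4. The logon token cache window must be shorter than the SiteMinder session
#    timeout, otherwise the redirect loop described in the post comes back.
$window = (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow
if ($window.TotalMinutes -ge $siteMinderTimeoutMinutes) {
    Write-Warning ("LogonTokenCacheExpirationWindow is {0} min, not below the SiteMinder timeout of {1} min." -f $window.TotalMinutes, $siteMinderTimeoutMinutes)
} else {
    "LogonTokenCacheExpirationWindow is {0} min (SiteMinder timeout {1} min): OK" -f $window.TotalMinutes, $siteMinderTimeoutMinutes
}
```

Run it from the SharePoint 2010 Management Shell on a farm server; any line marked MISSING or any warning points at the step above that still needs attention.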