

Configure the Claims Provider

After you install the CA SiteMinder® Claims provider, add the claims search service and update the claims provider of the trusted identity token issuer:

Follow these steps:
  1. Update the claims provider of the trusted identity token issuer.
  2. Add the Claims search service.

After you add the Claims Search service, you can also configure the Claims Provider to suit your needs with any of the following optional procedures:

Update the Claims Provider of the Trusted Identity Token Issuer

The Update-SMTrustedIdentityTokenIssuer command updates the claims provider of a trusted identity token issuer to CASiteMinderClaimProvider.

Follow these steps:

  1. Click Start, All Programs, Microsoft SharePoint 2010 Products, the SharePoint 2010 Management Shell.

    The SharePoint 2010 Management Shell command prompt appears.

  2. Navigate to the following directory:
     C:\Program Files\CA\SharePointClaimsProvider\scripts
    
  3. Enter the update command. This command has the following format:
    Update-SMTrustedIdentityTokenIssuer.ps1 -TrustedIdentityTokenIssuer "Name_of_Trusted_Identity_Provider_registered_with_SharePoint"
    TrustedIdentityTokenIssuer

    Specifies the name of the CA SiteMinder® trusted identity token issuer (trusted login provider) to update.

    Example:

    .\Update-SMTrustedIdentityTokenIssuer.ps1 -TrustedIdentityTokenIssuer "SiteMinder Federation"
    

    The SharePoint central administration server is updated with the new claims provider of the trusted identity token issuer.

Add Claims Search Web Service

Add the claims search web service used in the CA SiteMinder® Agent for SharePoint to specific SharePoint web applications by executing the Add-SMClaimSearchService command. The changes made by this script are reflected across the SharePoint Farm.

Follow these steps:

  1. Click Start, All Programs, Microsoft SharePoint 2010 Products, the SharePoint 2010 Management Shell.

    The SharePoint 2010 Management Shell command prompt appears.

  2. Navigate to the following directory:
    C:\Program Files\CA\SharePointClaimsProvider\scripts
    
  3. Enter the add command. This command has the following format:
    Add-SMClaimSearchService.ps1 -WebApplication <URL_of_web_application> -claimSearchService <URL_of_claim_search_service_in_spagent>
    
    WebApplication

    Specifies the URL of the web application.

    claimSearchService

    Specifies the URL of the claim search service running in CA SiteMinder® Agent for SharePoint.

    Example:

    .\Add-SMClaimSearchService.ps1 -WebApplication http://myhostname:1234 -claimSearchService http://spagent.ca.com:2345/ClaimsWS/services/WSSharePointClaimsServiceImpl
    

    The claims search web service is added to the web.config file of the web application.

  4. Enter the add command again to add the claims search web service to the web.config file of the SharePoint Central Administration.
    Add-SMClaimSearchService.ps1 -WebApplication <Central_Administration_URL> -claimSearchService <URL_of_claim_search_service_in_spagent>
    
    WebApplication

    Specifies the URL of the SharePoint Central Administration website.

    claimSearchService

    Specifies the URL of the claim search service running in the CA SiteMinder® Agent for SharePoint. Add the port number you specified for the Claims WS of the CA SiteMinder® Agent for SharePoint when you ran the Configuration wizard to the end of the URL.

    Example:

    .\Add-SMClaimSearchService.ps1 -WebApplication http://SharePoint_server_name:1221 -claimSearchService http://spagent.ca.com:2345/ClaimsWS/services/WSSharePointClaimsServiceImpl
    

    The claims search web service is added to the web.config file of the SharePoint Central Administration.
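
The following script is an added example, not part of CA's documentation or scripts. It runs steps 3 and 4 of this procedure for a list of web applications plus Central Administration, validates the claim search service URL first, and then checks the local web.config for the endpoint. It assumes the service URL is written literally into web.config; the wrapper's parameter names are hypothetical, and its default URLs are the example values from this page.

```powershell
# Added example (not CA's code). Run in the SharePoint 2010 Management Shell.
# Default values are the example URLs from this page; replace them with yours.
param(
    [string[]]$WebApplication = @('http://myhostname:1234'),
    [string]$ClaimSearchService = 'http://spagent.ca.com:2345/ClaimsWS/services/WSSharePointClaimsServiceImpl',
    [string]$ScriptDir = 'C:\Program Files\CA\SharePointClaimsProvider\scripts'
)
$ErrorActionPreference = 'Stop'

# Reject a malformed service URL before anything is written to web.config.
$svc = $null
if (-not [uri]::TryCreate($ClaimSearchService, [System.UriKind]::Absolute, [ref]$svc)) {
    throw "claimSearchService is not an absolute URL: $ClaimSearchService"
}
if ($svc.IsDefaultPort) {
    Write-Warning "No explicit Claims WS port in $ClaimSearchService"
}

# Step 4: Central Administration needs the same entry as the web applications.
$all = @(Get-SPWebApplication -IncludeCentralAdministration)
$ca  = $all | Where-Object { $_.IsAdministrationWebApplication }
if (-not $ca) { throw 'Central Administration web application not found.' }
$targets = @($WebApplication) + @($ca.Url) | Select-Object -Unique

Push-Location $ScriptDir
try {
    foreach ($url in $targets) {
        $wa = $all | Where-Object { $_.Url.TrimEnd('/') -eq $url.TrimEnd('/') }
        if (-not $wa) { throw "No SharePoint web application with URL $url" }

        .\Add-SMClaimSearchService.ps1 -WebApplication $url -claimSearchService $ClaimSearchService

        # Check this server's web.config only; other farm servers need the same check.
        # Assumption: the service URL appears literally in the file.
        $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
        $cfg  = Join-Path $wa.IisSettings[$zone].Path.FullName 'web.config'
        $hit  = Select-String -Path $cfg -SimpleMatch -Pattern $ClaimSearchService -Quiet
        New-Object PSObject -Property @{ WebApplication = $url; EndpointInWebConfig = [bool]$hit }
    }
}
finally {
    Pop-Location
}
```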

More information:

CA SiteMinder® Agent for SharePoint Configuration Wizard Information Worksheet

Create SharePoint Policies with Placeholders for Expected Directory Attributes

The CA SiteMinder® Agent for SharePoint has a client loopback feature that lets you create policies in your SharePoint environment using directory attribute values that do not yet exist.

For example, suppose that your directory server contains an attribute named employeeType, and the employeeType attribute uses one of the following values for each user:

For example, suppose you want to create an attribute value for the employeeType attribute named Vendor in your directory servers to use with SharePoint.

If a different group in your organization manages the directory servers, that task is beyond your control. The Claims Provider creates placeholders for the new attribute values using the loopback feature.

In this example, use the loopback feature so that the Vendor attribute value exists in your SharePoint environment before it appears in the directory servers. New attribute values let you create SharePoint policies whenever you want, without waiting for your administrator to add the actual attribute values to your directory.

Follow these steps:

  1. Click Start, All Programs, Microsoft SharePoint 2010 Products, SharePoint 2010 Management Shell.

    The management shell command line window opens.

  2. Navigate to the following directory:
    C:\Program Files\CA\SharePointClaimsProvider\scripts
    
  3. Enter the following command:
    .\Set-SMClaimProviderConfiguration.ps1 -EnableLoopBackSearch
    

    Loopback search is enabled.

  4. Use the SharePoint people picker to search the new attribute values you want.

    A placeholder for the new attribute value is added to SharePoint using the loopback search function.

  5. Repeat Step 4 to add additional placeholders for more attribute values.
  6. (Optional) After adding your placeholders, disable support for the loopback search function by doing the following steps:
    1. Repeat Steps 1 and 2.
    2. Enter the following command:
      .\Set-SMClaimProviderConfiguration.ps1 -DisableLoopBackSearch
      

      Loopback search is disabled.

Change How Directory Attributes Appear in the SharePoint People Picker

You can customize how certain directory attributes from your SiteMinder user directories appear in the SharePoint people picker.

Follow these steps:

  1. Click Start, All Programs, Microsoft SharePoint 2010 Products, SharePoint 2010 Management Shell.

    The management shell command line window opens.

  2. Navigate to the following directory:
    C:\Program Files\CA\SharePointClaimsProvider\scripts
    
  3. Enter the .\Set-SMClaimProviderConfiguration.ps1 command with one of the following options:
    -UserNameFormat

    Specifies how the user names for which you search appear in the SharePoint people picker. Use one of the following options:

    ValueOnly

    Displays only the value of the identifier claim attribute in your directory server associated with the user. For example, if your uid is user_number, then only user_number appears in your search results.

    Example: user_0001

    DisplaynameOnly

    Displays only the name of the user, using the format specified in your SiteMinder directory.

    Example: last_name_of_user, first_name_of_user

    DisplaynameAppended

    Displays the name of the user, and the value of the identifier claim attribute in your directory server associated with the user.

    Example: user_0001 (last_name_of_user, first_name_of_user)

    -GroupNameFormat

    Specifies how the group names for which you search appear in the SharePoint people picker. Use one of the following options:

    ValueOnly

    Displays only the distinguished name (DN) value of the group claim attribute in your directory server associated with the user.

    Example: OU=group_0001, DC=example, DC=COM

    DisplaynameOnly

    Displays only the name of the group, using the format specified in your SiteMinder directory.

    Example: group_name

    DisplaynameAppended

    Displays the name of the group, and the value of the group claim attribute in your directory server associated with the user.

    Example: group_name OU=group_0001, DC=example, DC=COM

    The appearance of the directory attributes is changed.

Remove Claims Search Web Service

The Remove-SMClaimSearchService command removes the changes made in the web.config file. The script identifies the modifications made by the user from the CASiteMinderSharePoint2010Agent_ClaimsSearchServiceEndpoint file.

Follow these steps:

  1. Click Start, All Programs, Microsoft SharePoint 2010 Products, the SharePoint 2010 Management Shell.

    The SharePoint 2010 Management Shell command prompt appears.

  2. Navigate to the following directory:
    C:\Program Files\CA\SharePointClaimsProvider\scripts
    
  3. Enter the remove command. This command has the following format:
    Remove-SMClaimSearchService.ps1 -WebApplication <URL_of_web_application>
    
    WebApplication

    Specifies the URL of the web application.

    Example:

    .\Remove-SMClaimSearchService.ps1 -WebApplication http://myhostname:1234
    

    The changes made in the web.config file are removed.