The SharePoint claims provider lets you search your CA SiteMinder® directories with the SharePoint people picker.
The following table describes the relationships between the search criteria you enter in the people picker and the search results that appear:
When you search for this attribute in the SharePoint people picker | The SharePoint people picker returns the following results
--- | ---
User identifier or display name | The user identifier or the display name of the user
Group name | The friendly name associated with the smusergroups attribute
Other attributes (such as claim names based on a role) | The attribute value you associated with the role
Virtual attribute mappings create relationships between the attributes from your SiteMinder user directories and the SiteMinder claims provider. These mappings allow SiteMinder to search your user directories for claims, and display the results in the SharePoint people picker.
The following types of claims are supported:
Note: Configuring this feature requires information from several systems or administrators in your organization. Work with the administrators for your SharePoint environment and with administrators for the user directories in your organization.
To search the user directory in your CA SiteMinder® environment using the SharePoint people picker, create virtual attribute mappings. The CA SiteMinder® Agent for SharePoint requires at least one attribute mapping for claims that are based on the ID of a user. Create additional mappings to accommodate your needs.
Each additional mapping creates another association between a specific attribute in your user directory and the Agent for SharePoint. The people picker in SharePoint uses these associations to search your user directory using the values you specify. For example, you can create an attribute mapping that lets you search by user name, group name or email address.
The following table identifies the typical LDAP directory attribute mappings and describes how they are used in your CA SiteMinder® and SharePoint environments:
Columns 1 and 2: create a CA SiteMinder® virtual attribute to search for this claim with the people picker.
Columns 3 and 4: create a CA SiteMinder® virtual attribute so the friendly names appear in the people picker next to the corresponding claim values.
Columns 5 and 6: enter these corresponding values in the SharePoint Connection wizard.
Column 7: (Optional) customize the display name for the people picker.

Purpose | 1. Use this name for your virtual attribute | 2. Directory attribute to use for the claim value | 3. Use this name for the CA SiteMinder® virtual attribute | 4. Directory attribute to use as the claim value | 5. To define the claim in the connection wizard | 6. To define the attribute value for the claim in the connection wizard | 7. Replace the string following -IncomingClaimTypeDisplayName with this value
--- | --- | --- | --- | --- | --- | --- | ---
Mandatory user claim that uniquely identifies the user | useridentifier | uid | smuserdisplayname | displayName | Enter the following value in the Identifier Claim Name field: useridentifier | Enter the following value in the Directory Attribute field: uid | User ID
(Optional) Claim based on the groups to which the user belongs | smusergroups | Description | Not required for group-based claims. | Not required for group-based claims. | Click the Attribute drop-down list and then select the following value: smusergroups | Not required. The connection wizard configures this setting automatically. | Group
(Optional) Claim in Name=Value format (role claim) | userrole | employeeType | Not supported. | Not supported. | 1. Click the Attribute drop-down list and then select the following value: NameValue. 2. Click the Claim type drop-down list and select the following value: User Attribute. 3. Click the Claim Name field and enter the following value: userrole | Enter the following value in the Directory Attribute field: employeeType | Role
To search the user directory in your CA SiteMinder® environment using the SharePoint people picker, create virtual attribute mappings. The CA SiteMinder® Agent for SharePoint requires at least one attribute mapping for claims that are based on the ID of a user. Create additional mappings to accommodate your needs.
Each additional mapping creates another association between a specific attribute in your user directory and the Agent for SharePoint. The people picker in SharePoint uses these associations to search your user directories using the values you specify. For example, you can create an attribute mapping that lets you search by user name, group name or email address.
The following table identifies the typical Microsoft Active Directory attribute mappings and describes how they are used in your CA SiteMinder® and SharePoint environments:
Columns 1 and 2: create a CA SiteMinder® virtual attribute to search for this claim with the people picker.
Columns 3 and 4: create a CA SiteMinder® virtual attribute so the friendly names appear in the people picker next to the corresponding claim values.
Columns 5 and 6: enter these corresponding values in the SharePoint Connection wizard.
Column 7: (Optional) customize the display name for the people picker.

Purpose | 1. Use this name for your virtual attribute | 2. Directory attribute to use for the claim value | 3. Use this name for the CA SiteMinder® virtual attribute | 4. Directory attribute to use as the claim value | 5. To define the claim in the connection wizard | 6. To define the attribute value for the claim in the connection wizard | 7. Replace the string following -IncomingClaimTypeDisplayName with this value
--- | --- | --- | --- | --- | --- | --- | ---
Mandatory user claim that uniquely identifies the user | useridentifier | sAMAccountName | smuserdisplayname | displayName | Enter the following value in the Identifier Claim Name field: useridentifier | Enter the following value in the Directory Attribute field: sAMAccountName | User ID
(Optional) Claim based on the groups to which the user belongs | smusergroups | name (use the friendly name of your groups) | Not required for group-based claims. | Not required for group-based claims. | Click the Attribute drop-down list and then select the following value: smusergroups | Not required. The connection wizard configures this setting automatically. | Group
(Optional) Claim in Name=Value format (role claim) | userrole | countryCode | Not supported. | Not supported. | 1. Click the Attribute drop-down list and then select the following value: NameValue. 2. Click the Claim type drop-down list and select the following value: User Attribute. 3. Click the Claim Name field and enter the following value: userrole | Enter the following value in the Directory Attribute field: countryCode | Role
Integration with SharePoint requires at least one claim that contains an identifier that uniquely identifies the user. These claims often appear in the people picker as cryptic values, such as the following example:
uid=e123456
Such claims are difficult to associate with the intended user. The CA SiteMinder® Agent for SharePoint uses a special attribute mapping which retrieves the display name of the user. This user name appears next to the related identifier claim in the people picker. After this user mapping is configured, the previous example appears in the people picker like the following one:
uid=e123456 associated_user_name
The CA SiteMinder® Agent for SharePoint requires an attribute mapping based on an attribute with a unique value for each user. Use the Administrative UI to create a pair of attribute mappings that defines how SiteMinder searches for user claims through the SharePoint people picker.
Note: For more information about the relationships between attribute mappings in an LDAP directory and the other components of your environment, see the LDAP examples chart.
Follow these steps:
A list of user directory connections appears.
The Modify User directory page appears.
The create attribute mapping page appears.
useridentifier
uid
The Modify User directory page appears.
smuserdisplayname
displayName
The Modify User directory page appears.
The attribute mappings are created.
The CA SiteMinder® Agent for SharePoint requires an attribute mapping that is based on an attribute with a unique value for each user. Use the Administrative UI to create a pair of attribute mappings that defines how SiteMinder searches for user claims through the SharePoint people picker.
Note: For more information about relationships between attribute mappings in an Active Directory server and other components of your environment, see the Active Directory examples table.
Follow these steps:
A list of user directory connections appears.
The Modify User directory page appears.
The create attribute mapping page appears.
useridentifier
sAMAccountName
The Modify User directory page appears.
smuserdisplayname
displayName
The Modify User directory page appears.
The attribute mappings are created.
You can also configure a claim that uses the groups to which the user belongs. Group mappings assign SharePoint permissions based on groups of users rather than individuals.
Some user directories define the groups of users by including an attribute in the record that contains the distinguished name (DN) of each group. The DN also appears as a cryptic value such as the following example:
entryDN=cn=grp12345,ou=Groups,dc=example,dc=com
With such claims, it is difficult to identify the name of the group associated with the value in the people picker.
The CA SiteMinder® Agent for SharePoint uses two attribute mappings and the groups setting you specify in the SharePoint connection wizard to search for groups by their display name. The CA SiteMinder® Agent for SharePoint retrieves both the display name of the group and DN of the group.
Both the display name and the DN of the group then appear in the people picker, as shown in the following example:
cn=grp12345,ou=Groups,dc=example,dc=com(Sales Managers)
You can also create attribute mappings based on a group of users. Use the Administrative UI to create an attribute mapping that defines how SiteMinder searches for group claims through the SharePoint people picker.
Note: For more information about the relationships between attribute mappings in an LDAP directory and the other components of your environment, see the LDAP examples chart.
Follow these steps:
A list of user directory connections appears.
The Modify User directory page appears.
The create attribute mapping page appears.
smusergroups
description
The Modify User directory page appears.
The attribute mapping is created.
You can also create attribute mappings based on a group of users. Use the Administrative UI to create an attribute mapping that defines how SiteMinder searches for group claims through the SharePoint people picker.
Note: For more information about relationships between attribute mappings in an Active Directory server and other components of your environment, see the Active Directory examples table.
Follow these steps:
A list of user directory connections appears.
The Modify User directory page appears.
The create attribute mapping page appears.
smusergroups
name
The Modify User directory page appears.
The attribute mapping is created.
You can also configure any number of claims in Name=Value format. These name/value pairs are often named role claims.
Role claims are found by reading a configurable attribute on the user record in your user directory. You can then assign any name you want for the claim. For example, you can name a claim "userrole" and configure it to point to the "employeeType" attribute in your LDAP directory.
After authentication, the CA SiteMinder® Agent for SharePoint creates a name/value pair such as "userrole=manager" for the claim. If the "employeeType" attribute for the authenticated user contains the value manager, SharePoint allows the user access to the resource.
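The following added example (a model written for this page, not CA's claims provider code) shows how the identifier, group and role mappings from the LDAP examples table turn directory records into the people-picker values described above, how a search term resolves against them, and a check that the identifier attribute really is unique per user. The directory entries, the group table and the "memberOf" attribute are constructed for the example.

```python
"""Model (added example, not CA's code) of how virtual attribute mappings
resolve directory attributes into the claims the people picker shows."""
from collections import Counter

# Virtual attribute -> directory attribute, taken from the LDAP examples table.
LDAP_MAPPINGS = {
    "useridentifier": "uid",              # mandatory; must be unique per user
    "smuserdisplayname": "displayName",   # friendly name shown next to the identifier
    "smusergroups": "description",        # friendly name of the group entry
    "userrole": "employeeType",           # source of the Name=Value role claim
}

# Constructed sample entries; "memberOf" is an assumed group-membership attribute.
USERS = [
    {"uid": "e123456", "displayName": "Jane Doe", "employeeType": "manager",
     "memberOf": ["cn=grp12345,ou=Groups,dc=example,dc=com"]},
    {"uid": "e654321", "displayName": "John Roe", "employeeType": "staff",
     "memberOf": []},
]
GROUPS = {"cn=grp12345,ou=Groups,dc=example,dc=com": {"description": "Sales Managers"}}

def identifier_problems(users, mappings):
    """Values of the identifier attribute that are missing or shared by several
    users; such a mapping cannot uniquely identify a user and must not be used."""
    counts = Counter(u.get(mappings["useridentifier"]) for u in users)
    return sorted(str(v) for v, n in counts.items() if v is None or n > 1)

def user_claims(user, mappings, groups=GROUPS):
    """Render the identifier, group and role claims for one user record."""
    id_attr = mappings["useridentifier"]
    return {
        # "uid=e123456 Jane Doe": identifier claim plus the mapped display name
        "identifier": f"{id_attr}={user[id_attr]} {user[mappings['smuserdisplayname']]}",
        # "<group DN>(Sales Managers)": DN plus the mapped friendly name
        "groups": [f"{dn}({groups[dn][mappings['smusergroups']]})" for dn in user["memberOf"]],
        # "userrole=manager": Name=Value claim built from the mapped attribute
        "role": f"userrole={user[mappings['userrole']]}",
    }

def people_picker_search(term, users, mappings):
    """Return the claim strings that match the term (case-insensitive), whether the
    term is a user id, display name, group friendly name or role value."""
    term = term.lower()
    hits = set()
    for claims in (user_claims(u, mappings) for u in users):
        for text in [claims["identifier"], claims["role"], *claims["groups"]]:
            if term in text.lower():
                hits.add(text)
    return sorted(hits)
```

Swap in the Active Directory mapping (sAMAccountName, name, countryCode) for LDAP_MAPPINGS to model the second table.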
You can also create attribute mappings based on user roles. Use the Administrative UI to create an attribute mapping that defines how SiteMinder searches for role-based claims through the SharePoint people picker.
Note: For more information about the relationships between attribute mappings in an LDAP directory and the other components of your environment, see the LDAP examples chart.
Follow these steps:
A list of user directory connections appears.
The Modify User directory page appears.
The create attribute mapping page appears.
userrole
employeeType
The Modify User directory page appears.
The attribute mapping is created.
You can also create attribute mappings based on user roles. Use the Administrative UI to create an attribute mapping that defines how SiteMinder searches for role-based claims through the SharePoint people picker.
Note: For more information about relationships between attribute mappings in an Active Directory server and other components of your environment, see the Active Directory examples table.
Follow these steps:
A list of user directory connections appears.
The Modify User directory page appears.
The create attribute mapping page appears.
userrole
countryCode
The Modify User directory page appears.
The attribute mapping is created.
If you are not the user who installed or configured SharePoint, you need one of the following privileges to run the Claims Provider installer:
If you are installing your Claims provider on a new SharePoint farm, install the claims provider on your SharePoint central administration server. If you add any additional SharePoint servers to your farm later, install the claims provider on each SharePoint server you add.
Follow these steps:
ca-spclaims-version-win64.exe
The installation program starts.
The Claims provider is successfully installed.
Follow these steps:
The Central Administration>System Settings page appears.
The Central Administration>Solution Management page appears and the status of the Claims Provider is shown as Deployed.
Copyright © 2014 CA.
All rights reserved.