Agent for SharePoint Guide › Configure SharePoint › Adding Claims to Trusted Identity Providers

Adding Claims to Trusted Identity Providers

SharePoint 2010 supports third-party identity providers. These identity providers authenticate and authorize users who request SharePoint resources. A SharePoint administrator configures a trusted identity provider for a SharePoint environment.

Claims are a form of attribute or role, that a user has. Each claim has a name to identify it, and a value that the trusted identity provider verifies by connecting to a user directory.

For example, you can configure claims that correspond to the SamAccountName attribute of an Active Directory server or a uid of an LDAP directory server.

You can add a claim to a CA SiteMinder® trusted identity provider at any time. The following illustration describes the process:

Flowchart showing process for adding claims to SiteMinder Trusted Identity Provider

To add a claim to a CA SiteMinder® trusted identity provider, follow these steps:

Verify that your Account has the Required Permissions

The user account with which you want to modify the CA SiteMinder® trusted identity provider requires certain permissions. Modify the permissions of your user account if it does not meet the following conditions:

An Administrator account.
A member of the Administrators group.

Add the following privileges to your account:

Local administrator on all SharePoint web front end (WFE) servers.
Read/Write access to the configuration database.

Open a SharePoint 2010 Management Shell Window on your SharePoint Central Administration Server

Add claims to your CA SiteMinder® trusted identity provider using the SharePoint 2010 Management shell.

Follow these steps:

Log in to your SharePoint Central Administration server.
Click Start, All Programs, Microsoft SharePoint 2010 Products, SharePoint 2010 Management Shell.
A SharePoint 2010 management shell command-line window appears.

Identify your Trusted Identity Provider

A SharePoint 2010 environment can have multiple trusted identity providers. Identify your CA SiteMinder® trusted identity provider before modifying any claims that are associated with it.

Follow these steps:

Enter the following command to list all of the trusted identity providers:
```
Get-SPTrustedIdentityTokenIssuer 
```
A list of trusted identity providers appears.
Locate your CA SiteMinder® trusted identity provider in the list.
Your CA SiteMinder® trusted identity provider is identified.

Add a Claim to your Trusted Identity Provider

Adding a claim to your CA SiteMinder® trusted identity provider involves several steps using the SharePoint 2010 Management Console. This example adds a claim for the last name of a user to the CA SiteMinder® trusted identity provider. Use this example as a guide to add any claim you want to your CA SiteMinder® trusted identity provider.

Follow these steps:

Enter the following command to assign the name of your CA SiteMinder® trusted identity provider to a variable:

$trutsed_identity_provider_variable_name = Get-SPTrustedIdentityTokenIssuer -Identity "name_of_siteminder_trusted_identity_provider"

Enter the following command to add a claim type that is based on the last name of a user:

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/lastname" -IncomingClaimTypeDisplayName "role" -LocalClaimType "http://schemas.xmlsoap.org/claims/lastname"

Enter the following command to associate the new claim type with your CA SiteMinder® trusted identity provider:
```
$map2 | Add-SPClaimTypeMapping -TrustedIdentityTokenIssuer $trutsed_identity_provider_variable_name
```
The new claim is added to your trusted identity provider.

Verify the New Claim Exists

You can verify the addition of the new claim to your CA SiteMinder® trusted identity provider. This example verifies the addition of a claim for the last name of a user.

Follow these steps:

Enter the following command to verify the presence of your new claim:
```
Get-SPTrustedIdentityTokenIssuer
```
A list of trusted identity providers appears.
Verify that new claim for your CA SiteMinder® trusted identity provider appears.

Add an Attribute Mapping for the New Claim

Add an attribute mapping for the new claim using the CA SiteMinder® Administrative UI. For this example, an attribute mapping links the claim, such as last name, to a specific attribute in your user directory. For both Active Directory servers and LDAP directories, map the Last Name claim to the sn attribute in your directory.

Follow these steps:

Log on to the CA SiteMinder® Administrative UI.
Click Infrastructure, Directory, User Directory, Modify User Directory.
A list of user directory connections appears.
Click the option button for your user directory, and then click Select.
The Modify User directory page appears.
Click Create.
The create attribute mapping page appears.
Verify that the Create a new object of type Attribute Mapping option button is selected, and then click OK.
Click the name field, and enter the name of the new claim. For example, if your new claim is Last Name, as shown in this example, enter the following text:
```
Last Name
```
Verify that the Alias option button is selected, and then click the Definition field.
Enter the directory attribute that you want to associate with the claim you added. For example, if your new claim is Last Name, as shown in this example, enter the following text:
```
sn
```
Click OK.
The Modify User directory page appears.
Click Submit.
The attribute mapping for the new claim is created.

Update the Affiliate Domain with a Response Attribute

Update the affiliate domain with a response attribute for your new claim. This update requires running the SharePoint connection wizard on the computer hosting your CA SiteMinder® Agent for SharePoint.

This procedure adds the mapping of the new claim to your Policy Server.

Follow these steps:

Navigate to the following directory:

Agent-for-SharePoint_home/sharepoint_connection_wizard

Do one of the following procedures:
- For Windows operating environments, right-click the executable and then select Run as administrator.
- For Solaris operating environments, enter the following command:
```
Solaris: sh ./ca-spconnect-version-sol.bin
```
- For Linux operating environments, enter the following command:
```
Linux: sh ./ca-spconnect-version-rhel30.bin
```
The wizard starts.
Click Next.
The Login Details screen appears.
Complete the following fields with the information from your existing CA SiteMinder® settings:

Policy Server Name

Specifies the Policy Server name or IP address.

Username

Specifies the Policy Server administrator username.

Password

Specifies the Policy Server administrator password.

Agent Name

Specifies the Agent-4x. The connection with the Policy Server is established using the details given in the Agent Name.

Shared Secret Key

Specifies the shared secret key that is associated with the Agent.
Click Next
The Select Action screen appears.
Select Edit a SharePoint Connection option.
Click Next.
The SharePoint Connection Properties screen appears.
Click Next until the Add Attributes screen appears.
Click the drop-down arrows and select the values for the new claim from the following lists:
Attribute
Specifies an attribute name for one of the following claim types:
- Group based
- Role based
For multivalued attributes, prefix FMATTR, as shown in the following example:

Example: (multivalued attributes) FMATTR:LastName
Claim Type

Specifies an attribute value in your directory that is associated with the specified attribute name.

Example: (Active Directory attribute value for LastName) sn.

Example: (LDAP Directory role-based claim) sn.
Click Add, and then click Next.
The attribute details are saved and the Commit Details screen appears.
Click Install in the Commit Details screen.
The Save Complete screen appears.
Click Done.
The partnership details are saved, the SharePoint Connection is modified, and the wizard closes.

Search for and Add Users using the New Claim

You can search for users to add to your SharePoint Policy for web application using the new claim. For example, if you added a claim for the Last Name attribute, you can search for users by entering their last names in the SharePoint people picker.

Follow these steps:

Click Start, Programs, Microsoft SharePoint 2010 Products.
The Central Administration home page appears.
Click Manage web applications, in the Application Management section.
The Web Applications Management page appears with a list of available web applications.
Click the web application name for which you want to add users.
The buttons on the ribbon become available.
Click User Policy on the ribbon.
The Policy for Web Application dialog appears.
Click Add Users.
The Select Zone dialog appears.
Verify that the Zone you want appears in the drop-down list, and then Click Next.
The Add Users dialog appears.
Click the Browse button, in the Choose Users section, below the Users text box.
The Select People and Groups – Webpage Dialog appears.
Enter a value that corresponds to the new claim. For example, if your new claim is Last Name, enter the last name of a user.
The right pane displays the search results with a list of users whose attributes match the value on which you searched.
Select the user and click Add.
The selected user is added.
(Optional) Repeat steps 8 and 9 to select additional users.
Click OK.
The Add Users dialog appears and displays the selected user.
Under Choose Permissions, click the permissions that you want to grant to the users.
Click Finish.
The selected users and permissions are added.