This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/integrations/services/sharepoint-se/index.md

377 lines
19 KiB
Markdown
Raw Permalink Normal View History

---
title: SharePoint Server SE
---
<span class="badge badge--secondary">Support level: Community</span>
## What is Microsoft SharePoint
> SharePoint is a proprietary, web-based collaborative platform that integrates natively with Microsoft 365.
>
> Launched in 2001, SharePoint is primarily sold as a document management and storage system, although it is also used for sharing information through an intranet, implementing internal applications, and for implementing business processes.
>
> -- https://en.wikipedia.org/wiki/SharePoint
> Organizations use Microsoft SharePoint to create websites.
>
> You can use it as a secure place to store, organize, share, and access information from any device.
> All you need is a web browser, such as Microsoft Edge, Internet Explorer, Chrome, or Firefox.
>
> -- https://support.microsoft.com/en-us/office/what-is-sharepoint-97b915e6-651b-43b2-827d-fb25777f446f
:::note
There are many ways to implement SSO mechanism within Microsoft SharePoint Server Subscription Edition.
These guidelines provides the procedure to integrate authentik with an OIDC provider based on Microsoft documentation.
(cf. https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad)
In addition, it provides the procedure to enable claims augmentations in order to resolve group memberships.
For all other integration models, read Microsoft official documentation.
(cf. https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/plan-user-authentication)
:::
:::caution
This setup only works starting with **authentik** version **2023.10** and Microsoft **SharePoint** Subscription Edition starting with the **Cumulative Updates** of **September 2023**.
:::
## Preparation
When you configure OIDC with authentik, you need the following resources:
1. A SharePoint Server Subscription Edition farm starting with CU of September 2023
2. An authentik instance starting with version 2023.10
3. (Optional) [LDAPCP](https://www.ldapcp.com/docs/overview/introduction/) installed on the target SharePoint farm
:::info
Ensure that the authentik and SharePoint Server clocks are synchronized.
:::
These guidelines use the following placeholders for the overall setup:
| Name | Placeholder | Sample value |
| -------------------------------------------------- | ------------------------------------ | -------------------------------------------------------------------------------------- |
| authentik Application Name | `auth.applicationName` | SharePoint SE |
| authentik Application Slug | `auth.applicationSlug` | sharepoint-se |
| authentik OIDC Name | `auth.providerName` | OIDC-SP |
| authentik OIDC Configuration URL | `auth.providerConfigURL` | https://authentik.company/application/o/sharepoint-se/.well-known/openid-configuration |
| authentik OIDC Client ID | `auth.providerClientID` | 0ab1c234d567ef8a90123bc4567890e12fa3b45c |
| authentik OIDC Redirect URIs | `auth.providerRedirectURI` | https://sharepoint.company/.\* |
| (Optional) authentik LDAP Outpost URI | `ldap.outpostURI` | ak-outpost-ldap.authentik.svc.cluster.local |
| (Optional) authentik LDAP Service Account | `ldap.outpostServiceAccount` | cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io |
| (Optional) authentik LDAP Service Account Password | `ldap.outpostServiceAccountPassword` | mystrongpassword |
| SharePoint Default Web Application URL | `sp.webAppURL` | https://sharepoint.company |
| SharePoint Trusted Token Issuer Name | `sp.issuerName` | Authentik |
| SharePoint Trusted Token Issuer Description | `sp.issuerDesc` | authentik IDP |
## authentik configuration
### Step 1: Create authentik OpenID Property Mappings
SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and be able to map incoming authentik OID Claims with Microsoft Claims.
Additional information from Microsoft documentation:
- https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens#validate-tokens
- https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims
#### Add an OpenID scope mapping for SharePoint
From the authentik Admin Dashboard:
1. Open **Customisation > Property Mappings** page from the sidebar.
2. Click **Create** from the property mapping list command bar.
3. Within the new property mapping form, select **Scope Mapping**.
4. Click **Next** and enter the following values:
- **Name**: SPopenid
- **Scope name**: openid
- **Expression**:
```python
return {
"nbf": "0", # Identifies the time before which the JWT can't be accepted for processing.
# 0 stand for the date 1970-01-01 in unix timestamp
"oid": user.uid, # This ID uniquely identifies the user across applications - two different applications signing in the same user receives the same value in the oid claim.
"upn": user.username # (Optional) User Principal Name, used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
}
```
5. Click **Finish**.
#### Add a profile scope mapping for SharePoint
From the authentik Admin Dashboard:
1. Open **Customisation > Property Mappings** page from the sidebar.
2. Click **Create** from the property mapping list command bar.
3. Within the new property mapping form, select **Scope Mapping**.
4. Click **Next** and enter the following values:
- **Name**: SPprofile
- **Scope name**: profile
- **Expression**:
```python
return {
"name": request.user.name, # The name claim provides a human-readable value that identifies the subject of the token.
"given_name": request.user.name, # Interoperability with Microsoft Entra ID
"unique_name": request.user.name, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
"preferred_username": request.user.username, # (Optional) The primary username that represents the user.
"nickname": request.user.username, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
"roles": [group.name for group in request.user.ak_groups.all()], # The set of roles that were assigned to the user who is logging in.
}
```
5. Click **Finish**.
### Step 2: Create authentik Open ID Connect Provider
From the authentik Admin Dashboard:
1. Open **Applications > Providers** page from the sidebar.
2. Click **Create** from the provider list command bar.
3. Within the new provider form, select **OAuth2/OpenID Provider**.
4. Click **Next** and enter the following values:
- **Name**: `auth.providerName`
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-implicit-consent
:::note
use the explicit flow if user consents are required
:::
- **Redirect URIs / Origins**: `auth.providerRedirectURI`
- **Signing Key**: authentik Self-signed Certificate
:::note
The certificate is used for signing JWT tokens;, if you change it after the integration do not forget to update your SharePoint Trusted Certificate.
:::
- **Access code validity**: minutes=5
:::note
The minimum is 5 minutes, otherwise SharePoint backend might consider the access code expired.
:::
- **Access Token validity**: minutes=15
:::note
The minimum is 15 minutes, otherwise SharePoint backend will consider the access token expired.
:::
- **Scopes**: select default email, SPopenid and SPprofile
- **Subject mode**: Based on the User's hashed ID
5. Click **Finish**.
### Step 3: Create an application in authentik
From the authentik Admin Dashboard:
1. Open **Applications > Applications** page from the sidebar.
2. Click **Create** from the application list command bar.
3. Within the new application form, enter the following values:
- **Name**: `auth.applicationName`
- **Slug**: `auth.applicationSlug`
- **Provider**: `auth.providerName`
- (Optional) **Launch URL**: `sp.webAppURL`
- (Optional) **Icon**: https://res-1.cdn.office.net/files/fabric-cdn-prod_20221209.001/assets/brand-icons/product/svg/sharepoint_48x1.svg
4. Click **Create**.
### Step 4: Setup OIDC authentication in SharePoint Server
#### Pre-requisites
##### Update SharePoint farm properties
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
:::caution
- Update placeholders
- Read all script's comments
:::
```PowerShell
Add-PSSnapin microsoft.sharepoint.powershell
# Setup farm properties to work with OIDC
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$fileName = $rsaCert.key.UniqueName
#If you have multiple SharePoint servers in the farm, you need to export certificate by Export-PfxCertificate and import certificate to all other SharePoint servers in the farm by Import-PfxCertificate and apply the same permissions as below.
#After certificate is successfully imported to SharePoint Server, we will need to grant access permission to certificate private key.
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$fileName"
$permissions = Get-Acl -Path $path
#Please replace the <web application pool account> with the real application pool account of your web application.
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$($env:computername)\WSS_WPG", 'Read', 'None', 'None', 'Allow')
$permissions.AddAccessRule($access_rule)
Set-Acl -Path $path -AclObject $permissions
#Then we update farm properties only once.
$f = Get-SPFarm
$f.Farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint
$f.Farm.Properties['SP-NonceCookieHMACSecretKey']='seed'
$f.Farm.Update()
```
##### SharePoint settings in case of SSL offloading
Update the SharePoint farm to accept OAuth authentication over HTTP.
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
```PowerShell
Add-PSSnapin microsoft.sharepoint.powershell
$c = get-spsecuritytokenserviceconfig
$c.AllowOAuthOverHttp = $true
$c.update()
```
#### Create SharePoint authentication provider
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
:::caution
- Update placeholders
- Read all script's comments.
:::
```PowerShell
Add-PSSnapin microsoft.sharepoint.powershell
# OIDC Settings
$metadataendpointurl = "auth.providerConfigURL"
$clientIdentifier = "auth.providerClientID"
$trustedTokenIssuerName = "sp.issuerName"
$trustedTokenIssuerDescription = "sp.issuerDesc"
# OIDC Claims Mapping
## Identity claim: oid => defined within the Authentik scope mapping
$idClaim = New-SPClaimTypeMapping "http://schemas.microsoft.com/identity/claims/objectidentifier" -IncomingClaimTypeDisplayName "oid" -SameAsIncoming
## User claims mappings
$claims = @(
$idClaim
## User Roles (Group membership)
,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::Role) -IncomingClaimTypeDisplayName "Role" -SameAsIncoming)
## User email
,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::Email) -IncomingClaimTypeDisplayName "Email" -SameAsIncoming)
## User given_name
,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::GivenName) -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming )
## (Optional) User account name
#,(New-SPClaimTypeMapping ([System.Security.Claims.ClaimTypes]::NameIdentifier) -IncomingClaimTypeDisplayName "Username" -SameAsIncoming)
)
# Trust 3rd party identity token issuer
$trustedTokenIssuer = New-SPTrustedIdentityTokenIssuer -Name $trustedTokenIssuerName -Description $trustedTokenIssuerDescription -ClaimsMappings $claims -IdentifierClaim $idClaim.InputClaimType -DefaultClientIdentifier $clientIdentifier -MetadataEndPoint $metadataendpointurl -Scope "openid email profile"
#Note: Remove the profile scope if you plan to use the LDAPCP claims augmentation.
# Create the SharePoint authentication provider based on the trusted token issuer
New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $trustedTokenIssuer
```
#### Configure SharePoint web applications
From the Central Administration opened as a Farm Administrator:
1. Open the **Application Management > Manage web applications** page.
2. Select your web application `sp.webAppURL`.
3. Click **Authentication Providers** from the ribbon bar.
4. According to your environment, click on the target zone such as "Default".
5. Update the authentication provider form as following:
- Check **Trusted Identity Provider**
- Check the newly created provider named `sp.issuerName`
- (Optional) Set **Custom Sign In Page**: /\_trust/default.aspx
6. Click **Save**.
Repeat all steps for each target web applications that matches with `auth.providerRedirectURI`.
## (Optional) SharePoint enhancements
Objectives :
- Integrate SharePoint People Picker with authentik to search users and groups
- Augment SharePoint user claims at login stage
- Resolve user's membership
:::caution
[LDAPCP](https://www.ldapcp.com/docs/overview/introduction/) must be installed on the target SharePoint farm.
:::
### Step 1: Assign LDAPCP as claim provider for the identity token issuer
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
:::caution
- Update placeholders
- Read all script's comments
:::
```PowerShell
Add-PSSnapin microsoft.sharepoint.powershell
$trustedTokenIssuerName = "sp.issuerName"
$sptrust = Get-SPTrustedIdentityTokenIssuer $trustedTokenIssuerName
$sptrust.ClaimProviderName = "LDAPCP"
$sptrust.Update()
```
### Step 2: Configure LDAPCP claim types
From the SharePoint Central Administration opened as a Farm Administrator:
1. Open **Security > LDAPCP Configuration > Claim types configuration** page.
2. Update the mapping table to match these value:
| Claim type | Entity type | LDAP class | LDAP Attribute to query | LDAP attribute to display | PickerEntity metadata |
| ------------------------------------------------------------- | ----------- | ---------- | ----------------------- | ------------------------- | --------------------- |
| http://schemas.microsoft.com/identity/claims/objectidentifier | User | user | uid | sn | UserId |
| LDAP attribute linked to the main mapping for object User | User | user | mail | | Email |
| LDAP attribute linked to the main mapping for object User | User | user | sn | | DisplayName |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Group | group | cn | | DisplayName |
| LDAP attribute linked to the main mapping for object Group | Group | group | uid | | SPGroupID |
### Step 3: Create an authentik LDAP Outpost
From the authentik Admin Dashboard:
:::note
The following procedure apply to an authentik deployment within Kubernetes.
For other kinds of deployment, please refer to the [authentik documentation](https://goauthentik.io/docs/).
:::
1. Follow authentik [LDAP Provider Generic Setup](https://version-2023-10.goauthentik.io/docs/providers/ldap/generic_setup) with the following steps :
- **Create User/Group** to create a "service account" for `ldap.outpostServiceAccount` and a searchable group of users & groups
- **LDAP Flow** to create the authentication flow for the LDAP Provider
- **LDAP Provider** to create an LDAP provider which can be consumed by the LDAP Application
2. Open **Applications > Applications** page from the sidebar.
3. Open the edit form of your application `auth.applicationName`.
4. In the edit form:
- **Backchannel Providers**: add the LDAP provider previously created
5. Click **Update**.
### Step 4: Configure LDAPCP global configuration
From the SharePoint Central Administration opened as a Farm Administrator:
1. Open the **Security > LDAPCP Configuration > Global configuration** page.
2. Add an LDAP connection with th following properties:
- **LDAP Path**: LDAP://`ldap.outpostURI`/dc=ldap,dc=goauthentik,dc=io
- **Username**: `ldap.outpostServiceAccount`
- **Password**: `ldap.outpostServiceAccountPassword`
- **Authentication types**: check ServerBind
3. Augmentation - Check **Enable augmentation**
4. Augmentation - Select the Role claim "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
5. Augmentation - Check only "**Query this server**" for your `ldap.outpostURI`
6. User identifier properties:
- **LDAP class**: user
- **LDAP attribute**: uid
7. Display of user identifier results:
- Tick **Show the value of another LDAP attribute**: sn
8. Click on "**OK**"
_Note: The `ldap.outpostURI` should be the IP, hostname, or FQDN of the LDAP Outpost service deployed accessible by your SharePoint farm_.