Hello,
I’m currently looking into the possibility of configuring a SharePoint 2013 web application to authenticate a user using a client certificate instead of a user/password.
I already found a TechNet article (https://technet.microsoft.com/en-us/library/gg491215.aspx) which explains that SharePoint doesn’t support this natively but that you can configure ADFS to do this. It gives you some links on how to do this but when you look at those links, they just tell you how you can configure ADFS for windows authentication. Useless!
I’m not an ADFS expert but I already succeeded in setting up an ADFS 2.0 server which is functioning. So, that’s not the issue.
As I understand, there are some steps you need to do:
– Change the local authentication type order to TlsClient in the web.config of ADFS
– Set up a relying trust party in ADFS
– Register a SPTrustedIdentityTokenIssuer in SharePoint
– Configure the SharePoint webapplication to use this trusted Identity provider
These are the high-level steps but like with everything… it’s all in the details. I already have a certificate installed on my client which is linked to my AD account.
And here’s my problem…
I cannot find ANY guidance on how to configure the relying trust party. I found a massive amount of posts and articles which explain how you can configure ADFS for SharePoint but they all are in the context of windows authentication. Nothing solid on client certificate authentication.
Some questions I have:
– What claim rules and transformations do you need to define in ADFS to work with a client certificate?
– What do you set as the claim mappings in SharePoint when you register your trusted identity token issuer?
– Has anyone actually done this in real life and cares to share how it was done?
Any help is massively appreciated.
Bart
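The SharePoint side of steps 3 and 4 above (registering the SPTrustedIdentityTokenIssuer and binding it to the web application), as an added example that is not from the original post or from any answer to it. It assumes that ADFS has already been set up as a relying party trust for the realm urn:sharepoint:portal and that the ADFS side emits the user's UPN (and optionally e-mail) as claims; the hostnames, paths and realm below are constructed placeholders.

```powershell
# Added example (not the poster's configuration). Run in the SharePoint 2013 Management Shell
# on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Import the ADFS *token-signing* certificate (exported from the ADFS console as .cer).
#    SharePoint uses it to verify the signature on every SAML token it receives, so it must be
#    the signing certificate of this ADFS instance, not the SSL certificate.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    "C:\certs\adfs-token-signing.cer"   # placeholder path
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $signingCert

# 2. Claim mappings. The identifier claim must be one that ADFS actually issues for a
#    certificate-authenticated user; UPN is assumed here. Display name is what SharePoint
#    shows in the people picker.
$upnClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming

# 3. Register ADFS as a trusted identity token issuer. -Realm must equal the relying party
#    identifier configured in ADFS, otherwise ADFS will not issue a token for this audience.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS Client Cert" `
    -Description "ADFS 2.0 with client certificate authentication" `
    -Realm "urn:sharepoint:portal" `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $upnClaim, $emailClaim `
    -SignInUrl "https://adfs.contoso.com/adfs/ls" `
    -IdentifierClaim $upnClaim.InputClaimType

# 4. Bind the trusted provider to the web application's Default zone. Windows auth is left
#    off the provider list on purpose, so users cannot fall back to a password prompt.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity "https://portal.contoso.com" `
    -AuthenticationProvider $provider -Zone "Default"

# Verify: the issuer exists and carries the expected identifier claim and signing cert thumbprint.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS Client Cert" |
    Select-Object Name, IdentifierClaim, @{n="SigningThumbprint"; e={$_.SigningCertificate.Thumbprint}}
```

Whether the logon actually uses the client certificate is decided on the ADFS side (the TlsClient ordering in its web.config and the relying party's issuance rules); this script only tells SharePoint which issuer to trust and which claim identifies the user.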