SharePoint


Presentation

SharePoint is a web-based collaborative platform that integrates natively with Microsoft Office.

It can be configured to authenticate users with OpenID Connect.

New in version 2.0.16: Because SharePoint requires support for the OAuth 2.0 Form Post Response Mode, this integration only works with LemonLDAP::NG 2.0.16 and above.

Warning

Configuring SharePoint for OpenID Connect is a complex operation which requires some familiarity with Microsoft products and a good knowledge of OpenID Connect. This documentation is only meant to help you configure LemonLDAP::NG to work with SharePoint; it is not a complete, up-to-date walkthrough.

Configuration

LL:NG

Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server.

Make sure you have generated a set of signing keys in OpenID Connect Service » Security » Keys.

The signing public key must be in BEGIN CERTIFICATE format. If you are currently using a public key in BEGIN PUBLIC KEY format, see the OIDC certificate conversion instructions for details.

Add a Relying Party with the following configuration:

  • Options » Basic » Client ID : choose a client ID, such as my_client_id
  • Options » Basic » Public client : set to Enabled
  • Options » Basic » Client Secret : leave empty
  • Options » Basic » Allowed redirection address : https://spsites.contoso.local/ (adjust to your own URL)
  • Options » Advanced » Force claims to be returned in ID Token : On
  • Options » Security » ID Token Signature Algorithm : RS256

Define the Scope values content as follows:

  • email => http://schemas.xmlsoap.org/claims/CommonName http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Define exported attributes:

  • http://schemas.xmlsoap.org/claims/CommonName => cn (or LemonLDAP variable containing the common name)
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname => givenName (or LemonLDAP variable containing the given name)
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname => sn (or LemonLDAP variable containing the surname)
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress => mail (or LemonLDAP variable containing the email)

SharePoint

Refer to the Microsoft SharePoint OpenID Connect documentation for instructions.

You do not need Azure AD or Azure ADFS, so you can skip the steps regarding them. You should not need to configure the identity provider manually: if you use LemonLDAP::NG 2.0.16 or above with a certificate as your OIDC signing key, the OpenID Connect JWKS document should contain the x5c field that SharePoint expects.
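A pre-flight check for the Relying Party settings above and the x5c requirement just described, as an added example that is not part of the LemonLDAP::NG documentation: it inspects an already fetched discovery document, JWKS and decoded ID token payload for form_post support, RS256, a certificate-backed signing key and the four claim URIs SharePoint maps. The sample documents are constructed; fetching the real ones over HTTPS is left to the caller.

```python
from typing import Dict, List

# Claim URIs SharePoint reads from the ID token (the exported attributes mapped above).
REQUIRED_CLAIMS = (
    "http://schemas.xmlsoap.org/claims/CommonName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)

def check_discovery(discovery: Dict) -> List[str]:
    """Flag features SharePoint needs that the discovery document does not announce."""
    problems = []
    # OIDC Discovery defaults response_modes_supported to query and fragment when absent.
    modes = discovery.get("response_modes_supported", ["query", "fragment"])
    if "form_post" not in modes:
        problems.append("form_post response mode not announced (requires LL::NG >= 2.0.16)")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signatures")
    return problems

def check_jwks(jwks: Dict) -> List[str]:
    """Each signing key must carry an x5c chain, i.e. be a certificate, not a bare key."""
    problems = []
    keys = [k for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"]
    if not keys:
        problems.append("JWKS publishes no signing key")
    for k in keys:
        if not k.get("x5c"):
            problems.append(f"key {k.get('kid')!r}: no x5c, key is in BEGIN PUBLIC KEY format")
    return problems

def check_id_token_claims(claims: Dict) -> List[str]:
    """The decoded ID token payload must carry all four claim URIs SharePoint maps."""
    return [f"ID token lacks claim {c}" for c in REQUIRED_CLAIMS if c not in claims]

def preflight(discovery: Dict, jwks: Dict, claims: Dict) -> List[str]:
    return check_discovery(discovery) + check_jwks(jwks) + check_id_token_claims(claims)

# Constructed sample documents; the x5c value is a placeholder, not a real certificate.
GOOD_DISCOVERY = {"response_modes_supported": ["query", "fragment", "form_post"],
                  "id_token_signing_alg_values_supported": ["RS256"]}
GOOD_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "e": "AQAB",
                       "n": "placeholder", "x5c": ["MIIC...placeholder"]}]}
BAD_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "e": "AQAB", "n": "placeholder"}]}
GOOD_CLAIMS = {"sub": "jdoe", **{c: "x" for c in REQUIRED_CLAIMS}}

if __name__ == "__main__":
    print(preflight(GOOD_DISCOVERY, BAD_JWKS, {"sub": "jdoe"}))
```

An empty list means the provider side satisfies the requirements listed on this page; each string names the setting to revisit.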

You can use the following values in the PowerShell scripts:

  • $metadataendpointurl = "https://auth.example.com/.well-known/openid-configuration" (adjust to your LemonLDAP::NG domain)
  • $clientIdentifier = "my_client_id" (chosen above)