SharePoint Pals
 | Sign In
Configuring ADFS as Authentication Provider For SharePoint 2013 Web Application
by Sathish Nadarajan 1 Oct 2013
SharePoint MVP
Today  :   3     Total  :    40115

In the actual production environment, the Authentication of the SharePoint site is not going to be Windows authentication in many scenarios. There are various third party authentication providers are available in the market. Since ADFS is one of Microsoft’s product, It is been widely used by many of the environment. Hence, let us see how to make the Authentication of our web application using ADFS 2.0.

The overall steps are as follows.

1. Installation and Configuration of ADFS 2.0.

2. Create the web application.

3. Adding the SharePoint WebApplication URL as Third Party Relying Party.

4. Export the ADFS Certificate and Copy the same into SharePoint Machine.

5. Create a Trusted Identity Token Issuer.

6. Edit SharePoint WebApplication Authentication.

7. Verify the setup by logging into the Site.

Let us see, each step individually.

1. Installation and configuration of ADFS 2.0.

We had seen about this in the previous article. Refer here to refresh. In our case, the URL of the ADFS Server is https://win2008R2/adfs/ls.

2. Create the Web Application.

This also, we had already discussed here. To make a Claims aware web application, we need to create an https enabled web application. In our case, the URL of the Web Application is and the site collection is /Sites/ClaimsBasedSite.

3. Adding the SharePoint WebApplication URL as Third Party Relying Party.

This topic also, covered in a separate article. But that URL is meant for the .Net provider Hosted Application. i.e., we need to make the .Net web application also as a claims aware web application. But in our case, now we are planning to add our SharePoint WebAppliclaiton. Hence the URL should be something like,

“” and

Let us do a fast recap by the screen shots.






This is where the actual difference comes. You can see the URL which I am giving. It is not the URL of the of the web application. It is appended with “_trust”.


Again here also, we need to add “” as the Relying Party trust Identifier”. (Ignore the screen shot as the port is 20004 for different purpose).





The claim rule are similar to that of the previous post. There is no much changes on it.

4. Export the ADFS Certificate and Copy the same into SharePoint Machine.

The next step would be exporting the ADFS Token Signing Certificate.

a. Open the ADFS Management Console. And Navigate to the Certificates Node.


b. Select the Token-signing Certificate and click “View Certificate”


c. On the Details Tab, click “Copy to File…”


d. The wizard will get opened. Follow the wizard as shown in the screen shot.









e. With this, the Certificate has been copied to file with an extension of CER. Copy the file and paste on the SharePoint Server.

5. Create a Trusted Identity Token Issuer.

Now, we need to create a Trusted Identity Token Issuer on the SharePoint Farm. For that, the certificate copied from the ADFS Server is required to be present on the SharePoint Server. Once it is copied, we can execute the below power shell script to create the “Trusted Identity Token Issuer”.


Add-PSSnapin "Microsoft.SharePoint.PowerShell"

$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\ADFSCert.cer")

New-SPTrustedRootAuthority -Name "Token Signing Cert ADFSAuthenticatedSite" -Certificate $cert

$map = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming



$ap1 = New-SPTrustedIdentityTokenIssuer -Name “XYZ” -Description “Test”-realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType

· The “Name” attribute describes which authentication provider a Web application is configured for.

· The “Realm” attribute defines the realm to be used by the trusted identity token issuer.

The “ImportTrustCertificate” attribute is what is passed to the token signing certificate copied from the AD FS server in this scenario.

· The “ClaimsMappings” attribute are the claims the trusted identity token issuer will use.

The “SignInUrl” is the URL that users should be redirected to authenticate with the IP-STS. In this scenario, users authenticate with the AD FS server by using Windows integrated security, so they are redirected to the /AD FS/ls subdirectory.

· The “IdentifierClaim” attribute instructs SharePoint Server which of the claims will be the claim used to identify users. In this scenario the e-mail address is used to identify a user.


With this, we successfully created our Trusted Identity Token Issuer. Let us see, how we can change the authentication provider of our SharePoint Web Application.

6. Edit SharePoint WebApplication Authentication.

a. Now, we created our TrustedIdenityTokenIssuer for SharePoint. Let us see, with the web application.

b. Go to the Central Administration.


c. Select the web application for which we need to change the Authentication Providers.


d. Prompted with the popup. Click the default.


e. Edit Authentication Popup will be shown.


In that, by Default, “Enable Windows Authentication” will be checked. Uncheck it and click “Trusted Identity Provider”. On the below, you can see the list of identity providers, which we created. Click that and Save.

f. That’s it. Now our Web Application is ready to get authenticated by ADFS 2.0.

7. Verify the setup by logging into the Site.

Now we can verify the authentication by login into the site. Type After entering the credentials, it will be redirected to https://win2008R2/ADFS/Ls/...... Once, it is authenticated properly, then it will come back to our web application.

8. Trouble shooting.

After following the entire steps, I was facing an issue with the ADFS Authentication. When trying to login to the site, we will be getting some weird exception like “ADFS Exception Occurred” . Normally, SharePoint itself, will not give any clear exceptions. Now again ADFS is also like that only. To see exactly what happens, login to the ADFS Server machine. And go to the EventViewer. On Application Logs, we can see an exception like “The same client browser session has made ‘6’ requests in the last ‘12’ seconds”. By doing some search in the internet, I found a useful link from Steve Psechka.

It was very useful and very clear about the problems. Hence, I am not repeating the points here. Let us get the extract alone. By executing the below script, I get rid of that exception.

#$sts = Get-SPSecurityTokenServiceConfig

#$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan –minutes 1)

#$sts.UseSessionCookies = $true



The actual meaning for the above code can be identified from the above mentioned blog.

For our reference, I downloaded the article and the same has been attached with this post.

blog comments powered by Disqus

SharePoint Pals

SharePoint Pals, a community portal for SharePoint developers, Administrators and End Users. Let's join hands and share the point together.
Read this on mobile


Angular Js Training In Chennai
Advanced Angular Js training with real world developer scenarios
Angular Js, Web Api and Ionic for .Net Developers
All in one client side application development for .Net developers
Angular Js For SharePoint Developers
Get ready for the future. Its no more just C#

Get Connected

SharePoint Resources

SharePoint 2013 and 2010 Web Parts
Free Web Parts with Source Code for SharePoint Community

SharePoint 2013 Books and Tutorials
Collection of free SharePoint 2013 books and tutorials (eBooks, pdfs)

Supported By

Contribute your article and be eligible for a one month Free Subscription for Plural Sight. The Author of the most popular New Article (published in the previous month) will be awarded with a Free One month Plural Sight Subscription. Article can be sent to in a word document.

Related Resources

Recent Tweets

Twitter January 15, 00:25
How To Enable Target Value And Actual Value In #D3 Gauge Chart

Twitter January 15, 00:24
How To Open #SharePoint List Hyperlink Column In Modal #Popup Window

Twitter January 15, 00:24
Quick Introduction To #Asp.NetCore And It’s Features

Twitter January 15, 00:22
How To Configure #PerformancePoint Services To Use Secure Store In #SharePoint 2013

Twitter January 15, 00:21
How To Block Or Disable #Office365 Services

Follow us @SharePointPals
Note: For Customization and Configuration, CheckOutRecent Tweets Documentation