Closed tbebekis closed 6 years ago
@tbebekis For Sign on URL please use this pattern: a. https://MyServer.MyCompany.com/_trust/default.aspx. For Identifier use this: urn:sharepoint:federation
For the inline documentation you should use the WS-Fed endpoint like this https://login.microsoftonline.com/
Yes, you can get the Azure AD Entity ID from the quick reference section.
@chetansriv Please update this article for the issues mentioned above.
Let's recap.
1. Section: Configure Azure AD single sign-on. Step 3: SharePoint on-premises Domain and URLs a. For Sign on URL: I type "https://MyServer.MyCompany.com/_trust/default.aspx" b. For Identifier (Entity Id): I type "urn:sharepoint:federation"
2. Section: Configure Azure AD single sign-on. Step 6: Configure SharePoint on-premises a. I click the Download Azure AD Signing Certificate. The downloaded certificate will be used with the $filepath/$cert variables in the PowerShell script.
3. Section: Configure Azure AD single sign-on. Step 8: Configure a new trusted identity provider in SharePoint Server 2016 a. For the $realm PowerShell script variable I use as value the value of Identifier (Entity Id) b. For the $wsfedurl PowerShell script variable I use as value the URL https://login.microsoftonline.com/my_tenant_directory_id/wsfed
Please provide a careful answer.
Thank you.
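The three steps recapped above, written out as one PowerShell script for the SharePoint Management Shell. This is an added example, not the tutorial's script and not the poster's own; the tenant ID, certificate path, provider name and the two claim mappings are assumptions and placeholders, and the realm value is the one the recap uses (whatever you typed as Identifier in Azure AD is what must go here, byte for byte).

```powershell
# Added example: register Azure AD as a WS-Federation trusted identity provider in SharePoint 2016.
# Run in the SharePoint Management Shell as a farm administrator.
# Placeholders (assumed, replace with your own): $tenantId, $filepath, the "AzureAD" names, claim mappings.

# Values taken from the Azure AD enterprise application. The realm is compared as an exact string
# against the Identifier (Entity ID) configured in Azure AD; a mismatch fails sign-in, not this script.
$realm    = "urn:sharepoint:federation"                          # Identifier (Entity ID) entered in Azure AD
$tenantId = "00000000-0000-0000-0000-000000000000"                # Azure AD > Properties > Directory ID (placeholder)
$wsfedurl = "https://login.microsoftonline.com/$tenantId/wsfed"    # tenant-specific WS-Fed sign-in endpoint
$filepath = "C:\temp\AzureAD-Signing.cer"                         # Azure AD signing certificate downloaded from the app (placeholder path)

# Load the signing certificate and trust it farm-wide. Note the expiry: Azure AD rotates this
# certificate, and the trust must be updated before $cert.NotAfter or token validation breaks.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
"Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)"    # compare the thumbprint with the one shown in the Azure AD app
New-SPTrustedRootAuthority -Name "AzureAD Signing" -Certificate $cert

# Map incoming token claims to SharePoint claim types. The identifier claim is the one SharePoint
# uses to identify the user, so Azure AD must emit it in every token (assumed mapping: name -> UPN).
$map1 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "name" `
    -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/identity/claims/displayname" `
    -IncomingClaimTypeDisplayName "Display Name" `
    -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

# Create the trusted identity provider: -Realm is sent to Azure AD as wtrealm, -SignInUrl is where
# the browser is redirected, -ImportTrustCertificate is what SharePoint uses to verify token signatures.
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" `
    -Description "SharePoint on-premises secured by Azure AD" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $map1, $map2 `
    -SignInUrl $wsfedurl `
    -IdentifierClaim $map1.InputClaimType

# Check what the farm actually stored before assigning the provider to a web application.
Get-SPTrustedIdentityTokenIssuer -Identity "AzureAD" |
    Format-List Name, DefaultProviderRealm, ProviderUri, IdentityClaimTypeInformation
```

Verify that DefaultProviderRealm prints exactly the Identifier shown in the Azure AD app and that ProviderUri contains your own tenant ID; both are the values a WS-Fed sign-in round trip will fail on if they differ, and neither is validated by the cmdlet.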
@tbebekis Step 3.a. should be the value urn:federation:sharepoint; everything else is correct. Apologies for my previous wrong answer for 3.a.
@jeevansd
It was not a wrong answer, I believe.
Searching this URN issue a little bit more, I found that
The syntax of a URN is urn:NID:NSS, see: https://en.wikipedia.org/wiki/Uniform_Resource_Name There are two more optional components in a URN, right after the NSS, not needed in our case.
NID (Namespace IDentifier) may include letters, digits, and -
NSS (Namespace Specific String) may include almost any character (slashes too as of 2017). The interpretation of NSS depends on the specified NID, which, in our case, means we use whatever we like.
NIDs are required to be registered with the IANA. But there is no entry regarding a "sharepoint" NID in IANA's registered URN namespaces. See: https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml I believe we may use whatever we want as our NID, and "sharepoint" is a good choice here.
So in the light of all the above, all the following
should work as long as the whole URN is a unique one.
Unless there is a particular preference in Azure AD's code. Is there such a preference?
Thank you again.
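A small parser for the URN syntax discussed above, as an added example (not the poster's code and not anything from the tutorial). It applies the RFC 8141 grammar (urn:NID:NSS plus the optional r-, q- and f-components), checks the NID against a constructed sample of the IANA registry, and compares two URNs the way RFC 8141 defines lexical equivalence. The candidate identifiers and the registry subset are assumptions for illustration; the point it makes is that both spellings in the thread are valid URNs but are not equal to each other, which is all that matters when Azure AD and SharePoint compare realms as strings.

```python
import re

# RFC 8141 (simplified): assigned-name = "urn" ":" NID ":" NSS, optionally followed by
# an r-component ("?+..."), a q-component ("?=...") and an f-component ("#...").
NID = r"[A-Za-z0-9][A-Za-z0-9-]{0,30}[A-Za-z0-9]"            # 2..32 chars: letters, digits, hyphen
PCHAR = r"(?:[A-Za-z0-9._~!$&'()*+,;=:@-]|%[0-9A-Fa-f]{2})"    # RFC 3986 pchar
NSS = rf"{PCHAR}(?:{PCHAR}|/)*"                                # NSS may contain "/" since RFC 8141
URN_RE = re.compile(
    rf"^(?i:urn):(?P<nid>{NID}):(?P<nss>{NSS})"
    rf"(?:\?\+(?P<r>[^?#]*))?(?:\?=(?P<q>[^#]*))?(?:#(?P<f>.*))?$"
)

# Constructed subset of the IANA URN namespace registry, for illustration only. The
# authoritative list is https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml
IANA_NIDS_SAMPLE = {"ietf", "isbn", "issn", "oid", "uuid", "publicid", "oasis", "ieee"}


def parse_urn(value: str):
    """Return the URN's components (nid, nss, r, q, f), or None if value is not a valid URN."""
    m = URN_RE.match(value)
    return m.groupdict() if m else None


def nid_is_registered(nid: str) -> bool:
    """NIDs are case-insensitive; look the NID up in the (sample) registry."""
    return nid.lower() in IANA_NIDS_SAMPLE


def _normalize_pct(s: str) -> str:
    # Percent-encoded octets compare case-insensitively: %2f == %2F
    return re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).upper(), s)


def urn_equivalent(a: str, b: str) -> bool:
    """RFC 8141 section 3.1 lexical equivalence: the "urn" scheme and the NID compare
    case-insensitively, percent-encodings compare case-insensitively, the rest of the
    NSS compares exactly, and r-, q- and f-components are ignored."""
    pa, pb = parse_urn(a), parse_urn(b)
    if pa is None or pb is None:
        return False
    return (pa["nid"].lower() == pb["nid"].lower()
            and _normalize_pct(pa["nss"]) == _normalize_pct(pb["nss"]))


def main():
    # Constructed candidates: the two spellings from the thread, a case variant, and a plain URL.
    candidates = [
        "urn:sharepoint:federation",        # Identifier used in the recap above
        "urn:federation:sharepoint",        # alternative suggested in the thread
        "URN:SharePoint:federation",        # same assigned-name as the first, different case
        "https://MyServer.MyCompany.com",   # a URL: usable as an Entity ID, but not a URN
    ]
    for c in candidates:
        p = parse_urn(c)
        if p is None:
            print(f"{c!r}: not a URN")
            continue
        reg = "registered" if nid_is_registered(p["nid"]) else "unregistered"
        print(f"{c!r}: NID={p['nid']} ({reg}) NSS={p['nss']}")
    print(urn_equivalent(candidates[0], candidates[2]))   # True
    print(urn_equivalent(candidates[0], candidates[1]))   # False


if __name__ == "__main__":
    main()
```

The equivalence rule is the one to keep in mind when filling in the Azure AD Identifier and the SharePoint $realm: an unregistered NID such as "sharepoint" is syntactically fine, but swapping the NID and NSS, or changing anything in the NSS, produces a different identifier.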
We updated the tutorial as requested.
There are many inconsistencies in this tutorial.
1. Section: Configure Azure AD single sign-on. Step 3: SharePoint on-premises Domain and URLs The existing image shows (and the text below it suggests) Sign On URL: https:///_trust/default.aspx
Identifier (Entity Id): urn:sharepoint:federation
where the actual reality is totally different. Please see the following image.
Please I need a clear answer. What do I use as Sign On Url? a. https://MyServer.MyCompany.com/_trust/default.aspx b. https://MyServer.MyCompany.com
What do I use as Identifier (Entity Id) a. urn:sharepoint:federation b. https://MyServer.MyCompany.com
2. Section: Configure Azure AD single sign-on. Step 6: Configure SharePoint on-premises Please take a look at the following image. This is what I get.
Issues here
a. I presume this is an error in the Sign-On Service URL (red characters) Azure AD Single Sign-On Service URL : %metadata:wsFederationSignInUrl% ERROR! Is there any workaround to this? Can I use something like https://login.microsoftonline.com/<what here? my directory id?>/wsfed It would be nice though to have a reminder as to how to get my tenant directory id, e.g. Azure AD > Properties > Directory ID
b. Tutorial instructs to copy the "SAML Entity ID from the Quick Reference section". Why? Where do I need that? Do you mean the "Identifier (Entity ID)" value found in section "Configure Azure AD single sign-on"?
c. The "Azure AD SAML Entity ID" value that I have in Quick Reference section is a Url. Should I use that as "SAML Entity ID from the Quick Reference section" and give that as a realm, later in the PowerShell script where I define the trusted provider for SP?
I believe that someone should get the whole procedure, implement it, and document it again. And certainly I'll do that, once I'm done, for my own reference.
Thank you.