SPTrustedIdentityTokenIssuer
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Key | String | Name of the SPTrustedIdentityTokenIssuer | |
ClaimsMappings | Required | MSFT_SPClaimTypeMapping[] | Array of MSFT_SPClaimTypeMapping to use with cmdlet New-SPClaimTypeMapping | |
Description | Required | String | Description of the SPTrustedIdentityTokenIssuer | |
IdentifierClaim | Required | String | Identity claim type that uniquely identifies the user | |
AuthorizationEndPointUri | Write | String | Specific to OIDC: specify the sign-in URL of the issuer | |
ClaimProviderName | Write | String | Name of a claims provider to set with this SPTrustedIdentityTokenIssuer | |
DefaultClientIdentifier | Write | String | Specific to OIDC: specify the client identifier of the issuer | |
Ensure | Write | String | Present if the SPTrustedIdentityTokenIssuer should be created, or Absent if it should be removed | Present, Absent |
MetadataEndPoint | Write | String | Uri of the metadata endpoint of the identity provider | |
ProviderSignOutUri | Write | String | Specific to SAML: Sign-out URL | |
Realm | Write | String | Specific to SAML: Default Realm that is passed to identity provider | |
RegisteredIssuerName | Write | String | Specify the identity of the issuer | |
SigningCertificateFilePath | Write | String | Specify the file path to the signing certificate if it is not stored in the local certificate store already | |
SigningCertificateThumbprint | Write | String | Specify the thumbprint of the signing certificate, which must be located in certificate store LocalMachine\My | |
SignInUrl | Write | String | Specific to SAML: URL of the identity provider where the user is redirected to for authentication | |
SignOutUrl | Write | String | Specific to OIDC: specify the sign-out URL of the issuer | |
UseWReplyParameter | Write | Boolean | Specific to SAML: the WReply parameter allows SharePoint to specify the return URL to the 3rd party STS upon successful authentication | |
MSFT_SPClaimTypeMapping

Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Key | String | Display name of the incoming claim type | |
IncomingClaimType | Required | String | URI of the incoming claim type | |
LocalClaimType | Write | String | URI of the local claim type, not required if same as IncomingClaimType | |
Type: Distributed
Requires CredSSP: No
This resource is used to create or remove SPTrustedIdentityTokenIssuer in a SharePoint farm.
In SharePoint 2013 / 2016 / 2019, it can only be a SAML trust. In SharePoint Subscription, it can be a SAML trust or an OIDC trust.
For a SAML trust, the specific mandatory parameters are Realm, SignInUrl, and either SigningCertificateThumbPrint or SigningCertificateFilePath.
Either SigningCertificateThumbPrint or SigningCertificateFilePath must be set. If both are specified, the thumbprint of the certificate loaded from SigningCertificateFilePath is compared with SigningCertificateThumbPrint; if the thumbprints do not match, an exception is thrown.
The SigningCertificateThumbPrint must be the thumbprint of the signing certificate stored in the certificate store LocalMachine\My of the server.
Note that the private key of the certificate must not be available in the certificate store, because SharePoint does not accept it.
The SigningCertificateFilePath must be the file path to the public key of the signing certificate.
For an OIDC trust, the specific mandatory parameters are either MetadataEndPoint alone, or the four parameters AuthorizationEndPointUri, RegisteredIssuerName, DefaultClientIdentifier and SignOutUrl.
The ClaimsMappings property is an array of MSFT_SPClaimTypeMapping to use with cmdlet New-SPClaimTypeMapping. Each MSFT_SPClaimTypeMapping requires properties Name and IncomingClaimType. Property LocalClaimType is not required if its value is identical to IncomingClaimType.
The IdentifierClaim property must match an IncomingClaimType element in ClaimsMappings array.
The ClaimProviderName property can be set to specify a custom claims provider. It must be already installed in the SharePoint farm and returned by cmdlet
The default value for the Ensure parameter is Present. When not specifying this parameter, the token issuer is created.
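As an added illustration that is not part of SharePointDsc, the following PowerShell function checks the parameter rules above (certificate source, absent private key, matching thumbprint, and IdentifierClaim present in ClaimsMappings) before a configuration is applied. The function name, the hashtable shape of ClaimsMappings and the sample values in the usage call are assumptions.

```powershell
# Added example (not SharePointDsc code): pre-flight validation of the rules above.
function Test-SPTrustParameters
{
    param
    (
        [Parameter(Mandatory = $true)] [string]      $IdentifierClaim,
        [Parameter(Mandatory = $true)] [hashtable[]] $ClaimsMappings,   # @{ Name = ..; IncomingClaimType = .. }
        [string] $SigningCertificateThumbprint,
        [string] $SigningCertificateFilePath
    )
    $problems = @()
    # Rule 1: at least one certificate source; with a file, the thumbprint (if given) must agree with it.
    if (-not $SigningCertificateThumbprint -and -not $SigningCertificateFilePath) {
        $problems += 'Either SigningCertificateThumbprint or SigningCertificateFilePath must be set.'
    }
    elseif ($SigningCertificateFilePath) {
        if (-not (Test-Path -Path $SigningCertificateFilePath)) {
            $problems += "Certificate file not found: $SigningCertificateFilePath"
        }
        else {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SigningCertificateFilePath
            if ($cert.HasPrivateKey) {
                $problems += 'Certificate file must hold only the public key; SharePoint rejects a private key.'
            }
            # -ne is case-insensitive in PowerShell, so upper/lower-case hex thumbprints compare equal.
            if ($SigningCertificateThumbprint -and $cert.Thumbprint -ne $SigningCertificateThumbprint) {
                $problems += "File thumbprint $($cert.Thumbprint) differs from $SigningCertificateThumbprint."
            }
        }
    }
    else {
        # Thumbprint only: the certificate must be in LocalMachine\My and carry no private key.
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$SigningCertificateThumbprint" -ErrorAction SilentlyContinue
        if (-not $cert) { $problems += "Thumbprint $SigningCertificateThumbprint not found in LocalMachine\My." }
        elseif ($cert.HasPrivateKey) { $problems += 'Certificate in LocalMachine\My must not carry a private key.' }
    }
    # Rule 2: every mapping needs Name and IncomingClaimType, and IdentifierClaim must be one of them.
    foreach ($m in $ClaimsMappings) {
        if (-not $m.Name -or -not $m.IncomingClaimType) { $problems += 'Each ClaimsMappings entry needs Name and IncomingClaimType.' }
    }
    $incoming = @($ClaimsMappings | ForEach-Object { $_.IncomingClaimType })
    if ($incoming -notcontains $IdentifierClaim) {
        $problems += "IdentifierClaim '$IdentifierClaim' matches no IncomingClaimType in ClaimsMappings."
    }
    return $problems
}
# Usage with constructed values: an empty result means the parameter set is consistent.
$problems = Test-SPTrustParameters -IdentifierClaim 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' `
    -ClaimsMappings @(@{ Name = 'upn'; IncomingClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' }) `
    -SigningCertificateFilePath 'F:\Data\DSC\AdfsSigningCertificate.cer'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Parameters are consistent.' }
```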
This example deploys a trusted token issuer for the SAML protocol, using a certificate in the local certificate store.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedIdentityTokenIssuer SampleSPTrust
        {
            Name                         = "Contoso"
            Description                  = "Contoso"
            Realm                        = "urn:sharepoint:spsites"
            # Thumbprint of the public signing certificate stored in LocalMachine\My (no private key)
            SigningCertificateThumbPrint = "F0D3D9D8E38C1D55A3CEF3AAD1C18AD6A90D5628"
            SignInUrl                    = "https://adfs.contoso.local/adfs/ls/"
            ProviderSignOutUri           = "https://adfs.contoso.local/adfs/ls/"
            # Must match one of the IncomingClaimType values below
            IdentifierClaim              = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
            ClaimsMappings               = @(
                MSFT_SPClaimTypeMapping
                {
                    Name              = "upn"
                    IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
                }
                MSFT_SPClaimTypeMapping
                {
                    Name              = "group"
                    IncomingClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                }
            )
            ClaimProviderName            = "LDAPCPSE"
            Ensure                       = "Present"
            # Use the credential declared in param(); the original referenced an undefined variable
            PsDscRunAsCredential         = $SetupAccount
        }
    }
}
```
This example deploys a trusted token issuer for the SAML protocol, using a certificate in a file path.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedIdentityTokenIssuer SampleSPTrust
        {
            Name                       = "Contoso"
            Description                = "Contoso"
            Realm                      = "urn:sharepoint:spsites"
            # Path to the public key (.cer) of the signing certificate
            SigningCertificateFilePath = "F:\Data\DSC\AdfsSigningCertificate.cer"
            SignInUrl                  = "https://adfs.contoso.local/adfs/ls/"
            ProviderSignOutUri         = "https://adfs.contoso.local/adfs/ls/"
            IdentifierClaim            = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
            ClaimsMappings             = @(
                MSFT_SPClaimTypeMapping
                {
                    Name              = "upn"
                    IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
                }
                MSFT_SPClaimTypeMapping
                {
                    Name              = "group"
                    IncomingClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                }
            )
            ClaimProviderName          = "LDAPCPSE"
            Ensure                     = "Present"
            # Use the credential declared in param(); the original referenced an undefined variable
            PsDscRunAsCredential       = $SetupAccount
        }
    }
}
```
This example deploys a trusted token issuer for the OIDC protocol, using a MetadataEndPoint.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedIdentityTokenIssuer SampleSPTrust
        {
            Name                    = "Contoso"
            Description             = "Contoso"
            DefaultClientIdentifier = "11111111-1111-1111-1111-111111111111"
            # With MetadataEndPoint set, the issuer name, endpoints and signing key are discovered from the metadata
            MetadataEndPoint        = "https://adfs.contoso.local/adfs/.well-known/openid-configuration"
            IdentifierClaim         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
            ClaimsMappings          = @(
                MSFT_SPClaimTypeMapping
                {
                    Name              = "upn"
                    IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
                }
                MSFT_SPClaimTypeMapping
                {
                    Name              = "group"
                    IncomingClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                }
            )
            ClaimProviderName       = "LDAPCPSE"
            Ensure                  = "Present"
            # Use the credential declared in param(); the original referenced an undefined variable
            PsDscRunAsCredential    = $SetupAccount
        }
    }
}
```
This example deploys a trusted token issuer for the OIDC protocol, using manually specified parameters.

```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount,

        # Root folder holding the signing certificate; added so $SetupPath below is defined
        [Parameter(Mandatory = $true)]
        [String]
        $SetupPath
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedIdentityTokenIssuer SampleSPTrust
        {
            Name                       = "Contoso"
            Description                = "Contoso"
            DefaultClientIdentifier    = "11111111-1111-1111-1111-111111111111"
            RegisteredIssuerName       = "https://adfs.contoso.local/adfs"
            AuthorizationEndPointUri   = "https://adfs.contoso.local/adfs/oauth2/authorize"
            SignOutUrl                 = "https://adfs.contoso.local/adfs/oauth2/logout"
            SigningCertificateFilePath = "$SetupPath\Certificates\ADFS Signing.cer"
            IdentifierClaim            = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
            ClaimsMappings             = @(
                MSFT_SPClaimTypeMapping
                {
                    Name              = "upn"
                    IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
                }
                MSFT_SPClaimTypeMapping
                {
                    Name              = "group"
                    IncomingClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                }
            )
            ClaimProviderName          = "LDAPCPSE"
            Ensure                     = "Present"
            # Use the credential declared in param(); the original referenced an undefined variable
            PsDscRunAsCredential       = $SetupAccount
        }
    }
}
```