Products: ActiveShareFS 2007 Standard: FAQs
Questions About SharePoint 2007 Configuration
- Where can I find a list of all groups for my SharePoint 2007 web application?
- Log in to the SharePoint 2007 web application as an Administrator, then go to Site Actions » Site Settings » People and Groups » Groups.
- I have existing users pre-provisioned into our current SharePoint 2007 Web Application Server. Can these Users log in to this SharePoint server using old SharePoint credentials after Shibboleth and ASFS2007 is installed on the SharePoint 2007 server?
- Once ActiveShareFS 2007 and Shibboleth are enabled on a SharePoint 2007 Web Application, the web application can only authenticate users who have authenticated against a Shibboleth Identity Provider. Therefore, the pre-existing users will not be able to log in using their old SharePoint credentials. It is, however, possible to enable access for existing users into the SharePoint web application using the standard Windows/Active Directory authentication without going through Shibboleth and ActiveShareFS.
- How can I create a user that has Administrative privileges in a SharePoint 2007 Web Application secured by Shibboleth and ActiveShareFS 2007?
- This is done either by creating a mirror SharePoint 2007 server or by extending the current SharePoint web application. For more on this topic, please contact your representative for details.
- By default, data from user profiles is shown in the People Search results, on the My Site and in the User Information list of MOSS and WSS sites. How is this user profile information kept up to date by SharePoint?
- The user profile store in MOSS 2007 contains information about users. User profiles can be created by importing users from a user account directory, or they can be created manually. In most environments Active Directory will be used as the source for creating user profiles. In the MOSS 2007 Shared Service Provider an LDAP import query can be configured that will create user profiles for accounts that are returned from Active Directory by the LDAP query.
The user profile imports can be scheduled to run on a regular basis and they can be either incremental or full.
Once a user profile is created, additional information about the user can be added to the user profile properties by the user, by an administrator, by a Business Data Catalog data source or by an LDAP directory.
By default data from user profiles is shown in the People Search results, on the My Site and in the User Information list of MOSS and WSS sites.
Keeping the information in the user information lists up to date is a task that is handled by the Profile Synchronization and the Quick Profile Synchronization timer jobs. By default the first job runs once every hour; the second one runs every couple of minutes and is incremental. The first time user data is replicated from the user profile to the user information list of a site, a full update is needed, so the Profile Synchronization job needs to run in order to get the data replicated to the site, and this may take up to an hour. If information about a user is already stored in the user information list and the information changes in the user profile, it will be synchronized with the data in the site collection by the Quick Profile Synchronization job.
You can also kick off the profile synchronization jobs by running the stsadm sync command: stsadm -o sync
If you believe that information is not synced between the user profiles and the user information lists in one or more sites you can request a list of content databases that have not been synchronized for x number of days by using the following stsadm sync command: stsadm -o sync -listolddatabases
If one or more content databases show up in this list you can clean up the sync list so they can be added to the list again: stsadm -o sync -deleteolddatabases
You can also use the sync command to change the schedule for the synchronization job.
For more information you can refer to the following link: http://technet.microsoft.com/en-us/library/cc263196.aspx
Questions About Shibboleth and WAYF Configuration
- Do I need to pre-install and pre-configure Shibboleth SP and SharePoint 2007 servers before installing ActiveShareFS 2007?
- Yes, you are required to install and configure both the Shibboleth SP software and the SharePoint 2007 server before proceeding to install and configure the ActiveShareFS2007 product on the same server machine. Please refer to our ASFS2007 installation guide for more details.
- How do I configure the “Where Are you From” (IDP Discovery Service) with ActiveShareFS2007?
- Place the link to the “Where Are You From” application in the <Wayf> element within the <Config> element of the ASFS config file. Please review the installation guide for more details.
- Does the “Where Are You From” service have to reside on the same server as ActiveShareFS2007?
- No. The WAYF discovery service can reside anywhere on the network that is reachable both by the trusted SAML IDP (Identity Provider) servers and the Shibboleth enabled SharePoint server.
- Is it necessary to use the “Where Are You From” service if my SharePoint 2007 Shibboleth SP trusts only one specific Identity Provider?
- No. You can configure ASFS2007 to trust only one single SAML IDP server without going through a WAYF discovery service.
- What are the settings that I need to make if I want my SharePoint 2007 Shibboleth SP to trust a single specific Identity Provider?
- You can use the following URL: <hostname>/<ShibURL>?providerId=<providerId>&target=<hostname> where:
- <hostname> – Fully qualified domain name of the SharePoint site (must be preceded by https://)
- <ShibURL> – <HandlerURL><Location>
- <HandlerURL> – HandlerURL attribute of sessions element from shibboleth.xml
- <Location> – Location attribute from <SessionInitiator> element from shibboleth.xml
- What is the value of the WAYF element that I need to provide in the ASFS configuration?
- The WAYF element of the asfs.config file can take one of the following forms:
- If you are using a Discovery Service that conforms to the new protocol, use the following URL: <DISCOVERY_SERVICE_URL>?entityID=<ENTITYID>&target=<TARGET>
- If you are using a Discovery Service that conforms to the old IDP Discovery protocol, use the following URL: <DISCOVERY_SERVICE_URL>?providerId=<ENTITYID>&target=<TARGET>&shire=<SHIRE>
- If you are planning to avoid IDP Discovery and use a single IDP, use the following URL: <IDP_SSO_URL>?providerId=<ENTITYID>&target=<TARGET>&shire=<SHIRE>
Where the above terms have the following meanings:
- <DISCOVERY_SERVICE_URL> – URL of the Discovery Service (Where Are You From)
- <ENTITYID> – The entityID of your SP
- <TARGET> – URL where the control is passed on from the IDP. If you are creating a login folder called secure and your site fqdn is https://mysite.example.org, then the target parameter should be https://mysite.example.org/secure/ (Note the trailing “/”)
- <SHIRE> – Endpoint where a Shibboleth session is created (the SP's assertion consumer handler, as configured in shibboleth.xml). For our example it looks like https://mysite.example.org/secure/Shibboleth followed by the handler path.
- <IDP_SSO_URL> – SSO URL of an IDP as provided in the Location attribute of the Single Sign On Service element in the IDP’s metadata
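The URL forms above (the three WAYF element variants and the single-IdP session-initiator URL from the previous question) assembled in working code, as an added example that is not part of the FAQ or the ActiveShareFS product; every parameter is URL-encoded and the trailing "/" rule for <TARGET> is enforced. The hostnames, handler paths and entityIDs used are constructed.

```python
# Added example: builds the ASFS <Wayf> URL variants and the session-initiator
# URL described in the FAQ. All sample hostnames/entityIDs are constructed.
from urllib.parse import urlencode, urlsplit


def _check_target(target: str) -> str:
    """The FAQ requires <TARGET> to be an absolute https URL ending in '/'."""
    parts = urlsplit(target)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("target must be an absolute https:// URL")
    if not parts.path.endswith("/"):
        raise ValueError("target must end with a trailing '/'")
    return target


def new_discovery_url(discovery_url: str, sp_entity_id: str, target: str) -> str:
    """Discovery Service using the newer protocol: ?entityID=...&target=..."""
    return discovery_url + "?" + urlencode(
        {"entityID": sp_entity_id, "target": _check_target(target)})


def old_discovery_url(discovery_url: str, sp_entity_id: str, target: str, shire: str) -> str:
    """Older IdP Discovery protocol: ?providerId=...&target=...&shire=..."""
    return discovery_url + "?" + urlencode(
        {"providerId": sp_entity_id, "target": _check_target(target), "shire": shire})


def single_idp_url(idp_sso_url: str, sp_entity_id: str, target: str, shire: str) -> str:
    """No discovery step: send the user straight to one IdP's SSO endpoint."""
    return idp_sso_url + "?" + urlencode(
        {"providerId": sp_entity_id, "target": _check_target(target), "shire": shire})


def session_initiator_url(hostname: str, handler_url: str, location: str, idp_provider_id: str) -> str:
    """<hostname>/<ShibURL>?providerId=<providerId>&target=<hostname>, where
    <ShibURL> is <HandlerURL><Location> taken from shibboleth.xml."""
    if not hostname.startswith("https://"):
        raise ValueError("hostname must be preceded by https://")
    shib_url = handler_url.strip("/") + "/" + location.strip("/")
    return hostname.rstrip("/") + "/" + shib_url + "?" + urlencode(
        {"providerId": idp_provider_id, "target": hostname})
```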
Questions About ActiveShareFS 2007 Product Specifications
- Does ActiveShareFS 2007 have to be installed on the same server as the SharePoint 2007 Web Application server?
- Yes. ActiveShareFS2007 and the Shibboleth SP software need to reside on the same server as the SharePoint server. If there are multiple SharePoint servers in the server farm, then both ActiveShareFS 2007 and the Shibboleth SP software have to be installed on each of the SharePoint servers in the farm.
- What is the support for Client Integration when using ActiveShareFS 2007 with a SharePoint Web Application?
- ActiveShareFS2007 fully supports browser initiated WebDAV and Microsoft Office Client integration. Please consult your ActiveShareFS 2007 installation guide for details.
- What is the significance of each element in the ActiveShareFS 2007 configuration file?
- WAYF – Contains the location of the “Where Are You From” service.
- Default Settings – Settings applicable to all Sites. This element can contain two optional elements Roles and Attributes.
- Sites – Contains information about the sites from which users are allowed. It contains at least one Site element.
- Site – Contains information about a particular site. The entityID attribute of this site must match the entityId of the Shibboleth Identity Provider against which a user is authenticating. A Site element has two child elements Roles and Attributes.
- Roles – Contains information about the Role mappings for all Sites (if child of Default Settings element) or a specific site (if child of Site element). The Roles element contains one or more Role elements.
- Role – Contains information about the mapping of Shibboleth Attributes to SharePoint 2007 groups. It can contain one or more Group elements. The name attribute of this element is the Shibboleth Attribute. Each value in the child Group elements is mapped to this Shibboleth role. If a particular Role element is present in both the Default Settings and Site elements (the values of the name attributes are the same), the role mapping in the Site element overrides the mapping present in the Default Settings element.
- Group – Contains the name of a SharePoint 2007 group.
- Attributes – Contains information about mapping of Shibboleth user attributes to SharePoint 2007 user profile properties for all Sites (if child of Default Settings element) or a specific site (if child of Site element). It contains one or more Mossattribute elements.
- Mossattribute – Contains information about mapping of Shibboleth user attributes to SharePoint 2007 user profile properties. The value of this element signifies the Shibboleth User Attribute. The name attribute contains the SharePoint 2007 user profile property to be mapped to the Shibboleth User Attribute. The value of this element can be any one of the following:
- Primary Affiliation
If a particular Mossattribute element is present in both the Default Settings and Site elements (the values of the name attributes are the same), the mapping in the Site element overrides the mapping present in the Default Settings element.
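The element hierarchy and the override rule described above, as an added example that is not part of the FAQ or the ActiveShareFS product: a constructed asfs.config in the layout described, and a resolver that merges Default Settings with the Site whose entityID matches the authenticating IdP. The element spellings (Config, Wayf, DefaultSettings, Sites, Site, Roles, Role, Group, Attributes, Mossattribute), the group names and the entityIDs are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout the FAQ describes; element spellings and
# entityIDs are assumptions, not taken from a real asfs.config.
SAMPLE_CONFIG = """<Config>
  <Wayf>https://wayf.example.org/WAYF</Wayf>
  <DefaultSettings>
    <Roles>
      <Role name="affiliation"><Group>Visitors</Group></Role>
      <Role name="entitlement"><Group>Members</Group></Role>
    </Roles>
    <Attributes>
      <Mossattribute name="PreferredName">displayName</Mossattribute>
    </Attributes>
  </DefaultSettings>
  <Sites>
    <Site entityID="https://idp.example.org/idp/shibboleth">
      <Roles>
        <Role name="affiliation"><Group>Owners</Group><Group>Members</Group></Role>
      </Roles>
      <Attributes>
        <Mossattribute name="WorkEmail">mail</Mossattribute>
      </Attributes>
    </Site>
  </Sites>
</Config>"""

def _roles(node):
    """{Shibboleth attribute name: [SharePoint group, ...]} under node/Roles."""
    return {r.get("name"): [g.text for g in r.findall("Group")]
            for r in node.findall("Roles/Role")}

def _attrs(node):
    """{SharePoint profile property: Shibboleth attribute} under node/Attributes."""
    return {m.get("name"): m.text for m in node.findall("Attributes/Mossattribute")}

def effective_mappings(config_xml, idp_entity_id):
    """Merge DefaultSettings with the Site whose entityID matches the authenticating
    IdP; a Site entry with the same name attribute replaces the default entry."""
    root = ET.fromstring(config_xml)
    defaults = root.find("DefaultSettings")
    roles, attrs = _roles(defaults), _attrs(defaults)
    for site in root.findall("Sites/Site"):
        if site.get("entityID") == idp_entity_id:
            roles.update(_roles(site))
            attrs.update(_attrs(site))
            return roles, attrs
    # Sites lists the IdPs from which users are allowed; anything else is rejected.
    raise PermissionError("IdP not listed in Sites: " + idp_entity_id)
```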
- Does ActiveShareFS2007 support both MOSS 2007 and WSS 3.0?
- Yes, however the mapping of User Profile attributes (obtained from an Identity provider) to SharePoint user profile properties is done only in MOSS 2007.
- Does ActiveShareFS 2007 protect multiple SharePoint web applications?
- Yes, ActiveShareFS 2007 can protect multiple SharePoint Web Applications. This can be achieved with Shibboleth SP configurations along with ActiveShareFS 2007 configurations. Please note that there is only one ActiveShareFS 2007 configuration file (asfs.config) for all SharePoint Web applications.
- Can ActiveShareFS2007 protect multiple site collections within the same web application?
- Yes, ActiveShareFS 2007 can protect multiple site collections within the same web application.
- What version of the Shibboleth SP software is required for ActiveShareFS2007?
- ActiveShareFS2007 works with both Shibboleth SP v1.3+ (SAML v1.1) and Shibboleth SP v2.0+ (SAML v2.0).
- Do I need to make any changes to the attribute acceptance policy in the Shibboleth SP?
- You can configure the Shibboleth SP AAP (Attribute Acceptance Policy) policies according to your access needs. ActiveShareFS2007 works with the AAP rules defined by your Shibboleth SP AAP.xml configurations. Please refer to your Shibboleth documentation to learn how to configure Shibboleth properly based on your access needs.
- I would like my internal users to log in to the SharePoint site URL https://example.myorg.edu/ using AD authentication and the external users to log in to the same SharePoint site URL https://example.myorg.edu/ using Shibboleth authentication. Can this be implemented using ActiveShareFS 2007?
- You can implement this scenario using ActiveShareFS 2007 provided proper changes are made to the DNS, firewall, networking and SharePoint configurations. As a result of these changes, internal users will be able to access the site https://example.myorg.edu/, which should resolve to an internal IP address, whereas external users will be able to access the same site URL (https://example.myorg.edu/) provided it resolves to a different external IP address. This way internal users are directed to internal AD authentication while external users are directed to external Shibboleth authentication. Also, please note that user accounts created in SharePoint using ActiveShareFS are different from user accounts created using AD authentication. User accounts created in SharePoint using ActiveShareFS have the prefix “ShibbolethProvider”. Please contact email@example.com for additional details.
- Do you provide your own membership provider and role provider?
- ActiveShareFS ships with its own Membership Provider and Role Provider.
- Does the ActiveShareFS solution map the SAML role assertion to AD-groups or are they in some other way usable in MOSS 2007?
- The ActiveShareFS solution allows mapping of any SAML attribute to MOSS directly. SAML role attribute values that are received by ActiveShareFS from the IDP server are applied to business rules configured in ActiveShareFS. There is no AD in this solution.
- How does the ActiveShareFS solution affect the end user experience when using Microsoft Office tools?
- Our ActiveShareFS solution preserves browser initiated WebDAV and Microsoft Office Client integration. You can test drive this and other user experience on our live working ActiveShareFS enabled SharePoint demo site at https://asfs.9starresearch.com/ .
- What kind of business rules can be defined for auto-provisioning of users using ActiveShareFS? Where are the users provisioned? Is there something else that is provisioned?
- The ActiveShareFS solution enables automated MOSS user account provisioning based on a wide variety of rules built on SAML attributes. For example:
- Allow/Deny specific SAML usernames to one or more MOSS sites/groups
- Allow/Deny specific SAML user roles, entitlements or any SAML attribute
- Synchronize user attributes from remote IDP with MOSS user profiles
- Access/Provisioning Rules are based on:
- EPPN, affiliation and entitlement attributes
- Roles based on role providers
Users are provisioned in SharePoint and the SharePoint User Profile properties are synchronized with SAML attributes received by ActiveShareFS.
In addition, ActiveShareFS allows custom configuration and mapping of SAML user attributes so that any SAML attributes released by an IDP and accepted by the Shibboleth SP can be mapped to any MOSS user profile properties.
- Does ActiveShareFS allow extensions using an API?
- Currently SAML attribute header names received by the Shibboleth SP can be altered to change attribute names. This is the only custom solution that can be implemented currently.
However, our support team works with the customer's team and provides any additional custom behavior or solution. We have implemented this for a number of our customers.
- What SAML2 profiles does ActiveShareFS support?
- Our solution leverages Shibboleth SP, so all profiles supported by Shibboleth SP are supported.
- Does ActiveShareFS support Attribute Request?
- Our solution leverages Shibboleth SP, so all profiles supported by Shibboleth SP are supported.
- Does ActiveShareFS support IdP discovery?
- ActiveShareFS can be configured in a way so that the flow goes through a Discovery/WAYF Service.
- Does your solution work in tandem with web access management solutions that provide SAML2 support? For example this way: External IDP > SAML2 proxy > ActiveShareFS?
- Our solution requires that Shibboleth SP and ActiveShareFS be installed on the same machine as SharePoint server.
- Why is your solution better than competing SAML2 SPs?
- We don’t compete with any SAML2 SP; in fact we leverage them. ActiveShareFS is not a SAML SP; it uses and leverages the Shibboleth SP software.