Configuration example: Microsoft Sharepoint SE integration with OIDC Hybrid Flow and Form Post

This article explains how to integrate Microsoft Sharepoint SE with the Airlock IAM OIDC Hybrid Flow. This setup allows end-users to be authenticated by Airlock IAM and then access Sharepoint SE without having to authenticate themselves again.

The instructions were tested on Microsoft Sharepoint SE 2019 and may differ for other versions.

Overview

To use Airlock IAM as the identity provider and then access Sharepoint SE using OIDC, the following steps are required:

  • Configure a user authentication flow in IAM.
  • Configure IAM as an OIDC authorization server (AS).
  • Configure Sharepoint SE as OIDC relying party (client) in the AS.
  • Enable the OIDC hybrid flow with special settings for Sharepoint SE.
  • Configure Sharepoint SE for access with OIDC.

This article focuses on the latter two points. It assumes that an authentication flow and the OIDC authorization server are set up and that Sharepoint SE has been configured as a relying party (client).

IAM configuration: OIDC Hybrid Flow

Sharepoint SE requires the AS to support the OIDC hybrid flow in a particular way.

  1. Set up an AS supporting the OIDC Authorization Code / Hybrid Flow following Grants and flow configuration overview. Don't forget to configure Sharepoint as a relying party (client).
  2. To configure the details to work with Sharepoint SE, go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> your AS >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code / Hybrid Flow. Open the property group Hybrid Flow.
  3. Check Enable Hybrid Flow to enable the hybrid flow feature.
  4. In property Hybrid Flow ID Token, add an OpenID Connect ID Token plugin and configure it. If the claim email is included, Sharepoint will use it to select the correct user. Other claims may work as well.
  5. Go back to the OIDC Authorization Code / Hybrid Flow configuration, open the property group Advanced Settings and, within it, the Response Modes plugin.
  6. In the Hybrid Flow section, enable Allow "form_post".
  7. The Hybrid Flow in the AS is now set up to work with Sharepoint SE.
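The two settings above (hybrid flow plus the form_post response mode) determine what Sharepoint SE sends to the AS and what the AS posts back. The following Python script is an added illustration of that exchange, not Airlock IAM or Sharepoint SE code: it builds the authorization request for response_type=code id_token with response_mode=form_post, simulates the AS minting a code and an ID token carrying the email claim, and performs the relying-party checks (state, signature, issuer/audience, nonce and the c_hash that binds the code to the ID token as required by OIDC Core for the hybrid flow). The issuer, client_id, redirect URI and signing key are assumptions, and the token is HS256-signed only to keep the example dependency-free; a real AS signs ID tokens with an asymmetric algorithm such as RS256.

```python
"""Hybrid flow (response_type=code id_token) delivered with response_mode=form_post:
the request the relying party sends, the form fields the AS posts back, and the
checks the relying party must make before trusting the authorization code.

Added illustration, not Airlock IAM or Sharepoint SE code. Issuer, client_id,
redirect URI and the signing key are assumptions; tokens are HS256 here only to
keep the example dependency-free (a real AS signs ID tokens with RS256).
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://iam.example.com/auth"                               # assumption
CLIENT_ID = "sharepoint-se"                                           # assumption
REDIRECT_URI = "https://sharepoint.example.com/_trust/default.aspx"   # assumption
SIGNING_KEY = b"constructed-demo-key-not-for-production"              # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left half of the hash used by the
    token's alg (SHA-256 for HS256/RS256); it binds the code to the ID token."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def build_authorization_request(state: str, nonce: str) -> str:
    """What the relying party sends to the AS for the hybrid flow with form_post."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "scope": "openid email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def as_issue_form_post(request_url: str, email: str) -> dict:
    """Simulated AS: after authenticating the user it mints a code and an ID token
    and returns the fields of the auto-submitting HTML form posted to redirect_uri."""
    q = parse_qs(urlsplit(request_url).query)
    if q.get("response_type") != ["code id_token"] or q.get("response_mode") != ["form_post"]:
        raise ValueError("hybrid flow with form_post not requested")
    if q.get("redirect_uri") != [REDIRECT_URI]:   # exact string comparison, as the spec requires
        raise ValueError("redirect_uri not registered for this client")
    code = secrets.token_urlsafe(24)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-1001", "email": email,
              "nonce": q["nonce"][0], "c_hash": c_hash(code), "exp": 4102444800}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return {"code": code, "id_token": signing_input + "." + b64url(signature), "state": q["state"][0]}


def rp_validate_form_post(form: dict, expected_state: str, expected_nonce: str) -> dict:
    """Relying-party checks on the posted form: state, signature, iss/aud, nonce, c_hash."""
    if form.get("state") != expected_state:
        raise ValueError("state mismatch (CSRF)")
    head, body, sig = form["id_token"].split(".")
    expected_sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        raise ValueError("ID token signature invalid")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token issuer/audience mismatch")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed ID token)")
    if claims.get("c_hash") != c_hash(form["code"]):
        raise ValueError("code is not the one bound to this ID token (code injection)")
    return claims   # the email claim is what Sharepoint SE uses to select the user


def run_flow(email: str = "alice@example.com") -> dict:
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    form = as_issue_form_post(build_authorization_request(state, nonce), email)
    return rp_validate_form_post(form, state, nonce)


def swapped_code_is_rejected() -> bool:
    """An attacker replacing the code in the posted form must fail the c_hash check."""
    state, nonce = "st-1", "nonce-1"
    form = as_issue_form_post(build_authorization_request(state, nonce), "bob@example.com")
    form["code"] = "attacker-supplied-code"
    try:
        rp_validate_form_post(form, state, nonce)
    except ValueError:
        return True
    return False
```

The c_hash check is the reason the hybrid flow is safer than handing the relying party a bare code in a POST body: without it, a posted form whose code was swapped for one obtained elsewhere would still carry a valid ID token.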
Further information:

  • Sharepoint SE may return the redirect URI in multiple forms (capitalization, URL-encoding). Because the AS compares redirect URIs by exact string match, it may be necessary to whitelist each form Sharepoint SE sends in the RP/client settings (Loginapp >> OAuth 2.0/OIDC Authorization Servers >> your AS >> Static Clients >> Your Sharepoint SE Client >> Redirect URIs).
  • If the end-user logs out in Sharepoint SE, Sharepoint SE propagates the logout to Airlock IAM using the RP-initiated Logout protocol. At the time this article was written (IAM 8.2), Airlock IAM did not support RP-initiated Logout. Consider the following hints to make it work anyway:
    • In Sharepoint SE, configure the regular Airlock IAM URL as the logout target.
    • In Airlock IAM, go to Loginapp >> UI Settings >> Authentication & Authorization UIs >> On Logout.
    • Use the plugin Redirect On Logout and configure it as follows:
      • As Target, use a Parameter-based Target URI plugin.
      • In property Query Parameter URI Extractor, use a Query Parameter URI Value Extraction plugin with Parameter Name post_logout_redirect_uri. In the Allowed URI Patterns list, specify only the redirect URI of Sharepoint SE. This list is the only thing that stops the logout redirect from becoming an open redirect, so keep it to the exact URI rather than a broad pattern.
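The Redirect On Logout workaround above amounts to reading post_logout_redirect_uri from the logout request and following it only if it is on an allowlist. The following Python script is an added illustration of that check, not Airlock IAM code: it shows why the allowlist must be matched by URI component rather than by string prefix (a prefix check accepts a look-alike host such as sharepoint.example.com.evil.test or a userinfo trick such as sharepoint.example.com@evil.test), rejects a duplicated parameter, and accepts the capitalized host variants mentioned above. The Sharepoint, IAM and fallback URLs are assumptions.

```python
"""Validate post_logout_redirect_uri against an allowlist the way the
Parameter-based Target URI configuration above is meant to: follow the
parameter only when it points at the registered Sharepoint SE URI.

Added illustration, not Airlock IAM code. All URLs are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: the pattern an admin would type into Allowed URI Patterns.
ALLOWED_URI_PATTERNS = ["https://sharepoint.example.com"]
# Assumption: where IAM sends the browser when the parameter is missing or rejected.
FALLBACK_URL = "https://iam.example.com/logged-out"


def naive_prefix_allows(candidate: str, pattern: str) -> bool:
    """The tempting but unsafe check: plain string prefix."""
    return candidate.startswith(pattern)


def component_allows(candidate: str, pattern: str) -> bool:
    """Safe check: scheme and authority must match exactly (case-insensitive
    host), userinfo is refused outright, and only the path may be a prefix."""
    c, p = urlsplit(candidate), urlsplit(pattern)
    if c.scheme != "https" or c.username is not None or c.password is not None:
        return False
    if c.scheme != p.scheme or c.netloc.lower() != p.netloc.lower():
        return False
    return c.path.startswith(p.path)


def resolve_post_logout_target(logout_request_url: str) -> str:
    """Pick the redirect target for a logout request sent by the relying party.
    Missing, duplicated or unlisted post_logout_redirect_uri values fall back to
    IAM's own logged-out page instead of being followed."""
    values = parse_qs(urlsplit(logout_request_url).query).get("post_logout_redirect_uri", [])
    if len(values) != 1:          # absent, or parameter pollution with two values
        return FALLBACK_URL
    target = values[0]
    if any(component_allows(target, pattern) for pattern in ALLOWED_URI_PATTERNS):
        return target
    return FALLBACK_URL


# Constructed logout requests, as Sharepoint SE or an attacker might send them.
LEGIT_LOGOUT = ("https://iam.example.com/auth/logout"
                "?post_logout_redirect_uri=https%3A%2F%2Fsharepoint.example.com%2F_trust%2F")
EVIL_LOGOUT = ("https://iam.example.com/auth/logout"
               "?post_logout_redirect_uri=https%3A%2F%2Fsharepoint.example.com.evil.test%2F")
POLLUTED_LOGOUT = (LEGIT_LOGOUT
                   + "&post_logout_redirect_uri=https%3A%2F%2Fevil.test%2F")
```

Note the difference between this allowlist and the Redirect URIs list of the client: the latter is an exact match that therefore needs every variant registered, while a pattern list buys convenience only if the pattern is anchored on scheme and host.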