
SPTrustedSecurityTokenIssuer

Yorick Kuijs edited this page Dec 17, 2021 · 7 revisions


Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| Name | Key | String | Name of the SPTrustedSecurityTokenIssuer | |
| Description | Write | String | Description of the SPTrustedSecurityTokenIssuer | |
| RegisteredIssuerNameIdentifier | Write | String | The security principal identifier of the security token issuer | |
| RegisteredIssuerNameRealm | Write | String | The realm of the security token issuer | |
| SigningCertificateThumbprint | Write | String | Thumbprint of the signing certificate, which must be located in the certificate store LocalMachine\My | |
| SigningCertificateFilePath | Write | String | File path to the signing certificate, if it is not already stored in the local certificate store | |
| MetadataEndPoint | Write | String | URL that SharePoint will reach to download the JSON metadata file of the issuer | |
| IsTrustBroker | Write | Boolean | Specifies whether the trust is established with a self-issuer partner app | |
| Ensure | Write | String | Present if the SPTrustedSecurityTokenIssuer should be created, or Absent if it should be removed | Present, Absent |

Description

Type: Distributed
Requires CredSSP: No

This resource is used to create or remove a SPTrustedSecurityTokenIssuer in a SharePoint farm.

Either a MetadataEndPoint or a signing certificate must be specified.

The certificate is specified with SigningCertificateThumbprint, SigningCertificateFilePath, or both. When both are given, the thumbprint of the certificate in the file is compared with the specified SigningCertificateThumbprint; if the two thumbprints do not match, an exception is thrown when the resource is configured.

When SigningCertificateThumbprint is used on its own, it must be the thumbprint of a signing certificate present in the LocalMachine\My certificate store of the server. When SigningCertificateFilePath is also specified, the thumbprint must be the same as that of the certificate in the file.

SigningCertificateFilePath must point to the public certificate (.cer) of the signing certificate, not to a PFX carrying the private key. Only the public certificate belongs on the SharePoint side: the private key stays with the provider-hosted add-in, because whoever holds it can issue tokens that SharePoint accepts for any user.
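The following pre-flight check applies the certificate rules described above before a DSC run. It is an added example, not code from SharePointDsc or from this wiki; the file path and thumbprint are the same placeholders the page's examples use, and the function names are invented for this illustration.

```powershell
# Added example (not part of SharePointDsc): check the certificate inputs the
# way the resource will before running the configuration. Placeholders only.

function Get-NormalizedThumbprint {
    param([Parameter(Mandatory)][string] $Thumbprint)
    # Thumbprints pasted from the certificate MMC often carry spaces or an
    # invisible left-to-right mark; keep only the hex digits, upper-cased.
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-SigningCertificateInput {
    [CmdletBinding()]
    param(
        [string] $SigningCertificateThumbprint,
        [string] $SigningCertificateFilePath
    )

    if (-not $SigningCertificateThumbprint -and -not $SigningCertificateFilePath) {
        throw 'Specify SigningCertificateThumbprint, SigningCertificateFilePath, or both (or use MetadataEndPoint instead).'
    }

    $fileCert = $null
    if ($SigningCertificateFilePath) {
        if (-not (Test-Path -Path $SigningCertificateFilePath -PathType Leaf)) {
            throw "Signing certificate file not found: $SigningCertificateFilePath"
        }
        $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SigningCertificateFilePath
        # Only the public certificate belongs on the SharePoint side; a PFX with
        # the private key would let anyone who reads it mint tokens SharePoint trusts.
        if ($fileCert.HasPrivateKey) {
            throw "$SigningCertificateFilePath contains a private key; export the public certificate (.cer) instead."
        }
    }

    $storeCert = $null
    if ($SigningCertificateThumbprint) {
        $expected = Get-NormalizedThumbprint -Thumbprint $SigningCertificateThumbprint
        if ($expected.Length -ne 40) {
            throw "SigningCertificateThumbprint must be a 40-hex-digit SHA-1 thumbprint, got '$SigningCertificateThumbprint'."
        }
        # Same rule as the resource: when both inputs are given, the file must carry this thumbprint
        if ($fileCert -and $fileCert.Thumbprint -ne $expected) {
            throw "Thumbprint mismatch: file has $($fileCert.Thumbprint), parameter says $expected."
        }
        # Thumbprint only: the certificate has to exist in LocalMachine\My on this server
        if (-not $fileCert) {
            $storeCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
            if (-not $storeCert) {
                throw "No certificate with thumbprint $expected in LocalMachine\My; import the .cer there or pass SigningCertificateFilePath."
            }
        }
    }

    $cert = if ($fileCert) { $fileCert } else { $storeCert }
    # An expired or not-yet-valid signing certificate breaks token validation later, not at configuration time
    $now = Get-Date
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
        Write-Warning "Signing certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    return [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Source     = if ($fileCert) { 'File' } else { 'LocalMachine\My' }
    }
}

# Usage with the placeholders from the page's own examples
Test-SigningCertificateInput -SigningCertificateFilePath 'F:\Data\DSC\FakeSigning.cer' `
                             -SigningCertificateThumbprint '123ABCFACE123ABCFACE123ABCFACE123ABCFACE'
```

Run this on the SharePoint server under the same account that will run the configuration, since the LocalMachine\My lookup and the file read happen in that context.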

The properties RegisteredIssuerNameIdentifier and RegisteredIssuerNameRealm together form the RegisteredIssuerName, in the form identifier@realm. If RegisteredIssuerNameRealm is omitted, the realm of the farm is used. The resulting value must match exactly the issuer identifier the add-in places in the tokens it signs, or SharePoint will reject them.
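To see how the RegisteredIssuerName is composed and to verify that the issuer the farm actually holds matches the intended configuration, the script below builds the expected identifier@realm value and compares it with the output of Get-SPTrustedSecurityTokenIssuer. It is an added example, not part of SharePointDsc; it must run on a SharePoint server as a farm administrator, the function names are invented, and the identifier and thumbprint are the placeholders from the page's examples.

```powershell
# Added example (not part of SharePointDsc): compose the RegisteredIssuerName
# the way the resource does and check the farm's issuer against it.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell
}

function Get-ExpectedRegisteredIssuerName {
    param(
        [Parameter(Mandatory)][string] $Identifier,
        [string] $Realm
    )
    # RegisteredIssuerNameRealm omitted: the farm's own authentication realm is used
    if (-not $Realm) { $Realm = Get-SPAuthenticationRealm }
    return "$Identifier@$Realm"
}

function Test-TrustedSecurityTokenIssuer {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $RegisteredIssuerNameIdentifier,
        [string] $RegisteredIssuerNameRealm,
        [string] $SigningCertificateThumbprint,
        [string] $MetadataEndPoint
    )
    # Property names below (RegisteredIssuerName, SigningCertificate, MetadataEndPoint)
    # are those of the SPTrustedSecurityTokenIssuer object returned by the cmdlet.
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $Name }
    if (-not $issuer) {
        return [pscustomobject]@{ Name = $Name; Present = $false; Drift = @('issuer not found') }
    }

    $drift = @()
    $expectedName = Get-ExpectedRegisteredIssuerName -Identifier $RegisteredIssuerNameIdentifier -Realm $RegisteredIssuerNameRealm
    if ($issuer.RegisteredIssuerName -ne $expectedName) {
        $drift += "RegisteredIssuerName is '$($issuer.RegisteredIssuerName)', expected '$expectedName'"
    }
    if ($SigningCertificateThumbprint -and $issuer.SigningCertificate.Thumbprint -ne $SigningCertificateThumbprint) {
        $drift += "SigningCertificate thumbprint is '$($issuer.SigningCertificate.Thumbprint)', expected '$SigningCertificateThumbprint'"
    }
    if ($MetadataEndPoint -and "$($issuer.MetadataEndPoint)" -ne $MetadataEndPoint) {
        $drift += "MetadataEndPoint is '$($issuer.MetadataEndPoint)', expected '$MetadataEndPoint'"
    }
    return [pscustomobject]@{ Name = $Name; Present = $true; Drift = $drift }
}

# Usage with the identifier and thumbprint from the page's examples; an empty
# Drift list means the farm matches the intended configuration
Test-TrustedSecurityTokenIssuer -Name 'HighTrustAddins' `
    -RegisteredIssuerNameIdentifier '22222222-2222-2222-2222-222222222222' `
    -SigningCertificateThumbprint '123ABCFACE123ABCFACE123ABCFACE123ABCFACE'
```

The same comparison is what a periodic drift check would run: an issuer whose RegisteredIssuerName or signing certificate has changed without a corresponding configuration change is worth investigating, since a new trusted issuer is a new party that can mint user tokens for the farm.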

The default value of the Ensure parameter is Present; when the parameter is not specified, the token issuer is created.

Examples

Example 1

This example creates a trusted security token issuer using a signing certificate read from a file; the realm defaults to the SPAuthenticationRealm of the SharePoint farm.

Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedSecurityTokenIssuer HighTrustAddinsTrust
        {
            Name                           = "HighTrustAddins"
            Description                    = "Trust for Provider-hosted high-trust add-ins"
            RegisteredIssuerNameIdentifier = "22222222-2222-2222-2222-222222222222"
            IsTrustBroker                  = $true
            SigningCertificateFilePath     = "F:\Data\DSC\FakeSigning.cer"
            Ensure                         = "Present"
            PsDscRunAsCredential           = $SetupAccount
        }
    }
}

Example 2

This example creates a trusted security token issuer using a signing certificate looked up by its thumbprint in LocalMachine\My; the realm defaults to the SPAuthenticationRealm of the SharePoint farm.

Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedSecurityTokenIssuer HighTrustAddinsTrust
        {
            Name                           = "HighTrustAddins"
            Description                    = "Trust for Provider-hosted high-trust add-ins"
            RegisteredIssuerNameIdentifier = "22222222-2222-2222-2222-222222222222"
            IsTrustBroker                  = $true
            SigningCertificateThumbprint   = "123ABCFACE123ABCFACE123ABCFACE123ABCFACE"
            Ensure                         = "Present"
            PsDscRunAsCredential           = $SetupAccount
        }
    }
}

Example 3

This example creates a trusted security token issuer configured from the JSON metadata endpoint of an ACS tenant (replace TENANT with the tenant name).

Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $SetupAccount
    )

    Import-DscResource -ModuleName SharePointDsc

    node localhost
    {
        SPTrustedSecurityTokenIssuer HighTrustAddinsTrust
        {
            Name                 = "ACS Trust"
            Description          = "Trust with ACS tenant TENANT.onmicrosoft.com"
            MetadataEndPoint     = "https://accounts.accesscontrol.windows.net/TENANT.onmicrosoft.com/metadata/json/1"
            IsTrustBroker        = $true
            Ensure               = "Present"
            PsDscRunAsCredential = $SetupAccount
        }
    }
}