Versions Compared

Old Version 4

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Microsoft Dynamics CRM supports claims based authentication using the WS-Federation (Passive) protocol. Typically, claims are configured with ADFS as the Service Provider to handle authentication requests with the claims provider. Optionally, CRM can use a custom Security Token Service (STS) in order to enable federated authentication. The WSO2 Identity Server provides a secure token service by default. In order to support using the Identity Server with CRM, a custom metadata file needs to be generated and it should be accessible to the CRM claims configuration wizard, which will give CRM the STS passive endpoint and private key for signing of claims. Microsoft Dynamics CRM can be setup with internal claims based authentication, or further secured for external claims based authentication as an Internet Facing Deployment (IFD).

Internet Facing Deployment (IFD) means that the functionality of the application is externally exposed and is outside of your local network. This is used by enterprises to set up their deployment to allow their employees to access the application away from work. Using an Internet Facing Deployment changes the URL structure CRM uses to load organizations, and thus has an effect on the settings required in the Identity Server.

...

  1. Sign in. Enter your username and password to log on to the Management Console
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider.
  4. Expand the Inbound Authentication Configuration section followed by the WS-Federation (Passive) Configuration section.
  5. Enter an appropriate value for the Passive STS Realm as explained above.
  6. Expand the Claim Configuration section. Claims must be configured in order to log the requester into CRM as the correct user. Microsoft Dynamics CRM expects two specific claims returned from the STS. They are as follows.

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    In order to retrieve these values from WSO2, map the local claim value to the CRM value. In the Subject Claim URI, select the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim. This example assumes that the http://wso2.org/claims/logonname contains the username field and the https://wso2.claims/upn contains a DOMAIN\username or username@domain.com formatted field that matches up to a username that exists in the CRM organization that is being accessed.

  7. Click Update.

...

In order to authenticate with a security token service, CRM expects federation metadata that contains specific details about the service. It requires the certificate that the STS uses to sign the responses as well as the passive STS endpoint for the WSO2 server, in addition to the claims expected. A sample file can be found inside <IS_HOME>/repository/deployment/server/webapps/mex directory. This file needs to be hosted somewhere accessible to the CRM server. For the purposes of testing this scenario, you can add it to the wwwroot folder for easy access.

Once the metadata XML is in place, and assuming all the certificates have been placed correctly on the servers if they differ between the Identity Server and CRM, claims based authentication can be enabled from the CRM deployment wizard. The federation metadata URL should point to the file that was created above.

...