Microsoft Dynamics CRM supports claims based authentication using the WS-Federation (Passive) protocol. Typically, claims are configured with ADFS as the Service Provider to handle authentication requests with the claims provider. Optionally, CRM can use a custom Security Token Service (STS) in order to enable federated authentication. The WSO2 Identity Server provides a secure token service by default. In order to support using the Identity Server with CRM, a custom metadata file needs to be generated and it should be accessible to the CRM claims configuration wizard, which will give CRM the STS passive endpoint and private key for signing of claims. Microsoft Dynamics CRM can be setup with internal claims based authentication, or further secured for external claims based authentication as an Internet Facing Deployment (IFD).
Internet Facing Deployment (IFD) means that the functionality of the application is externally exposed and is outside of your local network. This is used by enterprises to set up their deployment to allow their employees to access the application away from work. Using an Internet Facing Deployment changes the URL structure CRM uses to load organizations, and thus has an effect on the settings required in the Identity Server.
...
- Sign in. Enter your username and password to log on to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
- Fill in the Service Provider Name and provide a brief Description of the service provider.
- Expand the Inbound Authentication Configuration section followed by the WS-Federation (Passive) Configuration section.
- Enter an appropriate value for the Passive STS Realm as explained above.
- Expand the Claim Configuration section. Claims must be configured in order to log the requester into CRM as the correct user. Microsoft Dynamics CRM expects two specific claims returned from the STS. They are as follows.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
In order to retrieve these values from WSO2, map the local claim value to the CRM value. In the Subject Claim URI, select the
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
claim. This example assumes that thehttp://wso2.org/claims/logonname
contains the username field and thehttps://wso2.claims/upn
contains aDOMAIN\username
orusername@domain.com
formatted field that matches up to a username that exists in the CRM organization that is being accessed. - Click Update.
...