Connecting SharePoint People Picker to OneLogin Claims Provider

June 14th, 2017 / product and technology

You probably know about SharePoint, a web-based service that integrates with Microsoft Office to create websites that store, organize, and share information for access from any device with a web browser. These can include internal HR forms, sales enablement guides, and many other types of information.

SharePoint was originally designed to work with on-premises Active Directory. Today, an increasing number of companies are moving their directories from Active Directory to the cloud, for a couple of reasons. First, to eliminate the hassle and complexity of maintaining on-premises Active Directory. Second, to connect to a broader range of directories including Google G Suite and SaaS HR apps like Workday.

To display a list of users to pick from, the People Picker queries the directory to which the user doing the picking is authenticated. That was easy enough for Microsoft to do when everyone used Active Directory as their user store, but as of SharePoint 2010, Microsoft enabled any trusted identity provider to authenticate users with Internet standards like SAML. And as you may have heard, we do that here at OneLogin for SharePoint!

Microsoft understood that allowing third-party identity providers would result in a People Picker with no people to pick. When this state occurs, instead of an error, the People Picker accepts whatever you type as a claim value. That’s certainly better than nothing, but not very useful. Seeing this, Microsoft opened up SharePoint with application programming interfaces (APIs) to enable organizations to create custom components for authentication and access control.

Using SharePoint APIs, we built the OneLogin SAML 1.1 SharePoint Connector and now the OneLogin Claims Provider for SharePoint People Picker. As you might guess, you use the OneLogin Claims Provider for SharePoint People Picker to find and select users from your OneLogin account with whom you’ll securely share SharePoint resources.

The OneLogin Custom Claims Provider for SharePoint People Picker is a component that you easily plug into SharePoint. The component uses a search API at OneLogin to fetch a list of people from the OneLogin account or subdomain to which the authenticated user doing the sharing belongs.

Here’s how it works:

  1. You enter a value in the Find box of the People Picker control and click the search button (magnifying glass icon)
  2. The People Picker forwards the value you entered to the OneLogin Claims Provider
  3. The OneLogin Claims Provider prepares and sends a OneLogin API user search request
  4. The OneLogin Cloud processes the search and returns the results
  5. The OneLogin Claims Provider receives the results and passes them to the People Picker for display

When you type the first three characters of a username (such as an e-mail address) into the textbox, the People Picker automatically searches for results that match the first three typed characters. You can then select from a drop-down list, which displays up to thirty suggested names.

You can configure OneLogin to sign users into Microsoft SharePoint 2010, 2013, or 2016 using the OneLogin SAML 1.1 connector, and now you can enable the People Picker Claims Provider for SharePoint 2013 and 2016 to search for OneLogin users in your account and assign claims in the People Picker.

The benefit of integrating OneLogin Cloud Directory into SharePoint People Picker is increased user productivity and enhanced user management security. Users can easily share SharePoint web pages and other resources to give other users permission to access the resources they need to do their job. And because OneLogin is the source of truth, when users leave, they are automatically removed from the SharePoint People Picker, making offboarding that much quicker and more reliable.

Need to integrate SharePoint into your cloud identity? Contact us so we can help.

About the Author

Gary Gwin is Director of Product at OneLogin, focusing on enterprise touch points with OneLogin cloud services. Gary joined OneLogin in 2015 with the acquisition of what is now OneLogin WAM. Prior to joining OneLogin, Gary spent 30 years creating software solutions and helping enterprise customers integrate them, both on premises and in the cloud.