SharePoint People Picker Integration Kit

People Picker configuration

Steps

  1. Sign on to your SharePoint Central Administration site.

  2. Go to Central Administration > Security.

  3. Click Configure People Picker (under Users):

    A screen capture of the SharePoint Security menu

  4. Select the web application that’s configured to use the Partner STS (Trusted Identity Provider) for authentication from the list at the top of the page:

    A screen capture of the SharePoint configuration menu showing how to change the Web Application

  5. Configure the Claim Settings by selecting the Partner STS and specifying the Identity Claim Type.

    Identity Claim Type examples

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

  6. Add Lightweight Directory Access Protocol (LDAP) connections by selecting Add a new connection… in the LDAP Connection list, then fill out the LDAP connection settings as described in the following table:

    A screen capture of the SharePoint configuration menu showing LDAP settings

Field / Description

Name

The name of this LDAP connection.

Server

The FQDN or IP address of the LDAP server. If using LDAPS, include the relevant port (for example, ldap.domain.com:636).

Secure Store App Id

The ID of your saved credentials in SharePoint’s Secure Store Service.

Username

The username of the LDAP account that will be used to bind to LDAP to query users or groups. If the Username field is left blank, the LDAP query will be made using the SharePoint farm account.

Password

The password for the LDAP account.

Passwords are stored in plain text with the other configuration data.

Search Root

The root (BaseDN) for the LDAP search.

Identity Attribute

The Identity Attribute refers to the LDAP attribute used to populate the Identity Claim Type (which you selected in the Claim Settings at the top of the page). The LDAP attribute configured here must match the LDAP attribute used in PingFederate to populate that WS-Fed attribute.

For example, an Identity Attribute of userPrincipalName has an Identity Claim Type of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn.

Group Identifier

Select either SID or Distinguished Name (DN) to be used as the group unique identifier.

DisplayName Attribute

LDAP attribute used to display user-friendly names in People Picker, such as displayName or givenName.

Server Time Limit (seconds)

The maximum number of seconds that the server waits for a search to complete.

Client Timeout (seconds)

The maximum number of seconds that the client waits for the server to return results.

Maximum number of objects to return

This refers to the maximum number of search results you want the People Picker to return.

You can set this to a number between 0 and 500. If you set this to 0, it uses the SharePoint default size limit of 1000 entries.

Minimum characters to start search

This refers to the minimum number of characters (letters) an end user must type into the People Picker search window before the search starts to execute.

You can set this to a number between 4 and 10. If you set this to 0, it uses the SharePoint default setting of 3 characters.

Each LDAP connection you add here will only be enabled for the specific SharePoint web application you selected. If you want to add the same LDAP connection to multiple SharePoint web applications, you need to repeat the same configuration steps (4-5-6) for each SharePoint web application.

Filter to be used for search

Provide a custom LDAP search filter to be used for the search. Leave this property blank to use the default filter:

"(&(&(|(objectCategory=person)(groupType=-2147483646))(|(displayName={0}*)(sAMAccountName={0}*)(userPrincipalName={0}*)(cn={0}*)(mail={0}*))))"
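The following is an added example, not code from the Integration Kit. It shows what a custom filter template does with the text a user types, and why that text must be escaped before it is substituted. It assumes that the {0} placeholder in the filter is replaced with the typed text (the default filter's {0}* shape suggests prefix matching), applies the RFC 4515 escaping rules for assertion values, enforces the 3-character minimum the page gives as the SharePoint default, and rejects a template that is unusable (no placeholder, or unbalanced parentheses) so that a typo in the "Filter to be used for search" field is caught before the first search is run.

```python
from typing import Optional

# Added example; not code from the People Picker Integration Kit.
# Default search filter copied from the configuration table. It is assumed here
# that "{0}" is replaced with the text the user typed into the People Picker.
DEFAULT_FILTER = (
    "(&(&(|(objectCategory=person)(groupType=-2147483646))"
    "(|(displayName={0}*)(sAMAccountName={0}*)(userPrincipalName={0}*)"
    "(cn={0}*)(mail={0}*))))"
)

# Characters that must be escaped inside an assertion value (RFC 4515, section 3).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape each special character so the typed text is matched literally."""
    # Per-character mapping: a backslash produced by one escape is never re-escaped.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(ldap_filter: str) -> bool:
    """Return True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_search_filter(typed: str, template: str = DEFAULT_FILTER,
                        min_chars: int = 3) -> Optional[str]:
    """Produce the filter the directory would receive for one People Picker search.

    Returns None when the typed text is shorter than the configured minimum
    (the page gives 3 characters as the SharePoint default). Raises ValueError
    when a custom template is unusable, so a bad filter is caught at
    configuration time rather than at the first search.
    """
    typed = typed.strip()
    if len(typed) < min_chars:
        return None
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder")
    if not is_balanced(template):
        raise ValueError("filter template has unbalanced parentheses")
    return template.replace("{0}", escape_filter_value(typed))


if __name__ == "__main__":
    # Constructed inputs: an ordinary prefix and one containing filter metacharacters.
    for text in ("ali", "a)(mail=*"):
        print(build_search_filter(text))
```

Because the default template already appends `*` after `{0}`, escaping the typed text keeps the search a prefix match: a `*`, `(` or `)` typed by the user is sent as its escaped form and cannot widen the filter or change its structure. When writing a custom filter, keep the `{0}` placeholder inside an assertion value exactly as the default does.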

Authentication Type

Specifies the authentication mechanism used when connecting to the LDAP server. This corresponds to the System.DirectoryServices.AuthenticationTypes enumeration.

Include Secure Flag

When selected, the Secure flag is applied in addition to the selected authentication type. This instructs the underlying Windows security provider to negotiate the most secure available authentication mechanism (typically Kerberos or NTLM).

Enable this option when connecting over LDAPS (port 636) or when the directory server requires authenticated binds.

If Encrypt Connection using SSL/TLS is also enabled and the connection isn’t configured for trusted (pass-through) authentication, the Secure flag is automatically stripped to avoid incompatibility between Kerberos and explicit credentials over SSL.

Encrypt Connection

When selected, the connection to the LDAP server is encrypted using SSL/TLS by applying the SecureSocketLayer authentication flag.

Use this option when the LDAP server is configured to accept SSL connections (typically on port 636). Before enabling this option, ensure that:

  • The LDAP server’s certificate is trusted by the SharePoint server.

  • The LDAP server’s port configured above matches the server’s SSL listener port.
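To make the interaction between Authentication Type, Include Secure Flag and Encrypt Connection concrete, here is an added example (not the Integration Kit's code) that models the rules stated above. The numeric values are those of the .NET System.DirectoryServices.AuthenticationTypes enumeration the field maps to; the assumptions are that the selected authentication type and the two checkboxes combine by bitwise OR, that an empty Username means pass-through (farm account) authentication, and that the stripping of the Secure flag follows the rule given for Include Secure Flag. The `parse_server` and `connection_warnings` helpers are added pre-flight checks for the Server field and the two bullets above, not settings the kit exposes.

```python
from enum import IntFlag
from typing import List, Optional, Tuple

# Added example; not code from the People Picker Integration Kit.


class AuthenticationTypes(IntFlag):
    """Subset of .NET System.DirectoryServices.AuthenticationTypes with its real values."""
    NONE = 0
    SECURE = 1
    SECURE_SOCKET_LAYER = 2
    ANONYMOUS = 16
    SIGNING = 64
    SEALING = 128
    SERVER_BIND = 512


def resolve_auth_flags(base: AuthenticationTypes, include_secure: bool,
                       encrypt_connection: bool,
                       username: Optional[str]) -> AuthenticationTypes:
    """Model how the three connection settings combine (assumed bitwise OR).

    An empty Username means the bind runs as the SharePoint farm account
    (pass-through); a non-empty one means explicit credentials.
    """
    flags = int(base)
    if include_secure:
        flags |= AuthenticationTypes.SECURE
    if encrypt_connection:
        flags |= AuthenticationTypes.SECURE_SOCKET_LAYER
    explicit_credentials = bool(username and username.strip())
    if encrypt_connection and explicit_credentials and flags & AuthenticationTypes.SECURE:
        # Documented rule: Secure is stripped when SSL/TLS is combined with explicit
        # credentials, because Kerberos negotiation and explicit credentials over
        # SSL are incompatible.
        flags &= ~int(AuthenticationTypes.SECURE)
    return AuthenticationTypes(flags)


def parse_server(server: str, encrypt_connection: bool) -> Tuple[str, int]:
    """Split the Server field into host and port (636 for SSL/TLS, else 389).

    Assumes a host name or IPv4 address; bracketed IPv6 literals are not handled.
    """
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return server, 636 if encrypt_connection else 389


def connection_warnings(server: str, include_secure: bool, encrypt_connection: bool,
                        username: Optional[str]) -> List[str]:
    """Added pre-flight checks for one LDAP connection's settings."""
    warnings = []
    _, port = parse_server(server, encrypt_connection)
    explicit_credentials = bool(username and username.strip())
    if encrypt_connection and port == 389:
        warnings.append("Encrypt Connection is on but the Server field uses the plain LDAP port 389")
    if not encrypt_connection and not include_secure and explicit_credentials:
        warnings.append("simple bind with explicit credentials over an unencrypted connection")
    effective = resolve_auth_flags(AuthenticationTypes.NONE, include_secure,
                                   encrypt_connection, username)
    if include_secure and not (effective & AuthenticationTypes.SECURE):
        warnings.append("Include Secure Flag is requested but is stripped: SSL/TLS with explicit credentials")
    return warnings


if __name__ == "__main__":
    # Constructed settings: LDAPS with a dedicated bind account.
    print(resolve_auth_flags(AuthenticationTypes.NONE, True, True, "svc-ldap"))
    print(connection_warnings("ldap.domain.com:636", True, True, "svc-ldap"))
```

The first call shows the documented outcome: with Encrypt Connection and an explicit Username, Include Secure Flag does not survive, and the effective flags are SecureSocketLayer alone. The warnings list is where a reviewer of the configuration would see that, together with a port mismatch, before users start searching.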