I am trying to get client certificate claims authentication working with SharePoint 2019 (on-premises) for users who don't have Active Directory accounts.
Internal users already authenticate to SharePoint with forms authentication mapping to an AD user and their claims flow through to SharePoint. But now there will be a lot of external users who will have client certificates (X.509), but no AD account to map to.
I have gotten the IIS setup configured so SharePoint is asking for a client certificate and tries to authenticate with the one selected, but that's where I've hit a wall.
I am thinking the solution will involve some custom .NET code that validates the client certificate by checking some of the certificate values and that the topmost root certificate in the chain matches what is expected with a thumbprint or an issuer.
Once the client certificate has been validated, I can map to a generic AD user (think HR department or Accounting department), then somehow push some claims and authentication stuff to SharePoint.
I am using a SharePoint claims viewer web part to see the current user's claims once authenticated to know where the claim came from and what value it has, so I should be able to compare a forms auth login to a client certificate login when this is done.
My questions are:
- Is this solution concept the correct approach? If not, what's a better way to think about this?
- How do I build the custom authentication code (is that a membership provider, a custom STS, a custom claims provider)? Are there SharePoint 2019 templates out there for interfaces and events SharePoint expects to invoke?
- How do I deploy the custom authentication code into SharePoint?
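As an added example (not the poster's code, and not tied to any particular SharePoint hook), this is what the certificate validation step sketched in the question could look like in .NET: build the chain with revocation checking, pin the topmost root by thumbprint, require the Client Authentication EKU, then turn the certificate into a ClaimsIdentity. The root thumbprint is a placeholder and the OU-to-department mapping is an assumption about how the external CA issues certificates; handing the resulting identity to SharePoint (STS, provider, or otherwise) is outside this snippet.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the poster's code: validate a presented client certificate
// and turn it into a ClaimsIdentity. Handing that identity to SharePoint is not shown.
public static class ClientCertValidator
{
    // Placeholder: thumbprint of the root CA expected at the top of every accepted chain.
    private const string ExpectedRootThumbprint = "<EXPECTED-ROOT-THUMBPRINT>";
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    public static ClaimsIdentity Validate(X509Certificate2 cert)
    {
        if (cert == null) throw new ArgumentNullException(nameof(cert));

        // 1. Build the chain with revocation checking; Build() also enforces validity dates.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            if (!chain.Build(cert))
            {
                var reasons = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
                throw new UnauthorizedAccessException("Chain validation failed: " + reasons);
            }

            // 2. Pin the root: the last element of a successfully built chain is the root CA.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, ExpectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new UnauthorizedAccessException("Unexpected root CA: " + root.Subject);
        }

        // 3. Require the Client Authentication EKU so other certificate types from the same CA are refused.
        bool clientAuth = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .Any(e => e.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEkuOid));
        if (!clientAuth)
            throw new UnauthorizedAccessException("Certificate lacks the Client Authentication EKU.");

        // 4. Map to claims. Assumption: the issuing CA puts the department in the OU component
        //    (simple comma split; escaped commas inside an RDN are not handled here).
        var ou = cert.Subject.Split(',').Select(p => p.Trim())
            .FirstOrDefault(p => p.StartsWith("OU=", StringComparison.OrdinalIgnoreCase));
        var identity = new ClaimsIdentity("ClientCertificate", ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Name, cert.Subject));
        identity.AddClaim(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint));
        identity.AddClaim(new Claim(ClaimTypes.Role, ou != null ? ou.Substring(3) : "ExternalUser"));
        return identity;
    }
}
```

The role claim is what you would compare against the forms-auth login in the claims viewer web part; the external CA's root must be in the server's trusted root store for Build() to succeed with NoFlag.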