Sharepoint

Provide the new connection with a Name here. You can give this connection a short description in the box below.

Enter the User and Password in the Authentication area, this is the user you want to use to access SharePoint. The user entered here is solely needed to access the service metadata in the Portal Manager.

OAuth2/OpenID Connect (from Intrexx 8 with Online Update 05)

The method OAuth2 supports servers that require an OAuth2 authorization for users. Should the service support an auto approval of the user, the login of a user can be specified here for the metadata. If this isn't possible, the metadata document must first of all be saved as a local file and stored in the Intrexx OData configuration directory of the portal (File name: <SERVICE_GUID>.edmx).



Currently, the actual configuration of the OAuth2 authorization must be performed in the XML configuration file of the OData consumer directly (File <INTREXX_HOME>/org/portal/internal/cfg/odata/<SERVICEGUID>.xml). The following properties are relevant here:

<property name="authenticationType" value="OAUTH2"/> // Value must be OAUTH2
<property name="oauth2.scope" value="<OAuth Scopes>"/>
<property name="oauth2.authenticationScheme" value="<Schema>"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="<Grant Type>"/>
<property name="oauth2.clientAuthenticationScheme" value="<Client Schema>"/>
<property name="oauth2.userAuthorizationUri value="<Endpoint for the authentication>"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="<Redirect URL>"/>
<property name="oauth2.accessTokenUri" value="<Endpoint for the request of a token>"/>

In the following, excerpts of some example configurations for commonly used OAuth2 services are listed. Many of these services cannot be used as OData services. Despite this, the OAuth2 authentication can be used for direct HTTP accesses to the service in Groovy scripts.

Spring Security OAuth2 Identity Provider

<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
	<consumer description="" guid="30378A6DEDA601F69D525C7FCAFA7E12CEC114C8" name="SpringOAuth2">
		<property name="authenticationType" value="OAUTH2"/>
		<property name="additionalAuthenticationTypes" value=""/>
		<property name="userName" value="user"/>
		<property name="password" value="E54F94C0106981A41312FC14955B164C"/>
		<property name="servicePrincipalName" value=""/>
		<property name="isSharePointService" value="false"/>
		<property name="isSapService" value="false"/>
		<property name="sapUseDefaultClientId" value="false"/>
		<property name="sapClientId" value=""/>
		<property name="sapNetweaverGatewayHost" value=""/>
		<property name="sapNetweaverGatewayPort" value=""/>
		<property name="sapNetweaverGatewayUseSSL" value="false"/>
		<property name="sapSolutionManagerRegistered" value="false"/>
		<property name="authTypeSource" value=""/>
		<property name="authLoginSource" value=""/>
		<property name="authPasswordSource" value=""/>
		<property name="authSapClientIdSource" value=""/>
		<property name="oauth2.grantType" value="authorization_code"/>
		<property name="oauth2.clientAuthenticationScheme" value="form"/>
		<property name="oauth2.accessTokenUri" value="http://localhost:9999/uaa/oauth/token"/>
		<property name="oauth2.userAuthorizationUri" value="http://localhost:9999/uaa/oauth/authorize"/>
		<property name="oauth2.scope" value="openid"/>
		<property name="oauth2.clientId" value="acme"/>
		<property name="oauth2.clientSecret" value="acmesecret"/>
		<property name="oauth2.redirectUri" value="http://localhost/devportal/oauth2"/>
		<services>
			<service guid="E2050082619BBD33EEDEA97BDCC9223B25244191" name="SpringOauth2" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="http://localhost:8888/res/" useSSL="false"/>
		</services>
		<userMappings/>
	</consumer>
</odata>

Microsoft SharePoint 365 (OAuth2 via AzureAD)

<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
	<consumer description="" guid="A07EFC374A42F1A4C2C0BEDB60E5B99B2F89F660" name="SharePoint365">
        <property name="authenticationType" value="OAUTH2"/>
        <property name="oauth2.scope" value="Site.Read Web.Read List.Write"/>
        <property name="oauth2.clientId" value="CLIENT_ID"/>
        <property name="oauth2.grantType" value="authorization_code"/>
        <property name="oauth2.clientAuthenticationScheme" value="form"/>
        <property name="oauth2.authenticationScheme" value="form"/>
        <property name="oauth2.userAuthorizationUri" value="https://company.sharepoint.com/_layouts/15/OAuthAuthorize.aspx"/>
        <property name="oauth2.clientSecret" value="CLIENT_SECRET"/>
        <property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
        <property name="oauth2.accessTokenUri" value="https://accounts.accesscontrol.windows.net/TENANT_ID/tokens/OAuth/2"/>
        <property name="sharePoint.oauth2.resource" value=".../company.sharepoint.com@TENANT_ID"/>
        <property name="sharePoint.oauth2.realm" value="TENANT_ID"/>
        <services>
			<service guid="0EA408C8493C29D52921D6E78389A2A5CD1E2539" name="SharePoint365" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://company.sharepoint.com/_vti_bin/listdata.svc/" useEtag="true" useSSL="true"/>
        </services>
        <userMappings/>
	</consumer>
</odata>

Values shown in italics need to be modified. Further information can be found here: http://spshell.blogspot.de/2015/03/sharepoint-online-o365-oauth.html

OData

Authentication Types

In the Authentication area, select the Method required by the service: None for anonymous access, Basic for basic HTTP, Intrexx for Intrexx OData Services, Kerberos for services with integrated Windows authentication, Kerberos (HTTP Basic) for services with Windows or standard authentication, or X.509 for X.509 client certificates.

Basic Authentication

If you select the Basic method, the login information will be requested. The user entered here will only be needed to access the service metadata in the Portal Manager.

Intrexx Authentication

The Intrexx method is useful for services provided with the Intrexx OData Provider. Login information will be transferred encrypted in this way. For access to metadata, enter an Intrexx user and corresponding password here as well.

Integrated Windows Authentication

The options for Kerberos and Kerberos (HTTP Basic) are available for Windows environments to use Windows Integrated Authentication for Single Sign-On. The second option for HTTP Basic enables authentication for clients that do not support the Kerberos protocol.

Please note the following basic requirements for successful authentication with Kerberos:

• The Intrexx portal must be run with integrated authentication. You can enable this in the Users module via the Configuration menu.
• The users from your Active Directory must be correspondingly created in Intrexx. You can quickly and easily import these users in the Users module by selecting the menu item Users / Users and groups Import. Please make sure that at least one user is included in the Administrators group, so that the system may continue to be managed.
• The server on which Intrexx is installed requires the group policy Delegation.
• All clients and servers must be members of the same domain.
• In Internet Explorer, the security settings for the used zone must have the user authentication setting of Automatic logon with current user name and password. Additionally, the option for Enable integrated Windows authentication must be selected in the advanced settings.

Using Kerberos authentication provides you with true Single Sign-on for access by your users to the OData service that uses the integrated Windows authentication.

If a user cannot be authenticated, the second option will automatically use the standard login method.

For successful authentication, it is necessary to specify a Service Principal Name (SPN). The SPN contains information about the service that requires a Kerberos ticket to be generated for it. This ticket is required for the Internet Information Server used by the Intrexx portal server.

The SPN is generally constructed as follows:
http/< computer-DNS-name>@<KERBEROS_REALM>

Computer-DNS-name: Fully qualified host name (such as mycomputer.mycompany.com)
KERBEROS_REALM: Generally the domain in uppercase letters (such as MYCOMPANY.COM).

The SPN would therefore look like the following using the sample data:
http/mycomputer.mycompany.com@MYCOMPANY.COM

Authentication with X.509 Certificates

When you select the X.509 method, a certificate store in PKCS12 format can be uploaded. Later, each user can upload their own certificate store using a login form.

For authentication with X.509 certification, the root certificate of the authentication authority, which is responsible for issuing the client certificates, must previously have been imported into Intrexx. The root certificate can be saved using the Portal / Portal properties / Certificates menu. Restart the portal server afterwards.

OAuth2/OpenID Connect (from Intrexx 8 with Online-Update 05)

The method OAuth2 supports servers that require an OAuth2 authorization for users. Should the service support an auto approval of the user, the login of a user can be specified here for the metadata. If this isn't possible, the metadata document must first of all be saved as a local file and stored in the Intrexx OData configuration directory of the portal (File name: <SERVICE_GUID>.edmx).



Currently, the actual configuration of the OAuth2 authorization must be performed in the XML configuration file of the OData consumer directly (File <INTREXX_HOME>/org/portal/internal/cfg/odata/<SERVICEGUID>.xml). The following properties are relevant here:

<property name="authenticationType" value="OAUTH2"/> // Value must be OAUTH2
<property name="oauth2.scope" value="<OAuth Scopes>"/>
<property name="oauth2.authenticationScheme" value="<Schema>"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="<Grant Type>"/>
<property name="oauth2.clientAuthenticationScheme" value="<Client Schema>"/>
<property name="oauth2.userAuthorizationUri value="<Endpoint for the authentication>"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="<Redirect URL>"/>
<property name="oauth2.accessTokenUri" value="<Endpoint for the request of a token>"/>

In the following, excerpts of some example configurations for commonly used OAuth2 services are listed. Many of these services cannot be used as OData services. Despite this, the OAuth2 authentication can be used for direct HTTP accesses to the service in Groovy scripts.

Spring Security OAuth2 Identity Provider

<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
	<consumer description="" guid="30378A6DEDA601F69D525C7FCAFA7E12CEC114C8" name="SpringOAuth2">
		<property name="authenticationType" value="OAUTH2"/>
		<property name="additionalAuthenticationTypes" value=""/>
		<property name="userName" value="user"/>
		<property name="password" value="E54F94C0106981A41312FC14955B164C"/>
		<property name="servicePrincipalName" value=""/>
		<property name="isSharePointService" value="false"/>
		<property name="isSapService" value="false"/>
		<property name="sapUseDefaultClientId" value="false"/>
		<property name="sapClientId" value=""/>
		<property name="sapNetweaverGatewayHost" value=""/>
		<property name="sapNetweaverGatewayPort" value=""/>
		<property name="sapNetweaverGatewayUseSSL" value="false"/>
		<property name="sapSolutionManagerRegistered" value="false"/>
		<property name="authTypeSource" value=""/>
		<property name="authLoginSource" value=""/>
		<property name="authPasswordSource" value=""/>
		<property name="authSapClientIdSource" value=""/>
		<property name="oauth2.grantType" value="authorization_code"/>
		<property name="oauth2.clientAuthenticationScheme" value="form"/>
		<property name="oauth2.accessTokenUri" value="http://localhost:9999/uaa/oauth/token"/>
		<property name="oauth2.userAuthorizationUri" value="http://localhost:9999/uaa/oauth/authorize"/>
		<property name="oauth2.scope" value="openid"/>
		<property name="oauth2.clientId" value="acme"/>
		<property name="oauth2.clientSecret" value="acmesecret"/>
		<property name="oauth2.redirectUri" value="http://localhost/devportal/oauth2"/>
		<services>
			<service guid="E2050082619BBD33EEDEA97BDCC9223B25244191" name="SpringOauth2" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="http://localhost:8888/res/" useSSL="false"/>
		</services>
		<userMappings/>
	</consumer>
</odata>

Microsoft SharePoint 365 (OAuth2 via AzureAD)

<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
	<consumer description="" guid="A07EFC374A42F1A4C2C0BEDB60E5B99B2F89F660" name="SharePoint365">
        <property name="authenticationType" value="OAUTH2"/>
        <property name="oauth2.scope" value="Site.Read Web.Read List.Write"/>
        <property name="oauth2.clientId" value="CLIENT_ID"/>
        <property name="oauth2.grantType" value="authorization_code"/>
        <property name="oauth2.clientAuthenticationScheme" value="form"/>
        <property name="oauth2.authenticationScheme" value="form"/>
        <property name="oauth2.userAuthorizationUri" value="https://company.sharepoint.com/_layouts/15/OAuthAuthorize.aspx"/>
        <property name="oauth2.clientSecret" value="CLIENT_SECRET"/>
        <property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
        <property name="oauth2.accessTokenUri" value="https://accounts.accesscontrol.windows.net/TENANT_ID/tokens/OAuth/2"/>
        <property name="sharePoint.oauth2.resource" value=".../company.sharepoint.com@TENANT_ID"/>
        <property name="sharePoint.oauth2.realm" value="TENANT_ID"/>
        <services>
			<service guid="0EA408C8493C29D52921D6E78389A2A5CD1E2539" name="SharePoint365" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://company.sharepoint.com/_vti_bin/listdata.svc/" useEtag="true" useSSL="true"/>
        </services>
        <userMappings/>
	</consumer>
</odata>

Values shown in italics need to be modified. Further information can be found here: http://spshell.blogspot.de/2015/03/sharepoint-online-o365-oauth.html

Microsoft Outlook Online (only http, no OData)

<property name="authenticationType" value="OAUTH2"/> // Value must be OAUTH2
<property name="oauth2.scope" value="https://outlook.office.com/mail.read"/>
<property name="oauth2.authenticationScheme" value="form"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="form"/>
<property name="oauth2.userAuthorizationUri value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="http://localhost/devportal/oauth2"/>
<property name="oauth2.accessTokenUri" value= "https://login.microsoftonline.com/common/oauth2/v2.0/token"/>
<services>
<service guid="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="Outlook" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://outlook.office.com/api/v2.0/me/messages" useSSL="true"/>
</services>

GoogleMail (only http, no OData)

<property name="authenticationType" value="OAUTH2"/> // Value must be OAUTH2
<property name="oauth2.scope" value="https://mail.google.com/"/>
<property name="oauth2.authenticationScheme" value="header"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="header"/>
<property name="oauth2.userAuthorizationUri value="https://accounts.google.com/o/oauth2/auth"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="http://localhost/devportal/oauth2"/>
<property name="oauth2.accessTokenUri" value= "https://accounts.google.com/o/oauth2/token"/>
<services>
<service guid="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="GMail Inbox" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://www.googleapis.com/gmail/v1/users/firstname.lastname@googlemail.com/messages/" useSSL="true"/>
</services>