Content Management

SSO for SharePoint Server (On-Premise)

by Microsoft

Add Cloud-Grade SSO to On-Premise SharePoint Without ADFS Dependency

Why SharePoint Server (On-Premise) Needs Modern SSO

Microsoft SharePoint Server on-premise remains a critical content management, intranet, and collaboration platform for organizations that cannot or choose not to migrate to SharePoint Online. While SharePoint Online benefits from Azure AD SSO natively, on-premise SharePoint is typically locked to Active Directory and ADFS for federated authentication. This creates problems for organizations using non-Microsoft IdPs (Okta, Google Workspace, Ping), organizations with multiple AD forests, and environments where ADFS infrastructure is aging or unwanted.

OnePAM solves this by sitting in front of SharePoint as an identity-aware reverse proxy. It authenticates users against any SAML 2.0 or OIDC identity provider and injects trusted Windows or claims-based authentication tokens into SharePoint. This means you can use Okta, Google Workspace, Azure AD (without ADFS), or any modern IdP for SharePoint on-premise SSO — without modifying SharePoint farm configuration.

Authentication Challenges with SharePoint Server (On-Premise)

These are the security and operational challenges organizations face when SharePoint Server (On-Premise) relies on its native authentication model.

ADFS Dependency

SharePoint on-premise SSO typically requires ADFS, which means additional infrastructure, certificates, and Windows Server licensing.

AD-Only Federation

SharePoint's built-in claims provider works best with Active Directory. Using non-Microsoft IdPs (Okta, Google) requires complex custom claims providers.

Multi-Forest Complexity

Organizations with multiple AD forests or merger/acquisition scenarios face complex trust relationships for SharePoint access.

Legacy SharePoint Versions

SharePoint 2013, 2016, and 2019 have varying levels of modern auth support, making consistent SSO across versions difficult.

Hybrid Complexity

Organizations with both SharePoint on-premise and SharePoint Online need consistent SSO across both, often with different IdP configurations.

ADFS Maintenance Burden

ADFS requires certificate renewals, WAP (Web Application Proxy) management, and ongoing security patching — a significant operational burden.

How OnePAM Adds SSO to SharePoint Server (On-Premise)

A step-by-step guide to deploying modern SSO for SharePoint Server (On-Premise) using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Install OnePAM as a reverse proxy in front of your SharePoint Web Front End (WFE) servers.

OnePAM handles TLS termination and pre-authenticates all requests before they reach SharePoint. It replaces ADFS and WAP in the authentication chain.

2. Connect Any Identity Provider

Configure your IdP — Okta, Azure AD (without ADFS), Google Workspace, Ping, or any SAML/OIDC provider.

OnePAM supports any standards-compliant IdP, freeing you from the ADFS/AD dependency. Multi-IdP federation is also supported for merger/acquisition scenarios.

3. Map Users to SharePoint Identities

Define how IdP users map to SharePoint user profiles and claims identities.

OnePAM maps IdP attributes (email, UPN, groups) to SharePoint claims (Windows identity, FBA identity, or custom claims). Group-to-SharePoint-group mapping is automatic.

4. Inject SharePoint Authentication

OnePAM injects trusted authentication tokens (Windows auth headers or claims tokens) into SharePoint requests.

After IdP authentication, OnePAM establishes a trusted SharePoint session. SharePoint treats the user as authenticated via its standard claims pipeline — sites, libraries, and permissions work normally.

5. Monitor and Secure

Apply access policies per SharePoint site collection, enforce MFA, and enable comprehensive audit logging.

Every SharePoint access is logged with full IdP context. Policies can be applied per site collection, per user group, or per content type. Session recording captures the full web session.
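Steps 3 to 5 above describe the core of the header-injection pattern: map IdP attributes to a SharePoint claims identity and SharePoint groups, forward the identity to the WFE in headers the farm trusts, and gate site collections by policy. The following is an added Python model of that pattern; it is not OnePAM's code and not SharePoint's. The header names, the HMAC secret, the IdP-group-to-SharePoint-group map, the site policy, the NetBIOS-from-UPN derivation, the FBA provider name "membership", and the sample assertion attributes are all constructed assumptions. The SharePoint claims-encoded login formats it emits (i:0#.w|DOMAIN\user for Windows claims, i:0#.f|provider|user for forms-based membership) are SharePoint's standard encodings. The point a defender should take from it is in build_upstream_headers and verify_upstream_headers: the proxy must discard any identity headers that arrive from the client, and the WFE side must accept those headers only when they carry a valid proxy signature (and, in a real deployment, only from the proxy's network path), otherwise the injection mechanism becomes an impersonation path.

```python
"""Model of an identity-aware reverse proxy mapping IdP attributes to SharePoint
claims and injecting them upstream. Added example; all names are constructed."""
import hashlib
import hmac
import re
import time
from typing import Dict, List, Optional

# ASSUMPTION: illustrative header names; a real product defines its own.
IDENTITY_HEADER = "X-Trusted-Identity"
GROUPS_HEADER = "X-Trusted-Groups"
ISSUED_HEADER = "X-Trusted-Issued-At"
SIG_HEADER = "X-Trusted-Signature"
TRUSTED_HEADERS = {h.lower() for h in (IDENTITY_HEADER, GROUPS_HEADER, ISSUED_HEADER, SIG_HEADER)}

# ASSUMPTION: secret shared between the proxy and the validator on the WFE.
PROXY_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed IdP group -> SharePoint group mapping (step 3).
GROUP_MAP = {
    "okta-finance": "Finance Members",
    "okta-hr": "HR Members",
    "okta-sp-admins": "Site Collection Administrators",
}

# Constructed per-site-collection policy (step 5): path prefix -> groups allowed in.
SITE_POLICY = {
    "/sites/finance": {"Finance Members", "Site Collection Administrators"},
    "/sites/hr": {"HR Members", "Site Collection Administrators"},
}

_UPN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def to_claims_identity(attrs: Dict[str, object], mode: str = "windows") -> str:
    """Encode IdP attributes as a SharePoint claims-encoded login name.
    'windows' -> i:0#.w|NETBIOS\\user ; 'fba' -> i:0#.f|membership|upn.
    ASSUMPTION: the NetBIOS name is taken as the first label of the UPN domain."""
    upn = str(attrs.get("upn") or attrs.get("email") or "")
    if not _UPN_RE.fullmatch(upn):
        raise ValueError("IdP assertion lacks a usable UPN/email")
    user, domain = upn.split("@", 1)
    if mode == "windows":
        return f"i:0#.w|{domain.split('.')[0].upper()}\\{user}"
    if mode == "fba":
        return f"i:0#.f|membership|{upn.lower()}"
    raise ValueError(f"unknown identity mode {mode!r}")


def map_groups(idp_groups: List[str]) -> List[str]:
    """Translate IdP groups to SharePoint groups; unmapped groups are dropped, not passed through."""
    return sorted({GROUP_MAP[g] for g in idp_groups if g in GROUP_MAP})


def _sign(identity: str, groups: List[str], issued_at: int) -> str:
    msg = f"{identity}|{';'.join(groups)}|{issued_at}".encode()
    return hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()


def build_upstream_headers(client_headers: Dict[str, str], identity: str,
                           groups: List[str], now: Optional[int] = None) -> Dict[str, str]:
    """Build the header set forwarded to the WFE (step 4).
    Client-supplied copies of the trusted headers are stripped before injection,
    so a caller cannot smuggle its own identity through the proxy."""
    now = int(time.time()) if now is None else now
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in TRUSTED_HEADERS}
    upstream[IDENTITY_HEADER] = identity
    upstream[GROUPS_HEADER] = ";".join(groups)
    upstream[ISSUED_HEADER] = str(now)
    upstream[SIG_HEADER] = _sign(identity, groups, now)
    return upstream


def verify_upstream_headers(headers: Dict[str, str], now: Optional[int] = None,
                            max_age: int = 300) -> Optional[str]:
    """WFE-side check: accept the injected identity only if the signature is
    valid over identity, groups and timestamp, and the timestamp is fresh."""
    try:
        identity = headers[IDENTITY_HEADER]
        groups = [g for g in headers[GROUPS_HEADER].split(";") if g]
        issued_at = int(headers[ISSUED_HEADER])
        sig = headers[SIG_HEADER]
    except (KeyError, ValueError):
        return None
    now = int(time.time()) if now is None else now
    if now - issued_at > max_age or now < issued_at:
        return None
    if not hmac.compare_digest(sig, _sign(identity, groups, issued_at)):
        return None
    return identity


def site_collection_allowed(path: str, groups: List[str]) -> bool:
    """Per-site-collection policy (step 5). Paths without a policy fall through
    to SharePoint's own permission model rather than being denied here."""
    for prefix, allowed in SITE_POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return bool(allowed & set(groups))
    return True


if __name__ == "__main__":
    # Constructed IdP assertion attributes for a walk-through.
    attrs = {"upn": "alice@contoso.com", "groups": ["okta-finance", "okta-unmapped"]}
    ident, groups = to_claims_identity(attrs), map_groups(attrs["groups"])
    hdrs = build_upstream_headers({"Host": "sp.contoso.com", IDENTITY_HEADER: "spoofed"}, ident, groups)
    print(ident, groups, verify_upstream_headers(hdrs), site_collection_allowed("/sites/hr", groups))
```

The timestamp and signature make a replayed or forged header set fail closed on the WFE side, and the unmapped IdP group is dropped rather than forwarded, so SharePoint never sees group names the mapping did not explicitly produce. Audit logging of the IdP context (step 5) would hang off the same point where the identity is built, before the request is forwarded.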

Benefits of SSO for SharePoint Server (On-Premise)

Measurable business outcomes from deploying OnePAM SSO in front of SharePoint Server (On-Premise).

Eliminate ADFS

Remove ADFS servers, WAP proxies, and the associated certificate management, patching, and operational overhead.

Zero ADFS infrastructure

Any IdP for SharePoint

Use Okta, Google Workspace, Ping, or any SAML/OIDC provider for SharePoint SSO — no Active Directory dependency required.

IdP freedom

Consistent Hybrid SSO

Provide the same SSO experience for SharePoint on-premise and SharePoint Online using a single IdP configuration.

Unified experience

Multi-Forest Support

Handle multiple AD forests, merger scenarios, and multi-tenant environments with a single OnePAM deployment.

Simplify M&A

Legacy Version Support

SSO for SharePoint 2013, 2016, 2019, and Subscription Edition with consistent behavior across all versions.

All SP versions supported

Reduced Attack Surface

Remove ADFS endpoints from the internet, eliminate WAP exposure, and reduce the Windows Server footprint.

Fewer attack vectors

SharePoint Server (On-Premise) SSO Capabilities

Every feature needed to provide enterprise-grade SSO for SharePoint Server (On-Premise).

SAML 2.0 & OIDC SSO for SharePoint on-premise
Windows Authentication header injection
Claims-based authentication support
Multi-IdP federation (Okta, Azure AD, Google, Ping, etc.)
Per-site-collection access policies
SharePoint group mapping from IdP groups
Support for SharePoint 2013, 2016, 2019, SE
Hybrid SharePoint Online + on-premise SSO
Session recording and audit logging
MFA enforcement for document access

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end encryption with SharePoint WFE
Claims token signing and encryption
Per-site access policies and IP restrictions
Device compliance checks before SharePoint access
DLP-aware session monitoring
Automatic session termination on IdP sign-out

SharePoint Server (On-Premise) SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for SharePoint Server (On-Premise).

1. Enterprises replacing ADFS with modern IdP for SharePoint SSO
2. Organizations using Okta or Google Workspace needing SharePoint on-premise access
3. Companies with multi-forest AD needing unified SharePoint authentication
4. Government agencies requiring PIV/CAC authentication for SharePoint
5. Hybrid environments with both SharePoint on-premise and SharePoint Online
6. M&A scenarios where acquired companies need SharePoint access via their own IdP

SharePoint Server (On-Premise) SSO FAQ

Common questions about deploying OnePAM SSO for SharePoint Server (On-Premise).

Can OnePAM completely replace ADFS for SharePoint?

Yes. OnePAM replaces ADFS and WAP for SharePoint authentication. It handles federation with any SAML/OIDC IdP and injects trusted authentication into SharePoint without requiring ADFS infrastructure.

Which SharePoint versions are supported?

OnePAM supports SharePoint 2013, 2016, 2019, and Subscription Edition. Both classic and modern experience pages are supported.

Does SharePoint see the correct user identity?

Yes. OnePAM injects the correct Windows identity or claims identity into SharePoint. All SharePoint permissions, site access, and personalization work exactly as configured — OnePAM only changes how the user authenticates.

Can we use non-Microsoft IdPs like Okta for SharePoint?

Yes — this is one of OnePAM's primary use cases for SharePoint. Okta, Google Workspace, Ping, OneLogin, and any SAML 2.0 / OIDC provider can authenticate users to SharePoint on-premise through OnePAM.

How does OnePAM handle SharePoint hybrid with SharePoint Online?

OnePAM handles on-premise SharePoint SSO while your IdP handles SharePoint Online SSO directly via Azure AD. Users get a consistent experience — same IdP, same credentials, same MFA — across both environments.

Ready to Add SSO to SharePoint Server (On-Premise)?

Deploy OnePAM in hours — not months. No SharePoint Server (On-Premise) code changes required. Start your free 14-day trial today.