SharePoint 2010 Identity Delegation Part 2: Business Connectivity Services
By: Travis Nielsen | Posted: May 24, 2010 at 1:56 PM

In my last post, I demonstrated how to enable Windows Identity Foundation (WIF) on a WCF web service and configure it to require a SAML 1.1 “ActAs” token from a SharePoint 2010 server. In this post, I’ll demonstrate how this web service and the data it provides can be integrated with SharePoint 2010 in a manner that supports this security model.

Let’s start with a scenario where we need to surface the sales data stored in a SQL database, but we want to lock down what the user sees based on their role within the company. Ordinarily, you would have to either implement row-level security in SQL (difficult) or front-end the data with dimensional security using something like Analysis Services (maybe a bit easier, but still a fair amount of work, and it requires Kerberos). These aren’t terribly attractive options. Knowing this, we created a simple WCF service and configured it to be “claims aware” using Windows Identity Foundation (WIF). Since both SharePoint and WCF support WIF, we can move forward with the integration.

The component of SharePoint 2010 that will help us here is Business Connectivity Services (BCS). BCS is one of the service applications within SharePoint that allows for integration with three types of data: .NET types, SQL data, and WCF services. And it turns out it’s a claims-aware application, in a way no different from our custom web service. Microsoft has a nice slide that expresses what this support looks like:

[Image: Microsoft slide showing how BCS supports claims-based authentication, with numbered steps]

In a nutshell, BCS ensures users are authenticated (using claims in this case) before accessing the External Content Type via a web part. It then brokers the connection to the back-end resource. Authentication to the resource could happen in various ways; perhaps using a Trusted System account, Kerberos delegation, the Secure Store, or (wait for it!) claims. Let’s take a look at setting this up.

NOTE: If you want to follow along with this post in your own lab, be sure you review and implement Part 1 of this two-part series.

I’ll start by launching SharePoint Designer (SPD) 2010. After connecting to my extranet site, I create a new External Content Type called “Adventureworks Sales Data”.

Next, I’ll add a new connection with a data source type of: WCF Service.

In the WCF Connection window, the following settings are used:

  • Service Metadata URL: http://pbdev.com/WCFService/service.svc?wsdl
  • Service Endpoint URL: https://pbdev.com/WCFService/service.svc

Next, SPD will validate the connection and add it to the list of data sources. We now have access to all the “get” and “set” methods offered by our web service. We kick off the process by adding a new External Content Type Operation: right-click GetCustomerById and select “New Read Item Operation”.

At the next window, we’ll define the “customerId” field as the identifier for the record by selecting the “Map to Identifier” checkbox.

We’ll do something similar on the next screen by highlighting CustomerId and clicking the “Map to Identifier” checkbox. We’ll also need to use the drop-down list box for “Identifier” to map it to our previous selection, which was “customerId” with a lower case “c”.

After clicking “Finish”, we need to add a new Read List operation so we can get all customers. This is done in a very similar manner as before.

The only thing we need to do in this case is to add the identifier mapping and select “customerId” as our identifier (lower-case “c”).

We can now save the External Content Type, and at this point it should look like the following:

We need to do some final configuration for our web service connection. This is done by clicking the “Adventureworks Web Service” link just to the right of “External System”. Two things need to be changed here: (1) Enable claims-based authentication and (2) Set the Impersonation Level to “Delegation”.

After saving everything, we’ll next need to add permissions to allow users to view the external content type (see step 5 in the above diagram). This is done by selecting “Manage Service Applications” in Central Admin, highlighting Business Data Connectivity Services, and clicking the Manage icon.

We will then see the external content type and can use the drop-down list box to get to “Set Permissions”.

Since this is just a demo, I’m going to select the magnifying glass in the User Picker so I get the option for “All Authenticated Users”.

And I’ll grant “All Authenticated Users” “Execute” and “Set Permissions” rights.

Now, we should be able to load our list of customers from SharePoint.

To see what’s going on under the hood, open the WCF service in Visual Studio 2010 and set a breakpoint at line 37 or 38 of Service.cs.

You will be able to inspect either variable and see the user’s claims. In this example, you can see I’m accessing the list data using a federated account (OpenID) with a special user role of “Program Blue Contributor”.

Now that I have SAML 1.1 token delegation working, I can enhance the authorization logic within the web service to only return data relevant to users holding certain roles within the organization (“Program Blue” as an example).
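The following is an added example (not the post’s own Service.cs) of what that authorization logic can look like inside the claims-aware WCF service. It assumes WIF 1.0 (the Microsoft.IdentityModel assembly) is configured as in Part 1 so that Thread.CurrentPrincipal carries the IClaimsPrincipal built from the delegated SAML token (the service behavior’s principalPermissionMode set to “Always”). The service contract name, the Customer type, the sample rows and the RoleToProgram map are all constructed for illustration; the only role name taken from the post is “Program Blue Contributor”.

```csharp
// Added example, not the post's own Service.cs: role-based filtering inside the
// claims-aware WCF service using WIF 1.0 (Microsoft.IdentityModel). Assumes the
// service is configured as in Part 1 so that Thread.CurrentPrincipal holds the
// IClaimsPrincipal built from the delegated SAML token (principalPermissionMode
// "Always" in the service behavior). Customers, program names and the
// role-to-program map are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;

[DataContract]
public class Customer
{
    [DataMember] public int CustomerId { get; set; }
    [DataMember] public string Name { get; set; }
    [DataMember] public string Program { get; set; }
}

[ServiceContract]
public interface ISalesService   // hypothetical contract name
{
    [OperationContract] List<Customer> GetCustomers();
    [OperationContract] Customer GetCustomerById(int customerId);
}

public class Service : ISalesService
{
    // Constructed rows standing in for the AdventureWorks query.
    private static readonly List<Customer> AllCustomers = new List<Customer>
    {
        new Customer { CustomerId = 1, Name = "Contoso Ltd.",      Program = "Program Blue" },
        new Customer { CustomerId = 2, Name = "Fabrikam Inc.",     Program = "Program Red"  },
        new Customer { CustomerId = 3, Name = "Northwind Traders", Program = "Program Blue" },
    };

    // Hypothetical map from role claim values issued by the STS to the program
    // each role may see; "*" means every program.
    private static readonly Dictionary<string, string> RoleToProgram =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Program Blue Contributor", "Program Blue" },
            { "Program Red Contributor",  "Program Red"  },
            { "Sales Manager",            "*"            },
        };

    public List<Customer> GetCustomers()
    {
        return Filter(AllCustomers, CurrentRoles()).ToList();
    }

    public Customer GetCustomerById(int customerId)
    {
        // Same filter as the list call, so a direct lookup by id cannot bypass it.
        return Filter(AllCustomers, CurrentRoles())
            .FirstOrDefault(c => c.CustomerId == customerId);
    }

    // Collect the caller's role claims from the delegated token.
    private static ISet<string> CurrentRoles()
    {
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null)
            throw new FaultException("No claims principal on the thread; check the WIF configuration.");

        IClaimsIdentity identity = (IClaimsIdentity)principal.Identity;

        // With ActAs delegation the end user is the outer identity and the
        // delegating party (the SharePoint farm) is identity.Actor. An absent
        // actor means the token was not delegated, so refuse to serve.
        if (identity.Actor == null)
            throw new FaultException("Token was not delegated; an ActAs token from SharePoint is required.");

        return new HashSet<string>(
            identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).Select(c => c.Value),
            StringComparer.OrdinalIgnoreCase);
    }

    // Pure filtering rule, kept apart from the claims plumbing so it can be unit tested.
    internal static IEnumerable<Customer> Filter(IEnumerable<Customer> customers, ISet<string> roles)
    {
        var allowed = new HashSet<string>(
            roles.Where(RoleToProgram.ContainsKey).Select(r => RoleToProgram[r]),
            StringComparer.OrdinalIgnoreCase);

        if (allowed.Contains("*"))
            return customers;

        // A caller with no recognised role gets nothing rather than everything.
        return customers.Where(c => allowed.Contains(c.Program));
    }
}
```

Two design points worth noting: the single-item operation runs the same filter as the list operation, so the BCS “Read Item” path cannot return a row that the “Read List” path would hide, and a missing Actor identity is treated as a failure rather than falling back to the bare caller, which keeps the service bound to the delegation model set up in Part 1.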


Hi
By: Amit | Posted: June 7, 2010 at 9:04 AM
I have a claim-based application with SQL Server as provider. I have created a web part and deployed it on the claim-based web application, and now I am able to retrieve the claim sets with the below code: IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal; IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; This is good; now I have a custom WCF service hosted in _vti_bin and available to the claim-based application as a virtual directory. So my question is: Can I access claims the same way as I am doing in the web part, as this WCF service is running under the same context? Am I missing something, or is this approach possible?
Claim
By: Pradeep | Posted: May 25, 2010 at 7:20 AM
Hi, I read your blog post. However, I could not find some info I am looking for. I want to use the SharePoint STS from an external web application hosted outside SharePoint. My questions are below: 1) How do I achieve this? 2) Is it possible to do this? My exact scenario is: 1) I have a web service, which is hosted on a SharePoint site. 2) An external web app is going to call this service with a claim. 3) So the web app should get a claim from the SharePoint STS before calling this app?
About Travis Nielsen

Travis Nielsen is an architect and founding member of PointBridge. He has over 12 years of experience in the IT industry designing and implementing solutions for the Windows Server platform throughout...