Skip to main content
Sign In   |   Help
 
Go SearchAdvanced Search
Home
Categories
Bloggers
www.pointbridge.com

View All Site Content

SharePoint 2010 Identity Delegation Part 2: Business Connectivity Services
By: Travis Nielsen | Posted: May 24, 2010 at 1:56 PM
Add Comment Add Comment | Share It Share It | Categories: Claims, Security, Windows Identity Foundation, Business Connectivity Services
4
Comments

In my last post, I demonstrated how to enable Windows Identity Foundation (WIF) on a WCF web service and configure it to require a SAML 1.1 “ActAs” token from a SharePoint 2010 server. In this post, I’ll demonstrate how this web service and the data it provides can be integrated with SharePoint 2010 in a manner that supports this security model.

Let’s start with a scenario where we need to surface the sales data stored a SQL database but we want to lock down what the user sees based on their role within the company. Ordinarily, you would have to either implement row-level security in SQL (difficult) or front-end the data using dimensional security using with something like Analysis Services (maybe a bit easier, but still a fair amount of work. Requires Kerberos). These aren’t terribly attractive options. Knowing this, we created a simple WCF service and configured it to be “claims aware” using Windows Identity Foundation (WIF). Since both SharePoint and WCF support WIF, we’d need to move forward with integration.

The component of SharePoint 2010 that will help us here is Business Connectivity Services (BCS). BCS is one of the service applications within SharePoint allows for integration with three types of data: .NET types, SQL data, and WCF services. And it turns out it’s a claims aware application…in a way no different from our custom web service. Microsoft has a nice slide that expresses what this support looks like:

image

In a nutshell, BCS ensures users are authenticated (using claims in this case) before accessing the External Content Type via a web part. It then brokers the connection to the back end resource. Authentication to the resource could happen in various ways; perhaps using a Trusted System account, Kerberos delegation, the Secure Store, or (wait for it!) claims. Let’s take a look at setting this up.

NOTE: If you want to follow along with this post in your own lab, be sure you review and implement Part 1 of this two-part series.

I’ll start by launching SharePoint Designer (SPD) 2010. After connecting to my extranet site, I create a new External Content Type called “Adventureworks Sales Data”.

image

Next, I’ll add a new connection with a data source type of: WCF Service.

image

In the WCF Connection window, the following settings are used:

  • Service Metadata URL: http://pbdev.com/WCFService/service.svc?wsdl
  • Service Endpoint URL: https://pbdev.com/WCFService/service.svc

image

Next SPD will validate the connection and add it to the list of data sources. We now have access to all the "get” and “set” methods offered by our web service. We kick off the process by adding a new External Content Type Operation by right-clicking GetCustomerById and selecting “New Read Item Operation”.

image

At the next window, we’ll define the “customerId” field as the identifier for the record by selecting the “Map to Identifier” checkbox.

image

We’ll do something similar on the next screen by highlighting CustomerId and clicking the “Map to Identifier” checkbox. We’ll also need to use the drop-down list box for “Identifier” to map it to our previous selection, which was “customerId” with a lower case “c”.

image

After clicking “Finish”, we need to add a new Read List operation so we can get all customers. This is done in a very similar manner as before.

image

The only thing we need to do in this case is to add the identifier mapping and select “customerId” as our identifier (lower-case “c” ).

image

We can now save the External Content type and at this point, it should look like the following:

image

We need to do some final configuration for our web service connection. This is done by clicking the “Adventureworks Web Service” link just to the right of “External System”. Two things need to be changed here: (1) Enable claims-based authentication and (2) Set the Impersonation Level to “Delegation”.

image

After saving everything, we’ll next need to add permissions to allow users to view the external content type (see step 5 in the above diagram). This is done by selecting “Manage Service Applications” in Central Admin, highlighting Business Data Connectivity Services, and clicking the Manage icon.

image

We will then see the external content type and can use the drop-down list box to get to “Set Permissions”

image

Since this is just a demo, I’m going to select the magnifying glass in the User Picker so I get the option for “All Authenticated Users”.

image

And I’ll grant “All Authenticated Users” “Execute” and “Set Permissions” rights.

image

Now, we should be able to load our list of customers from SharePoint.

image

To see what’s going on under the hood, open the WCF service in Visual Studio 2010 and set a breakpoint at line 37 or 38 of Service.cs.

image

You will be able to inspect either variable and see the user’s claims. In this example, you can see I’m accessing the list data using a federated account (OpenID) with a special user role of “Program Blue Contributor”.

image

Now that I have SAML 1.1 token delegation working, I can enhance the authorization logic within the web service to only return data relevant to users holding certain roles within the organization (“Program Blue” as an example).

SharePoint 2010 Identity Delegation Part 1: Claims Aware Web Services
By: Travis Nielsen | Posted: May 22, 2010 at 9:16 PM
Add Comment Add Comment | Share It Share It | Categories: Business Connectivity Services, Identity, Security, Windows Identity Foundation
4
Comments

Most of my previous posts involve configuring Claims Mode authentication in SharePoint 2010 and using federated Identity Providers (IP) to authenticate users. I also recently demonstrated how roles can be defined internally and assigned to user identities via ADFS 2.0 through token augmentation. These roles can in turn be used for access control to resources within SharePoint.

That’s all very well and good, but it’s really only half of the story. The second and equally as important part of if SharePoint 2010’s new authentication capabilities is the ability to delegate an individual users’ identity to systems outside of SharePoint.

Identity delegation is the process of passing an individual’s credentials to services and applications hosted on different computers. Typically, this is accomplished using Kerberos, an authentication protocol designed to handle this sort of thing. However, there are a couple of important issues associated with it. For starters, it’s notoriously difficult to configure and debug. And while there is a lot of documentation on the subject, most of it is incomplete, inaccurate, or just poorly written. Setup involves dependencies like SPNs, which require the involvement of the Active Directory team. And lastly, Kerberos isn’t extensible. You can’t supplement user identities with roles and arbitrary claims. And I can say from my own experience that Kerberos authentication tends to be an afterthought. Something to be avoided. Last on the list of options.

Enter Windows Identity Foundation (WIF), the platform on which SharePoint 2010 claims authentication is based. WIF, which is fully supported in SharePoint 2010, ADFS 2.0, ASP.NET, Windows Communication Foundation (WCF), and any other .NET application you care to develop, provides the infrastructure necessary to generate, transmit, and process claims-based identity in a simple and straightforward manner. It removes the roadblocks imposed by legacy authentication schemes like NTLM and Kerberos and puts control directly into the hands of developers, users, and IT security professionals. In short, it’s a framework written to help solve identity issues common in the of cloud computing and service-oriented architecture.

As a demonstration of these capabilities, I’ll show how SharePoint 2010, WCF,and WIF can be put together to solve the identity delegation problem. In this blog, we’ll start with a web service that is front-ending line-of-business information stored in a SQL database. Then, we’ll configure it to use WIF to request the calling user’s claims from SharePoint and process the token so that authorization decisions can be made. In Part 2 of this series, we’ll surface this information in SharePoint 2010 as an External Content Type using Business Connectivity Services (BCS).

The Setup: Part 1 and Part 2 of this walkthrough is implemented on a single computer running Windows 7. This computer has IIS, SQL 2008, and Visual Studio 2010 installed. In IIS, I have a dedicated web site created with the host header of “pbdev.com” and a self-signed SSL certificate is bound to it over port 443. I have the backconnectionhostnames registry entry configured to ensure there are no issues with local authentication. In addition, I have the most recent version of the Windows Identity Foundation SDK installed. This adds some functionality to Visual Studio 2010 for creating (among other things) claims-aware ASP.NET sites and web services.

The Database: You’ll need to download and install the standard AdventureWorks database, not the SQL 2008 version.

The Web Service: I’ll be working with a modified version of the web service included in the Business Connectivity Services samples section of the SharePoint 2010 SDK. This web service is actually an XML web service (.asmx), which won’t allow us to add the bindings we need for this demo. I converted it to a standard WCF web service.

You can download the completed web service it here.

After downloading and extracting the .zip file, add the web service as an application under a site in IIS. Remember, this site should be enabled for SSL.

image

Open web.config and make sure the connection string is correct for your environment.

  1. <connectionStrings>
  2.   <add name="AdventureWorksConnectionString" connectionString="Data Source=localhost;Initial Catalog=AdventureWorks;Integrated Security=True" providerName="System.Data.SqlClient" />
  3. </connectionStrings>

Next, you’ll need to update your endpoint address (line 130) and DNS value (line132) to match your environment. The following example is configured for “pbdev.com”.

Endpoint Configuration
  1. <endpoint address="https://pbdev.com/WCFService/service.svc" contract="Adventureworks.IService" binding="ws2007FederationHttpBinding" bindingConfiguration="Adventureworks.IService_ws2007FederationHttpBinding">
  2.   <identity>
  3.     <dns value="pbdev.com" />
  4.   </identity>
  5. </endpoint>

You should now be able to browse to the service: http://[your_host_header]/WCFService/service.svc and see the wsdl.

image

The web service I provide is pretty much complete and ready to go. It just requires some additional configuration. Some background information on how I got to this point and the remaining configuration steps are covered in the remainder of this post.

Add Windows Identity Foundation

I initially created this web service using the standard WCF Service template in Visual Studio. After integrating Microsoft’s Adventureworks code, I added WIF functionality using the Federation Utility (FedUtil). This utility is installed as part of the Windows Identity Foundation SDK. The process is initiated by right-clicking the site within the Solution Explorer and selecting “Add STS Reference…”

image

This will launch the federation wizard. I accepted the defaults and selected “No STS” at the end.

image

This accomplished a couple of things:

  1. Added a section name for “microsoft.identityModel” within <configSections>
  2. Registered the Microsoft.IdentittyModel assembly in the <assemblies> section
  3. Defined a behavior extension named “federatedServiceHostConfiguration”
  4. Added the behavior defined in the previous step to <serviceBehaviors>
  5. Created and populated the <microsoft.identityModel> section that was defined in step1 (above)

After completing this step, I was ready to start customizing the web service the to require tokens.

Service Configuration

I updated the endpoint address to use SSL and changed the binding from wsHttpBinding to ws2007FederationHttpBinding. I also added a bindingConfiguration setting to reference the name of the binding configuration section found later in web.config. I also changed the MEX endpoint from mexHttpBinding to mexHttpsBinding.

IMPORTANT: When you look to set up this web service in your environment, be sure to update the host header values for your endpoint addresses and DNS values to match your environment.

Services Configuration
  1. <services>
  2.   <service name="Adventureworks.Service" behaviorConfiguration="ServiceBehavior">
  3.     <!-- Service Endpoints -->
  4.     <endpoint address="https://pbdev.com/WCFService/service.svc" contract="Adventureworks.IService" binding="ws2007FederationHttpBinding" bindingConfiguration="Adventureworks.IService_ws2007FederationHttpBinding">
  5.       <identity>
  6.         <dns value="pbdev.com" />
  7.       </identity>
  8.     </endpoint>
  9.     <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
  10.   </service>
  11. </services>

Behavior Configuration

Next, I linked the custom behavior to reference the service name defined within the <microsoft.identitymodel> section found at the bottom of web.config. This is seen on Line 4 in the following code section.

Behavior Configuration
  1. <behaviors>
  2.       <serviceBehaviors>
  3.         <behavior name="ServiceBehavior">
  4.           <federatedServiceHostConfiguration name="Adventureworks.Service"/>
  5.           <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
  6.           <serviceMetadata httpGetEnabled="true" />
  7.           <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
  8.           <serviceDebug includeExceptionDetailInFaults="false" />
  9.         </behavior>
  10.       </serviceBehaviors>
  11.     </behaviors>

Add the ws2007FederationHttpBinding Section

This step involved adding a lot of new settings into web.config. Specifically the the ws2007FederationHttpBinding. This is the section that specifies the claim requirements for our web service and pretty much drives the delegated authentication process. You can drop in this entire section after the <extensions> section.

Binding Configuration
  1. <bindings>
  2.   <ws2007FederationHttpBinding>
  3.     <binding name="Adventureworks.IService_ws2007FederationHttpBinding">
  4.       <security mode="TransportWithMessageCredential">
  5.         <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="true" issuedKeyType="SymmetricKey">
  6.           <issuerMetadata address="https://fabrikam/_vti_bin/sts/spsecuritytokenservice.svc?wsdl" />
  7.           <issuer address="https://fabrikam/_vti_bin/sts/spsecuritytokenservice.svc/actas" />
  8.           <claimTypeRequirements>
  9.             <!--Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
  10.             <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true"/>
  11.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" /> -->
  12.             <!--<add claimType="http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role" isOptional="true" />-->
  13.             <!-- <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" isOptional="true" />-->
  14.             <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" isOptional="true" />-->
  15.             <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" isOptional="true" />
  16.             <!--<add claimType="http://schemas.xmlsoap.org/claims/CommonName" isOptional="true" />-->
  17.             <!--<add claimType="http://schemas.xmlsoap.org/claims/EmailAddress" isOptional="true" />-->
  18.             <!--<add claimType="http://schemas.xmlsoap.org/claims/Group" isOptional="true" />-->
  19.             <!--<add claimType="http://schemas.xmlsoap.org/claims/UPN" isOptional="true" />-->
  20.             <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" isOptional="true" />-->
  21.             <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" isOptional="true" />-->
  22.             <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" />-->
  23.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" isOptional="true" />-->
  24.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" isOptional="true" />-->
  25.             <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" isOptional="true" />-->
  26.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" isOptional="true" />-->
  27.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" isOptional="true" />-->
  28.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" isOptional="true" />-->
  29.             <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" isOptional="true" />
  30.             <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" isOptional="true" />
  31.             <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" isOptional="true" />-->
  32.             <add claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" isOptional="true" />
  33.             <add claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" isOptional="true" />
  34.             <add claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider" isOptional="true" />
  35.             <add claimType="http://sharepoint.microsoft.com/claims/2009/08/isauthenticated" isOptional="true" />
  36.             <add claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" isOptional="true" />
  37.             <add claimType="http://sharepoint.microsoft.com/claims/2009/08/tokenreference" isOptional="true" />
  38.             <add claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/SidCompressed" isOptional="true" />
  39.           </claimTypeRequirements>
  40.         </message>
  41.       </security>
  42.     </binding>
  43.   </ws2007FederationHttpBinding>
  44. </bindings>

IMPORTANT: Be sure to note the host names on lines 6 and 7, which reference the SharePoint 2010 STS. Line 7 is particularly important since it specifies the requirement for an “ActAs” token. This how the identity delegation process is initiated. Also note we are requesting a SAML 1.1 token on line 5. You will need to update these host names to match your local SharePoint implementation.

Configure the Windows Identity Foundation Section

The last thing I did was configure the <microsoft.identityModel> section at the bottom of the web.config. This involved five basic steps:

  1. Adding a custom claimsAuthorizationManager. This class can be used to determined if the user should have access to the data or not. It’s optional but I decided to put it into this example.
  2. Adding values to the <audienceUris> section. This specifies the label for acceptable incoming SAML tokens. For SharePoint 2010, we set this to: “urn:schemas-microsoft-com:sharepoint:service”
  3. Adding certificates as trusted issuers. SAML 1.1 tokens are digitally signed so we need to tell our web service what signatures are valid. This can be done by adding certificate thumbprints within <trustedIssuers> inside the <issuerNameRegistry> section.
  4. Specifying what kind of client certificate validation is necessary. For this demonstration, I’m setting it to “none”.
  5. Adding a token handler. WIF can do all the SAML 1.1 token decryption and inspection for you. That’s a Good Thing and we need to enable that.

The end result for the <microsoft.identityModel> section looks like this:

Code Snippet
  1. <microsoft.identityModel>
  2.   <service name="Adventureworks.Service">
  3.     <claimsAuthorizationManager type="Adventureworks.CustomClaimsAuthorizationManager"/>
  4.     <audienceUris>
  5.       <add value = "urn:schemas-microsoft-com:sharepoint:service"/>
  6.     </audienceUris>
  7.     <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
  8.       <trustedIssuers>
  9.         <add thumbprint="e9e4f8121e2503d2e0ea7b32b91af3ef92767e6e" name="SharePoint Security Token Service Encryption" />
  10.         <add thumbprint="b05832ec28fb137b33cfbfeee8793c41b1a93dc8" name="SharePoint Security Token Service"/>
  11.         <add thumbprint="b8156c6f1503e277cbd531795962292c1e7a4010" name="fabrikam"/>
  12.       </trustedIssuers>
  13.     </issuerNameRegistry>
  14.     <certificateValidation certificateValidationMode="None" />
  15.     <securityTokenHandlers>
  16.       <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  17.       <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  18.     </securityTokenHandlers>
  19.   </service>
  20. </microsoft.identityModel>

IMPORTANT: You will need to get actual certificate thumbprints from your SharePoint 2010 installation. One of the ways to get this information is to use the Certificates snap-in on the machine running SharePoint. Be sure to use these values within <trustedIssuers> and *not* the ones from this post.

image 

Now when you look at the WSDL, you should see a policy that requires an ActAs token from SharePoint 2010 to connect to the web service.

image

This may have seemed like a lot of work, but once you go through it once or twice I hope you’ll find it’s not too bad. At this point, we’re ready to integrate this web service (and the data behind it) to SharePoint 2010.

One Last Step…. Configure SharePoint 2010 to Trust Your SSL Certificate

Recall that I mentioned the WCF service is installed in a web site that has a self-signed SSL certificate bound to it. This is necessary because we’re going to need to secure the communication between SharePoint and the web service. One of the nuances of SharePoint 2010 is that it’s built-in Security Token Service (STS) does *not* use the operating system’s certificate trust repository to define what certificate root authorities are to be trusted. Therefore, we’ll need to manually add our certificate to SharePoint’s trusted root authority list via PowerShell. Here is the command to do that.

$cert = Get-PfxCertificate "C:\SSL_CERT_FILENAME.cer"
New-SPTrustedRootAuthority "Adventureworks WCF SSL Cert" -Certificate $cert

Now we should have a properly configured web service that is ready to accept SAML 1.1 tokens that represent end-users who are attempting to consume it’s services. We can now move on to configure an example of this using Business Connectivity Services in part 2 of this series.

Using ADFS 2.0 for Role Management in SharePoint 2010
By: Travis Nielsen | Posted: March 27, 2010 at 10:32 AM
Add Comment Add Comment | Share It Share It
1
Comment

I noticed that almost all of my most recent blog posts on the new claims features of SharePoint 2010 involve using ADFS 2.0 in some way. However, I don’t want to leave folks with the impression that this is a requirement. In fact, when SharePoint 2010 reaches RTM, you’ll be able to happily federate SharePoint 2010 directly to OpenID, Windows Live, or any other identity provider out there without needing to go through ADFS 2.0 at all. However, there some interesting capabilities that ADFS 2.0 provides that might lead one to consider it.

One of those features is the ability to enhance an authenticated user’s claims with additional data residing in an attribute store. ADFS 2.0 supports three kinds of attribute stores: Active Directory, LDAP, and SQL. ADFS 2.0’s custom rules engine allows you to connect to these stores, match records up on the claims you have so far, and add new ones to the token. This capability is particularly suited for managing the entitlements a user should have in the target system (SharePoint 2010 in our case). This turns out to be fairly easy to do.

To start out, I created a simple database in SQL to store my user entitlements. Hopefully, this diagram is pretty self-explanatory:

image

Next, I added a record that represents my test OpenID account (by email address), added some roles, and assigned my account to those roles. The result looks like this:

image

So you can see my test account holds both the “Product A Admin” and “Product B Viewer” roles. Next, I switched over to ADFS 2.0 and created a new Attribute Store by right-clicking the “Attribute Stores” container. You can see that only the attribute store type and connection string is necessary at this point.

image

Now comes the fun part. We right-click “Relying Party Trusts” and add the following custom rule, which is mostly based on our SQL query:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(store = "SP2010 Entitlements", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT dbo.Roles.Name FROM Users INNER JOIN RoleAssignment ON Users.UserID = RoleAssignment.UserID INNER JOIN Roles ON Roles.RoleID = RoleAssignment.RoleID WHERE Users.EmailAddress = {0}", param = c.Value);

The nice thing here is the rule uses the current email address claim to filter the SQL query. For each row returned by the query, it’s value is packaged in it’s own Role claim. The end result in SharePoint 2010 looks like this:

image

These Role claims can then be used to manage entitlements within SharePoint (via the User Picker).

image

So as you can see, we now have a straightforward way to assign and manage user entitlements in SharePoint 2010 without having to touch Active Directory groups. This has great benefits to pubic-facing SharePoint 2010 sites that want to provide premium content for, say, subscribers.

I’d also like to point out that this very thing can be done without ADFS 2.0. So see what that’s about, take a look at the excellent article: “Writing a Custom Claims Provider for SharePoint 2010 Part 1” by “Steve” (Share-n-dipity).

Adding an OpenID Claims Provider for AD FS 2.0 to Extend Access to SharePoint 2010
By: Travis Nielsen | Posted: January 2, 2010 at 7:29 PM
Add Comment Add Comment | Share It Share It | Categories: Windows Identity Foundation, Claims, ADFS, Identity, OpenID
34
Comments

In my previous post, I demonstrated how to enable a SharePoint 2010 web application for claims authentication. As a result, it could be seen that all relevant windows account information (account SID, logon name, group membership) is automatically consumed from Active Directory by the SharePoint Security Token Service (STS) and transformed into claims, which as the basis for the SPUser object. Except for a handy web part, no extra configuration required. It’s all “out of the box”.

I then went on to show how to extend this model by federating SharePoint with ADFS 2 .0. That demonstration, based on this article from the TechNet library, put SharePoint 2010’s built-in Security Token Service in the role of a Relying Party (RP-STS) and the WS-Federation passive endpoint of ADFS 2.0 server in the role of an Identity Provider (IP-STS). After completing this exercise, you may have asked yourself what the point of doing all this might be. It’s the intention of this article to hopefully answer that question and show why using ADFS 2.0 in this way can be a very powerful option for all SharePoint 2010-based extranets and public-facing Internet sites.

ADFS 2.0, formerly known as “Geneva Server”, can act as a centralized hub for managing user identity and trust relationships between applications, web services and, by extension, organizations. User identity is typically expressed as claims, which are documented in SAML, a type of specially formatted, digitally signed XML. As long as applications can “speak” one of the web standards defined by  (WS-Trust or WS-Federation), they can consume from or provide identity to ADFS 2.0. This is implemented in ADFS 2.0 via two kinds of trust relationships: Claims Provider Trusts and Relying Party Trusts. My previous post involved configuring a Relying Party Trust for a claims-enabled web application in SharePoint 2010 with claims being provided by ADFS 2.0 after users authenticate via Windows Integrated authentication. A Claims Provider Trust allows for that authentication process to be extended to other internal or external identity providers.

Before I go much further, I want to state much of this is based on Matias Woloski’s excellent article posted back in July of last year. It discusses the concept of a “Transition STS” that converts OpenID claims into SAML claims and raises the possibility of plugging it into ADFS 2.0 as a Claims (identity) Provider. It’s a powerful example because it clearly shows how well this technology integrates. I essentially implemented what he proposed using the current ADFS 2.0 Release Candidate and the current, public beta of SharePoint 2010. From an architecture perspective, the design pattern is as follows:

WS-Fed model

This diagram is an elaboration based on Matias Woloski’s and includes ADFS 2.0 as the central “hub” for various WS-Federation relationships. A couple of observations come to mind with this:

  1. You can see how the entire authentication and identity discovery process is highly modularized (or “pluggable”) with centralized control being provided by ADFS 2.0. You can pretty much add any application on your network into this model by creating a WS-Federation compliant STS for it. This is relatively easily accomplished if you’re familiar with the concepts introduced in the Identity Developer Training Kit. And Microsoft provides tools and templates for Visual Studio as part of the Windows Identity Foundation SDK that do a lot of the work for you. If you haven’t already, I highly recommend you check it out.
  2. Since we’re dealing with web services and standard protocols here, it doesn’t really matter if an IP-STS is internal or hosted in “the cloud”. As an example, full, “out of the box” support for using Windows Live credentials will be included in the RTM version of ADFS 2.0. Integration with the Microsoft Federation Gateway and the Windows Azure Access Control Service will likely be common scenarios as well. Essentially, where authentication happens and how user information flows back to your applications is entirely up to you.
  3. Identity in SharePoint 2010 is based on the Windows Identity Foundation (WIF). I’m sure you noticed “Geneva" framework” as a pre-requisite for installing the beta SharePoint Foundation. WIF fully supports all the protocols we’ve mentioned so far. In fact, in a claims-mode Web Application the SPUser object is hydrated from claims embedded in IClaimsPrincipal. There is no difference with how claims are received and processed in SharePoint 2010 as with any “Geneva-enabled” ASP.NET page. This is no surprise given SharePoint’s relationship with ASP.NET, but it’s worth at least pointing out. There is no SharePoint object model “trickeration” going on here.

So your SharePoint 2010 environment can essentially outsource the authentication process to one or more (internal or external) identity providers (Google, Windows Live, a trusted Active Directory instance, OAuth, etc…) and consume whatever identity information is provided / required. This has many important ramifications for the end-user experience, how personal information is (or is not) disclosed, and how SharePoint 2010 can be used as a social / content platform. For example, if you’re hosting content that requires a user to subscribe to your service using a named account, you can create a trust relationship with a series of well known external identity providers instead and just direct the user to authenticate to them using their existing user IDs and passwords. You are off the hook for managing accounts (creation, password resets / expiration) and you have arguably less exposure to the disclosure of personally-identifiable information since you aren’t storing anything. Users also win because they get out of having to create and remember yet another user ID and password and I would argue this can lead to an increase in adoption and / or re-use of the content.

Let’s take a look at a concrete example. We’re going to set things up so we can “log in” to a claims-mode SharePoint 2010 web application using an OpenID account. NOTE: It is assumed you have successfully configured a claims-mode SharePoint web app to federate with ADFS 2.0. This is a prerequisite and if you have not done this already, please see my previous blog on the subject. I’ll break this process down into two main steps: Configure the WS-Fed Protocol Transition STS and Configure a Claims Provider Trust for ADFS 2.0.

Configure the WS-Fed Protocol Transition STS

You’ll need to have the following prerequisites done before starting the configuration:

  • Download the code example provided by Martin Woloski. Unzip the contents to a convenient location. You should have a single folder called WSFedWebsiteAndOpenIDSTS with two folders inside of it. We will need source code provided within these two sub-folders.
  • Enroll for an OpenID account through myopenid.com. You will need this in order to sign into ADFS 2.0 and, by extension, a claims-mode SharePoint 2010 web application.
  • Download and install the Windows Identity Foundation SDK. This SDK includes tools (FedUtil) and templates for Visual Studio. As far as I can tell, these tools and templates work fine in Visual Studio 2010.

Start by creating a new ASP.NET web site in Visual Studio (File > New Web Site). In my example, I’m setting the web location to http://pbdev.com/OpenIdTestSite. You can do the same to “localhost” if you wish.

  1. Right-click the site properties and select “Add STS Reference…”. This starts the Federation Utility Wizard (FedUtil). Accept the defaults and click “Next” at the first screen. You may see a warning stating the application is not hosted using HTTS. This is OK to ignore for now.
  2. On the next screen, click the radio button for “Create a new STS project in the current location” and click Next.  Finish the wizard. You will now see a second site appear in the Solution. This is the new STS and it is represented with an “_STS” suffix.
  3. Copy the contents of default.aspx.cs from the code example WSFedWebsite directory to the corresponding default.aspx.cs file in your test web site.
  4. Copy the contents of the Bin folder under the code example OpenIdWSFedSTS folder to the corresponding location of your new _STS site. This should create a new Bin directory in Visual Studio.
  5. Copy the contents of Login.aspx from the code example OpenIdWSFedSTS directory into the corresponding Login.aspx folder in your _STS site.
  6. Copy the contents of Login.aspx.cs from the code example OpenIdWSFedSTS directory into the corresponding Login.aspx.cs folder in your _STS site.
  7. Validate there are no compile errors for Login.aspx.cs in your _STS site.

This completes the setup process. Go ahead and launch http://<<yoursite.com>>/OpenIdTestSite. You should be immediately redirected to the STS login page, which hosts the OpenID control.

image

You will be redirected to authenticate to your myOpenID account.

image

Follow the on-screen instructions and you will be redirected to your test site with your claims displayed.

image 

If you’ve gotten this far, you now have the fundamentals working with a basic ASP.NET example. Now it’s time to plug this into ADFS 2.0 so this can be used for SharePoint 2010 access!

NOTE: All claims tokens are digitally signed by the issuing STS using an X.509 certificate. Before we move on with configuring ADFS, we should identify this certificate and export it as a .CER file. You should be able to find the name of this certificate in the key “SigningCertificateName” in the web.config of your custom STS. Once you have the name, export it as a DER encoded binary (.CER) using the “Certificates” MMC snap in. Make sure you specify “computer account” when starting the snap-in.

Configure a Claims Provider Trust for ADFS 2.0

Next we need to set up our custom STS as a claims provider. This is done by launching the AD FS 2.0 Management Console, expanding the “Trust Relationships” node, right clicking “Claims Provider Trusts”, and selecting “Add Claims Provider Trust…”.  This launches a handy wizard.

  1. Click “Start” at the welcome screen.
  2. At Select Data Source, select the radio button for “Enter claims provider trust data manually”
  3. At Specify Display Name, enter a value and click Next.
  4. At Choose Profile, select AD FS 2.0 profile and click Next
  5. At Configure URL, select “Enable support for the WS-Federation Passive protocol”. For the URL, enter the URL of your STS: http://<<yoursite.com>>/OpenIdTestSite_STS.  Note that SSL is a requirement here. If the site under which your STS is located is not enabled for SSL, go ahead and enable it in IIS. When done, click Next.
  6. At Configure Identifier, leave the default value, which is the URL provided in the previous step. Click Next
  7. At Configure Certificates, browse to the location of the .CER file you created at the end of the previous section. Click Next.

The next step is to create claim rules for our new claims provider. This is necessary to pass on information from ADFS 2.0 to the SharePoint 2010 STS. This is done by right-clicking the new provider from the AD FS 2.0 Management console and selecting “Edit Claim Rules”. Follow these steps:

  1. Click the “Add Rule” button
  2. At the Choose Rule Type section, select “Pass Through or Filter an Incoming Claim” and click Next
  3. At the Configure Claim Rule section, enter “Passthrough: Role” for the Claim rule name. For Incoming claim type, enter Role. Ensure the radio button for “Pass through all claim values” is selected.
  4. Repeat this process for Name and Authentication claims
  5. Click the “Add Rule” button
  6. At the Choose Rule Type section, select “Transform an Incoming Claim” and click Next
  7. At the Configure Claim Rule section, enter “Transform: Build Email Address” for the Claim rule name. For Incoming claim type, enter Name. For Outgoing claim type, enter E-Mail Address. Ensure the radio button for “Pass through all claim values” is selected.

Your claims rule configuration should now look like the following:

image

Add ReplyToAddress Logic to the Custom STS

Before we test this out, we need to make one more change to our custom STS. ADFS 2.0 does not provide a ReplyToAddress to our custom STS. There are some good reasons for this, but that’s probably a topic for a separate posting. Anyhow, the STS developer is responsible for mapping the identifier of the calling STS to it’s actual WS-Federation passive endpoint URL. You can find out what your identifier is by highlighting the “Service” node in the AD FS 2.0 Management console and clicking “Edit Federation Service Properties”. You can see from the following screenshot that the identifier in my case is “http://pbdev.com/adfs/services/trust”.

image

So I need to provide a mapping in my custom STS between this identifier and actual URL, which is “https://pbdev.com/adfs/ls/”. This is done in the GetScope method within CustomSecurtyTokenService.cs. See lines 30 – 37.

CustomSecurityTokenService.cs
  1. protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
  2. {
  3.     ValidateAppliesTo( request.AppliesTo );
  4.  
  5.     //
  6.     // Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
  7.     // and is located in the Personal certificate store of the Local Computer. Before going into production,
  8.     // ensure that you change this certificate to a valid CA-issued certificate as appropriate.
  9.     //
  10.     Scope scope = new Scope( request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials );
  11.  
  12.     string encryptingCertificateName = WebConfigurationManager.AppSettings[ "EncryptingCertificateName" ];
  13.     if ( !string.IsNullOrEmpty( encryptingCertificateName ) )
  14.     {
  15.         // Important note on setting the encrypting credentials.
  16.         // In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
  17.         // You can examine the 'request' to obtain information to determine the certificate to use.
  18.         scope.EncryptingCredentials = new X509EncryptingCredentials( CertificateUtil.GetCertificate( StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName ) );
  19.     }
  20.     else
  21.     {
  22.         // If there is no encryption certificate specified, the STS will not perform encryption.
  23.         // This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.  
  24.         scope.TokenEncryptionRequired = false;            
  25.     }
  26.  
  27.     // Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
  28.     // In this template, we have chosen to set this to the AppliesToAddress.
  29.     
  30.     if (scope.AppliesToAddress == "http://pbdev.com/adfs/services/trust")
  31.     {
  32.         scope.ReplyToAddress = "https://pbdev.com/adfs/ls/";
  33.     }
  34.     else
  35.     {
  36.         scope.ReplyToAddress = scope.AppliesToAddress;
  37.     }   
  38.     
  39.     return scope;
  40. }

 

Once this is done, you should be able to browse to your claims-enabled SharePoint 2010 Web Application and get redirected to the ADFS 2.0 sign-in page. Since we now have two claims providers (Active Directory and OpenIdTest), we need to choose an authentication method using the drop-down listbox.

image

The OpenID sign-in process is exactly the same as shown earlier. After authenticating into MyOpenID, you should be re-directed to SharePoint with Viewer permissions.

image

The following table provides a closer look at the resulting claims in SharePoint 2010.

 

ClaimType

Issuer

OriginalIssuer

Value

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

SharePoint

SharePoint

http://travis-nielsen.myopenid.com/

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

SharePoint

TrustedProvider:
ADFS20Server

http://travis-nielsen.myopenid.com/

http://schemas.microsoft.com/sharepoint/2009/08/claims/userid

SharePoint

SecurityTokenService

05.t|adfs20server|http%3a//travis-nielsen.myopenid.com/

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

SharePoint

SecurityTokenService

05.t|adfs20server|http%3a//travis-nielsen.myopenid.com/

http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider

SharePoint

SecurityTokenService

trusted

http://sharepoint.microsoft.com/claims/2009/08/isauthenticated

SharePoint

SecurityTokenService

True

http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid

SharePoint

ClaimProvider:System

f134afaa-ca68-4bfb-8357-860f41975b44

Note that we could (1) add more output claims to our custom STS (where possible) by modifying the GetOutputClaimsIdentity method within the CustomSecurityTokenService class, (2) create additional claim rules for our OpenID claims provider in ADFS 2.0 to feed those claims to SharePoint 2010, and (3) add additional inbound claim mappings on SharePoint (we just have one here for ‘emailaddress’) to accept those claims and further enhance the user property information. And, indeed, how claims are used and processed within SharePoint 2010 is a whole new topic in itself!

Hopefully, you can see this approach can be adapted to a wide variety of identity providers like OAuth (Twitter, LinkedIn, Google, NetFlix, etc…) and Shibboleth. You only need “plug in” a single Transition STS for each provider to an instance of ADFS 2.0. Your internal (or Azure-hosed) applications and services only need to use Windows Identity Foundation (WS-Federation) to consume user identity from these providers (through ADFS 2.0) without any coding. Furthermore, we have already shown that the entire identity model for SharePoint 2010 was written based on this framework, so it works very well with this technology at a significantly lower level of effort than before. Additionally, you should now have a sense of how ADFS 2.0 can be an extremely valuable tool to centrally manage trust relationships and handle the flow of claims across an entire spectrum of identity consumers and providers. I hope you’ll agree this is a major step forward for the SharePoint platform.

How To Add ADFS 2.0 as a Federated Identity Provider in SharePoint 2010
By: Travis Nielsen | Posted: December 29, 2009 at 11:30 PM
Add Comment Add Comment | Share It Share It | Categories: Windows Identity Foundation, Claims, ADFS, Identity
16
Comments

One of the most intriguing of the many new features that SharePoint 2010 brings to the table is a completely new mechanism handle user identity.  This mechanism is based on the Windows Identity Foundation (formerly known as “Geneva”) and it opens the door to many new possibilities for securely and seamlessly integrating SharePoint with partner organizations, Internet social networking applications (think Twitter and Facebook), 3rd party identity providers (Yahoo!, Windows Live, Google), other SharePoint farms, and line-of-business applications somewhere on the corporate network.  Many of these benefits are explained in Venky Veeraraghavan’s presentation on SharePoint and identity at PDC 2009.  If you haven’t seen it, I highly recommend you check it out before reading further.

This article is intended to help fill some gaps in the existing documentation to help you get your SharePoint 2010 environment working in “Claims Mode” in conjunction with an instance of Active Directory Federation Services (ADFS) 2.0. Its not a terribly difficult process, but it can be pretty intimidating for those not versed in all the jargon associated with it.

The Design

We’re actually going to closely follow the instructions already provided in this TechNet article: Configure the Security Token Service. These instructions basically help you create a custom Federated Identity Provider to work with SharePoint. In this case, that will be an ADFS 2.0 server. Instead of connecting to SharePoint and authenticating directly to Active Directory, unauthenticated users will instead get redirected by SharePoint to a page hosted by ADFS 2.0. Users will authenticate to ADFS 2.0 using Windows Authentication, have various attributes about them packaged up as claims, and get re-directed back to SharePoint as an authenticated security principal. There’s actually a bit more going on than that, but as an introduction (and description of the end-user experience), that’ll suffice for now. Implementing this with ADFS 2.0 will provide the foundation for some pretty cool stuff down the road, which I’ll be posting in the near future.

The steps outlined in the TechNet article use mostly PowerShell.  I’ll be using a combination of PowerShell and Central Admin here.

The Setup

You can accomplish this using a single server. It’s assumed here you have SharePoint 2010 running against a local instance of SQL 2008 or SQL 2008 R2 CTP. If this server happens to be a Domain Controller, that’s fine. In my case, I’m using Windows 2008 R2 (64-bit, of course!).

Step 1: Create a Claims-Enabled Web Application

All you have to do here is run through the standard process in Central Administrator. Simply click “Create new Web Application” and select the “Claims Based Authentication” radio-button in the Authentication section.

image

Once the web application is created, you’ll need to create a site collection as well.  In my case, I just created one at the root “/”. When all this is done, you won’t notice anything is different at all. Indeed, I believe Microsoft is looking at making Claims Based Authentication the default mode of authentication when SharePoint 2010 RTMs. Behind the scenes, the SPUser object accessing SharePoint is actually based on a series of claims.

image

NOTE: The above screenshot displays claims using a custom web part. Check out my earlier blog for instructions on how to create and deploy it. This is highly recommended since it provides full visibility into the claims that make up a user identity in a claims mode web application. Needless to say, seeing and understanding these claims is fundamental to understanding how this stuff works within SharePoint.

Its worth stopping here to point out a few things. For starters, SharePoint Foundation ships with a fully functional Security Token Service (STS). When you install SharePoint 2010, the STS is operational and configured to use the local Active Directory instance to authenticate users and provide SharePoint a formal description each identity as a series of claims. When used in this way, the STS acts as an Identity Provider (IP-STS).  You can see this in the above screenshot. Some claims like group membership are provided by Active Directory. Other claims like ‘name’ and ‘userid’ are manufactured by the SharePoint STS. In IIS, you’ll find the web services associated with the STS in the SecurityTokenService application under “SharePoint Web Services”. A very good description of all this can be found in this TechNet article: http://technet.microsoft.com/en-us/library/ee428302(office.14).aspx.

So you don’t need to do anything to leverage the built-in STS as an Identity Provider. Indeed, this is the default setting. However, you can configure the SharePoint STS to trust a different IP-STS and thus act as a relying party (RP-STS). This is how you can extend SharePoint to leverage other systems to provide user identity and will be the focus for the rest of this article.

Step 2: Install and Configure ADFS 2.0

ADFS 2.0, formerly known as “Geneva Server” is now in Release Candidate stage at the time this article is being written. It can be downloaded here. There are a couple of “gotchas” you should be aware of before installing it:

  1. By default, ADFS 2.0 installs into the Default Web Site. It also sets up a self-signed certificate for that site so be sure you understand the impact to anything else you may have running in Default Web Site before you move forward.
  2. After the installer completes, you must run a configuration wizard to set the ADFS instance up. The GUI version of the this wizard will create a new instance of SQL 2008 Express Edition to store all configuration data. I already had a full instance of SQL 2008 R2 CTP running, so I wanted to leverage that instead of adding more software to my test virtual machine. The only way to specify an existing SQL instance is to use the command line version of the configuration wizard: http://technet.microsoft.com/en-us/library/dd727952(WS.10).aspx 

After configuration is complete, launch the ADFS 2.0 Management console and validate the certificate being used for Service Communications. This should be the same certificate that is bound to the Default Web Site. In my case, I chose to use a fully qualified domain name (pbdev.com). Make any changes necessary to ensure the Service Communications certificate and SSL binding in IIS is fully operational.

image

As a test, you should now be able to browse to the FederationMetadata.xml file at the following URL: https://<<SERVERNAME>>/FederationMetadata/2007-06/federationmetadata.xml

image

Now, export your Token-Signing Certificate to the c:\ drive. The quickest way to do this is to right-click the certificate in the ADFS 2.0 Management Console and select “View Certificate…”

image

Then, navigate to the Details tab and click the button labeled Copy to File…  This will launch the Certificate Export Wizard. Follow the wizard to export the certificate as a DER encoded binary X.509 (.CER) file.  For simplicity, I recommend saving the certificate to the C:\ drive. You will need this file in the following PowerShell script.

Step 3: Add ADFS 2.0 as a Federated Identity Provider in SharePoint

This is the part where we whip out some PowerShell. As far as I know, the current SharePoint 2010 Beta does not provide a place in Central Administration to do this add a federated identity provider. Fortunately, the commands are quite straightforward.

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[YOUR_STS_SIGNING_CERT].cer")
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

HINT: You can copy and paste the above PowerShell commands into a text file. Save the text file with the .ps1 extension and you will be able to execute the file from within PowerShell. Be sure to launch “SharePoint 2010 Management Shell” as this will load all the SharePoint related extensions.

You should now be able add the Federated Identity Provider in Central Administration. Navigate to Web Applications Management, highlight the web application, and click the Authentication Providers button in the ribbon. You should now see your new provider in the Federated Identity Provider section of the Edit Authentication window.

image

SIDE NOTE: Its interesting to see in this screenshot how multiple identity providers can be added to the same zone. That’s a big change from MOSS 2007!

At this point, if you browse to your claims-enabled SharePoint site you’ll find a new screen where you need to specify what Identity Provider to use for access. This happens because we have both our Federated Identity Provider and Windows Authentication enabled for this zone. It should be noted that this screen can be customized with logic to automatically determine the correct provider based on the client IP address (for example). For now, we need to stick with Windows Authentication because ADFS 2.0 isn’t configured yet to work with SharePoint.

image

Step 4: Create a Second Web Application for Testing with ADFS 2.0

I’ve had issues getting claims-enabled web applications that have both a custom Federated Identity Provider and standard Windows Authentication provider enabled. When starting out, I recommend creating a new web application from scratch with only the custom identity provider selected in the Identity Providers section. These are the instructions provided in the aforementioned TechNet article. You can either delete and re-create the web application you created in Step 1 or create an entirely new web application.

image

In order to federate with ADFS 2.0, the web application will require an SSL certificate. Since you’ll likely be doing this for a full URL (domain.com), you should look at using SSL Diagnostics Version 1.1 to generate the certificate. A good blog that covers steps for creating a self-signed certificate can be found here. An alternate approach would be to add the Active Directory Certificate Services role to your server and request a web server certificate from within IIS. Either way works fine.

Also, assuming you’re working with a single server or virtual machine I strongly recommend disabling loopback authentication checking. Otherwise, you’re likely to experience authentication issues going forward.

When you create the site collection, you’ll have to grant an account rights to administer it. Otherwise, you will end up with Error: Access Denied….even when authenticated with an administrative account. Keep in mind, we’re no longer using Windows Integrated authentication here, so we need assign permissions to identities with certain claims.

image

In this example, I’m going to grant administrator rights to user identities where the EmailAddress claim equals: admin@pbdev.com. This is done via the user picker, but with a bit of a twist as you can see from the following screenshot.

image

As you can see from the above screenshot, claim mappings that were configured in Step 3 are available in the user picker.

image

You need to be sure your administrative account actually has this email address configured in the E-Mail field in Active Directory.

image

Once this is done, we are ready to set up ADFS to authenticate users and provide claims to our new SharePoint web application.

Step 5: Add SharePoint as a Relying Party in ADFS 2.0

Now we need to create the trust relationship with SharePoint 2010 in ADFS.  This involves launching the ADFS 2.0 Management console, right-clicking the Relying Party Trusts folder, and selecting Add Replying Party Trust…   As you can imagine, this invokes the “Add Relying Party Trust Wizard”.

At Select Data Source, be sure to specify the radio button for “Enter data about the relying party manually” and click Next

At Specify Display Name, enter the display name and any helpful notes about the Relying Party and click Next.

At Choose Profile, select AD FS 2.0 profile.

At Configure Certificate, click Next.  We will not be encrypting the SAML tokens in this example and this is not a requirement.

At Configure URL, select the checkbox for “Enable support for the WS-Federation Passive protocol” and specify the URL for your site collection with /_trust/ appended to the end.  NOTE: SSL is a requirement here.

image

At Configure Identifiers, remove the default value and enter in the value stored in the “ProviderRealm” attribute of the SPTrustedIdentityTokenIssuer object.  This was provided in Line 3 of the earlier PowerShell script. You can also get this by running Get-SPTrustedIdentityTokenIssuer in PowerShell.

image 

image

At Choose Issuance Authorization Rules, ensure the radio button for “Permit all users to access this relying party” and click Next.

At Ready to Add Trust, you can then review the configuration information and complete the Wizard.

We now have one final step to take.  Right-click the Relying Party Trust and select Edit Claim Rules.

At Choose Rule Type, select Send LDAP Attributes as Claims and click Next.

Create the new rule as follows:

image 

Step 6: Test Access to SharePoint

We should now be at a point where we can log into SharePoint via ADFS.  Browse to your site collection and with any luck, you should now get passed directly into SharePoint.  If you’re the curious type, I’d recommend tracing the redirects using Fiddler.  Assuming you have the claims viewer web part installed in your root site collection, you should see something similar to the following.

image

Its interesting to compare these claims with those listed in Step 1 of this article. And note the source for the Email Address claim type is TrustedProvider: ADFS20Server.

Step 7: Grant Read Access to ADFS Authenticated Users

Next, we’re going to add any user who has been authenticated by ADFS 2.0 to have read access to our site collection.  This is done in a similar fashion as the end of Step 4 above.  When signed into the site with an administrative account, go to Site Actions > Site Permissions. Select the Viewers group and click New > Add Users.  At the next pop-up window, simply click the magnifying glass at the top.  This will result in the following screen:

image

Double-click “All Users (ADFS20Server)” to add these users to the group.

image 

You should now be able to sign into the claims-enabled web application using a different, non-administrative account.

OK, I fully admit this isn’t the most exciting thing to see in the world. But as I mentioned earlier, this configuration is the foundation for doing some powerful things like plugging in various 3rd party identity providers. In an upcoming article, I’ll show you how to add a custom STS to ADFS 2.0 as a Claims Provider and use that STS to gain access to SharePoint. That Claims Provider will happen to be OpenID.
 

 About Travis Nielsen
ArchitectTravis Nielsen is an architect and founding member of PointBridge. He has over 12 years of experience in the IT industry designing and implementing solutions for the Windows Server platform throughout... [more]

 Tag Cloud

 External Links

 ‭(Hidden)‬ Admin Links
 
Home | Categories | Bloggers | All Posts | Recent Posts | Search PointBridge Blogs
About Us | Contact Us | What’s New at PointBridge | www.pointbridge.com
© 2007 PointBridge. All rights reserved. | One North Franklin, Suite 2470, Chicago, Illinois 60606 | 312.334.1900 Terms of Use