Skip to main content
Sign In   |   Help
 
Go SearchAdvanced Search
Home
Categories
Bloggers
www.pointbridge.com

View All Site Content

Planning for Externalizing Authentication in SharePoint 2010: Part 1 - Introduction
By: Travis Nielsen | Posted: December 29, 2011 at 6:37 PM
Add Comment Add Comment | Share It Share It | Categories: Security, SharePoint Server, Windows Identity Foundation, Claims, Identity
 

Since the beginning of 2011, I’ve had the good fortune of being involved with several projects involving the claims authentication capabilities introduced in SharePoint 2010. The scope of these efforts have ranged from small proof-of-concept demonstrations to large Internet and Intranet production deployments. Some involved custom built Security Token Services (STS) and others relied on vendor-provided products like ADFS 2.0 and Ping Federate. As a sort of unofficial evangelist for this sort of thing, I’m impressed with how architects and developers, both from our consultants here at PointBridge and with our customers, have embraced the concept. In pretty much every case, we had a slightly different problem to solve and the technology has enabled us to deal with it in a straightforward way. Folks out there are “getting it” and I’m looking forward to helping advance this technology even further as we begin the new year.

So I thought this would be a good opportunity to share what are in my mind the key planning considerations when opting to use this approach for authentication. Note that for the purposes of this writing, when I say “externalizing authentication” I’m really talking about what Microsoft refers to as using “SAML claims”. In other words, using some sort of external STS (like ADFS 2.0 or Ping Federate) that issues tokens to be consumed by SharePoint for authentication.

What Do I Need to Plan For?

This can quickly become a pretty large and technical subject to discuss, so I'll break this blog series into the main planning areas that I see need to be addressed:

  1. Authentication and Authorization: Identity Providers, STS, SAML tokens, claims, custom claims provider, web applications, zones
  2. Session Management: Token cache, sliding sessions, cookies
  3. Functionality: Custom controls and pages, Office integration, search
  4. Operations: Support processes and documentation

Note that in this series I won’t be covering much regarding the specifics for configuring external authentication for SharePoint 2010. That’s already well covered in previous posts I’ve written and also the following Microsoft whitepaper: Implementing Claims-Based Authentication with SharePoint Server 2010. Additionally, the recently released 2nd edition of “A Guide to Claims-Based Identity and Access Control” is pretty much required reading for anyone looking to get involved with this technology. My focus is going to be on what we’ve seen out there in the “real world”.

Before starting, have clear design objectives

Externalizing authentication will force your team to solve some things that are taken for granted when using traditional Windows-integrated authentication. Additional investments in time for development, testing, documentation, and operational procedures will be required to to ensure short and long term success. Therefore, I believe a strong justification for this approach is required. Externalizing authentication could be a good choice if the organization:

  1. Requires Single Sign On (SSO) or Web Sign On (OpenID, Facebook, Twitter, Google, etc…) with vendors or customers. Because SAML is “standards based” and provides a very high degree of interoperability, this is a common justification.
  2. Is undergoing a lot of transition with its directory services (acquisitions and migrations) and doesn’t want to be limited or held back by these changes. Externalizing authentication to a single “identity tier” creates a façade that enables SharePoint projects to move forward without being held hostage to other organizational initiatives.
  3. Does not have a centralized identity infrastructure and never will. It operates more as a federation of entities and interested parties and still wants to take advantage of SharePoint as a collaboration platform.
  4. Wishes to expose SharePoint 2010 to mobile devices.
  5. Requires one of more of it’s SharePoint sites to work like a banking banking site with automated sign-out during idle times and doesn’t have expertise to accomplish this at the gateway (firewalls / reverse proxies).
  6. Is looking to consolidate its web tier assets under a single identity infrastructure and enable more interoperability between applications. Claims authentication is fully supported in ASP.NET and Windows Communication Foundation, including REST web services. For obvious security reasons, this makes sense to standardize under a single authentication and authorization scheme, especially one that is as flexible as the various SAML-related protocols out there (WS-Trust and WS-Federation).
  7. Is making a commitment to “the cloud”. Because claims authentication fundamentally works with the web, it can be used to tie together on- and off-premise applications in a seamless manner. And this goes for SaaS solutions like Microsoft Office 365, which utilizes ADFS 2.0 to achieve SSO with your local instance of Active Directory.

These are just a few common examples….and in most cases more than one scenario would apply to a given project. I mention all this because I believe it’s important to always “keep an eye on the prize” when fighting through all the details and nuances that externalizing authentication requires.

So….does it work?

I get this question a lot. The short answer is: “Yes, but with some effort”. We here at PointBridge have several customers in production today using SAML claims - with some implementations going pretty deep into the search and collaboration features. But as I mentioned above, a successful result may require implementing a series of customizations to SharePoint; some of them minor and others more substantial. For example, the reality is that any production-quality deployment is going to need to implement a custom People Picker to resolve what the user enters to something real (a group or user account in AD, LDAP, or SQL). That’s not available out of the box and will require code. Fortunately, there are great examples out there on the ‘net to get you started.

SAML claims requires each user to have an attribute that uniquely identifies the account. Your team will have to take a hard look at the Identity Provider (Active Directory in many cases) to ensure this attribute exists and is 100% populated (and standardized). If the attribute involves a given name or surname, you will need to call out processes to handle name changes. An unhandled name change will result in a new user account in SharePoint and a whole lotta confusion for all parties involved.

Depending on your level of sensitivity to the end-user experience, you may find you’ll need to customize several SharePoint administrative pages such as the default “Access Denied” and “Request Access” pages, which by default expose the unfriendly claims identity of the end-user (example: 0e.t|externalprovider|joe.user@corpdomain.com). You may also find that you’ll need to update extra controls such as the “Sign Out” and “Sign on as a different user” components in the Welcome Menu control.

If your environment is going to support document management functionality, your team will need a solid understanding of the relationship between session cookies and the various versions of Microsoft Office.

Search (both FAST for SharePoint and standard search) will require that your web applications have a specific zone configuration so that content can be indexed. This configuration may drive other “fixes” to ensure automatically generated links such as workflow task alerts point the the URL you want your end users to see.

Out of the box, tokens for authenticated sessions are stored in memory on each Web Front End. If you’re working in a multi- WFE farm topology and don’t have sticky sessions available…or your system has any sort of vulnerability to unplanned app pool recycles (which is probably everybody  :) ) , you should consider implementing a persistent token cache as opposed to relying on what Microsoft gives you.

And there are a couple of things you’ll have to give up. The Document Preview functionality in FAST for SharePoint is one of them.

Almost all of these things can be addressed….and I’ll cover that in future posts in this series. My point here is you should look at the advantages SAML claims brings to the table versus any risks and costs associated before jumping in. Obviously, this sort of evaluation is necessary for almost any newer technology and externalizing authentication is no different.

403 Forbidden Error with iPhone When Accessing SharePoint 2010 in Claims Mode
By: Travis Nielsen | Posted: August 24, 2011 at 11:36 AM
Add Comment Add Comment | Share It Share It | Categories: .NET, Security, Claims, SharePoint Server, Mobility
 

If you’re looking to support iPhone on a SharePoint 2010 site that is configured to use an external identity provider like Ping Federate, ADFS 2.0, or a custom STS, you will likely run into this issue. However, you may notice everything works just fine with iPad. Fortunately, the issue can be reproduced on the desktop using Firefox or Safari by emulating the iPhone user agent and you’ll be able to see what’s going on in Fiddler.

image

As seen in the above screenshot, you’ll notice an additional redirect to /_layouts/mobile/mblmultilogin.aspx just before hitting the /_trust/default.aspx page. And indeed this is what causes the issue. To correct it, you’ll need to update iPhone Safari section within the Web Application’s compat.browser file and set the “isMobileDevice” property to false.

clip_image001

After making this change, your iPhone users should be able to enjoy the SharePoint experience from their phones. Yeah, that was a bit of sarcasm there….

A little “gottcha” when Migrating “My Site” Content to SharePoint 2010 SAML Claims
By: Travis Nielsen | Posted: July 11, 2011 at 10:42 PM
Add Comment Add Comment | Share It Share It | Categories: Security, SharePoint Server
 

We recently ran across an issue a customer was having with the migration of “My Site” content to SharePoint 2010. In their case, the target configuration was Claims Mode using an external STS for authentication. They upgraded their web application to claims-mode, converted the users to SAML claims principals, and then configured the User Profile Service to synchronize with Trusted Identity Providers.

Profile synchronization ran fine. However, whenever a user clicked the “My Content” link, a brand new “My Site” would get created which, of course, did not contain the user’s old data. The issue turns out to be quite straightforward when one examines the user profile after synchronization runs:

image

You can see that when running profile synchronization in Trusted Claims Provider mode, the default personal site location gets set to: /my/trustedprovider_{trusted_provider_name}_{identity_claim_value}. As far as I can tell, there is no way to override this default.

The good news is that all one has to do is set this value back its original pre-migration settings that existed back in MOSS. And I found a set of handy, dandy PowerShell scripts by Paul Childs you can use to make this happen in-bulk. Just be sure to replace $adAccount = “PBDEV\tnielsen” with something like $identityClaim = “i:0e.t|ADFS20|tnielsen@pbdev.local”. After correcting the path to the Personal Site, all should be well.

PerformancePoint Identity Delegation with SAML Claims Providers
By: Travis Nielsen | Posted: March 26, 2011 at 6:50 PM
Add Comment Add Comment | Share It Share It
 

From time to time, we have customers who want to offer Microsoft's Business Intelligence visualization tools like PerformancePoint dashboards as a service to users connecting to SharePoint from the Internet. Typically this represents a pretty big challenge, especially if there's any requirement that access to the data be granularly filtered at the data tier (Analysis Services).

Right now, the only game in town for accomplishing something like that that doesn't involving coding or web services is Kerberos Delegation, which allows for user identities to be securely passed around from server to server. A big drawback to Kerberos, however, is the fact that it isn't an Internet-friendly protocol and, in the Microsoft world, is tightly coupled to Active Directory. So to get this to work for external users, a product like Forefront Threat Management Gateway, the successor to ISA Server 2006, is typically deployed in front of SharePoint. TMG supports Kerberos Constrained Delegation, meaning users enter credentials to TMG via a form the credentials are authenticated against an Active Directory account, and TMG then proxies all internal connections for the user using Kerberos tickets. This approach has been around for a couple of years and it works fine.

But now, things are (of course) different with SharePoint 2010. For example:

  • SharePoint 2010 introduces a new, standards-based approach to authentication using SAML 1.1 tokens. This opens up new possibilities for opening up SharePoint environments to external users and partner companies without having to provision accounts for them. Hopefully if you follow this blog, you're well familiar with this. J
  • PerformancePoint is now PerformancePoint Services, a Service Application within SharePoint 2010 that is natively "claims aware".
  • SharePoint 2010 includes the Claims to Windows Token Service (C2WTS), which magically translates SAML tokens to Kerberos Tickets. All that is required is a correctly populated UPN claim and, presumably, a corresponding AD account.

So taking the three above points into account, I wanted to see if it would be possible to configure Kerberos delegation for users authenticating via ADFS 2.0. This would enable, for example, a user who is part of a partner organization to sign into SharePoint using WS-Federation SSO and access a dashboard that contains only the data relevant to the user.

The Setup

Testing with Kerberos requires a multi-server environment. I had limited hardware to work with so I used the bare minimum: two virtual machines running on my laptop. All browser access was done from the laptop.

The logical authentication design is a modification on the model outlined in the TechNet article: Identity delegation for PerformancePoint Services. But instead of authenticating to the WFE with Kerberos, the idea here is to use SAML token generated by ADFS 2.0. ADFS 2.0 is configured to authenticate the user against an Active Directory account which exists in the same domain as the SharePoint server. The Relying Party Trust is configured to include the UPN claim in the SAML token. In SharePoint, the UPN claim type is defined as the Identity claim for the user. So in this example, I basically shift the Windows Authentication process over to ADFS. It's nothing fancy.

I followed all the Kerberos setup steps described in Configuring Kerberos authentication: Step-by-step configuration. I then published a PerformancePoint dashboard with Data Source Settings set to "Per-user Identity". On my claims-mode web application, I enabled both the Trusted Identity Provider (ADFS) and Windows authentication (Negotiate) so I could test both the "supported" authentication model as well as the SAML-based one.

When using Windows Authentication (Negotiate), I was able to confirm my test account's identity was getting passed back to the virtual machine hosting Analysis Services.

So far so good! Kerberos authentication is online and working. Now let's try it out with SAML claims from ADFS.

Delegation with SAML Claims: Initial Results

Long story short, it doesn't work. As expected, I was able to access the dashboard, but PerformancePoint Services throws an error (Event ID: 1) and no data is loaded. Based on the error message, it looks like PerforamncePoint Services will not send a SAML token to C2WTS in cases where the UPN claim originates from an external identity provider. Bummer…

An exception occurred while running a report. The following details may help you to diagnose the problem:
Error Message: $Resources:ppsma.ServerCommon,ErrorCode_DataSourceCannotGetWindowsIdentityForNonWindowsClaim;
        <br>
        <br>
        Contact the administrator for more details.
Dashboard Name:
Dashboard Item name:
Report Location: /analytics/Lists/PerformancePoint Content/2_.000
Request Duration: 57.77 ms
User: i:0e.t|adfs intranet|tnielsen@pbdev.local
Parameters:
    
Exception Message: $Resources:ppsma.ServerCommon,ErrorCode_DataSourceCannotGetWindowsIdentityForNonWindowsClaim;
Inner Exception Message:
Stack Trace: at Microsoft.PerformancePoint.Scorecards.Server.PmServer.ExecuteAnalyticReportWithParameters(RepositoryLocation analyticReportViewLocation, BIDataContainer biDataContainer)
at Microsoft.PerformancePoint.Analytics.ServerRendering.OLAPBase.OlapViewBaseControl.ExtractReportViewData()
at Microsoft.PerformancePoint.Analytics.ServerRendering.OLAPBase.OlapViewBaseControl.CreateRenderedView(StringBuilder sd)
at Microsoft.PerformancePoint.Scorecards.ServerRendering.NavigableControl.RenderControl(HtmlTextWriter writer)
    
PerformancePoint Services error code 20604.

Delegation with SAML Claims: A Workaround

Happily, there is a workaround and the technique fairly well known in the Business Intelligence community. Basically, it involves switching the authentication mode of the data connection object for a dashboard to "Unattended Service Account and add authenticated user name in connection string". When doing this, the data is retrieved using a single connection account, but the user ID is passed in the <CustomData> element of a connection.

Some work needs to be done on the Analysis Services side to implement the security trimming, but it's not too difficult…and it works. My colleague Brian Ringley recently posted on how to do this. Keep in mind that when using claims, the account ID in the user dimension will need to match the exact format of your SAML claim identifier, not the DOMAIN\samAccountName format that Brian describes. In my case, this would be i:0e.t|adfs intranet|<User Principal Name Value>.

Conclusion

It's a bit disappointing that Kerberos delegation doesn't (appear to) work for PerformancePoint for users authenticated with an external SAML claims provider; especially since the C2WTS has, in theory, everything it needs to generate the ticket on the user's behalf. Perhaps there's something I missed here, this will be fixed in a later service pack, or maybe this behavior is "by design" due to security issues I haven't thought through. However, it's good to know a decent workaround exists that doesn't involve network architecture changes such as introducing TMG.

As a side note, I'd be interesting to know if the next version of SQL Server (a.k.a "Denali") will include support for SAML token authentication. It doesn't look promising, though, seeing how there's no mention of this in the current documentation.

UPDATED: Adding an OpenID Claims Provider for AD FS 2.0 to Extend Access to SharePoint 2010
By: Travis Nielsen | Posted: January 14, 2011 at 11:45 PM
Add Comment Add Comment | Share It Share It | Categories: ADFS, Claims, Identity, OpenID, Security, SharePoint Server, Windows Identity Foundation
5
Comments

NOTE: This blog is based on a post originally written in January of 2010 when both SharePoint 2010 and AD FS 2.0 were in Release Candidate stage. The version you are reading here has been updated it to correct some important omissions related to the RTW bits.

========================================================

In my previous post, I demonstrated how to enable a SharePoint 2010 web application for claims authentication. As a result, it could be seen that all relevant windows account information (account SID, logon name, group membership) is automatically consumed from Active Directory by the SharePoint Security Token Service (STS) and transformed into claims, which as the basis for the SPUser object. Except for a handy web part, no extra configuration required. It’s all “out of the box”.

I then went on to show how to extend this model by federating SharePoint with ADFS 2 .0. That demonstration, based on this article from the TechNet library, put SharePoint 2010’s built-in Security Token Service in the role of a Relying Party (RP-STS) and the WS-Federation passive endpoint of ADFS 2.0 server in the role of an Identity Provider (IP-STS). After completing this exercise, you may have asked yourself what the point of doing all this might be. It’s the intention of this article to hopefully answer that question and show why using ADFS 2.0 in this way can be a very powerful option for all SharePoint 2010-based extranets and public-facing Internet sites.

ADFS 2.0, formerly known as “Geneva Server”, can act as a centralized hub for managing user identity and trust relationships between applications, web services and, by extension, organizations. User identity is typically expressed as claims, which are documented in SAML, a type of specially formatted, digitally signed XML. As long as applications can “speak” one of the web standards defined by  (WS-Trust or WS-Federation), they can consume from or provide identity to ADFS 2.0. This is implemented in ADFS 2.0 via two kinds of trust relationships: Claims Provider Trusts and Relying Party Trusts. My previous post involved configuring a Relying Party Trust for a claims-enabled web application in SharePoint 2010 with claims being provided by ADFS 2.0 after users authenticate via Windows Integrated authentication. A Claims Provider Trust allows for that authentication process to be extended to other internal or external identity providers.

Before I go much further, I want to state much of this is based on Matias Woloski’s excellent article posted back in July of last year. It discusses the concept of a “Transition STS” that converts OpenID claims into SAML claims and raises the possibility of plugging it into ADFS 2.0 as a Claims (identity) Provider. It’s a powerful example because it clearly shows how well this technology integrates. I essentially implemented what he proposed using the current ADFS 2.0 Release Candidate and the current, public beta of SharePoint 2010. From an architecture perspective, the design pattern is as follows:

WS-Fed model

This diagram is an elaboration based on Matias Woloski’s and includes ADFS 2.0 as the central “hub” for various WS-Federation relationships. A couple of observations come to mind with this:

  1. You can see how the entire authentication and identity discovery process is highly modularized (or “pluggable”) with centralized control being provided by ADFS 2.0. You can pretty much add any application on your network into this model by creating a WS-Federation compliant STS for it. This is relatively easily accomplished if you’re familiar with the concepts introduced in the Identity Developer Training Kit. And Microsoft provides tools and templates for Visual Studio as part of the Windows Identity Foundation SDK that do a lot of the work for you. If you haven’t already, I highly recommend you check it out.
  2. Since we’re dealing with web services and standard protocols here, it doesn’t really matter if an IP-STS is internal or hosted in “the cloud”. As an example, full, “out of the box” support for using Windows Live credentials will be included in the RTM version of ADFS 2.0. Integration with the Microsoft Federation Gateway and the Windows Azure Access Control Service will likely be common scenarios as well. Essentially, where authentication happens and how user information flows back to your applications is entirely up to you.
  3. Identity in SharePoint 2010 is based on the Windows Identity Foundation (WIF). I’m sure you noticed “Geneva" framework” as a pre-requisite for installing the beta SharePoint Foundation. WIF fully supports all the protocols we’ve mentioned so far. In fact, in a claims-mode Web Application the SPUser object is hydrated from claims embedded in IClaimsPrincipal. There is no difference with how claims are received and processed in SharePoint 2010 as with any “Geneva-enabled” ASP.NET page. This is no surprise given SharePoint’s relationship with ASP.NET, but it’s worth at least pointing out. There is no SharePoint object model “trickeration” going on here.

So your SharePoint 2010 environment can essentially outsource the authentication process to one or more (internal or external) identity providers (Google, Windows Live, a trusted Active Directory instance, OAuth, etc…) and consume whatever identity information is provided / required. This has many important ramifications for the end-user experience, how personal information is (or is not) disclosed, and how SharePoint 2010 can be used as a social / content platform. For example, if you’re hosting content that requires a user to subscribe to your service using a named account, you can create a trust relationship with a series of well known external identity providers instead and just direct the user to authenticate to them using their existing user IDs and passwords. You are off the hook for managing accounts (creation, password resets / expiration) and you have arguably less exposure to the disclosure of personally-identifiable information since you aren’t storing anything. Users also win because they get out of having to create and remember yet another user ID and password and I would argue this can lead to an increase in adoption and / or re-use of the content.

Let’s take a look at a concrete example. We’re going to set things up so we can “log in” to a claims-mode SharePoint 2010 web application using an OpenID account. NOTE: It is assumed you have successfully configured a claims-mode SharePoint web app to federate with ADFS 2.0. This is a prerequisite and if you have not done this already, please see my previous blog on the subject. I’ll break this process down into two main steps: Configure the WS-Fed Protocol Transition STS and Configure a Claims Provider Trust for ADFS 2.0.

Configure the WS-Fed Protocol Transition STS

You’ll need to have the following prerequisites done before starting the configuration:

  • Download the code example provided by Martin Woloski. Unzip the contents to a convenient location. You should have a single folder called WSFedWebsiteAndOpenIDSTS with two folders inside of it. We will need source code provided within these two sub-folders.
  • Enroll for an OpenID account through myopenid.com. You will need this in order to sign into ADFS 2.0 and, by extension, a claims-mode SharePoint 2010 web application.
  • Download and install the Windows Identity Foundation SDK. This SDK includes tools (FedUtil) and templates for Visual Studio. As far as I can tell, these tools and templates work fine in Visual Studio 2010.

Start by creating a new ASP.NET web site in Visual Studio (File > New Web Site). In my example, I’m setting the web location to http://pbdev.com/OpenIdTestSite. You can do the same to “localhost” if you wish.

  1. Right-click the site properties and select “Add STS Reference…”. This starts the Federation Utility Wizard (FedUtil). Accept the defaults and click “Next” at the first screen. You may see a warning stating the application is not hosted using HTTS. This is OK to ignore for now.
  2. On the next screen, click the radio button for “Create a new STS project in the current location” and click Next.  Finish the wizard. You will now see a second site appear in the Solution. This is the new STS and it is represented with an “_STS” suffix.
  3. Copy the contents of default.aspx.cs from the code example WSFedWebsite directory to the corresponding default.aspx.cs file in your test web site.
  4. Copy the contents of the Bin folder under the code example OpenIdWSFedSTS folder to the corresponding location of your new _STS site. This should create a new Bin directory in Visual Studio.
  5. Copy the contents of Login.aspx from the code example OpenIdWSFedSTS directory into the corresponding Login.aspx folder in your _STS site.
  6. Copy the contents of Login.aspx.cs from the code example OpenIdWSFedSTS directory into the corresponding Login.aspx.cs folder in your _STS site.
  7. Validate there are no compile errors for Login.aspx.cs in your _STS site.

This completes the setup process. Go ahead and launch http://<<yoursite.com>>/OpenIdTestSite. You should be immediately redirected to the STS login page, which hosts the OpenID control.

image

You will be redirected to authenticate to your myOpenID account.

image

Follow the on-screen instructions and you will be redirected to your test site with your claims displayed. Note that the only claims we get back from this provider is the ‘name’ claim. This makes sense given that we’re only using OpenID or user authentication. OpenID has no knowledge of the roles this user should have within SharePoint. But having this claim is good enough for us to (a) confirm the user is authenticated and (b) establish a unique identifier for the user.

image

If you’ve gotten this far, you now have the fundamentals working with a basic ASP.NET example. Now it’s time to plug this into ADFS 2.0 so this can be used for SharePoint 2010 access!

NOTE: All claims tokens are digitally signed by the issuing STS using an X.509 certificate. Before we move on with configuring ADFS, we should identify this certificate and export it as a .CER file. You should be able to find the name of this certificate in the key “SigningCertificateName” in the web.config of your custom STS. Once you have the name, export it as a DER encoded binary (.CER) using the “Certificates” MMC snap in. Make sure you specify “computer account” when starting the snap-in.

Configure a Claims Provider Trust for ADFS 2.0

Next we need to set up our custom STS as a claims provider. This is done by launching the AD FS 2.0 Management Console, expanding the “Trust Relationships” node, right clicking “Claims Provider Trusts”, and selecting “Add Claims Provider Trust…”.  This launches a handy wizard.

  1. Click “Start” at the welcome screen.
  2. At Select Data Source, select the radio button for “Enter claims provider trust data manually”
  3. At Specify Display Name, enter a value and click Next.
  4. At Choose Profile, select AD FS 2.0 profile and click Next
  5. At Configure URL, select “Enable support for the WS-Federation Passive protocol”. For the URL, enter the URL of your STS: https://[your site host header]OpenIdTestSite_STS/.  Note that SSL is a requirement here. If the site under which your STS is located is not enabled for SSL, go ahead and enable it in IIS. When done, click Next.
  6. At Configure Identifier, leave the default value, which is the URL provided in the previous step. Click Next
  7. At Configure Certificates, browse to the location of the .CER file you created at the end of the previous section. Click Next.
  8. At the Finish window, leave the checkbox selected and click Close.

You will immediately see a new window where we need to specify the  “Acceptance Transform Rules”. These rules handle the inbound claims from our custom STS. This is part 1 of a two part process to pass on information from ADFS 2.0 to the SharePoint 2010 STS. Follow these steps:

  1. Click the “Add Rule” button
  2. At the Choose Rule Type section, select “Transform an Incoming Claim” and click Next
  3. At the Configure Claim Rule section, type “Convert name claim to UPN claim” for the rule name. For Incoming claim type, enter ‘Name’. For the outgoing claim type, enter ‘UPN’. Ensure the radio button for “Pass through all claim values” is selected.

Your claims rule configuration should now look like the following:

image

The second part of involves adding an “Issuance Transform Rule” so that our inbound claims can be passed back to our SharePoint web application. Select the Relying Party Trusts folder under Trust Relationships and highlight the relevant relying party you configured earlier. In the Actions Pane, click Edit Claim Rules… and complete the following steps:

  1. Click the “Add Rule” button
  2. In the next window, select the claim rule template: “Pass through an Incoming Claim”
  3. At the next window, enter the claim rule name OpenID: UPN. Set the incoming claim type to ‘UPN’. Make sure the radio button for “Pass through all claim values” is selected.

Add Reply Address Logic to the Custom STS

Before we test this out, we need to make one more change to our custom STS. ADFS 2.0 does not provide a ReplyToAddress to our custom STS. There are some good reasons for this, but that’s probably a topic for a separate posting. Anyhow, the STS developer is responsible for mapping the identifier of the calling STS to it’s actual WS-Federation passive endpoint URL. You can find out what your identifier is by highlighting the “Service” node in the AD FS 2.0 Management console and clicking “Edit Federation Service Properties”.

You can see from the following screenshot that the identifier in my case is: http://SP2010.pbdev.local/adfs/services/trust.

image

So I need to provide a mapping in my custom STS between this identifier and actual URL. This is done at the end of the GetScope method within CustomSecurtyTokenService.cs. See lines 1 – 4 below.

   1: if (scope.AppliesToAddress.ToLower() == "http://sp2010.pbdev.local/adfs/services/trust")
   2: {
   3:     scope.ReplyToAddress = "https://sp2010.pbdev.local/adfs/ls/";
   4: }
   5: else if (scope.AppliesToAddress == "urn:contoso:openid")
   6: {
   7:     scope.ReplyToAddress = "http://contoso/_trust/";
   8: }
   9: else
  10: {
  11:     scope.ReplyToAddress = scope.AppliesToAddress;
  12: }   
  13:     
  14: return scope;

Once this is done, you should be able to browse to your claims-enabled SharePoint 2010 Web Application and get redirected to the ADFS 2.0 sign-in page. Since we now have two claims providers (Active Directory and OpenIdTest), we need to choose an authentication method using the drop-down listbox.

image

NOTE: If your web application uses both ADFS and Windows Integrated authentication, users will actually have two identity selector menus: one for SharePoint and one for ADFS. The SharePoint menu can be removed by un-checking Windows Integrated authentication in Central Admin. Be sure you have a valid claims principal assigned as site collection administrator before you do this, though.

Once the user selects the OpenID STS, the sign-in process is exactly the same as shown with the test site earlier. Assuming you configured ADFS according to the steps outlined in my previous post, you will be redirected to your claims-enabled web application with read permissions.

image

Note that we could (1) add more output claims to our custom STS (where possible) by modifying the GetOutputClaimsIdentity method within the CustomSecurityTokenService class, or (2) configure ADFS to look up additional claims stored in a SQL or LDAP repository for this user to populate, for example, application roles. Either way, making these changes would require us to (1) define more Issuance Transform Rules on the Relying Party Trust in ADFS so that the information is passed back to SharePoint. and (2) add additional inbound claim mappings to our SP-TrustedIdentityTokenIssuer settings on SharePoint so the claims are processed and added to the SPUser object.

Hopefully, you can see this approach can be adapted to a wide variety of identity providers that don’t “speak” SAML like OAuth (Twitter, LinkedIn, Facebook, NetFlix, etc…), Shibboleth, and almost anything else you can think of. You only need plug in a “transition” STS for each type of provider to an instance of ADFS 2.0. All the complexity is facaded away from SharePoint. Furthermore, we have already shown that the entire identity model for SharePoint 2010 was written based on this framework, so it works very well with this technology at a significantly lower level of effort than before. Finally, you should now have a sense of how ADFS 2.0 can be an extremely valuable tool to centrally manage trust relationships and handle the flow of claims across an entire spectrum of identity consumers and providers. I hope you’ll agree this is a major step forward for the SharePoint platform.
 

 Follow on


Twitter: @travisnielsen

LinkedIn: travisnielsen

 About Travis Nielsen
Principal ConsultantTravis Nielsen is a principal consultant and founding member of PointBridge. He has more than 12 years of experience in the IT industry designing and implementing solutions for the Windows Server plat... [more]

 External Links

 ‭(Hidden)‬ Admin Links
 
Home | Categories | Bloggers | All Posts | Recent Posts | Search PointBridge Blogs
About Us | Contact Us | What’s New at PointBridge | www.pointbridge.com
© 2007 PointBridge. All rights reserved. | 217 N Jefferson Street, Suite 300, Chicago, Illinois 60661 | 312.334.1900 Terms of Use