Archive for December, 2011

Google Id/Windows Authentication in SharePoint 2010 using Windows Azure

December 11, 2011

In this article I will describe how to enable signing in using Google Id, Windows Open Id, Facebook or Yahoo account to a SharePoint 2010 site collection. As authentication provider I will use Windows Azure Platform.
Here are the steps you have to do:

Configure the Azure platform

  1. Create an account on Windows Azure Platform using your Windows Live Id. There is 90 days evaluation period available on Windows Azure that is free, additionaly the Access Control Services I will use as authnetication provider are free at least until December 2012. During the registration process you will be however asked to fill in you credit card number. For more information about pricing see this.
  2. After you created your azure account go to the Windows Azure management portal  https://windows.azure.com/.
  3. In the portal click “Services Bus, Access Control & Caching ” and then “Access Control”. See following picture
  5. Click new to create a new namespace and select a unique name for the namespace and the region where your server exists and click “Create namespace” button
  6. Wait until the namespace is activated. It takes several minutes
  7. Click the newly created namespace and then “Access Control Service”
  8. Click “Identity providers” and add the providers that should be used in your SharePoint site collection for the authentication. See folllowing image.
  10. Click Relying party application button in the left tab and add a new Relying application and fill the form as marked in the following image. The url should be the url of your sharepoint web application.
  12. Also check the “Create new rule group”
  13. Now click the “Rule groups” and click Generate. The form should look like this afterwards:
  15. Click save.
  16. Click  “Application Integration” under “Development” tab. Then “Login pages” and then your relying service application.
  17. Copy the content of the textbox und option 1. It should look like this https://yournamespace.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2fsharepoint2010%2f
  18. For now you are done with the azure platform configuration. Now go to your SharePoint server where should be the claims authentication enabled.

Create and export new certificate

  1. Run following command “MakeCert.exe -r -pe -n “CN=<yournamespace>.accesscontrol.windows.net” -sky exchange -ss my”. The Makecert.exe can you find in this folder: C:\Program Files\Microsoft Office Servers\14.0\Tools
  2. Here http://msdn.microsoft.com/en-us/library/gg185932.aspx  you can find a description how to export the newly created certificate for the communication betwen SharePoint and Azure.
  3. Once you have the file go back to Azure platform to your namespace and click “Certificates and keys” and click “Add” button in the “Token signing” section.
  4. Upload the exported certificate and leave the other setings to default

Configure SharePoint to use claims
Run following script. Replace following things:

  1. Path to the certificate
  2. Password of the certificate
  3. $realm (it is the Url you gave in the Relying Application Settings as Realm). Mind the slashes.
  4. $signinurl It is the url from step 17
  5. The names of the providers.

Add-PSSnapin "Microsoft.SharePoint.PowerShell"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("yourcertificatename.pfx","yourpassword")

$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming

$realm = "http://sharepoint2010/"

$signinurl = "https://yournamespace.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2fsharepoint2010%2f"

New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" -Description "Windows Azure ACS v2" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

New-SPTrustedRootAuthority -Name "Azure Test Token Signing" -Certificate $cert

$issuer = Get-SPTrustedIdentityTokenIssuer
$authority = Get-SPTrustedRootAuthority
$issuer.ProviderUri = $signinurl
$issuer.Update

Check if the things work:

  1. Open central administration and open Web application
  2. Click Create new Web application
  3. Switch to claims authentication
  4. Check the “Azure ACS”
  5. Create new web application
  6. Create new site collection
  7. Set the permissions on the site collection that the users have access to the site collection
  8. Log in with your Google Id to the site collection

References:  Travis Nielsen blog

Tags:, , ,
Posted in Azure, Claims, SharePoint, SharePoint 2010, Uncategorized | 9 Comments »