Writing your own Trusted Identity provider for SP2010 (1)

By | 2010-08-19

With the introduction of the Windows Identity Framework and SharePoint 2010 it is now possible to have multiple authentication providers on a single URL of one SPWebApplication.
Especially in an Extranet scenario this is very useful:

  • Employees login with their AD Account
  • Partners, suppliers, customers login through a (custom) Trusted Identity Provider (like Facebook, OpenID or custom)

Imagine you have a CRM application (like Microsoft Dynamics CRM 4) where you store all the relations (contacts) your company has with customers, partners and suppliers. You can use this information, e.g. the email addresses and a custom field for a password, to create your own Identity Provider and provide access to your extranet/collaboration portal based on the information stored in the CRM application.

In 2007 you would extend your SPWebApplication and configure Forms Based Authentication. You would lose the Client Integration Features of Office (2007), and you needed to configure your Membership Provider in the Web.Config.

In 2010 we can use an Identity Provider/Claim Provider. There are some major differences / benefits in comparison to a custom Membership Provider. With an Identity Provider (custom or not):

  • You can use the Integration Features of the Office (2010) Client
  • All users connect on the same url / WebApplication
  • You can re-use an Identity Provider on more than one WebApp (it’s now just a Trust thing)
  • You have Single Sign On (SSO) for free with other WebApps that Trust the same Identity Provider
  • Configuration is done through PowerShell on all servers at once!

This will be a multi-part blog post on “writing your own Trusted Identity provider / Claim Provider for SP2010”.
In order to have a working Trusted Identity provider for SharePoint you will need to do a couple of things:

This post will focus on how to create a Custom Security Token Service with the Windows Identity Framework SDK.

    1. Download and install the Windows Identity Framework SDK for .Net 4.0 (and thus VS 2010).
       SP2010 runs on .Net 3.5, but since the STS is a separate IIS WebApplication you use 4.0.
    2. Create a new Web Project with VS2010 based on the ASP.Net Security Token Service Web Site template.
       This will be the website users actually log in to.
    3. Note the following important classes/methods in the project:
       • CustomSecurityTokenService.cs, and especially the method GetOutputClaimsIdentity
       • Login.aspx, and especially the CodeBehind: Page_Load
       • Web.Config, and especially the appSettings IssuerName and SigningCertificateName
    4. Implement the method GetOutputClaimsIdentity. Here I have chosen to login with the user’s email address.
       If you want to add more claims you can! You could add claims to the output here to facilitate groups of users.
    5. Implement the Login button/event in the Login page.
    6. Change the login page front end.
    7. Add extra functions like “Forgot my password” or “Register for an account” now or later.
    8. Deploy your web application to IIS.
       You should now be able to login to your custom STS with a browser.

    9. Create a proper “FederationMetadata.xml”.
       This was a bit hard for me at first. But there is an App for that!
       • Provide the proper values for the WS-Federation Metadata Generator
       • You will need a Certificate to sign the “FederationMetadata.xml” document
       • Copy the new “FederationMetadata.xml” to your published STS Website
    10. Test your new STS WebApplication by logging in. You might get an error when you first test this. Use this url to test if your login page works: http://test-server/default.aspx?&wa=wsignin1.0
    11. There is one thing left to do when you want to use your Identity Provider: install a certificate on the Web Server, use that to sign the FederationMetadata.xml, and update the Web.Config of your provider to reference this certificate in the IssuerName.
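As an added example (not code from the post), here is how steps 4 and 5 fit together in the WIF SDK template: a CustomSecurityTokenService whose GetOutputClaimsIdentity issues the e-mail claim plus role claims for groups of users, and whose GetScope only issues tokens for a relying party it knows. It assumes the Login page has already verified the CRM e-mail/password pair and called FormsAuthentication.RedirectFromLoginPage with the e-mail as user name; CrmContactStore and the relying-party URL are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Relying parties this STS issues tokens for (placeholder URL; SharePoint's realm ends in /_trust/).
    static readonly HashSet<string> TrustedRelyingParties =
        new HashSet<string> { "https://extranet.example.com/_trust/" };

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration) { }

    // The template's other override: decide which relying party the token is for and how it is protected.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || !TrustedRelyingParties.Contains(request.AppliesTo.Uri.AbsoluteUri))
            throw new InvalidRequestException("Unknown relying party in AppliesTo.");
        Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;         // SharePoint 2010 consumes a signed, unencrypted token
        scope.ReplyToAddress = scope.AppliesToAddress; // post the token back to the trusted realm, not a caller-supplied URL
        return scope;
    }

    // Step 4 of the post: build the claims that end up in the token. Login.aspx already authenticated
    // the user with Forms authentication, so principal.Identity.Name is the e-mail address.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("The caller is not authenticated.");
        string email = principal.Identity.Name;
        IClaimsIdentity outputIdentity = new ClaimsIdentity();
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Email, email));      // the identity claim SharePoint maps
        foreach (string role in CrmContactStore.GetRolesForContact(email))  // extra claims for groups of users
            outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, role));
        return outputIdentity;
    }
}

// Hypothetical stand-in for the CRM contact lookup, with constructed sample data.
static class CrmContactStore
{
    static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { "jane@partner.example", new[] { "Partners" } }, { "bob@supplier.example", new[] { "Suppliers" } } };
    public static IEnumerable<string> GetRolesForContact(string email)
    {
        string[] roles;
        return Roles.TryGetValue(email, out roles) ? roles : new string[0];
    }
}
```

The role claims only become useful once the SPTrustedIdentityTokenIssuer in SharePoint is registered with matching claim type mappings, which is the subject of the next post.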

The next post will describe the SPClaimProvider to create and register.

And be sure to check-out some small “issues” with Claims Based authentication

6 thoughts on “Writing your own Trusted Identity provider for SP2010 (1)”

  1. Pingback: Writing your own Trusted Identity provider for SP2010 (2) « SharePoint Stef (@vanHooijdonk)

  3. Pingback: Writing your own Trusted Identity provider for SP2010 (3) « SharePoint Stef (@vanHooijdonk)

  5. Filipe

    Hello Stef. I’m doing some research on Claims, and I was wondering if you could help with something I haven’t been able to clear: can I do Claims augmentation with a custom claims provider, on Windows Authentication? Thanks.

  6. MNSD

    Hello Stef (@vanHooijdonk),

    I am trying to create my own custom provider and wanted to know if you can guide me into the correct direction. Please reply back on the email address if you can. Any help will be appreciated 🙂

    Thanks,
    MNSD
