Writing your own Trusted Identity provider for SP2010 (3)

By | 2010-11-16

This is part three of a multi-part blog post on “writing your own Trusted Identity Provider / Claim Provider for SP2010”. In the first post I covered:

In the second post I covered:

In this post I will:

  • Create a trust between your Trusted Identity Provider (STS) and SharePoint 2010
  • Create or configure your SP2010 web application to use the Trusted Identity Provider

To create a trust between your new STS and SharePoint you need to run a few PowerShell steps.
First we have some variables to set:

$invocation = (Get-Variable MyInvocation -Scope 0).Value
$rootPath = Split-Path $invocation.MyCommand.Path

$spClaimTypesCsv = Join-Path $rootPath "claim-types.csv"

# identity provider certificate
$idpSigningCertificatePath = Join-Path $rootPath "idp-certificate.crt"
# identity provider ca certificate
$idpSigningCertificateAuthority = Join-Path $rootPath "idp-certificate-ca.crt"

# identity provider url and name
$idpPassivEndpoint = "http://stslogin.sp2010.dev/default.aspx"
$idpName = "Verbondsleden"
$idpDisplayName = "Verbondsleden"

# sharepoint webapplication we are going to use to log in to with this identity provider
$spRealm = "http://claims.sp2010.dev/_trust/default.aspx"
# name of the SPClaimProvider in SharePoint we registered earlier
$claimProvider = "VerbondsledenClaimsProvider"
# login/username Claim Type
$userIdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Next we start with the creation of a trust:

"Creating signing certificate for {0} from {1}" -f $idpName, $idpSigningCertificatePath
$idpSigningCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpSigningCertificatePath)
echo $idpSigningCertificate

"Trusting the IdP certificate directly {0}" -f $idpSigningCertificatePath
$rootCert = Get-PfxCertificate $idpSigningCertificatePath
Remove-SPTrustedRootAuthority $idpName

#Register the new identity provider 
New-SPTrustedRootAuthority $idpName -Certificate $rootCert

This adds a trust, which you can view in Central Administration:
Now we create an SPTrustedIdentityTokenIssuer:

# remove the token issuer if it already exists
$sts = Get-SPTrustedIdentityTokenIssuer | where { $_.Name -eq $idpName }
if (-not ($sts -eq $null)) {
    "SPTrustedIdentityTokenIssuer {0} already exists, attempting to remove" -f $idpName
    Remove-SPTrustedIdentityTokenIssuer -Identity $idpName
}

# the ClaimTypes the Identity Provider provides; strictly this is not needed because we have an SPClaimProvider
[array] $claimTypeMappings = @()
$spClaimType = Import-Csv $spClaimTypesCsv
foreach ($claimType in $spClaimType) {
    "Adding claim type {0} ({1})" -f $claimType.ClaimType, $claimType.Description
    $claimTypeMapping = New-SPClaimTypeMapping $claimType.ClaimType -IncomingClaimTypeDisplayName $claimType.Name -SameAsIncoming
    # only keep mappings that were actually created with a valid input claim type
    if (-not (($claimTypeMapping -eq $null) -or ($claimTypeMapping.InputClaimType -eq $null))) {
        $claimTypeMappings += $claimTypeMapping
    }
}

"Creating SPTrustedIdentityTokenIssuer {0}" -f $idpName
$sts = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description $idpDisplayName -Realm $spRealm -ImportTrustCertificate $idpSigningCertificate -ClaimsMappings $claimTypeMappings -SignInUrl $idpPassivEndpoint -IdentifierClaim $userIdentityClaimType
echo $sts

if ($claimProvider -eq "") {
    "Default claim provider selected for {0}" -f $idpName
} else {
    "Setting claim provider for {0} to {1}" -f $idpName, $claimProvider
    Set-SPTrustedIdentityTokenIssuer -Identity $idpName -ClaimProvider $claimProvider
}

And now we can trust our own STS in our claims-based web application:
Of course there is also an app/wizard for this: SPFedUtil.

So there you have it: when you browse your claims-based web application you will now get this screen:
Choose your STS, log in with proper credentials, and you will be redirected to your SharePoint web application:
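Before handing the web application to users, it is worth reading back what SharePoint actually stored for the trust, because a wrong certificate, an expired certificate or a realm that does not match the web application's /_trust/ URL all fail silently at sign-in time. The script below is an added verification example, not part of the original post; it uses the names from this post, and the thumbprint value is an assumed placeholder that you replace with the thumbprint of your own IdP signing certificate.

```powershell
# Added example: read back the trust and token issuer created above and report
# the settings that most often break claims sign-in.
# Names match the post; the thumbprint is a placeholder (assumption), replace it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$idpName            = "Verbondsleden"
$expectedRealm      = "http://claims.sp2010.dev/_trust/default.aspx"
$expectedThumbprint = "0000000000000000000000000000000000000000"   # placeholder

$issues = @()

# 1. The trusted root authority: the certificate SharePoint accepts token signatures from
$root = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $idpName }
if ($root -eq $null) {
    $issues += "No SPTrustedRootAuthority named $idpName"
} else {
    $cert = $root.Certificate
    if ($cert.Thumbprint -ne $expectedThumbprint) {
        $issues += "Root authority thumbprint $($cert.Thumbprint) is not the expected IdP certificate"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $issues += "Root authority certificate expires on $($cert.NotAfter); renew and re-run the trust script"
    }
}

# 2. The token issuer: signing certificate, realm, sign-in URL and claim provider
$sts = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $idpName }
if ($sts -eq $null) {
    $issues += "No SPTrustedIdentityTokenIssuer named $idpName"
} else {
    if ($sts.SigningCertificate.Thumbprint -ne $expectedThumbprint) {
        $issues += "Token issuer signing certificate $($sts.SigningCertificate.Thumbprint) differs from the expected IdP certificate"
    }
    if ($sts.DefaultProviderRealm -ne $expectedRealm) {
        $issues += "Realm is $($sts.DefaultProviderRealm), expected $expectedRealm"
    }
    if ($sts.ProviderUri.Scheme -ne "https") {
        $issues += "Sign-in URL $($sts.ProviderUri) is not HTTPS; the SAML token is posted in clear text"
    }
    if ([string]::IsNullOrEmpty($sts.ClaimProviderName)) {
        $issues += "No custom claim provider set; the people picker will accept any typed value"
    }

    "Identity claim: {0}" -f $sts.IdentityClaimTypeInformation.InputClaimType
    foreach ($ct in $sts.ClaimTypeInformation) {
        "  mapped {0} -> {1}" -f $ct.InputClaimType, $ct.MappedClaimType
    }
}

if ($issues.Count -eq 0) {
    "Trust configuration for {0} looks consistent" -f $idpName
} else {
    "Trust configuration for {0} has {1} issue(s):" -f $idpName, $issues.Count
    $issues | ForEach-Object { "  - $_" }
}
```

Run it from a SharePoint Management Shell on a farm server; the HTTPS check will fire against the http:// dev endpoint used in this post, which is acceptable on a dev box but should be fixed before the trust goes anywhere near production.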

Small bonus tip: add an identity claim to a site collection group

# web application the user is added to
$url = "http://claims.sp2010.dev"
$usr = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer "Verbondsleden" -Identity "user@company.com"
New-SPUser $usr.ToEncodedString() -web $url
Set-SPUser -Identity $usr.ToEncodedString() -web $url -group "Groupname"

# done

Small bonus tip 2: add an AD group to a site collection group with claims-based authentication:

# web application the group is added to
$url = "http://claims.sp2010.dev"
# resolve the AD group to its SID, which is what the claim carries
$grp1 = (New-Object System.Security.Principal.NTAccount("TEST", "domain users")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberclaims = New-SPClaimsPrincipal -Identity $grp1 -IdentityType WindowsSecurityGroupSid
New-SPUser $memberclaims.ToEncodedString() -web $url
Set-SPUser -Identity $memberclaims.ToEncodedString() -web $url -group "Groupname"

# done
