This is part three of a multi-part blog post on "writing your own Trusted Identity Provider / Claim Provider for SP2010". In the first post I covered:
- Create a Custom Security Token Service with the Windows Identity Framework SDK
In the second post I covered:
- Create a Custom SPClaimProvider
- Register your Custom SPClaimProvider
In this post I will:
- Create a Trust between your Trusted Identity Provider (STS) and SharePoint 2010
- Create or Configure your SP2010 WebApplication to use the Trusted Identity Provider
To create a Trust between your new STS and SharePoint you need to run a few PowerShell steps. Note that the endpoints in this dev setup are plain HTTP; in production both the STS sign-in URL and the SharePoint realm should be HTTPS, because the signed SAML token is POSTed back through the user's browser and the signature only protects its integrity, not its confidentiality.
First we have some variables to set:
```powershell
$invocation = (Get-Variable MyInvocation -Scope 0).Value
$rootPath = Split-Path $invocation.MyCommand.Path
$spClaimTypesCsv = Join-Path $rootPath "claim-types.csv"
# identity provider (token signing) certificate
$idpSigningCertificatePath = Join-Path $rootPath "idp-certificate.crt"
# identity provider ca certificate
$idpSigningCertificateAuthority = Join-Path $rootPath "idp-certificate-ca.crt"
# identity provider url and name
$idpPassivEndpoint = "http://stslogin.sp2010.dev/default.aspx"
$idpName = "Verbondsleden"
$idpDisplayName = "Verbondsleden"
# sharepoint webapplication we are going to use to log in to with this identity provider
$spRealm = "http://claims.sp2010.dev/_trust/default.aspx"
# name of the SPClaimProvider in SharePoint we registered earlier
$claimProvider = "VerbondsledenClaimsProvider"
# login/username Claim Type
$userIdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
```
Next we start with the creation of the trust. SharePoint needs the STS token-signing certificate as a trusted root authority, otherwise it will refuse to validate the token signature:
```powershell
"Loading signing certificate for {0} from {1}" -f $idpName, $idpSigningCertificatePath
$idpSigningCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpSigningCertificatePath)
echo $idpSigningCertificate
"Trusting the IdP certificate directly {0}" -f $idpSigningCertificatePath
$rootCert = Get-PfxCertificate $idpSigningCertificatePath
# remove a previous registration with the same name, if any (no confirmation prompt, no error when absent)
Remove-SPTrustedRootAuthority $idpName -Confirm:$false -ErrorAction SilentlyContinue
# Register the new identity provider certificate
New-SPTrustedRootAuthority $idpName -Certificate $rootCert
```
This adds a Trust, and you can view this in Central Administration:
Now we create an SPTrustedIdentityTokenIssuer. The -Realm is the wtrealm SharePoint sends to the STS and the audience the STS must put into the token; the -SignInUrl is the passive endpoint users are redirected to; the -ImportTrustCertificate is what SharePoint uses to verify the token signature; and the -IdentifierClaim is the claim whose value becomes the user's login name, so it must be one of the mapped claims:
```powershell
# remove if it already exists
$sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq $idpName }
if(-not ($sts -eq $null)) {
    "SPTrustedIdentityTokenIssuer {0} already exists, attempting to remove" -f $idpName
    Remove-SPTrustedIdentityTokenIssuer -Identity $idpName -Confirm:$false
}
# the claim types the identity provider issues. SharePoint only keeps incoming claims
# that are mapped here, and the identifier claim must be one of them; the extra
# mappings are optional because our SPClaimProvider takes care of the people picker.
[array] $claimTypeMappings = @()
$spClaimType = Import-Csv $spClaimTypesCsv
foreach ($claimType in $spClaimType) {
    "Adding claim type {0} ({1})" -f $claimType.ClaimType, $claimType.Description
    $claimTypeMapping = New-SPClaimTypeMapping $claimType.ClaimType -IncomingClaimTypeDisplayName $claimType.Name -SameAsIncoming
    if(-not (($claimTypeMapping -eq $null) -or ($claimTypeMapping.InputClaimType -eq $null))) {
        $claimTypeMappings += $claimTypeMapping
    }
}
"Creating SPTrustedIdentityTokenIssuer {0}" -f $idpName
$sts = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description $idpDisplayName -Realm $spRealm `
    -ImportTrustCertificate $idpSigningCertificate -ClaimsMappings $claimTypeMappings `
    -SignInUrl $idpPassivEndpoint -IdentifierClaim $userIdentityClaimType
echo $sts
if($claimProvider -eq "") {
    "Default claim provider selected for {0}" -f $idpName
} else {
    "Setting claim provider for {0} to {1}" -f $idpName, $claimProvider
    Set-SPTrustedIdentityTokenIssuer -Identity $idpName -ClaimProvider $claimProvider
}
```
And now we can select our own STS as an authentication provider on our Claims Based WebApplication (Central Administration, Manage web applications, Authentication Providers):
Of course there is an App/Wizard for this also: SPFedUtil.
So there you have it, when you browse your Claims Based WebApplication you will now get this screen:
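The post only shows the Central Administration screens for this step. The script below is an added example, not code from the original post, that does the same from PowerShell and then checks the things that most often go wrong with a hand-made STS: the identifier claim not being mapped, the signing certificate not matching the trusted root authority (or being expired), a plain-HTTP sign-in URL, and the provider not actually being enabled on the zone. It assumes the issuer name, web application URL and identifier claim type used earlier in this post, and that the web application already uses claims authentication.

```powershell
# Added example (not from the original post). Assumptions: issuer "Verbondsleden",
# web application http://claims.sp2010.dev, email address as identifier claim.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$idpName = "Verbondsleden"
$webAppUrl = "http://claims.sp2010.dev"
$userIdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

$sts = Get-SPTrustedIdentityTokenIssuer -Identity $idpName
$webApp = Get-SPWebApplication -Identity $webAppUrl
if (-not $webApp.UseClaimsAuthentication) {
    throw "$webAppUrl is a classic-mode web application; a trusted provider can only be added to a claims-mode one"
}

# Keep Windows authentication on the zone next to the trusted provider so the
# farm account, search crawler and admins can still get in if the STS is down.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webApp -Zone $zone -AuthenticationProvider $windows, $trusted

# --- sanity checks on the trust we just wired up ---
$problems = @()

# 1. the identifier claim must be the one we expect and must be a mapped claim
$idClaim = $sts.IdentityClaimTypeInformation
if ($idClaim -eq $null -or $idClaim.InputClaimType -ne $userIdentityClaimType) {
    $problems += "identifier claim is '$($idClaim.InputClaimType)', expected '$userIdentityClaimType'"
}
$mapped = $sts.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
if ($mapped -notcontains $userIdentityClaimType) {
    $problems += "identifier claim is not in the ClaimTypeInformation mappings"
}

# 2. the signing certificate must match the trusted root authority and be valid
$root = Get-SPTrustedRootAuthority -Identity $idpName -ErrorAction SilentlyContinue
if ($root -eq $null) {
    $problems += "no SPTrustedRootAuthority named $idpName"
} elseif ($root.Certificate.Thumbprint -ne $sts.SigningCertificate.Thumbprint) {
    $problems += "root authority thumbprint $($root.Certificate.Thumbprint) differs from issuer signing certificate $($sts.SigningCertificate.Thumbprint)"
}
$now = Get-Date
if ($sts.SigningCertificate.NotAfter -lt $now -or $sts.SigningCertificate.NotBefore -gt $now) {
    $problems += "signing certificate is not valid at $now (NotBefore $($sts.SigningCertificate.NotBefore), NotAfter $($sts.SigningCertificate.NotAfter))"
}

# 3. tokens travel through the browser: the sign-in endpoint should be HTTPS outside dev
if ($sts.ProviderUri.Scheme -ne "https") {
    Write-Warning "sign-in URL $($sts.ProviderUri) is not HTTPS; acceptable for a dev box only"
}

# 4. the zone must actually list the trusted provider we configured
$enabled = $webApp.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
if ($enabled -notcontains $sts.Name) {
    $problems += "zone $zone does not list provider $($sts.Name); enabled: $($enabled -join ', ')"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
} else {
    "Trust between {0} and {1} looks consistent; claim provider: {2}" -f $sts.Name, $webAppUrl, $sts.ClaimProviderName
}
```

Run it from the SharePoint 2010 Management Shell on a farm server. The thumbprint comparison is the check worth keeping around: when the STS certificate is rotated, both the root authority and the issuer's signing certificate have to be updated, and a mismatch shows up as users being bounced back to the sign-in page without any obvious error.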
Choose your STS, login with proper credentials, and you will be redirected to your SharePoint WebApplication:
Small Bonus tip: add an identity claim user to a Site Collection group. Users from a trusted provider are identified by their encoded claim string, so you build the claims principal first and use its encoded form as the login name:
```powershell
$url = "http://claims.sp2010.dev"
$usr = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer "Verbondsleden" -Identity "user@company.com"
# the encoded login name has the form i:0e.t|Verbondsleden|user@company.com
New-SPUser $usr.ToEncodedString() -Web $url
Set-SPUser -Identity $usr.ToEncodedString() -Web $url -Group "Groupname"
# done
```
Small Bonus tip 2: add an AD group to a Site Collection group on a web application with claims based authentication. The group is identified by its SID, encoded as a Windows security group claim:
```powershell
$url = "http://claims.sp2010.dev"
# resolve the domain group to its SID
$grp1 = (New-Object System.Security.Principal.NTAccount("TEST", "domain users")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberclaims = New-SPClaimsPrincipal -Identity $grp1 -IdentityType WindowsSecurityGroupSid
New-SPUser $memberclaims.ToEncodedString() -Web $url
Set-SPUser -Identity $memberclaims.ToEncodedString() -Web $url -Group "Groupname"
# done
```