SharePoint and Identity Server

0 Flares Twitter 0 Facebook 0 StumbleUpon 0 Google+ 0 LinkedIn 0 0 Flares ×

I’ve recently taken a new and challenging role delivering SharePoint 2010 solutions (among other things). Some of the requirements I’ve been looking at have required a close look at windows identity foundation (WIF). Its a great framework – maybe a bit overwhelming to start with – but definitely rewarding in the end!

To this end I’ve been looking at delivering a cusom security token service (STS) that can be used by SharePoint 2010, that is built using WIF….enter thinktecture Identity Server (http://identityserver.codeplex.com/). This is a really great codeplex project that delivers a functioning actiove / passive sts. I’ve really only scratched the surface, but I’ll write again when I get more into it.

The second really helpful thing was a couple of blog posts by Brian Cartmel, on his SharePoint blog. The first post describes how to get SharePoint 2010 working with the thinktecture identity server, the second explains how to add extra claims to sharepoint using powershell. They’re a couple of excellent posts – I cant recommend them enough:
Part 1: http://sharepintblog.com/2011/10/23/sharepoint-claims-based-authentication-with-thinktecture-identity-server-walkthrough/#comment-141
Part 2: http://sharepintblog.com/2011/10/26/adding-additional-claims-to-a-trusted-identity-token-issuer/#comment-142

There were a couple of things to watch out for – i.e. addressing the ProviderUri to …/issue/wsfed rather than …/account/signin and a requires ssl change. But all in all they get the job done! A bug thankyou to the thinktecture team and Brian Cartmel!

Matt

, ,

  • Hi Matt,

    I think I’ve been reading a Stack Overflow question/answer started and answered by yourself related to this blog post:
    http://stackoverflow.com/questions/8215037/creating-an-custom-active-sts-for-sharepoint-2010-using-windows-identity-foundat

    I need to do exactly the same thing as you (i.e. active federation in SharePoint 2010 where the login prompt is on the homepage). Did your solution work long-term? You say in your answer you were going to blog about it, did you get round to it? If not and it did work what exactly was your solution?

    Adam

  • Hi Adam,

    Yes I did get the on-site log-in working – it wasn’t easy!! Unfortunately I didn’t get around to writing the article and I don’t have an active sharepoint deployment running right now to put something together. I can give you some pointers though.

    I essentially created a custom web part for handling the log-in, and if I remember correctly was using the thinktecture identity server as the STS. When someone hit the log-in button I executed some code that fetched the security token from the sts, and then set the principal and session token in the SharePoint site. that code looked like this:

    SecurityToken genericToken = GetSecurityToken(Username,Password);
    SPFederationAuthenticationModule.Current.SetPrincipalAndWriteSessionToken(genericToken);

    The GetSecurityToken method was important, and looked like:

    public SecurityToken GetSecurityToken(string username, string password)
    {
    string appliesToAddress = ConfigurationManager.AppSettings[“RstAppliesTo”];
    string userNameTrustBinding = ConfigurationManager.AppSettings[“UsernameTrustEndpoint”];

    var factory = new WSTrustChannelFactory(
    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
    new EndpointAddress(userNameTrustBinding))
    {
    TrustVersion = TrustVersion.WSTrust13
    };

    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;

    IWSTrustChannelContract channel = factory.CreateChannel();

    RequestSecurityToken rst = new RequestSecurityToken
    {
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointAddress(appliesToAddress),
    KeyType = KeyTypes.Bearer
    };

    GenericXmlSecurityToken genericToken = channel.Issue(rst) as GenericXmlSecurityToken;

    return genericToken;
    }

    There was more to do on the config front (i.e. developing the trust between SharePoint and the STS, but you should be able to find rough examples of this via google).

    Let me know how you get on and if you need any more help.

    Matt

The Essential App Marketing Kit
Subscribe To My Newsletter To Get an Entire Chapter From The Book for FREE
Never display this again
0 Flares Twitter 0 Facebook 0 StumbleUpon 0 Google+ 0 LinkedIn 0 0 Flares ×