This is part three of a multi-part blog series on "writing your own Trusted Identity Provider / Claim Provider for SP2010". In the first post I covered:
- Create a custom Security Token Service with the Windows Identity Foundation SDK
In the second post I covered:
- Create a custom SPClaimProvider
- Register your custom SPClaimProvider
In this post I will:
- Create a trust between your Trusted Identity Provider (STS) and SharePoint 2010
- Create or configure your SP2010 web application to use the Trusted Identity Provider
To create a trust between your new STS and SharePoint you need to run a few PowerShell steps (from the SharePoint 2010 Management Shell, or after Add-PSSnapin Microsoft.SharePoint.PowerShell):
First we have some variables to set:
$invocation = (Get-Variable MyInvocation -Scope 0).Value
$rootPath = Split-Path $invocation.MyCommand.Path
# csv with the claim types the STS issues (columns: ClaimType, Name, Description)
$spClaimTypesCsv = Join-Path $rootPath "claim-types.csv"
# identity provider token signing certificate (public key only, no private key needed here)
$idpSigningCertificatePath = Join-Path $rootPath "idp-certificate.crt"
# identity provider CA certificate. Only needed when the signing certificate is issued by a CA:
# SharePoint validates the signing certificate chain against its own trusted root authorities,
# not the Windows certificate store, so in that case the CA certificate must be added as a
# SPTrustedRootAuthority as well (the example below uses a directly trusted signing certificate).
$idpSigningCertificateAuthority = Join-Path $rootPath "idp-certificate-ca.crt"
# identity provider passive (WS-Federation) sign-in url and name; use https, the token travels through this endpoint
$idpPassivEndpoint = "https://stslogin.sp2010.dev/default.aspx"
$idpName = "Verbondsleden"
$idpDisplayName = "Verbondsleden"
# realm (wtrealm) SharePoint sends to the STS: the _trust endpoint of the web application we are going to log in to.
# The STS must be configured to issue tokens for exactly this realm.
$spRealm = "https://claims.sp2010.dev/_trust/default.aspx"
# name of the SPClaimProvider in SharePoint we registered earlier
$claimProvider = "VerbondsledenClaimsProvider"
# login/username claim type. This must match the claim type URI the STS issues character for character;
# the standard WS-Identity e-mail claim type uses the http scheme.
$userIdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Next we start with the creation of a trust:
# -f binds before Write-Host sees the string, so the format expression must be in parentheses
Write-Host ("Loading signing certificate for {0} from {1}" -f $idpName, $idpSigningCertificatePath)
$idpSigningCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpSigningCertificatePath)
echo $idpSigningCertificate
Write-Host ("Trusting the IdP certificate directly {0}" -f $idpSigningCertificatePath)
$rootCert = $idpSigningCertificate
# remove an existing trusted root authority with the same name (ignore the error if there is none)
Remove-SPTrustedRootAuthority -Identity $idpName -Confirm:$false -ErrorAction SilentlyContinue
# register the IdP signing certificate as a trusted root authority so SharePoint accepts tokens signed with it
New-SPTrustedRootAuthority -Name $idpName -Certificate $rootCert
This adds a trust, and you can view this in Central Administration:
Now we create a SPTrustedIdentityTokenIssuer:
# remove if it already exists. Removal fails while a web application still uses the issuer;
# detach it from the web application first in that case.
$sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq $idpName }
if($sts -ne $null) {
"SPTrustedIdentityTokenIssuer {0} already exists, attempting to remove" -f $idpName
Remove-SPTrustedIdentityTokenIssuer -Identity $idpName -Confirm:$false
}
# the claim types SharePoint accepts from the identity provider. These mappings are required:
# SharePoint only keeps mapped claims in the user's token, and the identifier claim used below must
# be one of them. The SPClaimProvider registered earlier only affects the people picker, it does not
# replace these mappings.
[array] $claimTypeMappings = @()
$spClaimType = Import-Csv $spClaimTypesCsv
foreach ($claimType in $spClaimType) {
"Adding claim type {0} ({1})" -f $claimType.ClaimType, $claimType.Description
# -SameAsIncoming: the claim type SharePoint stores is the same as the one the STS sends
$claimTypeMapping = New-SPClaimTypeMapping -IncomingClaimType $claimType.ClaimType -IncomingClaimTypeDisplayName $claimType.Name -SameAsIncoming
if(($claimTypeMapping -ne $null) -and ($claimTypeMapping.InputClaimType -ne $null)) {
$claimTypeMappings += $claimTypeMapping
}
}
"Creating SPTrustedIdentityTokenIssuer {0}" -f $idpName
# -IdentifierClaim must be one of the incoming claim types in $claimTypeMappings, otherwise the cmdlet fails
$sts = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description $idpDisplayName -Realm $spRealm -ImportTrustCertificate $idpSigningCertificate -ClaimsMappings $claimTypeMappings -SignInUrl $idpPassivEndpoint -IdentifierClaim $userIdentityClaimType
echo $sts
if($claimProvider -eq "") {
"Default claim provider selected for {0}" -f $idpName
} else {
"Setting claim provider for {0} to {1}" -f $idpName, $claimProvider
Set-SPTrustedIdentityTokenIssuer -Identity $idpName -ClaimProvider $claimProvider
}
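Before pointing a web application at the new issuer it pays to check what SharePoint actually stored. The following script is an added example and not part of the original post; it assumes the variables set earlier in this post ($idpName, $claimProvider, $userIdentityClaimType, $idpSigningCertificatePath) and checks the points that most often break a trusted provider sign-in: a signing certificate that does not match the one the STS signs with, a certificate chain that SharePoint cannot validate against its own trusted root authorities, a sign-in URL without TLS, and an identifier claim that is not among the mapped claim types.

```powershell
# Added example, not code from the original post. Assumes $idpName, $claimProvider,
# $userIdentityClaimType and $idpSigningCertificatePath from the variables above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-TrustedIdp {
    param(
        [string]$Name,
        [string]$ExpectedClaimProvider,
        [string]$ExpectedIdentifierClaim,
        [string]$SigningCertificatePath
    )
    $problems = @()
    $sts = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $Name }
    if ($sts -eq $null) { return @("SPTrustedIdentityTokenIssuer '$Name' not found") }

    # 1. SharePoint validates token signatures with SigningCertificate; compare thumbprints
    #    (not subjects) with the certificate file the STS signs with, and warn before it expires.
    $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertificatePath)
    if ($sts.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
        $problems += "signing certificate thumbprint differs from $SigningCertificatePath"
    }
    if ($sts.SigningCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += ("signing certificate expires on {0}" -f $sts.SigningCertificate.NotAfter)
    }

    # 2. SharePoint checks the signing certificate chain against Get-SPTrustedRootAuthority,
    #    not the Windows store, so every certificate in the chain must be registered there.
    #    If the issuing CA is unknown to the Windows store, Build() returns only the leaf;
    #    add the CA certificate to the machine store (or check it by hand) in that case.
    $trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.Build($sts.SigningCertificate)
    foreach ($element in $chain.ChainElements) {
        if ($trusted -notcontains $element.Certificate.Thumbprint) {
            $problems += ("chain certificate '{0}' is not a SPTrustedRootAuthority" -f $element.Certificate.Subject)
        }
    }

    # 3. The passive sign-in endpoint must use TLS; the SAML token is posted back through it.
    if ($sts.ProviderUri.Scheme -ne "https") {
        $problems += ("sign-in url {0} is not https" -f $sts.ProviderUri)
    }

    # 4. The identifier claim has to be one of the mapped incoming claim types and must match
    #    the claim type URI the STS issues exactly (scheme, case and trailing slash included).
    $idClaim = $sts.IdentityClaimTypeInformation
    if (($idClaim -eq $null) -or ($idClaim.InputClaimType -ne $ExpectedIdentifierClaim)) {
        $problems += "identifier claim is not $ExpectedIdentifierClaim"
    }
    foreach ($mapping in $sts.ClaimTypeInformation) {
        "mapped claim: {0} -> {1}" -f $mapping.InputClaimType, $mapping.MappedClaimType
    }

    # 5. The custom claim provider registered in part two should be bound to this issuer.
    if (($ExpectedClaimProvider -ne "") -and ($sts.ClaimProviderName -ne $ExpectedClaimProvider)) {
        $problems += ("claim provider is '{0}', expected '{1}'" -f $sts.ClaimProviderName, $ExpectedClaimProvider)
    }
    return $problems
}

$issues = Test-TrustedIdp -Name $idpName -ExpectedClaimProvider $claimProvider `
    -ExpectedIdentifierClaim $userIdentityClaimType -SigningCertificatePath $idpSigningCertificatePath
if ($issues.Count -eq 0) { "Trust '$idpName' looks healthy" } else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

The chain check is the one that tends to surprise people: a CA-issued signing certificate that Windows considers valid is still rejected by SharePoint until the CA certificate (and any intermediates) are added with New-SPTrustedRootAuthority.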
And now we can trust our own STS in our Claims Based WebApplication:
Of course there is also an app/wizard for this: SPFedUtil.
So there you have it: when you browse to your claims-based web application you will now get this screen:
Choose your STS, log in with proper credentials, and you will be redirected to your SharePoint web application:
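The same binding can be scripted. This is an added example and not code from the original post: it assumes the $idpName and $spRealm variables set earlier, that the realm belongs to the web application at https://claims.sp2010.dev, and a hypothetical application pool name and managed account (ClaimsAppPool, SP2010\spapppool) for the case where the web application does not exist yet.

```powershell
# Added example, not code from the original post. Assumes $idpName and $spRealm from the
# variables above; $webAppUrl, the application pool name and the managed account are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://claims.sp2010.dev"

function Set-TrustedIdpOnWebApplication {
    param([string]$Url, [string]$IssuerName)

    $sts = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $IssuerName }
    if ($sts -eq $null) { throw "SPTrustedIdentityTokenIssuer '$IssuerName' not found" }

    # Keep Windows authentication next to the trusted provider so farm administrators and
    # the search crawler can still sign in with NTLM/Kerberos while the IdP is being tested.
    $windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    $trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts

    $webApp = Get-SPWebApplication -Identity $Url -ErrorAction SilentlyContinue
    if ($webApp -eq $null) {
        # Create a new claims-based web application on SSL; passing authentication providers
        # makes it claims-based, and the trusted provider only works on a claims-based web application.
        $webApp = New-SPWebApplication -Name "Claims" -Url $Url -Port 443 -SecureSocketsLayer `
            -ApplicationPool "ClaimsAppPool" -ApplicationPoolAccount (Get-SPManagedAccount "SP2010\spapppool") `
            -AuthenticationProvider $windowsProvider, $trustedProvider
    } else {
        if (-not $webApp.UseClaimsAuthentication) {
            throw "$Url uses classic mode authentication; convert it to claims authentication first"
        }
        # Replace the provider list of the Default zone with Windows + our trusted provider
        Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windowsProvider, $trustedProvider
    }

    # Sanity check: the realm SharePoint sends to the STS must be the _trust endpoint of this
    # web application, otherwise the STS issues a token for a different audience and SharePoint rejects it.
    $expectedRealm = $Url.TrimEnd("/") + "/_trust/default.aspx"
    if ($sts.DefaultProviderRealm -ne $expectedRealm) {
        Write-Warning ("issuer realm is {0}, web application expects {1}" -f $sts.DefaultProviderRealm, $expectedRealm)
    }
    return $webApp
}

$webApp = Set-TrustedIdpOnWebApplication -Url $webAppUrl -IssuerName $idpName
$webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
```

With two providers on the same zone users get the provider selection page shown below; remove $windowsProvider from the list once the trusted provider has been proven to work, or put the Windows provider on a separate zone, so the public zone only exposes the IdP.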
Small bonus tip: add an identity claim (a user from the trusted provider) to a site collection group
$url = "https://claims.sp2010.dev"
# build the encoded claim (i:0e.t|Verbondsleden|user@company.com) for the identifier claim of our issuer
$usr = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer "Verbondsleden" -Identity "user@company.com"
New-SPUser -UserAlias $usr.ToEncodedString() -Web $url
Set-SPUser -Identity $usr.ToEncodedString() -Web $url -Group "Groupname"
# done
Small bonus tip 2: add an AD group to a site collection group with claims-based authentication:
$url = "https://claims.sp2010.dev"
# resolve the group to its SID; SharePoint stores Windows group claims by SID (c:0+.w|S-1-5-...), not by name
$grp1 = (New-Object System.Security.Principal.NTAccount("TEST", "domain users")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberclaims = New-SPClaimsPrincipal -Identity $grp1 -IdentityType WindowsSecurityGroupSid
New-SPUser -UserAlias $memberclaims.ToEncodedString() -Web $url
Set-SPUser -Identity $memberclaims.ToEncodedString() -Web $url -Group "Groupname"
# done