
External Authentication Providers for SharePoint 2010 (Oracle/Sun Directory as user stores)


Thank you for continuing to read my blogs. It is a Sunday afternoon and the Roosters are leading the Panthers 10 points to 6 in the NRL; by the look of it, it has all the signs of turning into a one-sided match in the second half. I thought I might write a blog about SharePoint and single sign-on with non-Microsoft technologies.

The Problem:

Organisations often want to use their existing technology stack with SharePoint. This is due to the popularity of SharePoint as a platform to consolidate and provide a range of application services, either to replace an existing set of tools or to complement an existing application suite. We fall under the latter.
I am working within a truly heterogeneous environment at the moment: the extranet applications are built on a mix of technologies such as OpenText Livelink for DMS, Java and jBPM for workflow and front-end portals, and Sun Directory and Oracle for user data and other DB-layer services. Single sign-on is provided through Central Authentication Service (CAS) from Jasig.
Now throw SharePoint 2010 and InfoPath forms into the mix and integration, authentication in particular, becomes a big challenge. The functionality of SharePoint is great; however, the goal is to provide an acceptable level of user experience, and asking users to keep two sets of usernames and passwords to access different services is a no-go.
At a high level, these are the things one would consider:
- Authentication providers
- Username and password store (not even considering the Microsoft ASP.NET membership DB)
- Authorisation for SharePoint resources based on roles in other systems
- Keeping the user data in sync across all systems
- Initial migration of user data into SharePoint for authorisation

The Solution:

Proof of Concept Architecture

1. The user accesses the extranet and authenticates against CAS
2. An authentication ticket is issued for the trusted application
3. The user accesses the SharePoint 2010 site hosting forms to use an e-Form
4. The user is redirected to the STS and authenticated against Oracle or Sun Directory

Future ambitions:

This architecture takes advantage of SharePoint claims-based authentication. The future ambition is to build a bridge that provides true single sign-on using CAS, or any other SSO product with support for the SAML2 protocol.

1. Build and deploy an STS to provide claims for SharePoint 2010

For this proof of concept I will be using a series of steps similar to Microsoft's claims walkthrough, as it applies to all claims providers. If you need detailed steps on deploying the STS, please follow this article: http://msdn.microsoft.com/en-us/library/ff955607.aspx
i) Create a Visual Studio solution and add a Claims STS project.
   This is only a quick proof of concept; I hope you would agree that there is a lot more work required before it is anywhere near production ready.
   Add references to the log4net, NHibernate and OracleDataAccess libraries.
   Add Global.asax.cs and initialise the Oracle session factory and log4net.
ii) Provide implementations to authenticate users against the Oracle and Sun Directory user stores.
   Sample login class.
   Update UserInfo.cs to implement the AuthenticateUser method.
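As an added example (not the STS code from this post), the following C# shows one way the AuthenticateUser step can be implemented against a Sun Directory, or any LDAPv3 user store, with System.DirectoryServices.Protocols: a read-only service account looks the user up by e-mail, then a bind as the user's own DN proves the password. The host name, the LDAPS port, the base DN, the inetOrgPerson/mail attribute layout and the service-account credential are assumptions; the filter escaping and the empty-password check are the two details a reviewer of such a login class would look for, since an unescaped e-mail can rewrite the LDAP filter and an empty password turns a simple bind into an anonymous bind that most directories accept.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;

public static class SunDirectoryAuthenticator
{
    // Escape a value for an LDAP search filter (RFC 4515), so an e-mail such as
    // "*)(uid=*" cannot change the meaning of the query. Backslash goes first.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Two-step check: look the account up by e-mail as a read-only service account,
    // then prove the password by binding as the user's own DN.
    public static bool AuthenticateUser(string ldapHost, string baseDn,
        NetworkCredential serviceAccount, string email, string password)
    {
        // An empty password would turn the later Bind into an anonymous bind, which
        // most directories accept: reject it before contacting the server.
        if (string.IsNullOrEmpty(email) || string.IsNullOrEmpty(password))
            return false;

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(ldapHost, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true;  // LDAPS, so credentials never travel in clear
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;                // simple bind
            conn.Bind(serviceAccount);

            // Assumed layout: user entries are inetOrgPerson with a "mail" attribute.
            string filter = "(&(objectClass=inetOrgPerson)(mail=" + EscapeFilterValue(email) + "))";
            var search = new SearchRequest(baseDn, filter, SearchScope.Subtree, "1.1"); // "1.1": DN only
            var result = (SearchResponse)conn.SendRequest(search);
            if (result.Entries.Count != 1)
                return false;  // unknown or ambiguous account: fail closed

            try
            {
                conn.Bind(new NetworkCredential(result.Entries[0].DistinguishedName, password));
                return true;
            }
            catch (LdapException)
            {
                return false;  // invalid credentials (LDAP result code 49)
            }
        }
    }
}
```

The STS would call AuthenticateUser from its login page and only issue the e-mail claim when it returns true; the e-mail value placed in the claim should be the one read back from the directory, not the raw form input.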
iii) Register the custom STS as an authentication provider for the SharePoint site
Using C#:
- Only registering the email address claim and a few test users.
- The certificate exported from
- Registering https://saststest as the claims provider for the https://test-forms site
Using PowerShell:
http://code.google.com/p/socialauth-net/wiki/sharepoint_powershell_installation
iv) Add additional claims-based users into the SharePoint site collection
   - C#: call EnsureUser to push the user into the site collection
     string addUserResult = createNewSharePointClaimUserForSite("https://test-forms", "test_sts@gmail.com");
   - PowerShell:
     $web = Get-SPWeb "https://test-forms"
     $group = $web.SiteGroups["test-forms Members"]
     $claimPrincipal = New-SPClaimsPrincipal -EncodedClaim "i:05.t|STANDARDSSTS|test_sts@gmail.com"
     $newUser = New-SPUser -UserAlias $claimPrincipal.ToEncodedString() -Web $web
     $group.AddUser($newUser)
v) End-to-end testing of STS-based authentication
   - Access https://test-forms and select the STS to authenticate.
   - The user test_sts@gmail.com is already registered in our Oracle-based user store.
   - The user is authenticated and a claim has been issued against https://test-forms

2. Build and deploy a WCF service to provide and maintain security groups/users

For this proof of concept I am going to show the basics. You can of course use the SharePoint ASP.NET web services instead of going down the path of a WCF service, and avoid the maintenance work that comes with this approach. Also a note of caution: this service will have to run on .NET 3.5, not 4, as the SharePoint 2010 related libraries are compiled against .NET Framework 2, and it will have to be hosted on servers in your SharePoint farm.
i) Create a Visual Studio 2010 solution and add a WCF service application project
   - Select WCF as the project type and .NET 3.5 as the target framework
   - Include references to the IdentityModel, log4net and SharePoint libraries.
ii) Add CRUD interfaces to create and manage SharePoint security groups/users
   - For the proof of concept I have the following interface methods in my ISharePointUserSvc.cs
iii) Add implementations of the CRUD operations against SharePoint groups/users
   - The implementation of public String createNewSharePointSecurityGroupForSite(string siteUri, string groupName) may look like the following in SharePointUserSvc.svc.cs
   - I will leave the demo of calling these service methods outside this blog. Visual Studio has a nice WCF Test Client if you want to test the service methods quickly.
iv) Migrate users and groups from CRM into the SharePoint site collection
   This can be done through PowerShell or code.

Other tools used for the purposes of this PoC:
STSFederationMetadataGen.exe - to generate or modify the federation metadata of the STS.
OpenSSL to generate self-signed certificates, or you can use the IIS 7 built-in certificate generation utility:
http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html

I would love to hear if you have done similar work or about an alternative architecture proposal.

Comments

  1. Nice post, and really it's very helpful. But I have a question: where are we going to call the "EnsureUser to push the user into the site collection" method? We can validate the users from other sources, but in SharePoint that user must exist, right? So how am I going to add the users?
  2. Hello Pandu,

    The EnsureUser method is called with the user claim. This method adds the claims user to the site collection only if they are not there already. It returns the SPUser if the user existed.

    Thanks

    public String createNewSharePointClaimUserForSite(string siteUri, string userEmail)
    {
        logger.Info("Invoking createNewSharePointClaimUserForSite(string siteUri, string userEmail) with " + siteUri + " " + userEmail);
        // Encoded claim: identity claim (i), e-mail claim type (05), string value (.), trusted issuer (t) named "sts".
        string completeClaimId = "i:05.t|sts|" + userEmail;
        string returnValue = "Success";
        SPClaimProviderManager cpm = SPClaimProviderManager.Local;
        SPClaim userClaim = cpm.ConvertIdentifierToClaim(completeClaimId, SPIdentifierTypes.EncodedClaim);

        using (SPSite theSite = new SPSite(siteUri))
        using (SPWeb theWeb = theSite.OpenWeb()) // dispose the SPWeb as well as the SPSite
        {
            try
            {
                // Adds the claims user to the site if absent; returns the existing SPUser otherwise.
                SPUser theUser = theWeb.EnsureUser(userClaim.ToEncodedString());
            }
            catch (Exception ex)
            {
                returnValue = "Exception:" + ex.ToString();
                logger.Error("Exception in createNewSharePointClaimUserForSite with " + siteUri + " " + userEmail, ex);
            }
        }
        logger.Info("Completing createNewSharePointClaimUserForSite with " + siteUri + " " + userEmail);
        return returnValue;
    }
