Share via


Writing your own Trusted Identity provider for SP2010 (3)

This is part three of a Multi Blog post on "writing your own Trusted Identity provider / Claim Provider for SP2010". In the first post I covered:

In the second post I covered:

In this post will:

  • Create a Trust between your Tusted Identity Provider (STS) and SharePoint 2010
  • Create or Configure your SP2010 WebApplication to use the Tusted Identity Provider

To create a Trust between your new STS and SharePoint you need to run a few powershell steps:
First we have some variables to set:

 
$invocation = (Get-Variable MyInvocation -Scope 0).Value
$rootPath = Split-Path $invocation.MyCommand.Path

$spClaimTypesCsv = Join-Path $rootPath "claim-types.csv"

# identity provider certificate
$idpSigningCertificatePath = Join-Path $rootPath "idp-certificate.crt"
# identity provider ca certificate
$idpSigningCertificateAuthority = Join-Path $rootPath "idp-certificate-ca.crt"

# identity provider url and name
$idpPassivEndpoint = "https://stslogin.sp2010.dev/default.aspx"
$idpName = "Verbondsleden"
$idpDisplayName = "Verbondsleden"

# sharepoint webapplication we are going to use to log in to with this identity provider
$spRealm = "https://claims.sp2010.dev/_trust/default.aspx"
# name of the SPClaimProvider in SharePoint we registered earlier
$claimProvider = "VerbondsledenClaimsProvider"
# login/username Claim Type
$userIdentityClaimType = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Next we start with the creation of a trust:

 
Write-Host "Creating signing certificate for {0} from {1}" -f $idpName, $idpSigningCertificatePath
$idpSigningCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpSigningCertificatePath)
echo $idpSigningCertificate

Write-Host "Trusting the IdP certificate directly {0}" -f $idpSigningCertificatePath
$rootCert = Get-PfxCertificate $idpSigningCertificatePath
Remove-SPTrustedRootAuthority $idpName

#Register the new identity provider
New-SPTrustedRootAuthority $idpName -Certificate $rootCert

This adds a Trust, and you can view this in the Central Administration : 
sp2010-claims-trust[1]

Now we create a SPTrustedIdentityTokenIssuer:

 
# remove if it already exists
$sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq $idpName }
if(-not ($sts -eq $null)) {
    "SPTrustedIdentityTokenIssuer {0} already exists, attempting to remove" -f $idpName
    Remove-SPTrustedIdentityTokenIssuer -Identity $idpName
}

# the ClaimTypes the Identity Provider provides, this is not needed because we have a SPClaimProvider
[array] $claimTypeMappings = @()
$spClaimType = Import-Csv $spClaimTypesCsv
foreach ($claimType in $spClaimType) {
    "Adding claim type {0} ({1})" -f $claimType.ClaimType, $claimType.Description
    $claimTypeMapping = New-SPClaimTypeMapping $claimType.ClaimType -IncomingClaimTypeDisplayName $claimType.Name -SameAsIncoming
    if(-not (($claimTypeMapping -eq $null) -or ($claimTypeMapping.InputClaimType -eq $null))) {
        $claimTypeMappings += $claimTypeMapping
    }
}

"Creating SPTrustedIdentityTokenIssuer {0}" -f $idpName
$sts = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description $idpDisplayName -Realm $spRealm -ImportTrustCertificate $idpSigningCertificate -ClaimsMappings $claimTypeMappings -SignInUrl $idpPassivEndpoint -IdentifierClaim $userIdentityClaimType
echo $sts

if($claimProvider -eq "") {
    "Default claim provider selected for {0}" -f $idpName
} else {
    "Setting claim provider for {0} to {1}" -f $idpName, $claimProvider
    Set-SPTrustedIdentityTokenIssuer -Identity $idpName -ClaimProvider $claimProvider
}

And now we can trust our own STS in our Claims Based WebApplication: 
sp2010-claims-webapplication-provider[1]

Off course there is an App/Wizard for this also: SPFedUtil.

So there you have it, when you browse your Claims Based WebApplicaiton you will now get this screen: 
sp2010-claims-webapplication-login[1]

Choose your STS, login with proper credentials, and you will be redirected to your SharePoint WebApplication:

sp2010-claims-webapplication-logged-in[1]

Small Bonus tip: add an identity claim to a Site collection Group

 
$usr = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer "Verbondsleden" -Identity "user@company.com"
New-SPUser $usr.ToEncodedString() -web https://claims.sp2010.dev
Set-SPUser -Identity $usr.ToEncodedString() -web $url -group "Groupname"
# done

Small Bonus tip 2: add a AD Group to a Site collection group with Claims based authentication:

 
$grp1 = (New-Object System.Security.Principal.NTAccount("TEST", "domain users")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberclaims = New-SPClaimsPrincipal -Identity $grp1 -IdentityType WindowsSecurityGroupSid
New-SPUser  $memberclaims.ToEncodedString() -web https://claims.sp2010.dev
Set-SPUser -Identity $memberclaims.ToEncodedString() -web $url -group "Groupname"
# done