Integrating Windows Live ID, Google and Facebook Accounts with SharePoint 2013 - White Paper
With federated authentication, an external identity provider authenticates the user and sends a token back to SharePoint. Instead of creating accounts internally (in AD or SQL Server) for external users and partners, we can let external providers such as Microsoft Live ID, Google, Yahoo or Facebook (or even an external Active Directory via ADFS) handle authentication. That is extremely useful for public-facing SharePoint sites.
This article walks through, step by step, integrating Windows Live ID, Google and Facebook authentication with SharePoint 2013.
To start with, here are the steps in summary:
- We need Windows Azure ACS (Access Control Service) as our trusted identity provider. Subscribe and create one.
- Add new Identity Provider for SharePoint 2013 with PowerShell.
- Authorize users by granting them access to the web application.
Step 1: Configure Azure ACS with required Providers:
Create a Windows Azure Account
We need Windows Azure Access Control Service (ACS) to handle authentication from external identity providers. In ACS we can choose providers like Microsoft Live ID, Google, etc. Create a Windows Azure account: subscribe for Azure (you must have a Microsoft Live ID and may need a credit card).
Go to: https://www.windowsazure.com/en-us/ and register a new account.
http://3.bp.blogspot.com/-qPGZamiYVds/Uoy0FPFmA_I/AAAAAAAAD6g/MIlrKr4swMQ/s640/windows+azure+signup.png
I registered a trial account with Azure. If you are part of a Windows Azure user group, you can obtain a free coupon for a 30-day Windows Azure pass at: http://www.windowsazurepass.com/
Create New Azure Access Control Service
- Login to Windows Azure Portal, Click on "New" link from the footer pane >> App Services >> Active Directory >> Access Control >> Quick Create. Provide Namespace and location for your ACS service. http://1.bp.blogspot.com/-z-f50napLDs/Uoy0vyn-efI/AAAAAAAAD6o/WoT_gquXtt4/s640/create+new+Azure+ACS+service.png
- Once the service is created and activated, Select the ACS and Click on "Manage" link from the footer pane. This takes us to the ACS configuration page. http://4.bp.blogspot.com/-XpCWR0voYqI/Uoy1NIISO2I/AAAAAAAAD6w/epWN4Ek4YHI/s640/manage+azure+ACS+service.png
Configure Azure ACS
There are four sections to configure in ACS:
- Identity providers
- Relying party applications
- Rule groups
- Certificates and keys
Work through the configurations below one by one.
1. Identity Providers:
- To start with, click on the "Identity Providers" link. You'll notice "Windows Live ID" is already listed there. You can add additional providers by clicking the "Add" link in the Identity Providers tab. Let's add "Google": http://1.bp.blogspot.com/-ih8qCDTmOR0/Uoy4gUGLT5I/AAAAAAAAD7g/C644ooSuIis/s1600/add+new+identity+provider.png
- From the list, choose "Google" and click the "Next" button. http://4.bp.blogspot.com/-zH49-EJrlYk/Uoy4xQWOTmI/AAAAAAAAD7o/X_IUbaeJwFc/s640/add+google+identity+provider.png
- Click the Save button to complete the changes. http://2.bp.blogspot.com/-ceziSQ7n5cA/Uoy5EjeasuI/AAAAAAAAD7w/zq4H-vHrGZU/s1600/Add+gmail+accounts+in+SharePoint+2013.png
Integrate Facebook Authentication with SharePoint 2013:
For Facebook account integration with SharePoint 2013 we need one more step: create a new application in Facebook, then add Facebook as a provider in ACS.
- Go to Facebook Apps, https://developers.facebook.com/apps
- Create new Facebook Application http://2.bp.blogspot.com/-utliuyHMAhY/Uoy28EFT1mI/AAAAAAAAD7E/RGDLIOhCip0/s1600/create+new+app.png
- Give it an App Name and App Namespace, then click "Continue". http://1.bp.blogspot.com/-KRmFaAbjoVw/Uoy3X5vTs7I/AAAAAAAAD7U/CYP4ptPEN04/s1600/Create+Facebook+Application+for+sharepoint+2013+Login.png
- Under "Website with Facebook Login", set the site URL to your ACS namespace: https://{your ACS Namespace}.accesscontrol.windows.net http://4.bp.blogspot.com/-jd6QoWOu1Hg/Uoy3AiKfYTI/AAAAAAAAD7M/JLpchSeTL5o/s1600/configure+facebook+app+settings.png
- Click Save Changes.
Now, in ACS:
- Add a new "Facebook Application" identity provider and click Next. http://3.bp.blogspot.com/-GdJ9K5tHmuQ/Uoy5o6aaFTI/AAAAAAAAD74/xxi6kgMnOhw/s1600/add+facebook+identity+provider+in+ACS.png
- Enter the Application ID and Application Secret values from the Facebook application. The App Secret is a credential: whoever holds it can obtain tokens as your application, so store it only in ACS and reset it in Facebook if it is ever exposed. http://4.bp.blogspot.com/-oueEZmxYtms/Uoy6HEyhcZI/AAAAAAAAD8A/5AhtqheF7vo/s640/setup+facebook+app+settings+in+acs.png
- Click Save to complete your changes. Our identity providers page now lists these three identity providers: http://1.bp.blogspot.com/-gokCQRDYQ-I/Uoy7d6EOPSI/AAAAAAAAD8M/WoAQp_QYj8M/s640/identity+providers.png
2. Relying party applications:
A relying party application is a web site or application that uses ACS for authentication. In our case it is the SharePoint web application. So, let's create a relying party application.
- Go to Relying Party Applications Tab, Click on "Add"
- Enter the parameters below. Give it a Name (can be anything).
- Specify the "Realm" as your SharePoint web application's URL (say: http://extranet.crescent.com). The realm is the identifier SharePoint sends in the wtrealm parameter, so it must match exactly what the PowerShell script in Step 2 uses.
- In Return URL, append /_trust to the web application URL, so in our case: http://extranet.crescent.com/_trust . ACS POSTs the signed token to this URL, so for anything beyond a lab the web application should be HTTPS; over plain HTTP the token can be read or replayed on the network.
- Token format should be SAML 1.1 (a SharePoint 2013 trusted identity provider accepts SAML 1.1 tokens only).
- Set the Token lifetime to 3600 (seconds, i.e. one hour).
- Make sure "Create new rule group" is checked and click the "Save" button. http://4.bp.blogspot.com/-NGfYRtaHLCM/Uoy8r_kwPrI/AAAAAAAAD8U/f5Vc46M1nOs/s1600/relying+party+applications+settings.png
3. Rule groups:
- Click on "Default Rule Group for http://extranet.crescent.com". http://3.bp.blogspot.com/-f-VnDdN8u08/Uoy-LWDmTOI/AAAAAAAAD8g/6Q2jdXYwwbA/s1600/edit+default+rule+group.png
- Under Rules you'll see the message "No rules have been added." Click the "Generate" link just above the Rules section. http://3.bp.blogspot.com/-PhjNn9oqjqk/Uoy-L6oIq_I/AAAAAAAAD8w/j_qSQZjylK4/s1600/generate+rule+group.png
- Select the providers and hit the Generate button again on the page presented. Click "Save". http://3.bp.blogspot.com/-qf6GFIOxCJM/Uoy-LZRG8II/AAAAAAAAD8k/DP_Tb-pN-DM/s1600/generate+rule+group+2.png
- If you visit the default rule group again, you will see the claim mappings generated for these providers (pass-through rules for the claims each provider emits). http://4.bp.blogspot.com/-PbczywyPVMo/Uoy-Ld_5QeI/AAAAAAAAD8o/KVti3RaS4yU/s1600/Edit+Rule+Groups.png
You can also map additional claims from the providers by adding rules here.
4. Certificates and keys:
ACS signs every token it issues with an X.509 certificate, and SharePoint validates that signature using the certificate's public key. So we need a certificate whose private key is uploaded to ACS and whose public part is imported into SharePoint. This is token signing, not transport encryption; TLS on the SharePoint web application is a separate matter. For development environments you can create a self-signed certificate with MakeCert.exe.
MakeCert.exe is part of the Windows SDK, which you can download from: http://go.microsoft.com/fwlink/p/?linkid=84091 . MakeCert lives under: C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin. So, in a command prompt, enter:
cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"
MakeCert.exe -r -pe -n "CN=crescent.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 11/15/2014
This generates a self-signed certificate with an exportable private key (-pe) and places it in the current user's Personal (My) certificate store, not in the trusted root store. From there you export it via the Certificates MMC snap-in: once as .pfx (with the private key, for ACS) and once as .cer (public key only, for SharePoint). Note the -e date: tokens stop validating in SharePoint the day the certificate expires. Alternatively, write the private key and certificate to files directly:
MakeCert.exe -r -pe -n "CN=crescent.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 11/15/2014 -sv "c:\Extranet.pvk" "c:\Extranet.cer"
ACS needs a .pfx, so in that case convert the .pvk/.cer pair with pvk2pfx.exe from the same SDK folder. Keep the .pvk/.pfx off the SharePoint servers; only the .cer belongs there.
If makecert.exe is not available, create a self-signed certificate in IIS with the specified common name, and then export the .CER and .PFX files from the Certificates snap-in in MMC.
Import the Certificate to ACS:
- Once the certificate is generated, on the Certificates and keys tab click the "Add" link. http://3.bp.blogspot.com/-NOJEn7f6LTg/Uoy_sgVxsHI/AAAAAAAAD9M/FE2ABZ_ppDI/s640/add+certificates+and+keys.png
- Browse to the certificate created (.pfx), provide its password and click "Save". Make sure it is added as a token signing certificate that is used for our relying party application; the thumbprint ACS shows here must match the .cer you give SharePoint in Step 2, otherwise signature validation fails. http://4.bp.blogspot.com/-NJ5F0l5RnZE/Uoy_sihrxuI/AAAAAAAAD9I/wU84DxofTlc/s640/assign+certificate.png
Warning: MakeCert.exe is not recommended for Production environments!
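As an added example (not part of the original article), here is the same certificate step done in PowerShell with the PKI module cmdlets available on Windows Server 2012 and later, so you get the two files the walkthrough needs without MakeCert. The namespace "crescent", the output folder C:\certs and the password prompt are assumptions; like MakeCert, this produces a self-signed certificate that is fine for a lab and not for production.

```powershell
# Added example, not from the original article: PowerShell replacement for the MakeCert step.
# Produces the .pfx (certificate + private key) to upload to ACS as the token-signing
# certificate, and the .cer (public key only) to import into SharePoint.
# Assumptions: ACS namespace "crescent", output folder C:\certs, elevated prompt
# (the LocalMachine store and the private-key export both require it).

$namespace = "crescent"
$subject   = "$namespace.accesscontrol.windows.net"
$outDir    = "C:\certs"
$pfxPath   = Join-Path $outDir "$subject.pfx"
$cerPath   = Join-Path $outDir "$subject.cer"

# Self-signed certificates are for lab use only; use a CA-issued certificate in production.
$pfxPassword = Read-Host -AsSecureString "Password to protect the .pfx"

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Creates a self-signed, exportable certificate in the machine's Personal store.
# -DnsName sets the subject CN (and SAN); this parameter exists on Server 2012 and later.
$cert = New-SelfSignedCertificate -DnsName $subject -CertStoreLocation "Cert:\LocalMachine\My"

# .pfx = certificate + private key: this is what ACS needs in order to sign tokens.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# .cer = public certificate only: this is all SharePoint needs to validate signatures.
# Never copy the .pfx to the SharePoint servers; the private key belongs only in ACS.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# The thumbprint and expiry are what you compare against the ACS "Certificates and keys"
# page and against Get-SPTrustedIdentityTokenIssuer later; a mismatch or an expired
# certificate means every federated login fails signature validation.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Pfx        = $pfxPath
    Cer        = $cerPath
}
```

Upload the .pfx to ACS and point the `$certloc` variable of the Step 2 script at the .cer; write down the thumbprint so you can confirm both sides hold the same certificate.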
Step 2: Add new Trusted identity Provider as Azure ACS
Our authentication providers are ready now! Next we have to make SharePoint aware of them by creating a new trusted identity token issuer. Here is the PowerShell script to create it (run it from the SharePoint 2013 Management Shell on a farm server):
Add-PSSnapin Microsoft.SharePoint.PowerShell

# Realm we created for the relying party application in Azure ACS
$realm = "http://extranet.crescent.com"

# Replace "crescent.accesscontrol.windows.net" and "extranet.crescent.com" with yours here!
$signinurl = "https://crescent.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2fextranet.crescent.com%2f"

# Location of the public certificate (.cer) generated with MakeCert.exe in Step 1
$certloc = "C:\Extranet.cer"
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority "Windows Azure ACS" -Certificate $rootcert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)

# Map the fields from the rules created for all providers: Facebook, Google & Live ID
# NameIdentifier field (the one claim all three providers return)
$NameIdentifier = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# Email field
$Email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
# Given name field
$GivenName = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "Display Name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
# Facebook-specific claims
$AccessToken = New-SPClaimTypeMapping -IncomingClaimType "http://www.facebook.com/claims/AccessToken" -IncomingClaimTypeDisplayName "Access Token" -SameAsIncoming
$Expiration = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration" -IncomingClaimTypeDisplayName "Expiration" -SameAsIncoming

# Create the new trusted identity provider
New-SPTrustedIdentityTokenIssuer -Name "Live ID/Google/Facebook" -Description "Live ID/Google/Facebook" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier,$Email,$GivenName,$AccessToken,$Expiration -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# IdentifierClaim defines the incoming claim SharePoint uses as the user name.
# Make sure the IdentifierClaim is common to all providers if you use more than one!
# E.g. if you use only Google, the e-mail address can serve as the identifier:
# New-SPTrustedIdentityTokenIssuer -Name "Google Account" -Description "Google Account" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier,$Email,$GivenName -SignInUrl $signinurl -IdentifierClaim $Email.InputClaimType
Step 3: Authorize users by granting them access to the web application.
Associate the authentication provider with the target web application:
- Go to Central Admin >> Application Management >> Manage Web Applications
- Select the web application for which you want to enable federated authentication
- Click "Authentication Providers" on the ribbon >> click the "Default" zone link >> scroll down
- Enable "Live ID/Google/Facebook" under the "Trusted Identity Provider" section http://1.bp.blogspot.com/-DmPI5L58_fc/UozC1zswGKI/AAAAAAAAD-U/rbuqH1w9zAo/s640/edit+authentication+provider.png
Grant Users Access:
So the authentication part is done. Authorization is still handled on the SharePoint side, just as for Windows AD accounts. Let's create a web application user policy granting all users of the trusted identity provider Read access to all sites in the web application (otherwise they get an "Access denied" error). Be aware of what this means: anyone in the world who can sign up for a Live ID, Google or Facebook account can then read every site in the web application. That is fine for the public-facing content this article targets; for anything else, grant access to specific identities or groups instead of "All Users".
- Go back to Manage web applications page, Click on "User Policy" button from the ribbon.
- Click on Add Users. http://3.bp.blogspot.com/-DYsSDK0bj3c/UozBqedWa6I/AAAAAAAAD-E/9sdBxJffALs/s640/web+app+policy+policy.png
- Choose All zones and click Next. http://4.bp.blogspot.com/-4GrgSP0v1W4/UozBqQvnAcI/AAAAAAAAD94/vVnc54nyBUs/s640/add+users+to+all+zone.png
- Under the Users section, browse and select "All Users". http://3.bp.blogspot.com/-USN13S8-EHQ/UozBqA1eNsI/AAAAAAAAD90/44Jhz-GvIgM/s1600/grant+access+to+all+users.png
- Select the "Full Read" permission and click Finish. http://3.bp.blogspot.com/-qmq_B4xokzs/UozBqEKNIGI/AAAAAAAAD98/IjMdJgIWiv4/s1600/add+all+users+in+Web+application+policy.png
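Added example, not from the original article: a PowerShell check of what Steps 2 and 3 configured, followed by a web application policy scoped to a single federated identity instead of "All Users". The issuer name and web application URL are those used above; the partner e-mail address is a placeholder.

```powershell
# Added example (not from the original article): post-configuration checks for the trusted
# identity provider and the web application, plus a least-privilege policy for one identity.
# Assumptions: issuer "Live ID/Google/Facebook" and http://extranet.crescent.com as in the
# article; partner@example.com is a placeholder. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "Live ID/Google/Facebook"
$webAppUrl  = "http://extranet.crescent.com"

$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$wa = Get-SPWebApplication -Identity $webAppUrl

# 1. Signing certificate: this is the .cer from Step 1. Compare the thumbprint with the one
#    shown in ACS under "Certificates and keys"; logins fail the day it expires (-e date).
$signing = $ti.SigningCertificate
"Signing cert {0} expires {1}" -f $signing.Thumbprint, $signing.NotAfter
if ($signing.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires within 30 days; rotate it in ACS and SharePoint."
}

# 2. The identifier claim must be one of the mapped incoming claim types, and it must be
#    a claim every configured provider emits, or users from that provider cannot sign in.
$incoming = $ti.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
if ($incoming -notcontains $ti.IdentityClaimTypeInformation.InputClaimType) {
    Write-Warning "IdentifierClaim is not among the mapped incoming claim types."
}
$ti.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType | Format-Table -AutoSize

# 3. The provider must actually be enabled on the zone (Step 3, "Authentication Providers").
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$providers = $wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
if ($providers -notcontains $issuerName) {
    Write-Warning "$issuerName is not enabled on the $zone zone of $webAppUrl."
}

# 4. Web application policies: an "All Users (<issuer>)" entry with Full Read means every
#    account the providers accept can read every site. List what is there.
$wa.Policies | Select-Object DisplayName, UserName,
    @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join "," } } |
    Format-Table -AutoSize

# 5. Least-privilege alternative to "All Users": Full Read for one federated identity,
#    keyed on the e-mail claim mapped in Step 2. Live ID tokens from ACS carry no e-mail
#    claim, so this matches Google and Facebook sign-ins only.
$email = "partner@example.com"   # placeholder
$principal = New-SPClaimsPrincipal -ClaimValue $email `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -TrustedIdentityTokenIssuer $ti
$policy = $wa.Policies.Add($principal.ToEncodedString(), $email)
$policy.PolicyRoleBindings.Add(
    $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
$wa.Update()
```

Once a scoped policy like this is in place, remove the "All Users" policy from the previous step unless the content is genuinely meant to be public.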
Unit Test:
That's all, we are done!
- Hit the SharePoint web application URL. Users are presented with a login page. http://2.bp.blogspot.com/-QkBAoiwUQ-U/UozBY4xj88I/AAAAAAAAD9o/oA529FcWaUU/s1600/sign+in+screen.png
- From the list, choose "Windows Live ID/Google/Facebook". http://1.bp.blogspot.com/-rpdyHBRURT8/UozBYH7CHwI/AAAAAAAAD9g/bEZ0SRRSWqk/s1600/choose+auth+provider+to+signin.png
- Choose the appropriate login provider which takes us to the appropriate login screens.
Verify that users are able to access the SharePoint site with Google and Facebook accounts. Here are some screenshots:
http://4.bp.blogspot.com/-P5uT8D_jSvk/UoyyVQ-5eyI/AAAAAAAAD6U/rSGBkhJQ-tQ/s640/SharePoint+2013+Login+with+Google+Account.png
Source: http://www.sharepointdiary.com/2013/11/integrating-live-id-google-facebook-accounts-with-sharepoint-2013.html