Writing your own Trusted Identity provider for SP2010 (3)
This is part three of a multi-part blog post on "writing your own Trusted Identity Provider / Claim Provider for SP2010". In the first post I covered:
- Create a Custom Security Token Service with the Windows Identity Framework SDK
In the second post I covered:
- Create a Custom SPClaimProvider
- Register your Custom SPClaimProvider
In this post I will:
- Create a Trust between your Trusted Identity Provider (STS) and SharePoint 2010
- Create or Configure your SP2010 WebApplication to use the Trusted Identity Provider
To create a Trust between your new STS and SharePoint you need to run a few PowerShell steps.
First we have some variables to set:
$invocation = (Get-Variable MyInvocation -Scope 0).Value
$rootPath = Split-Path $invocation.MyCommand.Path
# CSV with one row per claim type; the columns used below are ClaimType, Name and Description
$spClaimTypesCsv = Join-Path $rootPath "claim-types.csv"
# identity provider signing certificate (public part only)
$idpSigningCertificatePath = Join-Path $rootPath "idp-certificate.crt"
# identity provider CA certificate
$idpSigningCertificateAuthority = Join-Path $rootPath "idp-certificate-ca.crt"
# identity provider passive (WS-Federation) sign-in URL and name
$idpPassivEndpoint = "https://stslogin.sp2010.dev/default.aspx"
$idpName = "Verbondsleden"
$idpDisplayName = "Verbondsleden"
# realm: the /_trust/ endpoint of the SharePoint web application we are going to log in to with this identity provider
$spRealm = "https://claims.sp2010.dev/_trust/default.aspx"
# name of the SPClaimProvider in SharePoint we registered earlier
$claimProvider = "VerbondsledenClaimsProvider"
# login/username claim type; the standard e-mail claim URI uses http, and it must match exactly what the STS emits
$userIdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Next we start with the creation of a trust:
# the format operator has to be applied inside parentheses, otherwise -f is read as Write-Host's -ForegroundColor parameter
Write-Host ("Creating signing certificate for {0} from {1}" -f $idpName, $idpSigningCertificatePath)
$idpSigningCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpSigningCertificatePath)
echo $idpSigningCertificate
Write-Host ("Trusting the IdP certificate directly {0}" -f $idpSigningCertificatePath)
$rootCert = Get-PfxCertificate $idpSigningCertificatePath
# remove an existing root authority with this name (no confirmation prompt, no error if it does not exist yet)
Remove-SPTrustedRootAuthority $idpName -Confirm:$false -ErrorAction SilentlyContinue
# Register the new identity provider
New-SPTrustedRootAuthority $idpName -Certificate $rootCert
This adds a Trust, and you can view it in Central Administration:
Now we create an SPTrustedIdentityTokenIssuer:
# remove if it already exists
$sts = Get-SPTrustedIdentityTokenIssuer | where { $_.Name -eq $idpName }
if ($sts -ne $null) {
    "SPTrustedIdentityTokenIssuer {0} already exists, attempting to remove" -f $idpName
    Remove-SPTrustedIdentityTokenIssuer -Identity $idpName -Confirm:$false
}
# the ClaimTypes the Identity Provider provides, this is not needed because we have a SPClaimProvider
[array] $claimTypeMappings = @()
$spClaimType = Import-Csv $spClaimTypesCsv
foreach ($claimType in $spClaimType) {
    "Adding claim type {0} ({1})" -f $claimType.ClaimType, $claimType.Description
    $claimTypeMapping = New-SPClaimTypeMapping $claimType.ClaimType -IncomingClaimTypeDisplayName $claimType.Name -SameAsIncoming
    if (-not (($claimTypeMapping -eq $null) -or ($claimTypeMapping.InputClaimType -eq $null))) {
        $claimTypeMappings += $claimTypeMapping
    }
}
"Creating SPTrustedIdentityTokenIssuer {0}" -f $idpName
$sts = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description $idpDisplayName -Realm $spRealm -ImportTrustCertificate $idpSigningCertificate -ClaimsMappings $claimTypeMappings -SignInUrl $idpPassivEndpoint -IdentifierClaim $userIdentityClaimType
echo $sts
if ($claimProvider -eq "") {
    "Default claim provider selected for {0}" -f $idpName
} else {
    "Setting claim provider for {0} to {1}" -f $idpName, $claimProvider
    Set-SPTrustedIdentityTokenIssuer -Identity $idpName -ClaimProvider $claimProvider
}
And now we can trust our own STS in our Claims Based WebApplication:
Of course there is an App/Wizard for this also: SPFedUtil.
So there you have it, when you browse your Claims Based WebApplication you will now get this screen:
Choose your STS, log in with proper credentials, and you will be redirected to your SharePoint WebApplication:
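The same zone configuration can also be done from PowerShell, which is handy for scripting the farm build. The block below is an added example, not code from the original post: it assigns the trusted identity provider to the Default zone of the claims web application (keeping Windows authentication next to it) and then runs a few consistency checks on the trust before users are sent to the login page. It assumes the SharePoint snap-in is available, that the web application at $webAppUrl already uses claims-based authentication, and that $idpName and $spRealm hold the same values as the variables defined earlier in the post.

```powershell
# Added example (not code from the original post): assign the trusted identity
# provider to the Default zone of the claims web application from PowerShell,
# then run a few checks on the trust before users are sent to the login page.
# Assumed: the SharePoint snap-in is available, the web application at
# $webAppUrl already uses claims-based authentication, and $idpName / $spRealm
# hold the same values as the variables defined earlier in the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$idpName   = "Verbondsleden"
$spRealm   = "https://claims.sp2010.dev/_trust/default.aspx"
$webAppUrl = "https://claims.sp2010.dev"
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

$sts = Get-SPTrustedIdentityTokenIssuer -Identity $idpName

# Keep Windows authentication on the zone next to the trusted provider, so farm
# administrators can still sign in if the custom STS is down or misconfigured.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webAppUrl -Zone $zone -AuthenticationProvider $windowsProvider, $trustedProvider

# ---- checks -----------------------------------------------------------------
$problems = @()

# 1. SharePoint validates token signatures with this certificate; once it expires
#    every login fails, so warn well before that date.
$cert = $sts.SigningCertificate
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Signing certificate {0} expires on {1}" -f $cert.Thumbprint, $cert.NotAfter
}
if ($cert.NotBefore -gt (Get-Date)) {
    $problems += "Signing certificate {0} is not yet valid" -f $cert.Thumbprint
}

# 2. The realm must be the /_trust/ endpoint of this web application, otherwise
#    the STS issues tokens for another audience and SharePoint rejects them.
if ($sts.DefaultProviderRealm -ne $spRealm) {
    $problems += "Realm is {0}, expected {1}" -f $sts.DefaultProviderRealm, $spRealm
}

# 3. The identifier claim has to be one of the mapped incoming claim types, and
#    its URI must match exactly what the STS emits (scheme included).
$identifier = $sts.IdentityClaimTypeInformation.InputClaimType
$mapped     = @($sts.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })
if ($mapped -notcontains $identifier) {
    $problems += "Identifier claim {0} is not among the claim mappings" -f $identifier
}

# 4. The sign-in URL must be HTTPS: the token is posted back through the browser,
#    and a plain-HTTP login page exposes credentials and the token in transit.
if ($sts.ProviderUri.Scheme -ne "https") {
    $problems += "Sign-in URL {0} does not use HTTPS" -f $sts.ProviderUri
}

# 5. The zone really has trusted-provider authentication switched on.
$iis = (Get-SPWebApplication $webAppUrl).IisSettings[$zone]
if (-not $iis.UseTrustedClaimsAuthenticationProvider) {
    $problems += "Zone {0} of {1} is not using a trusted claims provider" -f $zone, $webAppUrl
}

if ($problems.Count -eq 0) {
    Write-Host ("Trust '{0}' looks consistent for {1}" -f $idpName, $webAppUrl)
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it once from the SharePoint 2010 Management Shell after the trust has been created; the checks read the same SPTrustedIdentityTokenIssuer object the script above produced, so a mismatch between the realm, identifier claim or certificate is caught here rather than as an opaque login failure later.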
Small Bonus tip: add an identity claim to a Site collection Group
$url = "https://claims.sp2010.dev"
$usr = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer "Verbondsleden" -Identity "user@company.com"
New-SPUser -UserAlias $usr.ToEncodedString() -Web $url
Set-SPUser -Identity $usr.ToEncodedString() -Web $url -Group "Groupname"
# done
Small Bonus tip 2: add an AD group to a Site collection group with Claims based authentication:
$url = "https://claims.sp2010.dev"
$grp1 = (New-Object System.Security.Principal.NTAccount("TEST", "domain users")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberclaims = New-SPClaimsPrincipal -Identity $grp1 -IdentityType WindowsSecurityGroupSid
New-SPUser -UserAlias $memberclaims.ToEncodedString() -Web $url
Set-SPUser -Identity $memberclaims.ToEncodedString() -Web $url -Group "Groupname"
# done