SharePoint 2010: Custom Claims Provider for users authenticated from different sources

One of the special features SharePoint 2010 introduced is an option to implement multiple authentication sources on the same web application. This is applicable if you are using Claim based authentication.That means you can use any/all of the following authentication options on a single web application:

  1. Windows based authentication claims (using NTLM/Kerberos)
  2. Form based authentication claims(using ASP.net membership and role provider with LDAP, SQL or any custom user sources)
  3. SAML claims (using ADFS, Live ID or your own custom STS provider)

Again, you can write Custom Claim Providers to implement additional claim tokens on top of the existing claim tokens SharePoint receives from the authentication provider.

In this example we are going to implement a custom claim provider which will be applicable for users coming from 2 different sources:

  1. Windows based authentication claims (using
    NTLM)
  2. Form based authentication (using custom
    Asp.Net membership and role provider with SQL Server)

In the following image, we are dealing with the area marked in red circle.

 
Requirement:

Contoso Inc. has implemented 2 different types of authentications (mentioned above) for their web application. They have different site collections dedicated to users who are experts on different technologies (Exchange, SharePoint, OCS).

This information of what user has what expertise is available in their SQL Server DB. They would like to use the data to make sure users have permission to specific site collections depending on their expertise.

Let’s have a look into the DB:

Following 3 tables are for their custom ASP.Net Membership and Role Provider:

 

   

Following 2 tables defines their user expertise:

 

 

If you look closely into the last table (UsersInClaims), you will see 2 different types of users there. Few are users from their FBA source and few are from AD.

Now is time to create our custom claim provider. Thanks to Steve Peschka. He made our life easier. After going through the following articles, it seems a piece of cake:

https://msdn.microsoft.com/en-us/library/ff699494.aspx

https://blogs.technet.com/b/speschka/archive/2010/03/13/writing-a-custom-claims-provider-for-sharepoint-2010-part-1.aspx

https://blogs.technet.com/b/speschka/archive/2010/03/13/writing-a-custom-claims-provider-for-sharepoint-2010-part-2.aspx

I started with an Empty SharePoint project and added a class that defines the claim provider, a farm scoped feature and also a feature receiver. The feature receiver basically helps to attach this claim provider to the farm.

The Code (SMEClaimsProvider) is given along with this document. One specific area I want to discuss here. In the method “FillClaimsForEntity” within “SMEClaims” class you can see an area where we separated the additional string tag injected by SharePoint for Windows authenticated users:

string userName = string.Empty;
if(entity.Value.Contains("0#.w"))
{
string[] strArr = entity.Value.Split('|');
userName = strArr[1];

 }

Once we deploy this solution to the Farm and activate the Farm level feature, we can go to each individual site collection and can use people picker control to add users with different claims (Exchange, SharePoint or OCS).

SMEClaimsProvider.zip

Comments

  • Anonymous
    September 28, 2011
    within a custom claims provider for sharepoint, is it possible to access the claims that were mapped and sent in the token? When we registered our SPTrustedIdentityTokenIssuer we mapped serveral claims and the external IP is sending them in the token. I can't find a way to access them in the custom provider.

  • Anonymous
    January 23, 2012
    how can create database system?