Recently I wrote a post about my experience setting up Windows Live ID authentication with SharePoint 2010. This time around I am going to talk about a feature of Windows Azure AppFabric called Access Control. By using Windows Azure AppFabric Access Control with SharePoint I can allow users to authenticate not only by Windows Live ID and Active Directory but also Google, Yahoo! and Facebook!
Since there are several steps for configuring SharePoint 2010 with Windows Azure Access Control, I have broken the post up into two parts. The first part covered the Windows Azure AppFabric configuration and this part will cover the SharePoint 2010 configuration.
Previously we configured Windows Azure AppFabric and created a self-signed certificate that ACS uses to sign the SAML token it passes back to SharePoint (the token is signed, not encrypted: SharePoint only needs the public key to verify that signature). We now need to configure a trusted identity provider in SharePoint 2010 that redirects users to our Windows Azure AppFabric service and trusts the tokens it issues.
- First we need to export our self-signed certificate again, but this time without the private key included. SharePoint only needs the public key, and the private key should never leave the machine where the certificate was created.
- As an administrator, click Start, type mmc into the Search box, and then press Enter:
- In the MMC console, click File, and then click Add/Remove Snap-in.
- Select Certificates, and then click Add.
- Select My user account, and then click Finish.
- To close the Add Standalone Snap-in dialog box, click OK.
- In the console, double-click Certificates – Current User.
- In the console, expand Personal, and then expand Certificates.
- Right-click the certificate you created previously. Click All Tasks, and then click Export to start the Certificate Export Wizard.
- On the Certificate Export Wizard Welcome page, click Next.
- On the Export Private Key page, select No, do not export the private key, and then click Next.
- On the Export File Format page, ensure that the option DER encoded binary X.509 (.CER) is selected, and then click Next. (No password is requested here; the wizard only asks for one when a private key is being exported to a .pfx file.)
- In the File name field, enter C:\temp\Azure-Dev, and then click Next. I recommend that you create a C:\temp folder and export the certificate there; the script below expects the file at C:\temp\Azure-Dev.cer.
- Click Finish.
- Copy the following PowerShell Script code and paste it into Notepad. You will be making a few minor changes to this script.
```powershell
# Load the SharePoint cmdlets (no-op if the snap-in is already loaded)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public-key-only copy of the ACS token signing certificate exported in step #1
$certloc = "C:\temp\Azure-Dev.cer"

# Register the certificate as a trusted root so SharePoint accepts tokens it signs
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority -Name "Azure Token Signing Cert" -Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)

# Map the claims ACS issues onto the claim types SharePoint will use
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/claims/UPN"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

# Realm and sign-in URL must match the relying party application created in ACS
$realm = "urn:fabrikamspdemo:spub"
$signInUrl = "https://fabrikam.accesscontrol.appfabriclabs.com:443/v2/wsfederation"

# Create the trusted identity provider; nameidentifier is the claim that identifies the user
$ap = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" -Description "SharePoint secured by Azure" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signInUrl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
```
- Modify the script you just placed into Notepad using the guidance below:
- Ensure that the $certloc path is correctly pointing at the certificate we exported in step #1.
- Modify the $realm variable and replace urn:fabrikamspdemo:spub with the realm you specified when creating the relying party application in Windows Azure AppFabric. You can find this value in the Relying party application settings inside the Windows Azure Access Control Service portal. The value must match exactly: SharePoint sends it to ACS as the wtrealm parameter, and it is how ACS identifies which relying party the token is for.
- Modify the $signInUrl variable. Replace fabrikam in the URL with your Windows Azure Service Namespace. You can find the namespace by looking in the silver bar at the top of the Windows Azure Access Control Service portal. Keep the https scheme; this is the URL users are redirected to and the token comes back through it.
- Save the script to your temp directory and name it Azure.ps1
- Open up PowerShell as an administrator.
- Switch to the temp directory where your Azure.ps1 file is located
- Run the script by typing .\Azure.ps1 and then pressing enter. The script should complete without any errors.
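The following is an added example, not part of the original post, that you can run after Azure.ps1 to confirm the configuration is what you intended before building a web application on top of it. It checks that the exported file really is public-key-only, that the trusted identity provider is bound to that exact certificate, that the sign-in URL is HTTPS and points at your own ACS namespace, and then prints the realm and claim mappings. The path, the provider name "Azure ACS" and the namespace "fabrikam" are assumed to be the values used in the script above; replace them with yours.

```powershell
# Added example: post-configuration checks for the ACS trusted identity provider.
# Assumed values (match the script above; change to your own):
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certloc    = "C:\temp\Azure-Dev.cer"
$issuerName = "Azure ACS"
$namespace  = "fabrikam"

# 1. The file SharePoint trusts must be the public half only; a .pfx here would
#    leave the ACS signing key lying around on the SharePoint server.
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
if ($file.HasPrivateKey) { throw "$certloc contains a private key; re-export it without the key" }
if ($file.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($file.NotAfter)" }
"File thumbprint: $($file.Thumbprint)  (compare with the Token Signing certificate shown in the ACS portal)"

# 2. The trusted identity provider exists and trusts exactly that certificate.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
if ($issuer.SigningCertificate.Thumbprint -ne $file.Thumbprint) {
    throw "Provider '$issuerName' trusts thumbprint $($issuer.SigningCertificate.Thumbprint), not the exported file"
}

# 3. The sign-in URL is HTTPS and belongs to your namespace. A typo here sends users
#    to a different STS, and a plain http URL would expose the returned token in transit.
$signIn = [Uri]$issuer.ProviderUri
if ($signIn.Scheme -ne "https") { throw "Sign-in URL must use https: $signIn" }
$expectedHost = "$namespace.accesscontrol.appfabriclabs.com"
if ($signIn.Host -ne $expectedHost) { throw "Sign-in URL host '$($signIn.Host)' does not match namespace '$namespace'" }

# 4. Final eyeball check of realm, identifier claim and mappings.
"Realm:            $($issuer.DefaultProviderRealm)"
"Sign-in URL:      $signIn"
"Identifier claim: $($issuer.IdentityClaimTypeInformation.InputClaimType)"
$issuer.ClaimTypeInformation | Select-Object InputClaimType, MappedClaimType, DisplayName | Format-Table -AutoSize
```

Run it from the same elevated SharePoint 2010 Management Shell you used for Azure.ps1. Any throw means the provider should be fixed (or removed with Remove-SPTrustedIdentityTokenIssuer and recreated) before it is attached to a web application.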
- You will now create a new SharePoint 2010 web application for use with the Azure ACS authentication. Open SharePoint 2010 Central Administration and click the Manage web applications link.
- Click New in the ribbon bar to create a new web application.
- Fill out the Create New Web Application using the following guidance below and then click OK.
- Authentication - choose Claims Based Authentication
- IIS Website – choose to create a new IIS web site. Enter a name and set the port to 443 (used for SSL).
- Security Configuration - Set Allow Anonymous to No and Use Secure Sockets Layer (SSL) to Yes.
- Claims Authentication Types - Choose Enable Windows Authentication, then Integrated Windows authentication, and select NTLM from the drop down. Also choose Trusted Identity Provider and then select Azure ACS. Keeping Windows authentication enabled means you can still sign in with your Active Directory account if the ACS side is misconfigured.
- Sign In Page URL – Select Default Sign In Page
- Specify appropriate values in the Public URL, Application Pool and Database Name and Authentication sections based upon your preferences.
- After the Web Application is created you will need to create your site collection. Ensure that your personal Windows account is added as the primary site collection administrator; this guarantees that you have full permissions on the site collection. If your Windows account does not resolve when you type it into the text box, click the squiggly red underline; it should offer your Active Directory account. Choose it.
- The final step is to configure the IIS web application we just created with the proper SSL certificate. In this example we will create a self-signed certificate and use that.
- Open IIS manager and select the server node.
- Under the IIS grouping double click on Server Certificates
- On the right hand side under Actions choose Create Self-Signed Certificate.
- Enter a name for your certificate and click OK.
- On the left, select your web application you just created in SharePoint.
- On the right, under Edit Site, select Bindings…
- Select the HTTPS binding and click Edit
- In the SSL Certificate drop down box, choose the certificate you just created and then click OK.
- Click Close on the Site Bindings dialog box.
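As an added example (not code from the original post), the Central Administration and IIS Manager steps above can be done from PowerShell, which is also the easier way to reproduce the setup on a second farm. The host name sp.fabrikam.local, the managed account FABRIKAM\spfarm, the site owner FABRIKAM\jdoe, and the friendly name SP-ACS-SSL for the self-signed certificate created in IIS Manager are all assumptions; replace them with your own values.

```powershell
# Added example: create the claims web application, the site collection and the
# SSL binding from PowerShell. All names below are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$siteName            = "SharePoint - ACS (443)"   # becomes the IIS site name
$hostName            = "sp.fabrikam.local"
$url                 = "https://$hostName"
$sslCertFriendlyName = "SP-ACS-SSL"               # name given in IIS Manager > Create Self-Signed Certificate

# Windows authentication (NTLM) plus the ACS trusted provider, as selected on the
# Create New Web Application page. -DisableKerberos is what selects NTLM.
$ntlm = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$acs  = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer (Get-SPTrustedIdentityTokenIssuer "Azure ACS")

# Claims-based web application on port 443 with SSL; anonymous access stays off
# because -AllowAnonymousAccess is not specified.
$webApp = New-SPWebApplication -Name $siteName -Url $url -Port 443 -SecureSocketsLayer `
    -HostHeader $hostName -ApplicationPool "SharePoint-ACS-AppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "FABRIKAM\spfarm") `
    -DatabaseName "WSS_Content_ACS" -AuthenticationProvider $ntlm, $acs

# Root site collection with a Windows account as primary site collection administrator,
# so you keep full control of the site even if ACS sign-in is broken.
New-SPSite -Url $url -Name "ACS Demo" -Template "STS#0" -OwnerAlias "FABRIKAM\jdoe" | Out-Null

# Bind the certificate to the HTTPS listener of the IIS site SharePoint just created.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $sslCertFriendlyName }
if (-not $cert) { throw "Certificate '$sslCertFriendlyName' not found in LocalMachine\My" }
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
Get-Item "IIS:\SslBindings\0.0.0.0!443" -ErrorAction SilentlyContinue | Remove-Item
$cert | New-Item "IIS:\SslBindings\0.0.0.0!443" | Out-Null

"Web application $($webApp.Url) created; port 443 now serves certificate $($cert.Thumbprint)"
```

Two things to check once it has run: the Return URL on the relying party application in ACS must be this web application's HTTPS address followed by /_trust/, which is the endpoint SharePoint 2010 uses to receive the token, and the 0.0.0.0!443 binding applies to every site on that port on the server, so an existing HTTPS site on 443 would need a different port or IP address.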
This concludes the configuration of SharePoint 2010 for use with the Windows Azure Access Control Service. Open up a browser and navigate to your new SharePoint web application. Do not forget to use HTTPS. If you are using a self-signed certificate for SSL you may see the message shown below. Just click continue to this website. That warning is acceptable only in a development environment; anywhere else, use a certificate issued by a CA your users' browsers trust, since the sign-in redirect and the returned token both travel over this connection.
You should now see the following authentication selection screen:
Choosing Azure ACS will redirect you to the Windows Azure authentication selection screen.
Here is where your users can choose Windows Live ID, Google or Yahoo!. Clicking one of the options will present the corresponding log in page. Once the user enters their credentials they will be redirected back to your SharePoint site. If they have been given the proper permissions on the site they will see the site content; otherwise they will see the SharePoint access denied message.
Below is a screen shot of a user that has logged in using their Google ID.
In a future post I will provide a few tips on using Windows Azure Access Control Service, including how to give users permissions to your SharePoint sites.