Thursday, September 29, 2016

Windows Live ID as an Authentication Provider for SharePoint On Premise


This article discusses the steps that enable Microsoft Windows Live ID as an authentication provider for SharePoint 2013 On Premise using Microsoft Azure Active Directory.
Environment: SharePoint 2013 Enterprise (on premise), Visual Studio 2012, Microsoft Azure
SharePoint does not have a built-in option to configure Windows Live ID as an identity provider, so we need to set up ACS (Access Control Service) and add Windows Live ID as an identity provider there. Azure Access Control Service can be used to authenticate your SharePoint 2013 users with Azure AD. In this configuration Azure AD becomes a trusted identity provider for SharePoint 2013.
The following figure shows how authentication works for SharePoint 2013 users in this configuration.
SAML Authentication with Windows Live ID

References:

Following are the steps to set up Azure ACS.
  1. Create a new Azure AD tenant.
Create Azure AD Tenant

Add Directory
  2. Create a new namespace.
Create new namespace

Azure - create new namespace
Active Directory - Azure
Access Control Namespace

  3. Click Manage to navigate to the Azure ACS Management Portal.
Azure ACS Management Portal
  4. To add a WS-Federation identity provider to the namespace, click on the Identity Providers link under the Trust relationships section, click Add, select Windows Live ID and click Next.
Azure ACS Identity Providers
  5. To add SharePoint as a relying party application, click on the Relying party applications link under the Trust relationships section, click Add and provide details about your SharePoint web application.
Azure ACS Relying Party Applications
  6. Create a rule group for claims-based authentication.
Azure ACS Rule Groups
  7. Click Add to create a new Rule Group, click Generate and make sure that a rule is created in the group to pass nameidentifier through as nameidentifier, as illustrated by the following figure.
Azure ACS Rule Groups input and output claims
Azure ACS Edit Rule Group

  8. Map the new Rule Group to the relying party application.
Azure ACS Map Rule Group

  9. Click Add under the Certificates and Keys section to configure the X.509 certificate.
Azure ACS Certificates and Keys
Azure ACS Add Token Signing Certificate and Keys
  10. Execute the PowerShell script provided on the Add Token-Signing Certificate or Key page to create a self-signed certificate:

MakeCert.exe -r -pe -n "CN=cpazureacs.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 09/23/2017

Navigate to MMC > File > Add/Remove Snap-in > select Certificates > click Next > select My User Account > click Finish to add Certificates to Selected Snap-ins > click OK.
MMC > expand Certificates - Current User > Personal > Certificates > select the certificate for the namespace > select Export > click Next > select Yes, export the private key > select Personal Information Exchange > click Next > provide a password and click Next > provide the path to export the certificate to and click Next > click Finish.
Azure ACS Export Certificates
  11. Upload the certificate and Save.
Azure ACS Upload Certificate

Azure ACS Certificate and Keys
Azure ACS Login Page URL
Execute the following PowerShell script (from the SharePoint 2013 Management Shell) to create a trusted identity provider and add it to SharePoint.

# The realm must match the Realm entered for the relying party application in ACS (typically the web application URL).
$realm = "<realm of the relying party application>"   # placeholder, replace with your value

# The sign-in URL can be copied from Application Integration > Login Page Integration.
$signinurl = "<Login Page URL from the ACS portal>"   # placeholder, replace with your value

# Location of the exported token-signing certificate (public part)
$certloc = "D:\cpazureacs.cer"

# Register the ACS certificate as a trusted root authority so SharePoint accepts tokens it signs
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
New-SPTrustedRootAuthority "Windows Azure ACS" -Certificate $cert

# Map the incoming ACS claims to SharePoint claim types
$NameIdentifier = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

$Email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming

# Create the trusted identity token issuer; nameidentifier is the claim that identifies the user
New-SPTrustedIdentityTokenIssuer -Name "Live ID" -Description "Live ID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier, $Email -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Re-import the signing certificate on the issuer just created
$sts = Get-SPTrustedIdentityTokenIssuer -Identity "Live ID"
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
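Once the issuer exists it is worth checking the trust the way a farm administrator would before opening the web application: the self-signed certificate from MakeCert has a fixed expiry, the root authority and the issuer must carry the same certificate, the identifier claim must be one of the mapped incoming claims, and the sign-in URL should be HTTPS. The following check is an added example, not part of the original post; the issuer and root authority names default to the ones used in the script above, and the property names are those of the SPTrustedLoginProvider and SPTrustedRootAuthority objects the cmdlets return.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Checks the trust created by the script above; names default to the ones used there.
function Test-LiveIdTrust {
    param(
        [string]$IssuerName = "Live ID",
        [string]$RootAuthorityName = "Windows Azure ACS",
        [int]$WarnDays = 30
    )
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $root   = Get-SPTrustedRootAuthority -Identity $RootAuthorityName
    $issues = @()

    # 1. The self-signed token-signing certificate has the expiry given to MakeCert (-e); sign-in fails once it passes.
    $signing  = $issuer.SigningCertificate
    $daysLeft = ($signing.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) { $issues += "signing certificate expired on $($signing.NotAfter)" }
    elseif ($daysLeft -lt $WarnDays) { $issues += "signing certificate expires in $daysLeft days" }

    # 2. Root authority and issuer must hold the same certificate, or token signatures will not validate.
    if ($root.Certificate.Thumbprint -ne $signing.Thumbprint) {
        $issues += "root authority thumbprint $($root.Certificate.Thumbprint) differs from issuer thumbprint $($signing.Thumbprint)"
    }

    # 3. The identifier claim has to be one of the mapped incoming claim types.
    $incoming = @($issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })
    if ($incoming -notcontains $issuer.IdentifierClaim) {
        $issues += "identifier claim $($issuer.IdentifierClaim) is not among the claim mappings"
    }

    # 4. The sign-in URL must be HTTPS; tokens returned over plain HTTP could be read or replayed in transit.
    if ($issuer.ProviderUri.Scheme -ne "https") { $issues += "sign-in URL $($issuer.ProviderUri) is not HTTPS" }

    [pscustomobject]@{
        Issuer         = $issuer.Name
        Thumbprint     = $signing.Thumbprint
        ExpiresOn      = $signing.NotAfter
        IncomingClaims = $incoming
        Issues         = $issues
        Healthy        = ($issues.Count -eq 0)
    }
}

Test-LiveIdTrust | Format-List
```

Run it again shortly before the certificate's expiry date; a new certificate has to be uploaded to ACS and re-imported on both the root authority and the issuer, otherwise every Live ID sign-in fails on the day the old one expires.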

  12. Set Windows Live ID as the trusted identity provider for the Web Application.
Set Windows Live ID as Identity Provider
  13. Grant permission to access the Web Application.
Grant user permission
  14. Log in to the Web Application with a Live ID.
SAML based Windows Live ID Authentication
SAML based Windows Live ID Authentication Login Page

SAML based Windows Live ID Authentication
SAML based Windows Live ID Authentication User Information
Note that the user name shows an opaque string of characters rather than the user name or email address. This is because Windows Live ID does not provide user details and sends only the name identifier in the SAML Assertion/Response, so the emailaddress claim mapped above never arrives. You can inspect the SAML Assertion sent in the response with the Fiddler tool.
SAML Assertion from Fiddler
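The same check can be done offline on an assertion captured with Fiddler. The script below is an added example, not code from the post: it parses a constructed SAML 1.1 assertion (the shape ACS returns over WS-Federation, with the Signature element omitted and placeholder values), lists the claims it carries using the same namespace/name URIs as the claim mappings, and reports which mapped claims are missing together with audience and validity-window problems. The realm value and identifier are assumptions for the sample only.

```powershell
# Constructed sample of the SAML 1.1 assertion shape ACS returns for a Live ID user; the Signature
# element is omitted and every value is a placeholder, not data from a real tenant.
$SampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-0001" Issuer="https://EXAMPLE-NAMESPACE.accesscontrol.windows.net/">
  <saml:Conditions NotBefore="2016-09-29T10:00:00Z" NotOnOrAfter="2016-09-29T10:10:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:sharepoint:example-realm</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>PLACEHOLDER-OPAQUE-ID</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="nameidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>PLACEHOLDER-OPAQUE-ID</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

# Lists the claims an assertion carries and flags what SharePoint would reject or lack.
function Test-SamlAssertion {
    param(
        [string]$AssertionXml,
        [string]$ExpectedAudience,   # the Realm configured on the relying party / token issuer
        [string[]]$ExpectedClaims,   # incoming claim types from the New-SPClaimTypeMapping calls
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $xml = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion")
    # Claim type = AttributeNamespace + "/" + AttributeName, the same URIs used in the claim mappings
    $claims = @{}
    foreach ($a in $xml.SelectNodes("//saml:AttributeStatement/saml:Attribute", $ns)) {
        $claims["$($a.AttributeNamespace)/$($a.AttributeName)"] = $a.AttributeValue
    }
    $cond     = $xml.SelectSingleNode("//saml:Conditions", $ns)
    $audience = $xml.SelectSingleNode("//saml:Audience", $ns).InnerText
    $issues   = @()
    if ($audience -ne $ExpectedAudience) { $issues += "audience '$audience' is not the configured realm" }
    if ($Now -lt ([datetime]$cond.NotBefore).ToUniversalTime() -or $Now -ge ([datetime]$cond.NotOnOrAfter).ToUniversalTime()) {
        $issues += "assertion is outside its validity window"
    }
    foreach ($c in $ExpectedClaims) {
        if (-not $claims.ContainsKey($c)) { $issues += "mapped claim $c is missing from the assertion" }
    }
    [pscustomobject]@{ Claims = $claims; Issues = $issues }
}

$mapped = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Test-SamlAssertion -AssertionXml $SampleAssertion -ExpectedAudience "urn:sharepoint:example-realm" -ExpectedClaims $mapped `
                   -Now ([datetime]"2016-09-29T10:05:00Z").ToUniversalTime() | Format-List
```

For the sample the only issue reported is the missing emailaddress claim, which is exactly why the web part in the next section has to fetch the name and address from Live Connect instead.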

In order to get the user name and email address, we can use the Live Connect API. We need to create an ‘application’ on Live Connect and get the client ID of that application. This client ID is used to retrieve the user data with the help of the Live SDK.
Following is the URL of the blog post by Martin Laukkanen, which has sample code and steps that can be used to get the user name and email address of a Live ID user. You can extend the sample as per your requirements.
Screenshots after adding the sample web part that updates the user details:
Register application in Windows App
Get Windows Live ID user information
Get Windows Live ID user information using Live Connect SDK

1 comment:

  1. Good article. Does this mean I have to give permissions to individual users? What if I want to give permissions to bulk users? One more query... I have a SharePoint site hosted on an Azure VM and want to make that site accessible to organisation employees. What could be the approach?
