Claims authentication against Windows Live ID for SharePoint 2010
The SharePoint engineering team at Fpweb.net is always striving to discover new frontiers. To declare that the impossible is… well, possible. Recently, we put our heads together to find a way to use both Live ID and Open ID as an authentication method for SharePoint Server 2010.
With the addition of the new claims based authentication framework in SharePoint 2010, SharePoint is now more loosely coupled to the authentication layer than ever. You’ve probably seen presentations or webinars where it was mentioned that you can use claims authentication against authentication providers such as Live ID and OpenID. However, the documentation for configuring Live ID authentication is relatively hard to come by.
Recently, Chris Schwab and I were working with an Fpweb.net customer that needed to use Live ID as an external authentication source for their internet-facing hosted SharePoint 2010 Server farm. They wanted to “outsource” the user account repository and password management for their site to Windows Live ID. While this lessened the burden of user account administration, they still needed to give the Windows Live users SharePoint permissions. Below is a step-by-step guide on how to set up claims authentication using Windows Live ID for SharePoint 2010.
PowerShell ISE – This can be added to your Windows 2008 R2 Server through Windows Features
Fiddler 2 – A web debugging proxy to inspect http(s) traffic between your server and Live ID STS
Configure the Windows Live ID security token service
- Login to the Microsoft Services Manager for Windows Live with your Live account.
- Click Register Your Site.
You’ll notice that you are redirected to https://msm.live-int.com.
- You are redirected to the “int” version of Live.com because your site has not been reviewed by Microsoft and has not been given the “Prod” indication (meaning your site is compliant).
- Below is a screenshot of the Microsoft Services Manager after clicking the “Register Your Site” link.
How to fill out the fields shown in the screenshot above:
- Enter in a useful description for your site.
- DNS Name:
- Enter in a value for the DNS name of your site. This must be unique and match the setting you give for realm on the SharePoint Server (I’ll give more detail on this later). For now it can be urn:whateveryouwant.
- Select Window Live ID for the policy group.
- Click Submit and then Yes on the confirmation page.
- Default Return Url:
- Override Authentication Policy (advanced settings):
Note: You will have to build your site authentication against Live-Int.com at first. Then, you’ll have to submit it to Microsoft for a compliance review. You will not be sent back real email addresses from the Live ID STS, only the PUID of the user. Once the user is authenticated to your site, they will need to enter their email/name if you need this information.
Retrieve and install the x509 certificate on the web servers
- Download this -int version of the x509 cert.
- Open it, and locate the
<KeyDescriptor use=”signing” wsu:Id=”stscer”>node.
- Copy the contents within the
- Copy the contents within the
- Create a new text file in notepad, and paste the contents into it.
- Save as
- NOTE: from here-on, we will refer to this file as the “x509 cert”
- Save as
- Import the new certificate using Start > Run > MMC
- You should see the screenshot shown below. From the File Menu, Choose:
- Add Snap-ins > Certificates > Computer Account > Next Local Computer > OK
- Import the x509 cert to all 3 places shown below:
- Trusted People
- Trusted Root Certification Authorities
Configure a SharePoint 2010 claims provider using PowerShell
$realm = "urn:andyliveid:dev"
$certloc = "C:\LiveIDPublic.cer"
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority "Production OpenID Token Signing Cert"
-Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
$map1 = New-SPClaimTypeMapping
–SameAsIncoming $map2 = New-SPClaimTypeMapping
$user = "email@example.com" #your unique live PUID
$apSAML = New-SPTrustedIdentityTokenIssuer
-Name "LiveIDInt" -Description "LiveIDInt"
-Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
$cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer
$apSAML -Identity $user.tolower()
Set your web app to use claims / Windows NTLM authentication
- Open SharePoint 2010 Central Administration > Application Management > Manage Web Applications > Select your Web application > Authentication Providers > Default Zone
- Select “Enable Windows Authentication”, “Trusted Identity Provider” and “LiveID”
Test your SharePoint 2010 site login with Live ID credentials
- Open the Fiddler 2 app you downloaded earlier so that it starts logging http requests and responses. This is useful for seeing what URLs SharePoint redirects you to and what the Live ID STS is sending back.
- Browse to your site on the server. You should see an authentication method drop down with Live ID and Windows as options.
If everything is setup correctly you’ll be routed to the Live-Int login page and NOT see a red error. You’ll be able to login and get redirected back to your SharePoint site where you see access denied for user firstname.lastname@example.org. This is because you haven’t given your live id account SharePoint permissions.
After you pass the Microsoft compliance review
This section provides an educated guess on what you’ll need to do in order to configure your SharePoint 2010 server to use the Prod live.com STS vs. INT.
(our Fpweb.net SharePoint 2010 team was able to skip this part since we were working hand-in-hand with Microsoft to get this authentication method working).
We assume that essentially, you’ll repeat all of the above steps but remove the “-int” from your Claims provider. You’ll also need to get the prod x509 certificate and use that to copy/paste when creating your cert on the web servers.
Update: 7/18/2011: Chris Schwab has written a helpful post about which Fpweb.net SharePoint Hosting Plans can utilize LiveID authentication!