SharePoint Trusted Identity Provider
SharePoint brings in many good things with claims-based authentication. A trusted identity provider is one of the authentication types we can use when creating a web application in SharePoint. Forms-based authentication has been available in SharePoint for a long time, but it is not standardized enough to be used at the corporate level: only a single web application can make use of it. The trusted identity provider option is available when we create a web application, as shown below:
The trusted identity provider issues and validates SAML tokens, which all claims-based applications understand. So in effect, users, roles and permissions can all reside in one place for all claims-based applications, and we no longer have to handle user permissions separately in each application. However, it takes considerable planning to implement, so for small projects it is overkill; otherwise it is well worth using a trusted identity provider.
Using this technology we can authenticate users of our application through already-built systems (depending on our requirements) such as Facebook, Twitter, LinkedIn, etc. We can also develop our own trusted identity provider tailored to the business needs of the organization. Below are the steps required to develop our own trusted identity provider.
Our development environment should have Windows Identity Foundation (WIF). This feature can be enabled through Server Manager on Windows Server. For SharePoint 2010, .NET 3.5 will work; for SharePoint 2013, .NET 4 or above is required.
Security Token Service (STS) Website
A new website project should be created which will use WIF to issue and validate the tokens at login. This project is based on the STS website template in Visual Studio. The project looks like this in Visual Studio:
In order to make this website work, we need to implement a few methods. First of all we need a certificate; for development purposes we can use a self-signed certificate, which can be generated from within IIS, as shown below:
Once the certificate is generated, open the app.config and change the settings shown below:
Following are the important aspects regarding this website:
- This is the website used for login, so you need to implement the login, change password and forgot password functionality there.
- Also implement the method ‘GetOutputClaimsIdentity’; this is the method where the claims are generated.
- This project generates a file at the path ‘\STSWebSite\FederationMetadata\2007-06\FederationMetadata.xml’; this file is important. Any application that needs to authenticate against this STS website must be provided with this federation metadata.
Claims Provider Implementation
Now that the website to authenticate users is ready, we need to implement the claims provider itself. To do that, simply create a class library in Visual Studio containing one class that inherits from Microsoft.SharePoint.Administration.Claims.SPClaimProvider. The methods that must be implemented are shown below:
The documentation for the above methods can be found on the Microsoft site. In a nutshell, all the claims related to the logged-in user are filled in through this claims provider; this process is called claims augmentation. As the claims provider lives in a class library, we need to load it into SharePoint using a feature scoped at the site level.
We can create the feature by creating a class that inherits from ‘SPClaimProviderFeatureReceiver’ and implementing a few methods. The following code shows it:
The last step is to install the certificate in SharePoint -> Security -> Trust. Once that is done, install the feature just developed, and the implementation of the claims identity provider is complete. Microsoft has provided a sample named WingTipSTS, available here, which can be used as a starting point.