Published: September 01, 2010 23:09 PM by
Have you ever noticed the security paradox in computers? Most people will agree that managing Active Directory or LDAP directories is an administrative task. Not necessarily the password resets and account create (those tend to get pushed to the help desk), but the installation, configuration and general maintenance of these vital data stores is performed by the top-of-the-heap admin. (Rightly so!)
However, if the authentication provider is not one of these, say an ASP.NET Membership provider (FBA), then it usually falls to the developer to configure the solution. It seems short sighted to me that the person charged with monitoring the system would wash their hands of the technology used to secure it! But, I’m not here today to change this activity. No, I am writing about a wonderful little utility that developers and admins alike can use to get up to speed on the new claims-based identity world!
First, a little background. To setup claims authentication with SharePoint, you need to follow the directions on TechNet: Configure authentication using a SAML security token (SharePoint Server 2010). The big stumbling point for those just getting started – where do I find a Security Token Service Web application? The answer is either ADFS2 or the WIF SDK. Well, now you have a third, and much easier option - SelfSTS.
SelfSTS is a security token service that is designed to issue tokens without a lot of configuration. For a full explanation, refer to Vittorio’s blog post. (If you are not subscribed to Vittorio’s blog, then you are not serious about claims auth!) To get SelfSTS working with SharePoint, there are a few little tweaks required outside of the steps laid out by TechNet and Vittorio. The steps below are copied and adjusted from the TechNet directions.
- Extract SelfSTS and run the executable from the bin\Release directory.
- Save the X509 Certificate that SelfSTS is using
- In the browser, navigate to the federation metadata page. (Be sure to start SelfSTS first. Otherwise, you will get a DNS error.) Hint: You can copy the url of the page from the SelfSTS UI. Click the "C" next to the link.
- In the metadata page, look for a tag named X509Certificate. Copy the inner text from any of these tags and paste it into Notepad.
- Save the file in Notepad. I put mine in the SelfSTS bin\Release folder with the name SelfSTS.cer
- In the SharePoint Management Console (PowerShell), read the certificate into a variable.
$cert = New-Object
System.Security.Cryptography.X509Certificates.X509Certificate2("path to cert file")
- Map the claim that SelfSTS provides to one that is understood by SharePoint
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
- The Realm setting is used by the STS to identify the source of the authentication request. In ADFS2, there is a user interface for mapping this identifier with the url of the application. However, SelfSTS does not have such a UI. Instead, it will automatically redirect to the value provided as the realm. So, this must be the url of the SharePoint claim service.
$realm = "http://[WebApplicationUrl]/_trust/"
- You will need to tell SharePoint the url of the identity provider. This is the endpoint in SelfSTS. (I’ve listed the default value below.)
$signinurl = "http://localhost:8000/STS/Issue/"
- Now, the trusted login provider can be created as shown in the TechNet article.
"SelfSTS" -Description "SelfSTS sample" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
Upon completion of these steps, the SelfSTS provider will be available for selection in the Trusted Identity Provider section when creating a new Web Application or modifying the Authentication Providers of an existing claims-based web application.
Before attempting to login to a site collection using SelfSTS, there are a few other items to address. The token signing certificate used by SelfSTS must be trusted by SharePoint. This is accomplished by the New-SPTrustedRootAuthority cmdlet in PowerShell, or via the Manage Trust link in the Security section of Central Administration. Also, be sure to grant permissions to the account provided by SelfSTS (or the all users account).
Again, the key differences when using SelfSTS is the Realm property, and that https is not required. (You are not leaving the box, so no need to incur that overhead.) Lastly, I want to point out that THIS IS FOR DEVELOPMENT PURPOSES ONLY. You should never use SelfSTS in production.
Update: Works fine under Windows 7.
Published: July 08, 2010 15:07 PM by
When VS2010 first came out in betas, one common complaint was that closing a lot of windows (for instance, after a debug session where you stepped into many different code files) required more work. The close button was moved from the right side of the tab well onto each individual tab.
I’m elated to see that the Visual Studio 2010 Power Tools lets us put the close button back to where it was!
Published: March 08, 2010 14:03 PM by
Are you interested in using the new claims-based authorization (Windows Identity Foundation) in SharePoint? I want to hear from you!
I’ve created a single-question survey that should take only a minute or two. It is anonymous. (If you want to start a dialog, contact me thru the blog or Twitter.)
Thanks in advance!
Published: March 01, 2010 13:03 PM by
Do you have tough technical questions regarding SharePoint for which you're seeking answers? Do you want to tap into the deep knowledge of the talented Microsoft Most Valuable Professionals? The SharePoint MVPs are the same people you see in the technical community as authors, speakers, user group leaders and answerers in the MSDN forums. This is the first time we have brought these experts together as a collective group to answer your questions live. So please join us and bring on the questions! This chat will cover WSS, MOSS and the SharePoint 2010 beta. Topics include setup and administration, design, development and general questions.
Monday, March 15, 2010
9:00 – 10:00 A.M. Pacific Time
12:00 - 1:00 P.M. Eastern Time
16:00 - 17:00 GMT
Join the chat room on the day of the chat:
Published: February 15, 2010 14:02 PM by
I am excited to announce that I am hosting a SharePoint 2010 Community Launch event in conjunction with The Chicago Microsoft SharePoint Business Strategies Group.
We will have a short overview of SharePoint 2010 followed by a presentation on Enterprise Content Management by SharePoint MVP Ben Curry.
Come see the new Enterprise Content Management functionality in SharePoint Server 2010. Have you ever wanted to replicate a content type across many site collections with the click of a button? Have you wanted a centralized taxonomy that was easy to manage? Do you want to save time & money managing your information architecture? In SharePoint Server 2010, Enterprise Content Types and Metadata provide much more robust methods of data classification, retention, retrieval, and consumption. The agenda will include Content Type Syndication, Creating and Managing a Term Store, and integrating these solutions into sites, libraries, and Office 2010 applications.
Ben Curry (SharePoint MVP, CISSP, MCT, MCP, MCTS) is an enterprise architect specializing in knowledge management and collaboration technologies. As a Managing Consultant for Summit 7 Systems, Ben draws on his years of experience to manage the most demanding projects and system architectures while delivering powerful customized solutions based on the Microsoft Information Worker platforms. He has authored or co-authored 4 books on SharePoint Server, including SharePoint Server 2007 Best Practices and the forthcoming SharePoint Server 2010 Administrators' Pocket Consultant, both by Microsoft Press.
Registration is now open.
Published: December 09, 2009 01:12 AM by
Published: July 13, 2009 09:07 AM by
Published: February 22, 2009 18:02 PM by