Speaking Engagements

The Evansville SharePoint User Group, 10/28/2010
Pittsburgh Area SharePoint User Group, 11/16/2010
SharePoint MindsharpBlogs > Paul Schaeflein
Experiences from the field

Last 10 Posts

Sep 01
Published: September 01, 2010 23:09 PM by  Paul Schaeflein   Powered by: Mindsharp and Summit 7

Have you ever noticed the security paradox in computers? Most people will agree that managing Active Directory or LDAP directories is an administrative task. Not necessarily the password resets and account create (those tend to get pushed to the help desk), but the installation, configuration and general maintenance of these vital data stores is performed by the top-of-the-heap admin. (Rightly so!)

However, if the authentication provider is not one of these, say an ASP.NET Membership provider (FBA), then it usually falls to the developer to configure the solution. It seems short-sighted to me that the person charged with monitoring the system would wash their hands of the technology used to secure it! But, I’m not here today to change this activity. No, I am writing about a wonderful little utility that developers and admins alike can use to get up to speed on the new claims-based identity world!

First, a little background. To set up claims authentication with SharePoint, you need to follow the directions on TechNet: Configure authentication using a SAML security token (SharePoint Server 2010). The big stumbling point for those just getting started – where do I find a Security Token Service web application? The answer is either ADFS2 or the WIF SDK. Well, now you have a third, and much easier, option: SelfSTS.

SelfSTS is a security token service that is designed to issue tokens without a lot of configuration. For a full explanation, refer to Vittorio’s blog post. (If you are not subscribed to Vittorio’s blog, then you are not serious about claims auth!) To get SelfSTS working with SharePoint, there are a few little tweaks required outside of the steps laid out by TechNet and Vittorio. The steps below are copied and adjusted from the TechNet directions.

  1. Extract SelfSTS and run the executable from the bin\Release directory.
  2. Save the X509 certificate that SelfSTS is using.
    1. In the browser, navigate to the federation metadata page. (Be sure to start SelfSTS first. Otherwise, you will get a DNS error.) Hint: You can copy the URL of the page from the SelfSTS UI. Click the "C" next to the link.
    2. In the metadata page, look for a tag named X509Certificate. Copy the inner text from any of these tags and paste it into Notepad.
    3. Save the file in Notepad. I put mine in the SelfSTS bin\Release folder with the name SelfSTS.cer.
  3. In the SharePoint Management Console (PowerShell), read the certificate into a variable.
     $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("path to cert file")
  4. Map the claim that SelfSTS provides to one that is understood by SharePoint.
     $map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
  5. The Realm setting is used by the STS to identify the source of the authentication request. In ADFS2, there is a user interface for mapping this identifier to the URL of the application. However, SelfSTS does not have such a UI. Instead, it will automatically redirect to the value provided as the realm. So, this must be the URL of the SharePoint claim service.
     $realm = "https://[WebApplicationUrl]/_trust/"
  6. You will need to tell SharePoint the URL of the identity provider. This is the endpoint in SelfSTS. (I’ve listed the default value below.)
     $signinurl = "http://localhost:8000/STS/Issue/"
  7. Now, the trusted login provider can be created as shown in the TechNet article.
     New-SPTrustedIdentityTokenIssuer -Name "SelfSTS" -Description "SelfSTS sample" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

Upon completion of these steps, the SelfSTS provider will be available for selection in the Trusted Identity Provider section when creating a new Web Application or modifying the Authentication Providers of an existing claims-based web application.

Before attempting to login to a site collection using SelfSTS, there are a few other items to address. The token signing certificate used by SelfSTS must be trusted by SharePoint. This is accomplished by the New-SPTrustedRootAuthority cmdlet in PowerShell, or via the Manage Trust link in the Security section of Central Administration. Also, be sure to grant permissions to the account provided by SelfSTS (or the all users account).

Again, the key differences when using SelfSTS are the Realm property and the fact that HTTPS is not required. (You are not leaving the box, so there is no need to incur that overhead.) Lastly, I want to point out that THIS IS FOR DEVELOPMENT PURPOSES ONLY. You should never use SelfSTS in production.
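The numbered steps above, together with the New-SPTrustedRootAuthority step from the paragraph that follows them, collected into one script. This is an added example, not code from the post, from SelfSTS or from the TechNet article. It runs in the SharePoint 2010 Management Shell with SelfSTS already started, and it reads the signing certificate straight out of the federation metadata instead of through Notepad, so the certificate SharePoint trusts is exactly the one the STS publishes. The metadata URL, the web application URL and the certificate path are placeholders you supply; the sign-in URL and claim type are the values given in steps 4 and 6.

```powershell
# Added example (not the post's own code). Run in the SharePoint 2010 Management Shell
# on a development box, with SelfSTS running. Edit the assumptions block first.

# ---- Assumptions (placeholders; adjust for your box) ----
$metadataUrl = "[federation metadata URL copied from the SelfSTS UI]"
$webAppUrl   = "http://[WebApplicationUrl]"              # the claims web application; plain http is fine on a dev box
$certPath    = "C:\SelfSTS\bin\Release\SelfSTS.cer"      # where the decoded certificate is written (assumed path)
$signInUrl   = "http://localhost:8000/STS/Issue/"        # SelfSTS default endpoint, as listed in step 6
$emailClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Step 2: fetch the federation metadata and pull the certificate out of it.
# The certificate lives in <ds:X509Certificate> elements; matching on local name
# sidesteps the XML namespace handling.
$client   = New-Object System.Net.WebClient
[xml]$md  = $client.DownloadString($metadataUrl)
$certNode = $md.SelectNodes("//*[local-name()='X509Certificate']") | Select-Object -First 1
if ($certNode -eq $null) { throw "No X509Certificate element found in $metadataUrl" }

# The element text is Base64 DER; write it out as a .cer so the same file can be
# re-used later (and inspected with certutil or the Certificates MMC).
$certBytes = [Convert]::FromBase64String($certNode.InnerText.Trim())
[System.IO.File]::WriteAllBytes($certPath, $certBytes)

# Step 3: load the certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host ("SelfSTS signing certificate thumbprint: " + $cert.Thumbprint)

# Step 4: map the e-mail address claim straight through.
$map1 = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Step 5: SelfSTS redirects to the realm verbatim, so it must be the trust
# endpoint of the SharePoint web application.
$realm = "$webAppUrl/_trust/"

# Trust the token-signing certificate. Without this the provider shows up in
# Central Administration but every token it issues is rejected.
if ((Get-SPTrustedRootAuthority -Identity "SelfSTS" -ErrorAction SilentlyContinue) -eq $null) {
    New-SPTrustedRootAuthority -Name "SelfSTS" -Certificate $cert | Out-Null
}

# Step 7: create the trusted identity token issuer (step 6's value is $signInUrl).
New-SPTrustedIdentityTokenIssuer -Name "SelfSTS" -Description "SelfSTS sample" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 `
    -SignInUrl $signInUrl -IdentifierClaim $map1.InputClaimType | Out-Null

# Check what SharePoint actually stored against what was intended.
Get-SPTrustedIdentityTokenIssuer -Identity "SelfSTS" |
    Select-Object Name, DefaultProviderRealm,
        @{ Name = "Thumbprint"; Expression = { $_.SigningCertificate.Thumbprint } }
```

The thumbprint printed by the script is the thing to compare against the certificate SelfSTS shows in its own UI; if they differ, the metadata page came from something other than the STS you started. After the script, the account SelfSTS issues (or the all-users account) still has to be granted permissions in the site collection, as the post notes.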

Update: Works fine under Windows 7.



Jul 08
Published: July 08, 2010 15:07 PM by Paul Schaeflein

When VS2010 first came out in betas, one common complaint was that closing a lot of windows (for instance, after a debug session where you stepped into many different code files) required more work. The close button was moved from the right side of the tab well onto each individual tab.

I’m elated to see that the Visual Studio 2010 Power Tools lets us put the close button back to where it was!

Visual Studio Options - Document Tab Well



Jun 14
Published: June 14, 2010 10:06 AM by Paul Schaeflein


Jun 03
Published: June 03, 2010 08:06 AM by Paul Schaeflein

The Claims-based authentication abilities in SharePoint 2010 are provided by Windows Identity Foundation (WIF). Learn about WIF from one of the true experts, Vittorio Bertocci, at TechEd. Vittorio describes his sessions on his blog. Conveniently, Vittorio’s sessions are the day before my SharePoint+Claims talk.



May 11
Published: May 11, 2010 11:05 AM by Paul Schaeflein

Because my buddy Todd cannot make it to TechEd this summer, I am delivering the REST/LINQ talk for him. Complete details on all talks are available in the Session Catalog.



Apr 27
Published: April 27, 2010 12:04 PM by Paul Schaeflein

Are you attending TechEd in June? I'll be there presenting the following breakout session:

Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication as well as working in the learning center.

SharePoint has built-in user authorization so that a site owner can specify what access particular users have to resources. Authentication is the identification of who the user is and this is provided by other software external to SharePoint such as Active Directory. There are many authorization and authentication requirements in custom solutions and this session helps to explain the technology landscape for developers. Topics include Authorization by Claims Authentication, Anonymous Access and Blog Commenting, ASP.NET Membership Provider, and Live ID Authentication.

Be sure to stop by and say hello!



Apr 13
Published: April 13, 2010 20:04 PM by Paul Schaeflein

Quite some time ago, Amazon came out with their cloud computing offering, EC2. I found the concept fascinating and wanted to try it out. I never did though, for quite a few reasons: initially there were no Windows instances; setup and management was via command-line utilities; running the command-line required confusing (to me) encryption keys; and I don’t run Firefox so I couldn’t take advantage of the extensions. I am sure that over the years that EC2 has been around that many of these obstacles have been removed. This post is not a criticism of Amazon, but there was no way that I was going to figure out all that stuff in the little free time I had. So cloud computing was still on my “see if it can help me do my job someday” list.

Today was that day. I needed to get a file from a client that was 60+ MB. Too big for email. The client has a policy forbidding the use of Mesh, and wanted to “just ftp” the file to my site. Well, I don’t have a site just lying around to receive ftp requests. Then I remembered – I can get one quickly in the cloud! Off to Amazon EC2. Instances. AMI’s. S3. Eeeek!!! I’m just a lowly developer, can I just get a remote desktop session?

Then I remembered talking with Jeff DeVerter from Rackspace when I was presenting in San Antonio a few months back. They have a cloud offering, so I looked at their instructions. 1-2-3. So simple, even a developer can do it! So, I signed up; talked with the agent to confirm I really want an account; provisioned a server with Win2008r2; added the IIS Management console and the FTP service; created a local account for my client; opened the FTP ports in the firewall and gave instructions to my client in less than 1 hour. He uploaded the file, I downloaded the file and deleted the server. Because of a couple of phone calls, my cloud server was running for 1 hour and 40 minutes. Total cost: 7 cents.

Now that I know the steps involved, I can script them and I bet that next time I can have the server running and configured while my client waits on the phone. (That is what we devs do best – automating those steps so they don’t get performed incorrectly!) That is certainly preferable to running a dedicated server as I did in the past.
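The manual steps from the paragraph above, scripted for a freshly provisioned Windows Server 2008 R2 instance so the drop site is built the same way every time. This is an added example, not the post's own script and not anything from Rackspace: it installs the two IIS features the post added, creates the client's local account with a generated one-time password, limits that account to a single upload folder, and opens the FTP control port. The account name and drop folder are assumptions; the FTP site itself and its authorization rule are still created in the IIS console the script installs, as in the post.

```powershell
# Added example (not the post's own code). Run as an administrator on a throwaway
# Windows Server 2008 R2 box; the server is deleted once the file has been collected.
param(
    [string]$ClientUser = "client-drop",        # assumed account name
    [string]$DropFolder = "C:\inetpub\ftproot"  # default IIS FTP root, assumed as the landing folder
)

Import-Module ServerManager

# The two features the post added by hand: the IIS console and the FTP service.
Add-WindowsFeature Web-Mgmt-Console, Web-Ftp-Server | Out-Null

# Local account for the client. The password is generated rather than chosen, and
# shown exactly once so it can be read to the client over the phone.
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(16, 3)
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$user = $computer.Create("User", $ClientUser)
$user.SetPassword($password)
$user.Put("Description", "Temporary FTP upload account; delete the server when done")
$user.SetInfo()
Write-Host "Account $ClientUser created; one-time password: $password"

# The client gets Modify on the drop folder and nothing else on the box.
if (-not (Test-Path $DropFolder)) { New-Item -ItemType Directory -Path $DropFolder | Out-Null }
icacls $DropFolder /grant "${ClientUser}:(OI)(CI)M" | Out-Null

# Open the FTP control port. Passive-mode data connections use whatever port
# range the FTP service is configured with; that range has to be opened as well.
netsh advfirewall firewall add rule name="FTP control (temporary)" dir=in action=allow protocol=TCP localport=21 | Out-Null

Write-Host "Remaining manual step: create the FTP site on $DropFolder and add an authorization rule for $ClientUser in IIS Manager."
```

Deleting the server afterwards, as the post does, is what keeps this acceptable: the account, the open port and the plaintext FTP credential all disappear with it, so nothing here should be reused on a long-lived machine.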

Thank you to Amazon for pioneering this concept. And a big thank you to Jeff and Rackspace for making it easy for me to use it!



Mar 08
Published: March 08, 2010 14:03 PM by Paul Schaeflein

Are you interested in using the new claims-based authorization (Windows Identity Foundation) in SharePoint? I want to hear from you!

I’ve created a single-question survey that should take only a minute or two. It is anonymous. (If you want to start a dialog, contact me through the blog or Twitter.)

Thanks in advance!



Mar 08
Published: March 08, 2010 10:03 AM by Paul Schaeflein

Last week I had the opportunity to view the workshop put on by Mark Miller from EndUserSharePoint.com. I have to admit that I am not a real big “end user” of SharePoint. I am really an end user of Visual Studio. So it was very helpful to put myself in the shoes of others for a few hours.

I have a project coming up in which I need to build a video library in SharePoint. While I’m sure that I can build something pretty fancy, I don’t want to administer this library forever. That is where this workshop helped me: What concepts/actions are comfortable for end users? What issues will they face when using my application? What features does SharePoint provide that I can reuse?

So, it seems to me that EndUserSharePoint.com is not valuable only to end-users. Even bit-twiddlers like me can benefit. If you see a workshop that looks relevant to your project, I encourage you to attend. You won’t regret it!



Mar 04
Published: March 04, 2010 12:03 PM by Paul Schaeflein

Thanks to my friend and MAT alum Serge, I will be speaking in Montreal at the SharePoint Summit 2010. Sadly, I don’t have the entire week to stay and visit, but I will be there Monday.

If you’re at the event, please say hi!


