In this series of post I will talk about how to allow Windows Live users to login to an internet facing SharePoint 2010 site. Most of the information can be found online, but I am putting them here in a form of a series to make it easy for who ever wants to implement the integration to find the information easily.
The first part of the series would be how to register and configure the site to use Windows Live ID as an authentication provider.
Registering with Windows Live ID
To use Windows Live ID authentication, the site should be registered first using the Microsoft Service Manager web application located at http://msm.live.com. Below are the steps needed to register the website for Windows Live ID Authentication
1. In your browser, browse to http://msm.live.com
2. Login to the website using an already registered Windows Live ID. This Windows Live ID will be the main ID that will be used to manage the Windows Live ID registration.
3. In the left menu, click on Register Your Site
4. A page will open where you need to enter the name of the site and the DNS Name
5. Choose Windows Live ID
6. Click Submit
7. On the confirmation page, click Yes.
8. The below screen will appear
9. Click on Go to Manage your Site link.
10. In the drop-down list, select the site that was just registered and the click on Modify Editable Site Properties
11. In the next screen, check the Show advanced properties check box to enable more options
12. Enter the values in the fields that appear on the screen (Replace the below with your own domain) Domain Name: contoso.com DNS Name: urn:contososharepoint:int Default Return URL: https://contoso.com/_trust/default.aspx Expire Cookie URL: https://contoso.com/wlid/expirecookie.aspx
13. Scroll down until you see the Override Authentication Policy. Select MBI_FED_SSL from the dropdown.
14. Scroll up to the page and click the Submit button.
15. On the next screen, note down all the information on the screen, and then click the Yes button.
Claims based authentication uses certificates for encryption and signing and we have to trust the certificate of the IP on the SharePoint servers. The following steps must be done on all WFE's in the farm.
1. To get the IP Certificate, browse to the federation metadata URL https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml
2. Select and copy the text from the first X509Certificate node
3. Make sure to select only the inner text, excluding the <X509Certificate></X509Certificate> tags.
4. Open Notepad application, paste the text and then save the file as LiveID-INT.cer. We now have the certificate in a file and we need to import it to the correct locations on the SharePoint Servers.
5. On the WFE server, press Window Key + R on the keyboard and then type mmc.exe and press enter to open up the management console.
6. Add the Certificates snap-in to the management console. Choose Computer Account to manage and then select to use the Local Computer as computer to manage
7. Expand the tree until your reach SharePoint > Certificates. Right click on the node and select All Tasks > Import…
8. In the import wizard, locate the LiveID-int.cer file we just created and then click Next > Next > Finish.
9. Repeat same procedure above to import the certificate to the Trusted Root Certificate Authority and Trusted People.
10. These procedures should be done on all WFE servers.
We need to create a Trusted Identity Token Issuer in SharePoint which will be configured to be used as the login provider for our Web Application.
1. On one of the SharePoint servers, fire up the Powershell console.
2. Execute the below powershell script
1: asnp microsoft.sharepoint.powershell 2: $realm = "urn:contososharepoint:int" 3: $certfile = "C:\Temp\LiveID-INT.cer" 4: $rootcert = Get-PfxCertificate $certfile 5: New-SPTrustedRootAuthority "Live ID INT Root Authority" -Certificate $rootcert 6: $emailclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming 7: $upnclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn 8: $authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID INT" -Description "LiveID INT" -Realm $realm -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
3. After running the script, verify that the script executed correctly by going to Central Administration > Security > Manage Trust.
Create the Web Application
1. From Central Administration, go to Application Management > Manage Web Applications.
2. Click on Create a new Web Application
3. In the Create New Web Application page, choose Claims Based Authentication from Authentication providers list.
4. Choose Create a new IIS website. Use the following values to fill the IIS Web Site fields (Replace the below with values that correspond to your website) Name: Contoso Public Portal Port: 443 Host Header: contoso.com
5. Under Security Configuration, select Yes under Use Secure Sockets Layer (SSL)
6. Under Claims Authentication Types, check the Trusted Identity provider checkbox
7. Check the LiveID INT checkbox from the list
8. Click on Create Web Application button.
After following the above steps, your web application will be ready to authenticate against Windows Live ID.
the problem is that liveID-NT users is not same as Windows Live users. User's that already have Windows Live should create LiveID-NT account too.
Do you know how integrate it with Windows Live, same as following link:
Live ID and OpenID Trusted Identity Provider for Claims Based Authentication
It is commercial solution, but I need free solution.
the LiveID-NT domain is the Windows Live testing environment, you create accounts on this environment for testing purposes. Once you finish and test your work, you can submit your website to Windows Live for compliance.
Once you get approved, you will be moved to the Windows Live production environment, users that already have a Windows Live ID will be able to login to your website.
Hope this helps.