NOTE: As usual the formatting on this site sucks. I recommend you download the Word document attachment with this posting for better reading.
I had been looking at Windows Azure Access Control Service (ACS) with an interesting eye recently, thinking about some of the different integration options. There’s always lots of chatter about claims authentication with SharePoint 2010, and how to integrate ADFS, Windows Live, Facebook, etc. ACS (also known as AppFabric ACS to you Azure purists / marketing people) is rather cool because it includes “connectors” for these common identity providers out of the box. When you set up an ACS namespace (think of it like an account with connectors and configuration settings), you have simplified and streamlined connectivity to ADFS 2.0, Windows Live, Yahoo, Google and Facebook. The lazy programmer in me thinks hey, there must be something goin’ on there so I decided to look into it from a couple of different angles. I’m going to describe the first one in this post.
For this scenario I really just wanted to establish a trust directly between SharePoint 2010 and ACS. I wanted to be able to use ADFS, Windows Live, Yahoo and Google accounts to authenticate and get into my SharePoint site. I didn’t include Facebook because social computing is really not my thing (this blog’s as close as I get) so I don’t have a Facebook or Twitter account because I’m really not interested in frequently sharing pointless information with the world at large (“Puffy just had 3 kittens – Adorable!!”). I will NOT be explaining how to get a Windows Azure account, create an Access Control Service namespace, how to manage ACS, etc. – there should be reams of info out there from the Windows Azure folks so I’m not going to try and reinvent that.
What I am going to describe is the process of setting up the various trusts, certificates, and configuration necessary to get all this stuff working together. At the end I’ll include some screenshots of me logged in with identities from each of those providers. Here are the steps to get connected:
Add An Identity Provider for ADFS
That’s pretty much all you need to do to create your Identity Provider in ACS.
3. Add A Relying Party for SharePoint
4. Create the rules for the Relying Party
5. Create a Relying Party for ACS in ADFS
6. Configure the SharePoint Trust with ACS
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
Copy the data out of the X509Certificate element and paste it into notepad. Save it with a .CER file extension (the encoding should be ANSI); for purposes of this post let’s assume you call the file C:\AcsTokenSigning.cer. This is the token signing certificate for ACS.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\AcsTokenSigning.cer")
New-SPTrustedRootAuthority -Name "ACS Token Signing" -Certificate $cert
At this point you should be ready to hit the site and give it a try. Remember that you’ll need to configure the site collection administrator to be one of the email addresses that one of the identity providers will return so you can log into the site. Once in there you can add email addresses or role claims from providers to SharePoint groups just as you would normally expect to do.
The one caveat to remember again, for now, is Windows Live ID. As stated previously in this post, you won’t really have a valid email address for Windows Live so you will need to add what they call the PUID to your SharePoint group. For testing purposes, the easiest way to get this is to log in using Windows Live ID, and then you will reach the page in SharePoint that says you are logged in as “foo” and access is denied. From there you can copy the PUID, login as an admin user, add the PUID to a SharePoint group and you should be good to go. I haven’t even looked at what kind of directory options, if any, are available for Windows Live ID (I’m guessing probably none). But it’s a start so we can move this proof of concept along. Now that we’ve done that, here’s what it looks like logging into my site using each of these identity providers:
Windows Live ID