As I was going round and round a few weeks ago trying to figure out why my custom claims provider was not working as I anticipated, one of our great developers (Chris R.) gave me a list of things to look at to try and diagnose the issue. After spending about 5 minutes on his list I realized where the...

In Part 1 of this series, we went through how to configure SharePoint to use ACS and Azure Active Directory (AAD) as our Identity Provider. Once that is complete you will have a working end to end solution in which you can authenticate, get authorized and work in the site. What you also have is the standard...

Hopefully by now everyone has heard about the new app model in SharePoint 2013. There’s a lot of documentation out there about it so I won’t go into exactly what it is. What you should know is that it’s the preferred model for developing applications going forward. If you’ve done...

Eric Lawrence touches on this topic in one of his Fiddler blog posts, but unless you know what you're looking for it can be hard to track down so I am going to add the SharePoint twist on it here. We often tell folks to use Fiddler to get an idea of what's going on when they are having issues with their...

Hey, I'm an app guy, I like doing dev, but honestly - I may go hoarse screaming at my computer if I have to track down one more "The issuer of the token is not a trusted issuer" problem with my new SharePoint apps. To try and help you save your own voice (and sanity) I'm going to start a list here of...

I was working on a build of SharePoint that is post beta 2 today, and found that one of my custom high trust apps I had built would no longer work. In looking at the ULS logs I was getting the dreaded "The issuer of the token is not a trusted issuer" error message. I think this is the equivalent of ...

Hi folks, it has come to my attention that there is one particular property on the SPTrustedIdentityTokenIssuer in SharePoint 2013 that you should absolutely never ever touch or try to change in any way. 2013 introduces a new property on the SPTrustedIdentityTokenIssuer called the MetadataEndPoint, and...

Nothing really earth shattering here - the previous version of FBA Configuration Manager for SharePoint 2010 ( http://blogs.technet.com/b/speschka/archive/2010/07/28/sharepoint-2010-forms-based-authentication-configuration-manager.aspx) won't deploy directly to SharePoint 2013 so the attachment to this...

One of the things you’re likely to hear a lot about in SharePoint 2013, and I may end up writing a lot about, is oAuth. In SharePoint 2013 oAuth is used to establish a trust between two applications for purposes of establishing the identity of a principal (user or application). In SharePoint you...

There are times in SharePoint when you want or need to change an account identity. The best example is with SAML claims. In virtually of my examples I use email address as the identity claim for users. I do this because a) most people have an email address and b) an email address is something that most...

A good “friend of the blog”, Israel V., was good enough to point out to me recently that pretty much all of the code samples that we have for custom claims providers contain an irritating little flaw – if you follow these samples then the welcome emails that get sent out when you add...

Lots of folks have talked to me in the past about federating SharePoint with Windows Live. On the surface it seems like a pretty good idea – Windows Live has millions of users, everyone logs in with their email address, which is something we use a lot as an identity claim, it’s a big scalable...

In Part 1 of this series, I briefly outlined the goals for this project, which at a high level is to use Windows Azure table storage as a data store for a SharePoint custom claims provider. The claims provider is going to use the CASI Kit to retrieve the data it needs from Windows Azure in order to provide...

In Part 1 of this series, I briefly outlined the goals for this project, which at a high level is to use Windows Azure table storage as a data store for a SharePoint custom claims provider. The claims provider is going to use the CASI Kit to retrieve the data it needs from Windows Azure in order to provide...

Hi all, it’s been a while since I’ve added new content about SAML claims, so I decided to come back around and write some more about it in a way that links together some of my favorite topics – SharePoint, SAML, custom claims providers, the CASI Kit and Azure. This is the first part...

I've seen lots of questions and confusion (and was a little lost myself for a bit) on the fixes in SharePoint 2010 SP1 + June CU to enable use of the WHR parameter. This does in fact work now but requires a couple of things: Configure the SPTrustedIdentityTokenIssuer The SPTrustedIdentityTokenIssuer...

Okay, this will hopefully be the longest titled post I ever write, but I wanted to make sure it covered all the relevant technologies being discussed. This is an area that I’ve heard a more rumbling about recently, which is really all about how can I take a SAML claims user and get a Windows context...

Hey all, there has been a potential issue that's recently come to light for folks that have only applied SharePoint 2010 SP1 but not the June 2011 CU. What you will find after doing this is that the people picker will no longer work for your SAML claims users. You can still add claims via the type in...

I've had this scenario come up a few times now when working through various federation scenarios. These cases always involve using Facebook as an oAuth source for login, or Azure's AppFabric ACS as a federated identity provider. The common behavior is that you are doing something either interactively...

I recently witnessed a problem that proved to be fairly difficult to track down so I thought I would share the issue and resolution. In this case, a custom claims provider had been developed and it was being used as the default claim provider for the SPTrustedIdentityTokenIssuer, as described here: http...

Someone one posed an interesting question to me the other day, around whether or not you could use SAML claims with host header sites in SharePoint 2010. My initial thought was yes but I wanted to dig into it a little bit more to investigate. The short answer to all this is yes, but it's not quite as...

Hey folks wanted to let you know about some other federation whitepapers that have come out recently. Please see the following if interested: ADFS with Shibboleth - http://blogs.msdn.com/b/card/archive/2010/10/22/ad-fs-2-0-step-by-step-guide-federation-with-shibboleth-2-and-the-incommon-federation...

Hey folks, I just wanted to let you know that CA SiteMinder and Microsoft folks have been working together to create a whitepaper that details how to federate identities between CA Federation Manager and SharePoint 2010. They have recently released this paper that describes in great detail how to do...

A scenario that is happening more frequently in SharePoint 2010 is using a single zone for multiple authentication providers. One of the reasons folks do this is because they want to use a some type of claims authentication - like FBA or SAML - but they also want to add Windows claims so that the zone...

In the first post in this series ( http://blogs.technet.com/b/speschka/archive/2011/05/05/federated-saml-authentication-with-sharepoint-2010-and-azure-access-control-service-part-1.aspx ) I described how to configure SharePoint to establish a trust directly with the Azure Access Control (ACS) service...