Do you hate managing user names and passwords? You are not alone!
If you don’t need to manage permissions on an individual user basis, I have discovered an ideal solution to managing user names and passwords: you can use Microsoft Live ID and other services like Gmail and Facebook as an authentication provider for SharePoint 2010 and 2013.
Overview of the steps involved
SharePoint 2013 cannot communicate directly with Live ID, so you must set up an Access Control Service in Azure. Although you will need an active subscription to Azure, there currently is no charge for creating or using the Access Control Service. Once your account is set up, you must configure SharePoint to use the Access Control Service.
Some drawbacks to this method
1. The user ID returned by the Live ID provider is an opaque, generated string rather than a readable name, so it may not be the best option.
2. The user properties such as name and work email may be updated by the user (this depends on the configuration of the user profile service) but are not supplied by Live ID.
3. You cannot use the user’s email to assign permissions to them even if the user has updated their email.
4. You can enter the email when adding the user and SharePoint will seem to find it.
This action doesn’t find the existing Live ID user with the specified email address. It adds a new user with email@example.com as the account name.
5. You must use the user ID returned from the Azure Access Control Service to assign permissions to the user.
6. The user ID returned from Azure Access Control Service is unique to the Access Control Namespace. There doesn’t seem to be any way to determine the user ID prior to the user logging in to SharePoint. Therefore, the only way to grant access to a SharePoint site to a Live ID user during their first login to SharePoint is to grant access to the Everyone group on the initial loading page.
7. Using Live ID as an authentication provider in a site with strict security settings may not be ideal.
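Drawbacks 5 and 6 mean the only identity you can rely on is the nameidentifier value ACS issues, and you only learn it after the user's first sign-in. The PowerShell below is an added example, not code from the original tip: it lists the users a site already knows that arrived through the trust (so the ACS identifier can be read from their login), and then grants one such user Visitor access by that identifier instead of by email. It assumes the trusted identity provider is named "Live ID" as in the configuration steps later on this page, a placeholder site URL, and a placeholder for the nameidentifier value.

```powershell
# Added example (not from the original tip). Assumes the trusted identity
# token issuer is named "Live ID" (as in step 35 of this page), a placeholder
# site URL, and a placeholder for the nameidentifier value ACS returned.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://sharepointsite.com"               # placeholder: your site URL
$trustName = "Live ID"                                  # name given to New-SPTrustedIdentityTokenIssuer
$acsUserId = "<nameidentifier value returned by ACS>"   # placeholder: read from a prior sign-in

# List the users this site already knows that arrived through the trust.
# The encoded login name contains the provider name, and the ACS identifier is
# the last '|'-separated field of UserLogin. -like is case-insensitive.
function Get-LiveIdUsers {
    param([string]$Url, [string]$Trust)
    $web = Get-SPWeb $Url
    try {
        $web.SiteUsers |
            Where-Object { $_.UserLogin -like "*|$Trust|*" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    DisplayName = $_.DisplayName
                    UserLogin   = $_.UserLogin
                    AcsUserId   = $_.UserLogin.Split('|')[-1]
                }
            }
    } finally { $web.Dispose() }
}

# Turn the ACS identifier into a claims principal for the trust and add it to
# the site's Visitors group. The identifier, not the email, is the identity,
# so this is the reliable way to grant a specific Live ID user access.
function Grant-LiveIdVisitor {
    param([string]$Url, [string]$Trust, [string]$UserId)
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $Trust
    $claim  = New-SPClaimsPrincipal -Identity $UserId -TrustedIdentityTokenIssuer $issuer
    $web = Get-SPWeb $Url
    try {
        # EnsureUser accepts the encoded claim string as the login name
        $user = $web.EnsureUser($claim.ToEncodedString())
        $web.AssociatedVisitorGroup.AddUser($user)
        $user.LoginName
    } finally { $web.Dispose() }
}

# Usage: inspect who has signed in through the trust, then grant one of them explicitly.
Get-LiveIdUsers -Url $siteUrl -Trust $trustName | Format-Table DisplayName, AcsUserId, UserLogin -AutoSize
Grant-LiveIdVisitor -Url $siteUrl -Trust $trustName -UserId $acsUserId
```

Once the users you care about have been granted access this way, the Everyone entry that the procedure adds to the Visitors group (so first-time sign-ins are not refused) can be reviewed rather than left in place indefinitely.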
How to configure the Access Control Service in Azure
1. Sign into Azure. Open the Portal by clicking the Portal link in the upper right-hand corner.
2. Click the New button in the bottom left-hand corner of the Azure Management Portal.
3. Select App Services > Active Directory.
4. Select Access Control > Quick Create.
5. Enter the Namespace, Region and Subscription. Click Create.
6. Select the Identity providers link in the left navigation menu in the Windows Azure Portal.
7. Windows Live ID is installed by default. You can add other identity providers here.
8. Select Relying Party Applications from the left navigation menu.
9. Select Add.
10. Enter the display name for the relying party application.
11. Enter the URL of the SharePoint site in the realm field.
12. Enter the URL of the SharePoint site with /_trust appended to the end in the return URL field. Example: https://sharepointsite.com/_trust
13. You can enter an optional Error URL or leave the field blank.
14. Change the token format to SAML 1.1. SharePoint will only work with SAML 1.1.
15. Leave (or set) the Token encryption policy to none.
16. Increase the Token lifetime to 3600 seconds.
17. Under Authentication settings, select the Identity provider(s). You can choose more than one.
18. Select Create new rule group.
19. Leave (or set) Token signing to Use service namespace certificate (standard) in the Token Signing Settings.
20. Click Save.
21. Select the Rule groups link from the left navigation menu.
22. Select Add.
23. Enter a name and click save.
24. Click Generate above the rules section to generate the new rule group.
25. Windows Live ID only has the nameidentifier rule configured. It is possible to configure other claims like name and email for other identity providers.
26. Select Certificates and Keys from the left navigation menu.
27. Add a new Token Signing certificate. This certificate should be the same certificate used by the SharePoint site. You can create a self-signed certificate for development environments.
28. Select the relying party application and the certificate type. Upload the certificate and click save.
29. Click on application integration from the left navigation menu.
30. Select the Login Pages link.
31. Select your Relying party application.
32. Copy and record the URL in the textbox under option 1.
33. Sign out of Azure and connect to your SharePoint server.
34. Open SharePoint 2013 Management Shell.
35. Enter the following commands, replacing the placeholder values with your own:
# realm is the realm that you entered in Azure (step 11)
$realm = "http://sharepointsite.com"
# Replace the URL with the sign-in URL that you recorded in step 32
$signinurl = "<URL recorded in step 32>"
# Location of the certificate uploaded to Azure (step 27)
$certloc = "C:\sharepointsite.com.cer"
$rootcert = Get-PfxCertificate $certloc
# Trust the certificate so that SharePoint accepts tokens signed with it
New-SPTrustedRootAuthority "Windows Azure ACS" -Certificate $rootcert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
# Map the nameidentifier claim from the Live ID rule group (step 25) to the local UPN claim
$NameIdentifier = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# Create the new trusted identity provider; the identifier claim is the incoming nameidentifier
New-SPTrustedIdentityTokenIssuer -Name "Live ID" -Description "Live ID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
36. Open Central Administration.
37. Select Application Management > Manage web applications.
38. Select the web application that you want to use Live ID with.
39. Select Authentication Providers from the ribbon.
40. Select the zone.
41. Select the Trusted Identity Provider in the Claims Authentication Type section.
42. Click save.
43. Navigate to your web application. You should see a drop-down box with Windows and Live ID authentication options.
44. Sign in with a Windows account. Make sure that the Everyone group has been added to the Visitors group. Select the settings gear > Site Settings.
45. Select the People and groups link under the Users and Permissions heading.
46. Select the Visitors group from the left navigation menu.
47. Select New.
48. Type everyone in the account box. Wait for SharePoint to find the Everyone role and click save.
49. Test signing in with a Live ID account.
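Before testing with a Live ID account, it is worth confirming that the trust was created the way the steps intend: that the certificate SharePoint trusts is the one uploaded to ACS and is still valid, that the identifier claim is nameidentifier, that the sign-in URL is HTTPS, that the web application's zone actually lists the provider, and whether Everyone is in Visitors (which step 44 requires, but which also means any Live ID holder can read the site, as drawback 7 warns). The following PowerShell verification script is an added example, not code from the original tip. It assumes the names used in step 35 ("Live ID" and "Windows Azure ACS"), the certificate file from step 27, the realm value from step 35, a placeholder web application URL, and that the Default zone was the one changed in step 40.

```powershell
# Added verification script (not from the original tip). Assumes the names from
# step 35, the certificate file uploaded in step 27, the realm from step 35,
# a placeholder web application URL, and the Default zone from step 40.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$trustName = "Live ID"
$rootName  = "Windows Azure ACS"
$realm     = "http://sharepointsite.com"         # realm entered in ACS (step 11) and step 35
$certloc   = "C:\sharepointsite.com.cer"         # certificate uploaded to ACS in step 27
$webAppUrl = "https://sharepointsite.com"        # placeholder: your web application URL
$nameId    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

function New-Check([string]$Name, [bool]$Pass) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass }
}

$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $trustName
$root     = Get-SPTrustedRootAuthority -Identity $rootName
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
$now      = Get-Date
$mapped   = $issuer.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $nameId }

$checks = @(
    (New-Check "Trust signing certificate matches the file uploaded to ACS" ($issuer.SigningCertificate.Thumbprint -eq $fileCert.Thumbprint)),
    (New-Check "Root authority certificate matches the file uploaded to ACS" ($root.Certificate.Thumbprint -eq $fileCert.Thumbprint)),
    (New-Check "Certificate is within its validity period" (($fileCert.NotBefore -le $now) -and ($fileCert.NotAfter -gt $now))),
    (New-Check "Identifier claim is nameidentifier" ($issuer.IdentifierClaim -eq $nameId)),
    (New-Check "nameidentifier is mapped to a local claim" ($mapped -ne $null)),
    (New-Check "Realm matches the value entered in ACS" ($issuer.DefaultProviderRealm -eq $realm)),
    (New-Check "Sign-in URL uses HTTPS" ($issuer.ProviderUri.Scheme -eq "https"))
)

# The zone chosen in step 40 must list the trusted provider, or the sign-in
# drop-down from step 43 will not offer it.
$wa        = Get-SPWebApplication -Identity $webAppUrl
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$providers = @($wa.IisSettings[$zone].ClaimsAuthenticationProviders)
$checks   += New-Check "Default zone lists the trusted provider" (($providers | Where-Object { $_.DisplayName -eq $trustName }) -ne $null)

# Step 44 puts Everyone (encoded claim c:0(.s|true) in Visitors so that a
# first-time Live ID user is not refused. Report it so it can be reviewed,
# because it grants read access to any Live ID holder, not only intended users.
$web = Get-SPWeb $webAppUrl
try {
    $everyone = $web.AssociatedVisitorGroup.Users | Where-Object { $_.UserLogin -eq "c:0(.s|true" }
    $checks  += New-Check "Everyone is in Visitors (required by step 44; review before production use)" ($everyone -ne $null)
} finally { $web.Dispose() }

$checks | Format-Table Check, Pass -AutoSize
```

Any failed row other than the last is a configuration mismatch to fix before step 49; a mismatched certificate thumbprint in particular means SharePoint will reject every token ACS signs.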
This SharePoint Tip was written by:
Elizabeth Brown is a Consultant/Programmer whose expertise in implementing and customizing SharePoint and CRM is a great addition to the Corporate Renaissance Group team. Elizabeth has over 6 years of experience working in IT, focusing on system analysis and application development and support. In these roles, she worked directly with end users to develop and customize applications to meet long term needs. In addition to SharePoint and CRM, she has extensive experience with web based technologies and SQL databases.