Integrate Azure ACS with SharePoint in 2 minutes or less

Posted on 12/30/2011 @ 10:52 PM in #SharePoint

2 minutes or less? Bold claim! Keep reading! There are 3 easy steps,

  1. Create a certificate
  2. Setup Azure ACS
  3. Setup SharePoint

#1 Create a certificate

In production environments you will use a real cert, but for now makecert.exe is fine! Use the following command,

makecert -r -pe -n "CN=spf2010" -sky exchange -ss my

This will put the certificate in your personal certificate store. Run "mmc.exe" and add the "Certificates" snap-in to see the cert. Open the cert by double-clicking it and export it twice: once with the private key as a .pfx file, and once without the private key as a .cer file. The .pfx export will also ask for a password. I put my files at c:\code\cert.pfx and c:\code\cert.cer.
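The two exports the post does by clicking through mmc.exe can also be scripted. This is an added example, not code from the original post; it assumes the subject CN=spf2010 from the makecert command above, the output paths c:\code\cert.pfx and c:\code\cert.cer, and a placeholder .pfx password you should replace.

```powershell
# Added example (not from the original post): export the makecert certificate from the
# CurrentUser\My store to a .pfx (with private key) and a .cer (public key only).
$subject = "CN=spf2010"                      # subject used in the makecert command
$pfxPath = "c:\code\cert.pfx"
$cerPath = "c:\code\cert.cer"
$pfxPassword = "CHANGE-ME-placeholder"       # placeholder password, pick your own

# Find the cert makecert created; -ss my put it in the CurrentUser\My store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $store.Certificates |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with subject $subject and a private key in CurrentUser\My" }

# .pfx: private key included, protected by the password (this is what ACS gets for token signing)
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# .cer: public key only (this is what SharePoint gets to verify ACS signatures)
$cerBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $cerBytes)

# Sanity check: the .cer carries no private key and matches the thumbprint of the exported cert
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($public.HasPrivateKey) { throw "$cerPath unexpectedly contains a private key" }
if ($public.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch between store cert and $cerPath" }
Write-Host "Exported $($cert.Thumbprint) (valid until $($cert.NotAfter)) to $pfxPath and $cerPath"
```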

#2. Setup Azure ACS

Go to https://windows.azure.com and login. In the management portal, look for “Service Bus, Access Control & Caching”, click on it, click on the “New” button in the toolbar and create yourself a namespace. You can select service bus and caching if you intend on using those, but at the very minimum, choose to create “Access Control”. The services will take a few minutes to create. Once Access Control is created, click to manage it, which will take you to a new page, the URL will be like this - https://winsmarts.accesscontrol.windows.net/v2/mgmt/web, where winsmarts is your management namespace.

Now in here, click on "Identity Providers" and configure your identity providers; this is as easy as clicking "Add" and hitting OK. I went ahead and set up Google, Windows Live ID and Yahoo. You can also do ADFSv2 etc.

Next, create a relying party application as follows,

  Name: http://spf2010
  Realm: http://spf2010
  Return URL: http://spf2010/_trust/
  Token format: SAML 1.1
  Token Encryption Policy: None
  Token Lifetime: 600
  Identity Providers: Google/Yahoo/Windows Live ID
  Rule Groups: Create a new rule group
  Token Signing: Use dedicated cert, and find and upload the .pfx file you created above.

Next, set up a rule group. Click on Rule Groups in the Azure ACS portal, and choose to generate rules. The default ruleset generated is fine.

It's time to set up SharePoint.

#3. Setup SharePoint to use Azure ACS

You must use a claims-based authentication web application to integrate ACS with SharePoint. ADFSv2 is a possible claims provider.

Before you can use Azure ACS as a possible identity token issuer, you need to register your Azure ACS application inside SharePoint using the following PowerShell script.

  $realm = "http://spf2010";
  $signinurl = "https://winsmarts.accesscontrol.windows.net/v2/wsfederation"
  $map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
  $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\code\cert.cer")
  New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" -Description "ACS" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
  New-SPTrustedRootAuthority -Name "spf2010" -Certificate $cert

Note the last line is very interesting! SharePoint manages its own trusted root certs. Adding your makecert certificate into the machine's trusted root authority store is, well, ignored by SharePoint!
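Before creating the web application it is worth confirming that the two objects the script created agree with each other and with what was typed into the ACS portal. This is an added check, not part of the original post; it assumes the issuer name "Azure ACS", the trusted root authority name "spf2010" and the realm http://spf2010 from the script above.

```powershell
# Added example (not from the original post): verify the SharePoint side of the ACS trust.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS"   # name used in the script above
$root   = Get-SPTrustedRootAuthority -Identity "spf2010"           # name used in the script above
$realm  = "http://spf2010"

# SharePoint checks token signatures against the issuer's signing cert, and builds the chain
# from its own trusted root authorities (not the machine store), so both must hold the same cert.
if ($issuer.SigningCertificate.Thumbprint -ne $root.Certificate.Thumbprint) {
    throw "Signing cert $($issuer.SigningCertificate.Thumbprint) differs from trusted root $($root.Certificate.Thumbprint)"
}

# An expired trust certificate fails every sign-in; makecert certs default to a one year lifetime.
if ($root.Certificate.NotAfter -lt (Get-Date)) {
    throw "Trust certificate expired on $($root.Certificate.NotAfter)"
}

# Realm and sign-in URL must match the relying party's Realm and the ACS WS-Federation endpoint.
if ($issuer.DefaultProviderRealm -ne $realm) {
    throw "Realm mismatch: SharePoint has '$($issuer.DefaultProviderRealm)', ACS relying party uses '$realm'"
}
if ($issuer.ProviderUri.AbsoluteUri -notlike "https://*.accesscontrol.windows.net/v2/wsfederation") {
    throw "Unexpected sign-in URL: $($issuer.ProviderUri.AbsoluteUri)"
}

# The identifier claim SharePoint keys users on must be one of the mapped incoming claim types.
$identityClaim = $issuer.IdentityClaimTypeInformation.InputClaimType
$mappedClaims  = $issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
if ($mappedClaims -notcontains $identityClaim) {
    throw "Identifier claim $identityClaim is not among the mapped claims: $($mappedClaims -join ', ')"
}

Write-Host "Trust OK: issuer '$($issuer.Name)', realm $realm, signing cert $($root.Certificate.Thumbprint)"
Write-Host "Identifier claim: $identityClaim"
```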

Now, you're all set! You can choose to change an existing SharePoint web application to use claims-based authentication as shown here,

http://blah.winsmarts.com/2010-3-Enable_Claims_based_Auth_on_a_SP2010_website,_after_it_has_been_provisioned.aspx

Or, choose to create a new web application. When you create a new web app, ensure that you

  1. Create a port 80 site at http://spf2010
  2. Pick Claims Based Authentication for the site.
  3. Ensure that Azure ACS is checked as a trusted identity provider. If you don't see this option here, you screwed up a step above.

Okay, now create a site collection, and add your Gmail account as the primary site collection admin, and your Active Directory identity as the secondary site collection admin.

Visit http://spf2010. Choose to login using Azure ACS, and login using your Google credentials. BINGO! You're signing in using claims issued by Azure ACSv2 based on Google IDs.

#4. In 2 minutes? Wow! Really?

Okay, maybe 5 minutes. But you might note that this article was all about the steps, boom boom boom, with perhaps not enough explanation of WTH is going on here. Claims auth, WCF, SharePoint and Azure are pretty involved topics. If you'd like to learn more about them, well explained in a manner you can actually retain (not just regurgitated from MSDN), make sure to attend one of my trainings. The next trainings or events you can catch me at are,

Older comments..

On 1/31/2012 5:32:38 PM Michael Vasquez said ..
I receive a 404 error after I have been authenticated. It shows the correct server URL but there is an error. Any ideas?