Tuesday, July 14, 2015

Close Modal Dialog on submit/cancel in application page

Assumption: The modal dialog is opened using SP.UI.ModalDialog.showModalDialog().

Add the following code inside a script tag on the application page.

window.onunload = function () {
    // Runs when the application page unloads (after submit or cancel) and closes
    // the dialog that was opened with showModalDialog(), returning OK to the caller.
    SP.UI.ModalDialog.commonModalDialogClose(SP.UI.DialogResult.OK, 'SP.UI.DialogResult.OK');
};

Friday, July 10, 2015

Users are not resolved in the people picker when SAML is enabled for the web application

Issue:
Users are not resolved in the people picker when SAML is enabled for the web application

Reason:
When a user authenticates to the SharePoint Portal, Azure AD does not include the user's group membership in the SAML token received by SharePoint, so SharePoint does not know which groups the user belongs to and therefore cannot authorize based on groups. The federation services are authentication systems only.

As per Microsoft, “When a web application is configured to use claims-based authentication, People Picker uses claims providers to resolve and display users, groups, and claims in the user or group text box. The information that SharePoint displays depends on the claims provider that is used by the authentication method that was configured for the web application.”

See Also: https://technet.microsoft.com/en-us/library/gg602078.aspx#about  

Solution:
Create a custom claims provider. The claims provider queries Active Directory or any LDAP directory to add search capabilities to the people picker in SAML authentication mode (typically ADFS).
When searching for a user we cannot go directly to ADFS because it has no search function. Instead, the custom claims provider queries an authentication store or directory such as Active Directory directly, retrieves the list of matching users, and so provides name resolution.

Thursday, July 9, 2015

Cannot login to SharePoint site enabled with SAML based authentication using WAAD

Environment: SharePoint 2013, Windows Azure AD service as Identity Provider.


Issue: Cannot log in to the SharePoint Portal; the user gets a "Session has timed out" error. Steps to reproduce:
  1. Open the SharePoint Portal.
  2. The Portal redirects to the Azure login page.
  3. After providing credentials, the page redirects back to the Azure login page.

Cause: There is no SAMLResponse cookie available to validate the credentials, which is why the login fails. The FedAuth cookie that the SharePoint STS sets before redirecting to the SharePoint application is expiring. This occurs because the cookie lifetime has exceeded the lifetime of the token issued by ACS, so SharePoint immediately redirects to get a new SAML token from ACS.

The login page keeps looping because the default LogonTokenCacheExpirationWindow for the SharePoint STS is 10 minutes. By default the relying party sets the token lifetime in ADFS to 2 minutes, so as soon as the user is authenticated SharePoint knows the cookie is good for less time than the LogonTokenCacheExpirationWindow value. Therefore it goes back to ADFS to authenticate again, and so it goes, back and forth. So I needed to change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime.

Findings: The first time that you navigate to a SharePoint Portal that is secured with SAML claims, it redirects you to get authenticated and get your claims. Your SAML identity provider, also known as the identity provider security token service (IP-STS), does all that and then redirects you to SharePoint. When you come back into SharePoint, SharePoint creates a FedAuth cookie; that is how SharePoint knows that you have been authenticated. To make a smoother end-user experience, SharePoint writes the FedAuth cookie value to the local cookies folder. On subsequent requests for that site, if SharePoint finds a valid FedAuth cookie for the site, SharePoint reads the cookie and takes you directly to the SharePoint content, without reauthenticating.
The token lifetime is determined by the Relying Party Trust in ADFS, and is stamped with the local time of that server before being sent to SharePoint. SharePoint decides when it considers the token expired (based on the LogonTokenCacheExpirationWindow property). Both of these properties can be changed, but unless you have a very specific scenario there is likely no need; the default values work fine.

Resolution:

The default lifetime for the SharePoint Relying Party in ACS and the STS token cache lifetime are both 10 minutes. You can increase the SAML token lifetime in ACS on the SharePoint Relying Party trust to something higher than 600 seconds (10 minutes) so that the FedAuth cookie cache window is shorter than the SAML token lifetime.
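The SharePoint-side check and fix, as an added PowerShell example that is not part of the original post. It assumes the SharePoint snap-in on a farm server and that $TokenLifetimeMinutes is set to the lifetime configured on the relying party trust in ACS (or ADFS); the relying party name in the ADFS comment is a placeholder.

```powershell
# Added example: compare the SharePoint STS LogonTokenCacheExpirationWindow with the
# SAML token lifetime and shorten the window when it is not smaller than the lifetime.
# Assumption: run on a SharePoint farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: lifetime configured on the SharePoint relying party trust (10 minutes is
# the ACS default named in the post). Read it from ACS/ADFS rather than guessing it.
$TokenLifetimeMinutes = 10

$sts = Get-SPSecurityTokenServiceConfig
$window = $sts.LogonTokenCacheExpirationWindow

Write-Host ("Token lifetime (RP trust)          : {0} min" -f $TokenLifetimeMinutes)
Write-Host ("LogonTokenCacheExpirationWindow    : {0} min" -f $window.TotalMinutes)

if ($window.TotalMinutes -ge $TokenLifetimeMinutes) {
    # The FedAuth cookie is valid for (token lifetime - cache window); when the window
    # is equal to or larger than the lifetime the cookie is expired on arrival and the
    # STS redirects to the identity provider again, producing the login loop.
    $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 1
    $sts.Update()
    Write-Host "Window lowered to 1 minute. Run iisreset on every web front end to apply it."
} else {
    Write-Host "Cache window is already shorter than the token lifetime; no change needed."
}

# Alternative on the identity provider side when ADFS (not ACS) issues the token:
# raise the token lifetime instead of lowering the SharePoint window, e.g.
#   Set-AdfsRelyingPartyTrust -TargetName "<SharePoint RP trust name>" -TokenLifetime 20
# (TokenLifetime is in minutes; run on the ADFS server.)
```

Whichever side you change, re-run the script afterwards to confirm the window is strictly smaller than the token lifetime before testing the login.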

See Also: http://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx

Monday, July 6, 2015

Convert SharePoint web application from HTTP to HTTPS

Environment: SharePoint 2013, Web Application created with Windows authentication

Requirement: Convert an existing web application from HTTP to HTTPS.


Configuration

  • Create a self-signed certificate. If there is no valid certificate issued by a CA, you must create a self-signed certificate:
    • Launch IIS: in the Run dialog, type inetmgr and click OK.
    • When IIS opens, select the parent (server) node and double-click Server Certificates.
    • On the Server Certificates screen, click the “Create Self-Signed Certificate” link in the Actions pane.
    • In the Create Self-Signed Certificate dialog, specify a friendly name and click OK.
    • The new certificate is listed on the Server Certificates screen.
    [Screenshots: Create a self-signed certificate; Specify Friendly Name; Server Certificates]
  • Right-click the Portal site on which you want to enable SSL and click “Edit Bindings”.
  • Click “Add”. Select “https” as the Type, enter the port number in “Port:”, select the SSL certificate and click “OK”.
  • Make sure the new HTTPS binding is listed in Site Bindings.
    [Screenshots: IIS - Edit Bindings; Add Site Binding; Site Bindings]
  • In SharePoint Central Administration, go to Application Management -> Configure Alternate Access Mappings.
  • Select the portal with “Change Alternate Access Mapping Collection”.
  • Click “Edit Public URLs”.
  • Enter the HTTPS URL in the Intranet zone. The format is https://[server name with fully qualified domain name]:[port number given for HTTPS], e.g. https://xyz.com:31450
    [Screenshots: Configure Alternate Access Mappings; Edit Public URLs; Edit Public Zone URLs]
  • Run IISRESET from a command prompt, then open the Portal HTTPS URL in the browser.
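The same conversion scripted in PowerShell, as an added example that is not part of the original post. The IIS site name "SharePoint - 80" and the web application URL are assumptions; the host xyz.com and port 31450 come from the post's example URL.

```powershell
# Added example: HTTP-to-HTTPS conversion of a SharePoint web application using the
# IIS WebAdministration module and the SharePoint snap-in. Run as a farm administrator
# on a web front end. Site name and web application URL are assumed values.
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteName  = "SharePoint - 80"   # assumption: IIS site hosting the web application
$HostName  = "xyz.com"           # FQDN from the post's example
$HttpsPort = 31450               # HTTPS port from the post's example
$WebAppUrl = "http://xyz.com"    # assumption: current HTTP URL of the web application

# 1. Self-signed certificate, as in the post. Use this only for test/dev: browsers will
#    not trust it, so production needs a CA-issued certificate for the same host name.
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation "cert:\LocalMachine\My"

# 2. Add the HTTPS binding to the IIS site and attach the certificate to that port.
New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)" |
    New-Item -Path "IIS:\SslBindings\0.0.0.0!$HttpsPort"

# 3. Publish the HTTPS URL in the Intranet zone of the alternate access mappings.
New-SPAlternateURL -WebApplication $WebAppUrl -Url "https://${HostName}:$HttpsPort" -Zone Intranet

# 4. Restart IIS and confirm the HTTPS binding is present on the site.
iisreset
Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -eq "https" }
```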

SharePoint 2013 Upgrade matrix

This article describes how deployed solution packages can be upgraded. The upgrade approach depends on the kinds of changes made in the newer version of the solution. The following table lists the supported upgrade options based on the changes in the new solution.

S.No. | Items                                                                                                                  | WSP Upgrade | Feature Upgrade | Using SOM / PowerShell
1     | Code level changes (DLL changes)                                                                                       |             |                 |
2     | JS, HTML related changes                                                                                               |             |                 |
3     | SharePoint mapped folder file changes (Control Templates, Layouts, Images)                                             |             |                 |
4     | Master file changes                                                                                                    |             |                 |
5     | Feature event receiver code changes                                                                                    |             |                 |
6     | New features addition                                                                                                  |             |                 |
7     | Remove existing feature                                                                                                |             |                 |
8     | Modify existing features                                                                                               |             |                 |
9     | Add new Site Column                                                                                                    |             |                 |
10    | Remove existing Site Column                                                                                            |             |                 |
11    | Modify existing Site Column                                                                                            |             |                 |
12    | Add Content Type                                                                                                       |             |                 |
13    | Remove Content Type                                                                                                    |             |                 |
14    | Modify Content Type                                                                                                    |             |                 |
15    | Changes in files uploaded in Document library using Modules (only for change in file properties, new files addition)   |             |                 |
16    | Remove files from Document Library                                                                                     |             |                 |
17    | Add new list                                                                                                           |             |                 |
18    | Remove existing list                                                                                                   |             |                 |
19    | Modify existing List                                                                                                   |             |                 |
20    | Add new list items                                                                                                     |             |                 |
21    | Remove existing list items                                                                                             |             |                 |
22    | Modify existing List items                                                                                             |             |                 |

Integrating Oracle Access Manager with SharePoint 2013

Requirement

Integrate Oracle Access Manager (OAM) with SharePoint and sync user profiles. Import user profiles from Active Directory and OAM. The imported profiles should resolve in the people picker. The scope of this development is targeted at SharePoint 2013.

Implementation Options

Integrate OAM with LDAP store

  • Enable synchronization of Oracle Identity Manager roles, users, and their hierarchy to an LDAP directory.
  • Enable Identity Administration integration with Oracle Access Manager (OAM).
  • Synchronize user profiles between the SharePoint Server directory and the Access Manager directory.
References:

Sync with BCS data


  • Integrate Oracle data into SharePoint by creating a connection through the BCS to the Oracle database and then using it as a secondary import source for SharePoint.
  • User Profile Service: SharePoint uses the Active Directory connection as the primary store and the Business Data connection as the secondary store for user profiles. Import user profiles from Active Directory first, then import profile properties from the BCS external store (e.g. the OAM database), and create a connection of type BCS with a one-to-one or one-to-many mapping between the imported Active Directory properties and the BCS store.
References:


Implementing a custom claim provider


  • Create a claims provider that understands Oracle Access Manager and authorizes access to SharePoint resources.
  • When SharePoint gets the request, it first forwards the request to the SharePoint security token service so that it can convert the Windows identity to a claims identity.
  • The custom claims provider can be used to vouch for the identity in hand and look the user up in Oracle. It is designed to write any required attributes into the claims of the SAML token and send it back to SharePoint.


References:

SharePoint 2013: Personalize a page and configure Web Parts to create a personal view.

Scope
Site users can personalize a page and configure Web Parts to create a personal view.

Implementation:

Out of the box approach

Personalize this Page
- On pages, site contributors can add Web Parts to create a personal view of the page. For example, a Web Part can be added to a page so that it is visible only to the user who added it. When a user personalizes a page, other users continue to see the public (shared) version or their own personalized version. Once a page is personalized, the user can choose to view either the personal version or the shared version.
  [Screenshot: Personalize the page]
  • Create a Web Part page “My Page”.
  • Check the following permission levels at the Web Application level and the user group level in order to enable the “Personalize this Page” menu in the site for the user.
    [Screenshot: Enable personalize this page menu]
  • Restrict the personal page from showing all Web Parts in the Add Web Part list by assigning appropriate permissions on the Web Part Gallery.

The following customizations need to be carried out:
  • Hide the Ribbon on page edit.
  • Enable the “Personalize this Page” option only for the custom “My Page”; hide this menu on all other pages.

Custom approach
  • Create a list “PersonalizableWebParts” holding the list/library names that can be configured as personal Web Parts. The list data should be configurable by the administrator through the portal UI.
  • Add a menu item “My Page” to the User/Welcome menu in SharePoint.
  • Create a Web Part page with the following Web Part Zones and layout.
    [Screenshot: Web Part Zones and layout]
  • Create a custom Web Part that displays the items in the PersonalizableWebParts list and provides an “Add to Web Part” button for the right Web Part Zone.
  • Create a single Web Part in the right zone with four sections built from table/div elements.
  • Load four different user controls into the four sections based on the user's selection.
  • Save the user's selection of user controls and load it automatically next time.
  • The page should grant read permission to all users. Adding a Web Part should be executed programmatically using elevated privileges.
  • Set a default view for each Web Part.

Limitations/Risks

There are a few limitations/risks in using the out-of-the-box SharePoint features to personalize pages.
  1. Using Target Audiences for the Web Parts added to “My Page”: if multiple users add Web Parts with an audience set, there will be multiple copies of the Web Part on the page, which leads to performance issues. Also, the order/alignment the users set for displaying the Web Parts cannot be retained.
  2. Web Part Zones do not have a personalization option like Web Parts do.
  3. Personal Site: a Personal Site gives users a central location to manage and store documents, content, links, and contacts. Content providers can use My Site as a way of customizing the information they present to users. However, this feature is supported only on SharePoint Server and not on Foundation versions.