Windows Live ID as an Authentication Provider for SharePoint On Premise

This article discusses the steps that enable the Microsoft Live ID as an authentication provider for SharePoint 2013 On Premise using Microsoft Azure Active Directory

Environment: SharePoint 2013 Enterprise (on premise), Visual Studio 2012, Microsoft Azure

SharePoint does not have a build in option to configure Windows Live ID as Identity Provider, so we need to Setup ACS (Access Control Service) and add Windows Live ID as identity provider. Azure Access Control Service can be used to authenticate your SharePoint 2013 users with Azure AD. In this configuration Azure AD becomes a trusted identity provider for SharePoint 2013.

The following figure shows how authentication works for SharePoint 2013 users in this configuration.

References:

https://technet.microsoft.com/en-in/library/dn635311.aspx

Following are the steps to setup Azure ACS.

1. Create a new Azure AD tenant

2. Create new namespace

3. Click Manage to navigate to Azure ACS Management Portal

4. To add a WS-Federation identity provider to the namespace, Click on Identity Providers link under Trust relationships section, click Add, select Windows Live ID and click Next button

5. To add SharePoint as a relying party application, click on Relying party applications link under Trust relationships section, click Add and provide details about your SharePoint web application.

6. Create a rule group for claims-based authentication

7. Click Add to create a new Rule Group, click Generate and make sure that a rule is created to the group to pass nameidentifier as nameidentifier, as illustrated by the following figure.

8. Map the new Rule group to the replying party application

9. Click on Add under Certificates and Keys section to configure the X.509 certificate.

10. Execute the PowerShell script provided in the Add Token-Signing Certificate or Key page to create a certificate.

MakeCert.exe -r -pe -n "CN=cpazureacs.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 09/23/2017

Navigate to MMC > File > Add/Remove Snap-in > select Certificates > click Next > Select My User Account > click Finish to add Certificates in Selected Snap-ins > click Ok.

MMC > Expand Certificates - Current User > Personal > Certificates > select the appropriate namespace > select Export > click Next > select Yes, export the private key > select Personal Information Exchange > click Next > provide password and click Next > Provide Path to export the certificate and click Next > click Finish

11. Upload the certificate and Save

Reference: https://msdn.microsoft.com/en-us/library/gg185932.aspx

Execute the following line of PowerShell script to create a trusted identity provider and add in to SharePoint.

$realm = http://ilinksys121.abc:3333/ #the sign in URL can be copied from Application Integration > Login Page Integration $signinurl=https://cpazureacs.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2filinksys121.abc%3a3333%2f #Certificate location $certloc = "D:\cpazureacs.cer" $rootcert = Get-PfxCertificate $certloc New-SPTrustedRootAuthority "Windows Azure ACS" -Certificate $rootcert $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc) $NameIdentifier = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn $Email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming New-SPTrustedIdentityTokenIssuer -Name "Live ID" -Description " Live ID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier, $Email, -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" $sts = Get-SPTrustedIdentityTokenIssuer $sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

12. Set Windows Live ID as trusted Identity Provider for the Web Application

13. Grant permission to access the Web Application

14. Login to the Web Application with live ID.

Note that the user name is showing some characters and not the user name or email address. This is because the Windows Live ID does not provide user details and send only name identifier in the SAML Assertion/Response. You can check the SAML Assertion sent in the response using Fiddler tool.

In order to get the user name and email address, we can use the Live Connect API. We need to create an ‘application’ on Live Connect and get the client Id of your application. This client Id is used to get the user data with the help of Live SDK.

Following is the URL of the blog post by Martin Laukkanen, which has a sample code and steps that can be used to get the user name and email address of a Live ID user. You can extend the sample as per your requirement.

http://nearbaseline.com/2013/03/sharepoint-and-windows-live-id/

Screen shots after adding the sample web part to update the user details.