Sunday 3 November 2013

Configuring Windows Azure Access Control Service (ACS) and Facebook authentication in SharePoint 2013 – Part 2

This is a two part Post where I will explain how to configure Windows Azure Access Control Services and Facebook authentication in SharePoint 2013. To achieve this we need to set up

  1. One Facebook Application
  2. Adding a Windows Azure Access Control Service
  3. Adding the Certificate & Manage Trust in SharePoint
  4. Registering  custom ACS in SharePoint using PowerShell

1, 2 & 3 are done in Part 1. This part will cover creating a new web application and registering Custom ACS using PowerShell and making my web application aware of this custom ACS.

Read Part 1:

Step by step walk-through follows:

Step 1: Load Windows PowerShell ISE





Step 2: Execute the command to register custom ACS

///////////////////////////////////////////////////    command begins                   ////////////////////////////
Add-PSSnapin Microsoft.SharePoint.PowerShell -erroraction SilentlyContinue

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
   "C:\practice\acssts\ACSCertificate.cer")

New-SPTrustedRootAuthority -Name "SP2013 ACS" -Certificate $cert
$map0 = New-SPClaimTypeMapping -IncomingClaimType
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
   -IncomingClaimTypeDisplayName "NameIdentifier" -LocalClaimType
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username"
$map1 = New-SPClaimTypeMapping -IncomingClaimType
   "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
   -IncomingClaimTypeDisplayName "IdentityProvider" –SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
   -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$realm = "https://sp2013/_trust/default.aspx"

$signinurl = "https:// j4sappreference.accesscontrol.windows.net:443/v2/wsfederation"
$ip = New-SPTrustedIdentityTokenIssuer -Name "SP2013 ACS" -Description "SP2013 ACS"  -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map0,$map1,$map2
   -SignInUrl $signinurl -IdentifierClaim $map0.InputClaimType

///////////////////////////////////////////////////    command ends                   ////////////////////////////








Step 3: Registering custom ACS is done and now you go ahead with creating web application




Step 4: Select Trusted Identity provider as SP2013 ACS





Step 5: Click ok and create web application





Step 6: Create a site collection and give primary site collection as your Facebook account







Step 7: load the new site which is SSL enabled




Step 8: You have option to choose between windows and custom ACS

Step 9: You have two more options to try “Windows Live” and “Facebook”



Step 9: Select “Facebook”




Step 10: Click okay and you are done!



Step 11: You can also log in with windows authentication and Windows Live account as well







Don’t forget to leave a comment if it helps you.
Think Big, Start Small



Configuring Windows Azure Access Control Service and Facebook authentication in SharePoint 2013 – Part 1


This is a two part Post where I will explain how to configure Windows Azure Access Control Services and Facebook authentication in SharePoint 2013. To achieve this we need to set up


  1. One Facebook Application
  2. Adding a Windows Azure Access Control Service
  3. Adding the Certificate & Manage Trust in SharePoint
  4. Registering  custom ACS in SharePoint using PowerShell


Step by step walk-through follows:


Step 1: Create your Facebook Application




1.2. Create a new application


Step 2: Create an Access Control Service in Windows Azure


2.1. Login to your window Azure account (https://manage.windowsazure.com)



2.2. Click on “New” => Active Directory => Access Control => Quick Create



2.3. New Access control creation complete and need to be configured


2.4. Click on the access control which is just created (update this URL in the Facebook page for “website with Facebook login” field).  In my case the URL is:


https://j4sappreference.accesscontrol.windows.net/ now, we will set up Identity Provider, Relying party application, Rule groups


2.5. Setting up Identity provider. Identity provider is Facebook and you need to supply your
Facebook application details in the Identity provider Interface. My sample page is given below




2.6. Click on save button. Facebook Identity provider is added successfully. You will see that windows live account is there by default.


2.7. Setting Relying party and the relaying party is SharePoint. Screen shorts are self-explanatory. However note these points




2.8. Setting Rule Groups. Double click on “Default rule Group for SP 2013 STS Reference”



2.9. Click on “Generate”



2.10. These are the generated rules


2.11. Need to change the input claim type “nameidentifier” to email id so that we get passthrough “emailed” claim from Facebook as “nameidentifier”


2.12. Below screen shows proper “input claim type” and “output claim type”




2.14. Click on Application Integration


2.14. Copy WS-Federation Metadata End Point URL and paste on the browser


2.15. Save keyinfo as “.cer” file


<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
// key info is what is found here
</X509Certificate>
</X509Data>
</KeyInfo>




2.16 Save this file to your local drive. SharePoint should trust this certificate.


Step 3: Adding the Certificate in SharePoint


3.1 Go to CA => Security => Manage Trust



3.2 Upload the certificate to SharePoint





4. Create a new web application and need to register the same using PowerShell



Don’t forget to leave a comment if it helps you.
Think Big, Start Small