SharePoint is a ASP.NET web application however because of SharePoint specific deployment scenarios this tool is not very useful in a SharePoint context. So i have attempted to create a utility that could be used for similar purposes. SPFedUtil.exe features as it stands today [4:40pm 12/05/2010]

• Displays currently configured SharePoint trusted login providers
• Enables configuration of trusted login provider name and realm
• Federation metadata consumption from a server or file system
• Identity provider certificate verification and CA configuration
• Augmenting list of claims provided by identity provider with a CSV file
• Specifying SharePoint user identity claim type
• Specifying SharePoint claim provider for this trusted login provider
• SharePoint replying party metadata configuration, including contact and organization info
• Configures SharePoint trusted login provider using PowerShell (can be run from the util)
• Emailing of generated relying party metadata to identity provider technical contact

This utility can be found here [download id="2" format="1"] Please feel free to mention this blog as the source of this utility.

I wont clutter up this post with all the images and how to instructions for this utility. I have created a separate project site here. I will endevour to put full how-to documentation on that page. But for now here are a couple of screenshots

[4:44 21/05/2010] Update : bug fixed – Identity provider sign in URL not configured properly during SharePoint trusted provider setup. This now retrieves the sign in URL from the IdP metadata.

This is a beta tool and thus should be used with caution :D

End result … download at the end of the post

See it in action here …
httpv://www.youtube.com/watch?v=trQgdexZC6I

Following list summaries the minimal steps that are required to create a ribbon tab or contextual group

• Location attribute of CustomAction must be as follows

  <CustomAction Id="Cecil.Ribbon.Socialize" Title="Socialize" Location="CommandUI.Ribbon">

• Location attribute of CommandUIDefinition must be either of the following

  <CommandUIDefinition Location="Ribbon.Tabs._children">
  or
  <CommandUIDefinition Location="Ribbon.ContextualTabs._children">

  Former is required for Tabs and later is for ContextualGroup

• Fill in CommandUIDefinition while adhering to the schema which can be found at {14HIVE}\TEMPLATE\GLOBAL\XML\CMDUI.XML
• Create a custom CUI.Page.PageComponent and place it in the _layouts folder
• Place all the command names in either getGlobalCommands or getFocusedCommands
• If your ribbon is in a state when the tab or contextual group should be visible then make sure canHandleCommand returns true
• If your button or other control is in a state when they can be pressed make sure canHandleCommand returns true
• Run code specific to each command in handleCommand method based on the commandId
• Include a reference to Microsoft.Web.CommandUI.dll in your project
• Include the CUI.Page.PageComponent source file then register it by making it available in a web control.

   public class SocializeBootstrapper : WebControl
      {
          protected override void OnPreRender(EventArgs e)
          {
              ScriptLink.RegisterScriptAfterUI(this.Page, "SP.Core.js", false, true);
              ScriptLink.RegisterScriptAfterUI(this.Page, "CUI.js", false, true);
              ScriptLink.RegisterScriptAfterUI(this.Page, "core.js", true, false);
              ScriptLink.RegisterScriptAfterUI(this.Page, "SP.Ribbon.js", false, true);
              ScriptLink.RegisterScriptAfterUI(this.Page, "SP.Runtime.js", false, true);
              ScriptLink.RegisterScriptAfterUI(this.Page, "SP.js", false, true);
              ScriptLink.RegisterScriptAfterUI(this.Page,
                          "SPCecil.Socialize/Socialize.UI.js", false, true);
  
              SPRibbon currentRibbon = SPRibbon.GetCurrent(this.Page);
              currentRibbon.MakeTabAvailable("Cecil.Ribbon.Socialize.Tab");
  
              base.OnPreRender(e);
          }
      }

• The load the control using DelegateControl

  <Control
  		Id="AdditionalPageHead"
  		Sequence="200"
  		ControlClass="$SharePoint.Project.FileNameWithoutExtension$.SocializeBootstrapper"
  		ControlAssembly="$SharePoint.Project.AssemblyFullName$">
  </Control>

[download id="1" format="1"]
If you want to change the button images around its pretty easy to do so, check out this social image set and replace them in the _layouts folder.
if you find this solution helpful please have a link back to this blog.

Microsoft’s SharePoint hands on labs, not that detailed yet but should help get started

Microsoft SharePoint Developer Documentation Blog, just found it very good [7:39 16/4/2010]

Chris O’Brien’s Blog, found this to be most helpful

Wictor Wilén Blog, there is a custom action that he created for quick list creation might use that myself :D

Hope this helps others

    public partial class MyClaim
    {
        public string Identifier { get; set; }
        public string ClaimType { get; set; }
        public string Value { get; set; }
        public string Issuer { get; set; }
        public string OriginalIssuer { get; set; }
        public string ValueType { get; set; }
    }

    public class MyClaimService
    {
        public static MyClaim ReadItem(string id)
        {
            IClaimsIdentity identity = GetClaimsIdentity();
            string[] parts = id.Split(new string[] { "::" },
                        2, StringSplitOptions.RemoveEmptyEntries);
            if (parts != null && parts.Length == 2)
            {
                var claimsOfType = (from c in identity.Claims
                                    where c.ClaimType == parts[0]
                                    select c).ToArray();
                int index = Convert.ToInt32(parts[1]);
                if (claimsOfType != null && claimsOfType.Length > index)
                {
                    Claim selectedClaim = claimsOfType[index];
                    return new MyClaim()
                    {
                        Identifier = id,
                        Value = selectedClaim.Value,
                        ValueType = selectedClaim.ValueType,
                        ClaimType = selectedClaim.ClaimType,
                        Issuer = selectedClaim.Issuer,
                        OriginalIssuer = selectedClaim.OriginalIssuer
                    };
                }
            }
            return null;
        }

        public static IEnumerable ReadList()
        {
            IClaimsIdentity identity = GetClaimsIdentity();
            var claimTypes = (from c in identity.Claims select c.ClaimType).Distinct();
            List myClaims = new List();
            foreach (string claimType in claimTypes)
            {
                var claims = from c in identity.Claims
                             where c.ClaimType == claimType
                             select c;
                int index = 0;
                foreach (Claim c in claims)
                {
                    myClaims.Add(new MyClaim()
                     {
                         Identifier = c.ClaimType + "::" + index,
                         Value = c.Value,
                         ValueType = c.ValueType,
                         ClaimType = c.ClaimType,
                         Issuer = c.Issuer,
                         OriginalIssuer = c.OriginalIssuer
                     });
                    index++;
                }
            }
            return myClaims.ToArray();
        }

        private static IClaimsIdentity GetClaimsIdentity()
        {
            IClaimsPrincipal claimsPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal;
            if (claimsPrincipal != null)
            {
                return (IClaimsIdentity)claimsPrincipal.Identity;
            }
            return new ClaimsIdentity();
        }
    }

And the model definition should look something like this…

<?xml version="1.0" encoding="utf-8"?>
<Model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="MyClaimsDataModel">
  <LobSystems>
    <LobSystem Name="MyClaimsDataModel" Type="DotNetAssembly">
      <LobSystemInstances>
        <LobSystemInstance Name="MyClaimsDataModel" DefaultDisplayName="My Claims" />
      </LobSystemInstances>
      <Entities>
        <Entity Name="MyClaim" Namespace="SPCecil.Connect.MyClaimsDataModel" EstimatedInstanceCount="1000" Version="1.0.0.31">
          <Properties>
            <Property Name="Class" Type="System.String">SPCecil.Connect.MyClaimsDataModel.MyClaimService, MyClaimsDataModel</Property>
          </Properties>
          <Identifiers>
            <Identifier Name="Identifier" TypeName="System.String" />
            <!-- TODO:change the name of the ID and if needed the TypeName of your identifier.-->
          </Identifiers>
          <Methods>
            <!-- start finder method-->
            <Method Name="ReadList">
              <!-- TODO:change the name of the method if needed.-->
              <Parameters>
                <Parameter Direction="Return" Name="returnParameter">
                  <TypeDescriptor TypeName="System.Collections.Generic.IEnumerable`1[[SPCecil.Connect.MyClaimsDataModel.MyClaim, MyClaimsDataModel]]" IsCollection="true" Name="MyClaimList">
                    <TypeDescriptors>
                      <TypeDescriptor Name="MyClaim" TypeName="SPCecil.Connect.MyClaimsDataModel.MyClaim, MyClaimsDataModel">
                        <TypeDescriptors>
                          <TypeDescriptor Name="Identifier" TypeName="System.String" IdentifierName="Identifier" />
                          <TypeDescriptor Name="ClaimType" TypeName="System.String" DefaultDisplayName="Claim Type" />
                          <TypeDescriptor Name="Value" TypeName="System.String" />
                          <TypeDescriptor Name="ValueType" TypeName="System.String" DefaultDisplayName="Claim Value Type" />
                          <TypeDescriptor Name="Issuer" TypeName="System.String" />
                          <TypeDescriptor Name="OriginalIssuer" TypeName="System.String" DefaultDisplayName="Original Issuer" /></TypeDescriptors></TypeDescriptor></TypeDescriptors>
                  </TypeDescriptor>
                </Parameter>
              </Parameters>
              <MethodInstances>
                <MethodInstance Type="Finder" ReturnParameterName="returnParameter" Default="true" Name="ReadList" DefaultDisplayName="All my claims" />
              </MethodInstances>
            </Method>
            <!-- end finder method-->
            <!-- start specific finder method-->
            <Method Name="ReadItem">
              <Parameters>
                <Parameter Direction="In" Name="id">
                  <TypeDescriptor TypeName="System.String" IdentifierName="Identifier" Name="Identifier" />
                </Parameter>
                <Parameter Direction="Return" Name="returnParameter">
                  <TypeDescriptor TypeName="SPCecil.Connect.MyClaimsDataModel.MyClaim, MyClaimsDataModel" Name="MyClaim">
                    <TypeDescriptors>
                      <TypeDescriptor TypeName="System.String" IdentifierName="Identifier" Name="Identifier" />
                      <TypeDescriptor TypeName="System.String" Name="ClaimType" DefaultDisplayName="Claim Type" />
                      <!-- TODO: add typedescriptors when you add properties to entity1.-->
                      <TypeDescriptor Name="Value" TypeName="System.String" />
                      <TypeDescriptor Name="ValueType" TypeName="System.String" DefaultDisplayName="Claim Value Type" />
                      <TypeDescriptor Name="Issuer" TypeName="System.String" />
                      <TypeDescriptor Name="OriginalIssuer" TypeName="System.String" DefaultDisplayName="Original Issuer" /></TypeDescriptors>
                  </TypeDescriptor>
                </Parameter>
              </Parameters>
              <MethodInstances>
                <MethodInstance Type="SpecificFinder" ReturnParameterName="returnParameter" Default="true" Name="ReadItem" DefaultDisplayName="Read my claim" />
              </MethodInstances>
            </Method>
            <!-- end specific finder method-->
          </Methods>
        </Entity>
      </Entities>
    </LobSystem>
  </LobSystems>
</Model>

After deploying a solution containing these artifacts, you should be able to see the model in Central Administration, if you provider the appropriate permissions to the model in Certral Administration the model should work just fine.

Details vs List View :

Above picture show the email address field filled in during picker entity creation from SPClaims provider. This is infact very easy to do. Here is how, i will provide code snippet for both a User entity and Group entity.

For User picker entities,

    private PickerEntity CreatePickerEntityFromUserProfile(UserProfile profile)
    {
        PickerEntity entity = CreatePickerEntity();
        entity.Key = profile.PrincipalName;
        entity.DisplayText = profile.Fullname;
        entity.Description = profile.PrincipalName;
        if (string.IsNullOrEmpty(entity.DisplayText))
        {
            entity.DisplayText = profile.PrincipalName;
        }
        entity.Description = profile.PrincipalName;
        entity.EntityData[UserProfileEntityInfo.PrincipalName] = profile.PrincipalName;
        entity.EntityData[UserProfileEntityInfo.Forenames] = profile.Forenames;
        entity.EntityData[UserProfileEntityInfo.Surname] = profile.Surname;
        entity.EntityData[UserProfileEntityInfo.PreferedName] = profile.PreferedName;
        entity.EntityData[UserProfileEntityInfo.UPI] = profile.UPI;
        entity.EntityData[UserProfileEntityInfo.PrimaryEmail] = profile.PrimaryEmail;
        entity.EntityData[UserProfileEntityInfo.Fullname] = entity.DisplayText;

        entity.Claim = SPClaimProviderManager.CreateUserClaim(profile.PrincipalName,
            SPOriginalIssuerType.TrustedProvider, trustedProviderName);

        entity.EntityType = OrganisationalEntityTypes.User;
        entity.EntityGroupName = OrganisationalEntityTypes.PeopleGroup;
        entity.IsResolved = true;

        return entity;
    }

For Group picker entities,

    private PickerEntity CreatePickerEntityFromContextRole(ContextRole contextGroup)
    {
        PickerEntity entity = CreatePickerEntity();
        entity.Key = contextGroup.ContextRoleName;
        entity.DisplayText = contextGroup.ContextRoleName.ToLower();
        entity.Description = entity.DisplayText;
        entity.EntityData[ContextEntityInfo.Name] = entity.DisplayText;
        entity.EntityData[ContextEntityInfo.PrimaryEmail] = contextGroup.Email;
        entity.EntityData[ContextEntityInfo.DisplayName] = entity.DisplayText;

        if (contextGroup.ContextTypeName == "Stream")
        {
            entity.EntityType = OrganisationalEntityTypes.Stream;
            entity.EntityGroupName = OrganisationalEntityTypes.StreamGroupsGroup;
            entity.Claim = new SPClaim(OrganisationalClaimTypes.StreamRole,
                contextGroup.ContextRoleName, OrganisationalClaimTypes.StreamRoleValueType,
                SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, trustedProviderName));
        }
        else if (contextGroup.ContextTypeName == "Course")
        {
            entity.EntityType = OrganisationalEntityTypes.Course;
            entity.EntityGroupName = OrganisationalEntityTypes.CourseGroupsGroup;
            entity.Claim = new SPClaim(OrganisationalClaimTypes.CourseRole,
                contextGroup.ContextRoleName, OrganisationalClaimTypes.CourseRoleValueType,
                SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, trustedProviderName));
        }
        entity.IsResolved = true;
        return entity;
    }

In the above code snippets, UserProfile and ContextRole are custom classes that hold information about User and Group respectively. You can probably tell this snippet is from a SPClaimProvider specialized for a university, so you don’t have to use all the attributes only the ones that apply to you organization. PeopleEditorEntityDataKeys class has the attribute names that are most often used withing SharePoint. UserProfileEntityInfo and ContextEntityInfo hold string constants specifying the additional column names.

    public class UserProfileEntityInfo
    {
        public const string PrincipalName = "Principal Name";
        public const string Forenames = "Forenames";
        public const string Surname = "Surname";
        public const string PreferedName = "Prefered Name";
        public const string UPI = "UPI";
        public static string Fullname
        {
            get
            {
                return PeopleEditorEntityDataKeys.DisplayName;
            }
        }

        public static string PrimaryEmail
        {
            get
            {
                return PeopleEditorEntityDataKeys.Email;
            }
        }
    }

    public class ContextEntityInfo
    {
        public static string Name
        {
            get
            {
                return "Context Name";
            }
        }

        public static string DisplayName
        {
            get
            {
                return PeopleEditorEntityDataKeys.DisplayName;
            }
        }

        public static string PrimaryEmail
        {
            get
            {
                return PeopleEditorEntityDataKeys.Email;
            }
        }
    }

There are couple of additional benefits to specifying these attributes. Apart from macking user and group identification easy, it lets any custom code which requires people picker to be able to use these additional attributes in its code in an implementation independent way, which is always a very good thing to do while designing new functionality. Second benefit is in regard to groups. I haven’t been able to create custom profiles for groups, however the only profile functionality i wanted for groups is email attribute. If we populate our picker entities during permission granting SharePoint will copy this email address and store it in the site collection. Thus If you did grant permissions to a group and someone wanted to send an email to this group, this is the email address that would be used. We use a distribution list email per group to full fill this requirement. Btw, if anyone else have another way of doing this please let me know, always keen to learn.

This basic functionality might be good enough in certain scenarios but is not the greatest when it comes to user feedback and is very vulnerable to typos. This is why SPTrustedIdentityTokenIssuer can be configured with a custom SPClaimsProvider. Instructions on how to create SPClaimProvider can be found at http://blogs.technet.com/speschka/ . I have created one for our organization, if anyone needs additional code examples please leave a comment and i will try putting a post on how to create it in more detail. After you have created a claim provider you can configure it for trusted identity token issuer from code as follows. Here loginProviderName is the name of the SPTrustedIdentityTokenIssuer that you have configured earlier and claimProviderName is the name of the SPClaimProvider.

SPSecurityTokenServiceManager stsManager = SPSecurityTokenServiceManager.Local;
SPTrustedLoginProviderCollection loginProviders = stsManager.TrustedLoginProviders;
SPTrustedLoginProvider loginProvider = loginProviders.GetProviderByName(loginProviderName);
loginProvider.ClaimProviderName = claimProviderName;
loginProvider.Update();

Or from SharePoint 2010 powsershell as follows

Set-SPTrustedIdentityTokenIssuer -Identity $loginProviderName -ClaimProvider $claimProviderName

One scenario where this becomes even more important is where you don’t want to allow users to sign in using Windows Integrated authentication but need to allow it for search indexing purposes. Yes you can create another zone and enable windows authentication on that zone only. This is a possible option but will complicate search indexing.

In a simpler environment there is a simpler option that does not require any custom coding at all. Here is how to do it… Create a SharePoint Trusted Login Provider. Following links might help you get started with that.

http://blogs.msdn.com/spidentity/archive/2010/01/04/claims-based-authentication-cheat-sheet-part-1.aspx and http://blogs.msdn.com/spidentity/archive/2010/01/23/claims-based-authentication-cheat-sheet-part-2.aspx

Once this is done this will show up in the authentication provider configuration. Here testconnect is the name of the Trusted Login Provider.

After creating the Trusted Login Provider simply specify the following URL (adjusting testconnect to the name of your login provider).

When authentication is required the user will be redirected to this page which looks at the trust parameter in the query string. This parameter is used to automatically redirect the user to the login provider.

This is the quick and dirty way of specifying Sign in page URL. However this is not appropriate for all cases. I will try posting a follow up post that shows how to customize this sign in process a bit more.