Custom SPClaimsProvider for SPTrustedIdentityTokenIssuer

After you have configured an SPTrustedIdentityTokenIssuer in your farm and enabled it as an authentication provider for a web application, you should see the provider as a top-level node in the people picker. You might be a little disappointed at this stage if you try to search for anything in the picker: any text you enter is always resolved by the provider you just configured. This is because SPTrustedIdentityTokenIssuer by default uses its own claim provider, which is quite basic in its functionality. It accepts any text entered by the user as-is, because it is unaware of the attribute source behind your SPTrustedIdentityTokenIssuer.

This basic functionality might be good enough in certain scenarios, but it is not great for user feedback and is very vulnerable to typos: because nothing is validated against an attribute source, a mistyped value is accepted and resolved just like a real one. This is why SPTrustedIdentityTokenIssuer can be configured with a custom SPClaimsProvider. Instructions on how to create an SPClaimProvider can be found at http://blogs.technet.com/speschka/ . I have created one for our organization; if anyone needs additional code examples please leave a comment and I will try to put up a post on how to create it in more detail. After you have created a claim provider you can configure it for the trusted identity token issuer from code as follows. Here loginProviderName is the name of the SPTrustedIdentityTokenIssuer that you configured earlier and claimProviderName is the name of the SPClaimProvider.

// Requires a reference to Microsoft.SharePoint.dll and farm administrator rights.
using Microsoft.SharePoint.Administration.Claims;

// The local Security Token Service manager holds the farm's trusted login providers.
SPSecurityTokenServiceManager stsManager = SPSecurityTokenServiceManager.Local;
SPTrustedLoginProviderCollection loginProviders = stsManager.TrustedLoginProviders;
// Look up the SPTrustedIdentityTokenIssuer by the name given when it was created.
SPTrustedLoginProvider loginProvider = loginProviders.GetProviderByName(loginProviderName);
// Point the issuer at the custom claim provider (by its registered name) and persist the change.
loginProvider.ClaimProviderName = claimProviderName;
loginProvider.Update();

Or from SharePoint 2010 PowerShell as follows:

Set-SPTrustedIdentityTokenIssuer -Identity $loginProviderName -ClaimProvider $claimProviderName
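As an added example (not the author's provider and not code from the linked blog), here is a minimal SPClaimProvider that resolves and searches only against a known attribute source, which is what turns a typo into an unresolved picker entry instead of a silently accepted one. The in-memory dictionary is a constructed stand-in for the real directory, the trusted issuer name testconnect and the e-mail identity claim type are assumptions, and registering the provider with the farm (normally done in an SPClaimProviderFeatureReceiver) is not shown; the class's Name is the value you would pass as claimProviderName.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Hypothetical claim provider for an SPTrustedIdentityTokenIssuer named "testconnect" (assumed name).
// Only values present in the attribute source are resolved; anything else stays unresolved.
public class DirectoryBackedClaimProvider : SPClaimProvider
{
    // Assumed: the issuer's identity claim is the e-mail address claim type.
    private const string IdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    private const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";
    private const string TrustedIssuerName = "testconnect";              // assumed issuer name
    private const string InternalName = "DirectoryBackedClaimProvider";  // value for ClaimProviderName

    // Constructed stand-in for the real attribute source (LDAP, SQL, ...): e-mail -> display name.
    private static readonly Dictionary<string, string> Directory =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", "Alice Example" },
            { "bob@example.com",   "Bob Example" },
        };

    public DirectoryBackedClaimProvider(string displayName) : base(displayName) { }

    public override string Name { get { return InternalName; } }
    public override bool SupportsEntityInformation { get { return false; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return true; } }
    public override bool SupportsSearch { get { return true; } }

    // Build a picker entity whose claim names the trusted issuer as original issuer,
    // so the permission granted matches the claim the user presents after signing in.
    private PickerEntity MakeEntity(string email)
    {
        PickerEntity entity = CreatePickerEntity();
        entity.Claim = new SPClaim(IdentityClaimType, email, StringValueType,
            SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, TrustedIssuerName));
        entity.DisplayText = Directory[email];
        entity.Description = email;
        entity.EntityType = SPClaimEntityTypes.User;
        entity.EntityData[PeopleEditorEntityDataKeys.DisplayName] = Directory[email];
        entity.EntityData[PeopleEditorEntityDataKeys.Email] = email;
        entity.IsResolved = true;
        return entity;
    }

    // Exact match only: a mistyped address is left unresolved rather than accepted as typed.
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved)
    {
        if (!string.IsNullOrEmpty(resolveInput) && Directory.ContainsKey(resolveInput))
            resolved.Add(MakeEntity(resolveInput));
    }

    // Re-resolving an existing claim (e.g. when a permission entry is displayed): check type and value.
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
    {
        if (resolveInput.ClaimType == IdentityClaimType && Directory.ContainsKey(resolveInput.Value))
            resolved.Add(MakeEntity(resolveInput.Value));
    }

    // Substring search over e-mail and display name, capped at maxCount.
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree)
    {
        int added = 0;
        foreach (KeyValuePair<string, string> person in Directory)
        {
            if (added >= maxCount) break;
            if (person.Key.IndexOf(searchPattern, StringComparison.OrdinalIgnoreCase) >= 0 ||
                person.Value.IndexOf(searchPattern, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                searchTree.AddEntity(MakeEntity(person.Key));
                added++;
            }
        }
    }

    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(IdentityClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(StringValueType); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.User); }

    protected override void FillSchema(SPProviderSchema schema)
    {
        schema.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.Both));
        schema.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.Email, "E-mail", SPSchemaElementType.Both));
    }

    // Claim augmentation and hierarchy browsing are not used by this provider.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims) { }
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
}
```

The important detail for a trusted issuer is the original issuer on the claim: if the provider used CreateClaim with its own issuer, the value granted in the picker would not match the claim the STS issues at sign-in and the user would be denied despite appearing in the permission list.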

Custom sign in page URL for SharePoint – quick way

If you have tried to create a SharePoint 2010 web application with multiple authentication providers you might have felt the need for a custom sign-in page. SharePoint 2010 ships with a page that contains a drop-down and lets the user select the authentication provider of their choice. This does not always meet the need, which is why SharePoint 2010 allows the sign-in page to be customized by specifying it during authentication provider configuration.

One scenario where this becomes even more important is when you don't want users to sign in using Windows Integrated authentication but need it enabled for search indexing. Yes, you can create another zone and enable Windows authentication on that zone only. This is a possible option but it complicates search indexing.

In a simpler environment there is a simpler option that does not require any custom coding at all. Here is how to do it. First, create a SharePoint Trusted Login Provider; the following links might help you get started with that.

http://blogs.msdn.com/spidentity/archive/2010/01/04/claims-based-authentication-cheat-sheet-part-1.aspx and http://blogs.msdn.com/spidentity/archive/2010/01/23/claims-based-authentication-cheat-sheet-part-2.aspx

Once this is done, the provider will show up in the authentication provider configuration. Here testconnect is the name of the Trusted Login Provider.

After creating the Trusted Login Provider, simply specify the following URL as the sign-in page URL (adjusting testconnect to the name of your login provider).

When authentication is required the user is redirected to this page, which looks at the trust parameter in the query string. This parameter is used to redirect the user automatically to the named login provider, so the provider selection drop-down is never shown.

This is the quick and dirty way of specifying the sign-in page URL, and it is not appropriate for all cases: it only changes where unauthenticated users are sent, while Windows Integrated authentication stays enabled on the zone for the crawler, so treat it as a convenience rather than an access control. I will try to post a follow-up that shows how to customize this sign-in process a bit more.