Configure the identity handling in the public site – Part 4

In the previous post we set up Azure ACS and were able to log out and authenticate, but we hadn't yet configured what happens with the identity that comes back once the user has been authenticated. This video walks through the setup for handling the returned identity.

Below are the example sections I used to edit my web.config file, as shown in the video. It's important to note that these are specific to SharePoint 2013.

 

1. Add to the bottom of the SharePoint section group
——
<section name="ApplicationAuthentication" type="Microsoft.SharePoint.IdentityModel.ApplicationAuthenticationConfigurationSection, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
——

Example
—————————–
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <sectionGroup name="SharePoint">
      <section name="SafeControls" type="Microsoft.SharePoint.ApplicationRuntime.SafeControlsConfigurationHandler, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <section name="RuntimeFilter" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartLimits" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartCache" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartWorkItem" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WebPartControls" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="SafeMode" type="Microsoft.SharePoint.ApplicationRuntime.SafeModeConfigurationHandler, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <section name="MergedActions" type="System.Configuration.SingleTagSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="PeoplePickerWildcards" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="WorkflowServices" type="Microsoft.SharePoint.Workflow.ServiceConfigurationSection, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <section name="BlobCache" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="OutputCacheProfiles" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="ObjectCache" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="MediaAssets" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="ApplicationAuthentication" type="Microsoft.SharePoint.IdentityModel.ApplicationAuthenticationConfigurationSection, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </sectionGroup>
—————————–

2. Add this section declaration before the Microsoft.Dynamics section group.
——
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
——

Example
——————————-
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <sectionGroup name="Microsoft.Dynamics">
      <section name="Session" type="Microsoft.Dynamics.Framework.BusinessConnector.Configuration.SessionConfigurationSection, Microsoft.Dynamics.Framework.BusinessConnector, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <section name="ServerState" type="Microsoft.Dynamics.Framework.Portal.Configuration.ServerStateConfigurationSection, Microsoft.Dynamics.Framework.Portal, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <section name="AppFabricCaching" type="Microsoft.Dynamics.Framework.Portal.Configuration.AppFabricConfigurationSection, Microsoft.Dynamics.Framework.Portal, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </sectionGroup>
————————————

3. Add to the bottom of the config file.
——
<microsoft.identityModel>
  <service saveBootstrapTokens="true">
    <securityTokenHandlers>
      <securityTokenHandlerConfiguration>
        <audienceUris>
          <add value="http://axr3mavm11/sites/public/Enterprise%20Portal/UserRequestLoginAzure.aspx" />
          <add value="http://axr3mavm11/sites/public/" />
        </audienceUris>
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <trustedIssuers>
            <add thumbprint="XXXX87097479B56E21B551E3F60C35FFEFXXXXX" name="http://axr3mavm11" />
          </trustedIssuers>
        </issuerNameRegistry>
        <issuerTokenResolver type="Microsoft.SharePoint.IdentityModel.SPIssuerTokenResolver, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </securityTokenHandlerConfiguration>
      <clear />
      <add type="Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
        <samlSecurityTokenRequirement>
          <nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
        </samlSecurityTokenRequirement>
      </add>
      <add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </securityTokenHandlers>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
      <cookieHandler mode="Custom" path="/" name="techsFedAuth">
        <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </cookieHandler>
    </federatedAuthentication>
  </service>
</microsoft.identityModel>
——

Example
————————————
  <location path="_layouts/15/dmsdownload.aspx">
    <system.web>
      <httpRuntime maxRequestLength="2097151" executionTimeout="3600" />
    </system.web>
  </location>
  <microsoft.identityModel>
    <service saveBootstrapTokens="true">
      <securityTokenHandlers>
        <securityTokenHandlerConfiguration>
          <audienceUris>
            <add value="http://axr3mavm11/sites/public/Enterprise%20Portal/UserRequestLoginAzure.aspx" />
            <add value="http://axr3mavm11/sites/public/" />
          </audienceUris>
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="XXXX687097479B56E21B551E3F60C35FFEFFXXXX" name="http://axr3mavm11" />
            </trustedIssuers>
          </issuerNameRegistry>
          <issuerTokenResolver type="Microsoft.SharePoint.IdentityModel.SPIssuerTokenResolver, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        </securityTokenHandlerConfiguration>
        <clear />
        <add type="Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
          <samlSecurityTokenRequirement>
            <nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
          </samlSecurityTokenRequirement>
        </add>
        <add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </securityTokenHandlers>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
        <cookieHandler mode="Custom" path="/" name="techsFedAuth">
          <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        </cookieHandler>
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>
</configuration>
————————————

 

In the second half of the video we configured the TrustedRootAuthority to be our Azure ACS namespace. These were the commands we used in that sequence:

1. Establish the claims mappings

$claim1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "ACS Name Identifier Claim" -LocalClaimType "http://schemas.microsoft.com/custom/claim/type/2013/07/acs-nameidentifier"
$claim2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" -IncomingClaimTypeDisplayName "ACS Identity Provider" -LocalClaimType "http://schemas.microsoft.com/custom/claim/type/2013/07/acs-identityprovider"
$claim3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "ACS username" -LocalClaimType "http://schemas.microsoft.com/custom/claim/type/2013/07/acs-username"

2. Provide the path to the certificate

$acscert = Get-PfxCertificate c:\temp\ACSCertVM6.cer

It's important that the certificate you import here matches the certificate you used in your Azure ACS setup.

3. Establish the TrustedIdentityTokenIssuer

New-SPTrustedIdentityTokenIssuer -Name "AzureACS" -Description "Azure ACS" -Realm "urn:axr3mavm6:AzureACS" -ImportTrustCertificate $acscert -SignInUrl "https://axr3mavm6.accesscontrol.windows.net/v2/wsfederation" -ClaimsMappings $claim1,$claim2,$claim3 -IdentifierClaim $claim1.InputClaimType

 

-Name

In this example I used AzureACS. You can use any name, but remember what you use, as it gets entered into AX in a later step.

-Realm

As you saw in the video, the realm I created matches the relying party I created on ACS.

-SignInUrl

This will need to match your Azure ACS namespace.

 

4. Load the certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($acscert)

5. Associate the certificate with the TrustedRootAuthority

$spcert = New-SPTrustedRootAuthority -Certificate $cert -Name "ACSTokenSigningCert"
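As an added check that is not part of the original post, the PowerShell script below ties the web.config edits (steps 1 to 3 in the first half) and the trust setup (steps 1 to 5 above) together: it computes the thumbprint of the .cer file, confirms that the trustedIssuers thumbprint in web.config is a clean 40-character hex value equal to it, that the two section declarations and the audience URIs are in place, and that the AzureACS issuer signs with that same certificate. The web.config path is an assumption; the certificate path and issuer name are the ones used above.

```powershell
# Added verification script, not from the original post. $webConfig is an assumed
# path; $certPath and $issuerName are the values used in the steps above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$webConfig  = "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"   # assumption
$certPath   = "c:\temp\ACSCertVM6.cer"
$issuerName = "AzureACS"
$problems   = @()

# Thumbprint of the ACS token-signing certificate that is actually on disk
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$diskThumb = $cert.Thumbprint.ToUpperInvariant()

# Parse web.config; a paste with smart quotes or a truncated line fails right here
[xml]$cfg = Get-Content -Path $webConfig -Raw

# 1. The section declarations from steps 1 and 2 must be present
$spGroup = $cfg.configuration.configSections.sectionGroup | Where-Object { $_.name -eq "SharePoint" }
if (-not ($spGroup.section | Where-Object { $_.name -eq "ApplicationAuthentication" })) {
    $problems += "ApplicationAuthentication is not declared in the SharePoint section group"
}
if (-not ($cfg.configuration.configSections.section | Where-Object { $_.name -eq "microsoft.identityModel" })) {
    $problems += "microsoft.identityModel section is not declared"
}

# 2. Trusted issuer thumbprint: exactly 40 hex characters and equal to the .cer file
$handlerCfg = $cfg.configuration.'microsoft.identityModel'.service.securityTokenHandlers.securityTokenHandlerConfiguration
foreach ($i in $handlerCfg.issuerNameRegistry.trustedIssuers.add) {
    $t = [string]$i.thumbprint
    if ($t -notmatch '^[0-9A-Fa-f]{40}$') { $problems += "thumbprint '$t' has non-hex or extra characters" }
    elseif ($t.ToUpperInvariant() -ne $diskThumb) { $problems += "thumbprint $t does not match $certPath ($diskThumb)" }
}

# 3. Every audience URI must be an absolute, well-formed URI
foreach ($a in $handlerCfg.audienceUris.add) {
    if (-not [Uri]::IsWellFormedUriString($a.value, [UriKind]::Absolute)) { $problems += "bad audience URI '$($a.value)'" }
}

# 4. The issuer created in step 3 must sign with the same certificate web.config trusts
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if (-not $tip) { $problems += "no SPTrustedIdentityTokenIssuer named $issuerName" }
elseif ($tip.SigningCertificate.Thumbprint.ToUpperInvariant() -ne $diskThumb) {
    $problems += "$issuerName signs with $($tip.SigningCertificate.Thumbprint), not $diskThumb"
}

if ($problems.Count -eq 0) { "OK: web.config and $issuerName agree with $certPath" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it in the SharePoint Management Shell on the web front end after step 5; every line it prints as PROBLEM points at one specific paste or trust mismatch to fix before testing the login.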

 

Also in the video I turned on debugging for my web site, which is done with this line in the web.config (set debug back to false once you have finished troubleshooting):

<compilation batch="false" debug="true">

 

Links for Reference

https://technet.microsoft.com/EN-US/library/dn715949.aspx

 

There are a lot of steps in this one, so tread carefully: values like the thumbprint can pick up extra characters when copied and pasted, and lines can get truncated, so check what you have pasted before changing the web.config or executing the commands in PowerShell.

Cheers

Lachlan

6 responses to "Configure the identity handling in the public site – Part 4"


  5. Hi Lachlan,
    I really appreciate your blog! I am on part 4 of configuring Azure ACS Claims Enterprise Portal. We use SharePoint 2010. Do you have an example of adding the different sections to the web config file that would work for SharePoint 2010?

    Thanks!
    Dana

    • Hi Dana
      The structure of the web config edits should be similar, but the version references might be different. I don't have an example currently, as all of the implementations I've worked on have been with SharePoint 2013. SharePoint relies on the Windows Identity Foundation, so it will also depend on the Windows operating system you are running on. So if you follow the standard SharePoint documentation to create a claims site, then you should check the references in the web config that get created on your machine, and then you will be able to copy those for your site.

      Cheers
      Lachlan
