I got Live ID running in Production with SharePoint 2010 after getting approval from Microsoft. This is for the new SharePointDevWiki.com SharePoint 2010 Enterprise site hosted by fpWeb. It will also host EndUserSharePoint.com and SharePointJoel.com to cater for Developers, End Users and IT Pros. We’re very excited about getting this launched for SPTechCon on 20th October. This project has been nearly a year in the making after tossing up the idea at SPC09 over a beer!
I had it working with Live ID INT, which is the test authentication environment. The error I then hit was:
"The trusted login provider did not supply a token accepted by this farm"
Just thought I'd blog it here. I believe this is to do with the fact that Live ID is currently returning incorrect SAML, but I'm no expert on this subject.
To add to Wictor's steps, when doing it in production: make sure you create the Live ID .cer following Wictor's instructions, but grab it from https://nexus.passport.com/federationmetadata2/2007-06/federationmetadata.xml rather than https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml (i.e. remove the "-INT"). You'll have to add these to the local machine certificate store too. I deleted the INT certs while doing this, as I had done the INT work on the production farm. I also removed the INT Trusted Identity Token Issuer by unticking "Live ID INT" on the Web Application and then running Remove-SPTrustedIdentityTokenIssuer "Live ID INT". After that I could run the scripts below with no problems and keep things clean.
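An added example (not from the original post or from Wictor's instructions) that exports the production Live ID signing certificate from the federation metadata into the .cer the script below feeds to New-SPTrustedRootAuthority, and checks whether the farm already trusts it. It assumes the farm can reach nexus.passport.com and that the SharePoint snap-in is available; the output path is the one used in the post.

```powershell
# Added example, not the post's own code. Assumes network access to nexus.passport.com.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$metadataUrl = "https://nexus.passport.com/federationmetadata2/2007-06/federationmetadata.xml"  # production, no "-int"
$certPath    = "C:\SSL\liveidprod.cer"   # same path the post's script uses

function Export-SigningCertFromMetadata {
    param([string]$MetadataXml, [string]$OutFile)

    [xml]$md = $MetadataXml
    # Federation metadata is SAML 2.0 metadata; the STS signing key sits under
    # KeyDescriptor use="signing" / ds:KeyInfo / ds:X509Data / ds:X509Certificate
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $nodes = $md.SelectNodes($xpath, $ns)
    if ($nodes.Count -eq 0) { throw "No signing certificate found in metadata" }
    if ($nodes.Count -gt 1) { Write-Warning "Metadata lists $($nodes.Count) signing certs; exporting the first" }

    # The element holds base64 DER, so the decoded bytes are already a valid .cer file
    $bytes = [Convert]::FromBase64String($nodes.Item(0).InnerText.Trim())
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
}

$client = New-Object System.Net.WebClient
$cert = Export-SigningCertFromMetadata -MetadataXml $client.DownloadString($metadataUrl) -OutFile $certPath

"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"

# Avoid registering the same cert twice (or leaving a stale INT cert behind):
# list every trusted root authority that already carries this thumbprint
Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint } |
    ForEach-Object { Write-Warning "Already trusted as '$($_.Name)'; no need to add it again" }
```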
HUGE CREDIT TO WICTOR WILEN
Things I’ve found
So now that I have it working, I figured I’d raise some issues I’ve found. If any of this is incorrect please let me know and I’ll update this.
The Sign In menu
The Sign In menu shows the PUID for the Live ID in use. You get a User Profile for the user, which is awesome! I made the "Name" property editable by users so they can update this. That means wherever the user actually modifies things it'll show that rather than the PUID.
User Profile Page
Once the user has updated their User Profile, the My Profile page changes from the PUID too. I also changed my profile pic (it is not linked to the MSN pic).
You’ll also notice that the presence icon is offline. Even though I’m logged into Messenger (honest guv!). I put my Messenger User Name into the SIP in my User Profile on the off chance and no dice there either.
No Email in User Profile
I also noticed it doesn’t even pull through the e-mail. I suspect I might need to add some more Claim Type Mappings.
All or Nothing
As the TechNet article says, you need a site you can give "All Users" from Live ID Read access to. This can seem a bit daunting; don't worry, the User Profile Sync won't go and crawl all of Live ID. It only adds users to User Profiles as they authenticate for the first time.
I added my Live ID as Site Collection Administrator and it appears to resolve fine.
But when I log in with that Live ID it doesn't work.
Turns out you can explicitly add users, but you need to add them with their PUID, not their MSN address (I tried with the actual user name and got access denied). To get the PUID you need the user to log into this site https://accountservices.passport-int.net/?ru=https://accountservices.passport-int.net/Credentials.srf%3Fvv%3D750%26mkt%3DEN-US%26lc%3D1033&vv=750&mkt=EN-US&lc=1033&id=10
and then go to Credentials and then to View Your Unique ID.
Grouping and Role based
So the other thing I found was that if you have multiple Site Collections, you need to get smarter about adding users. In an AD scenario you'd use AD Groups and add each AD Group once with the appropriate Permission Level. But there is no such thing as groups in Live ID, so you have to add each user to all of your Site Collections.
I haven't investigated User Profile Audiences yet, to see whether I can compile one that way; an audience can't grant permissions, but it could be used to target content.
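Since there are no groups to lean on, the per-site-collection work can at least be scripted. The following is an added example (not from the original post) that grants a list of Live ID users the same permission level on every site collection in a web application, adding each one by PUID through the trusted provider rather than by MSN address. It assumes the issuer is named "LiveID" as in the script later in the post; the web application URL and the PUIDs are placeholders.

```powershell
# Added example, not the post's own code. Issuer name matches the post's script;
# the web application URL and PUIDs below are placeholders to replace.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "LiveID"
$webAppUrl  = "https://sharepointdevwiki.example"      # placeholder web application
$permission = "Read"
$puids = @(                                            # placeholder PUIDs, one per Live ID user
    "<PUID of first user>",
    "<PUID of second user>"
)

function Add-LiveIdUsersToAllSites {
    param([string]$WebAppUrl, [string]$IssuerName, [string[]]$Puids, [string]$PermissionLevel)

    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $webApp = Get-SPWebApplication -Identity $WebAppUrl

    # Get-SPSite in a pipeline disposes each SPSite once the script block is done with it
    Get-SPSite -WebApplication $webApp -Limit All | ForEach-Object {
        $root = $_.RootWeb
        foreach ($puid in $Puids) {
            # Build the claim for the provider's identifier claim (nameidentifier = PUID)
            # and turn it into the encoded login name SharePoint stores for the user
            $principal = New-SPClaimsPrincipal -Identity $puid -TrustedIdentityTokenIssuer $issuer
            $login = $principal.ToEncodedString()

            $existing = Get-SPUser -Identity $login -Web $root -ErrorAction SilentlyContinue
            if ($existing -ne $null) {
                Write-Host "$($root.Url): $login already present, skipping"
                continue
            }
            New-SPUser -UserAlias $login -Web $root -PermissionLevel $PermissionLevel | Out-Null
            Write-Host "$($root.Url): added $login with $PermissionLevel"
        }
    }
}

Add-LiveIdUsersToAllSites -WebAppUrl $webAppUrl -IssuerName $issuerName -Puids $puids -PermissionLevel $permission
```

Re-running the script is safe because users already present on a site collection are skipped rather than re-added.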
The working script was (the highlighting of the difference from the failing script below did not survive; compare how the certificate is loaded and which claim is used as the -IdentifierClaim):
# Realm registered with Live ID for the production site (the value is redacted in this post)
$realm = "urn:[blocked]:prod"
# Signing certificate exported from the production federation metadata
$certfile = "C:\SSL\liveidprod.cer"
$rootcert = Get-PfxCertificate $certfile
New-SPTrustedRootAuthority "Live ID Root Authority" -Certificate $rootcert
# The post uses $emailclaim without showing its definition; assumed here to be the
# EmailAddress mapping from the TechNet script, passed through with the same claim type
$emailclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
# The nameidentifier claim (the PUID) is mapped to UPN and doubles as the identifier claim
$upnclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
The failing one (from TechNet) was:
$realm = "urn:[blocked]:prod"
$certloc = "C:\SSL\liveidprod.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc);
New-SPTrustedRootAuthority -Name "Live ID STS Signing Public Key" -Certificate $cert;
# $map1 is used below but not shown in the post; in the TechNet script it is the EmailAddress mapping (assumed here)
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming;
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
# Unlike the working script, the identifier claim here is EmailAddress rather than nameidentifier
$apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress";