SharePoint 2010 with Live ID

I got Live ID running in Production with SharePoint 2010 after getting approval from Microsoft. This is for the new SharePointDevWiki.com SharePoint 2010 Enterprise site hosted by fpWeb. It will also host EndUserSharePoint.com and SharePointJoel.com to cater for Developers, End Users and IT Pros. We’re very excited about getting this launched for SPTechCon on 20th October. This project has been nearly a year in the making after tossing up the idea at SPC09 over a beer!

I first had it working with Live ID INT, which is the test (pre-production) Live ID environment.

I ended up following Wictor's Visual Guide, which has slightly different PowerShell, and this worked. Following the TechNet article failed with the error:

"The trusted login provider did not supply a token accepted by this farm"

Just thought I’d blog it here. I believe this is to do with the fact that LiveID is currently returning incorrect SAML, but I’m no expert here on this subject.

To add to Wictor's steps when doing this in prod: create the Live ID .cer following Wictor's instructions, but take it from https://nexus.passport.com/federationmetadata2/2007-06/federationmetadata.xml rather than https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml (remove the "-int"). You'll have to add these to the Local Machine certificate store too. I deleted the INT certs as I did this, because I had done the INT work on production. I also removed the INT Trusted Identity Token Issuer by unticking "Live ID INT" on the Web Application and then running Remove-SPTrustedIdentityTokenIssuer "Live ID INT". After that I could run the scripts below with no problems and keep things clean.
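Here is an added example for the certificate step above (my own script, not part of the original post or of Wictor's guide), run from the SharePoint 2010 Management Shell: it pulls the signing certificate out of the production federation metadata, writes the .cer, refuses the INT endpoint outright, removes the leftover INT issuer, and then checks that the trusted root authority in the farm carries the thumbprint the metadata currently publishes, which is the check you want when the STS rotates its signing key. The function names, the C:\SSL path and the authority name are assumptions, and the metadata layout assumed is the standard WS-Federation one (a KeyDescriptor with use="signing" holding an X509Certificate).

```powershell
# Added example, not from the original post. Assumes the standard WS-Federation
# metadata layout; the function names and the paths below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-FederationSigningCert {
    param(
        [Parameter(Mandatory = $true)] [string] $MetadataUrl,
        [Parameter(Mandatory = $true)] [string] $OutFile
    )
    # The INT environment signs with a different key; never import it into a production trust.
    if ($MetadataUrl -match 'passport-int') {
        throw "Refusing to export a signing key from the INT metadata: $MetadataUrl"
    }

    $client = New-Object System.Net.WebClient
    [xml] $md = $client.DownloadString($MetadataUrl)

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only keys published for signing; an encryption key would silently be the wrong trust anchor.
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $nodes = $md.SelectNodes($xpath, $ns)
    if ($nodes.Count -eq 0) { throw "No signing certificate found in $MetadataUrl" }

    $certs = @()
    $i = 0
    foreach ($node in $nodes) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $cert.Import([Convert]::FromBase64String($node.InnerText.Trim()))
        # During a key rollover the metadata can list more than one signing key; keep them all.
        $path = if ($i -eq 0) { $OutFile } else { $OutFile -replace '\.cer$', "-$i.cer" }
        [IO.File]::WriteAllBytes($path, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        Write-Host ("{0}  entityID={1}  thumbprint={2}  expires={3}" -f $path, $md.EntityDescriptor.entityID, $cert.Thumbprint, $cert.NotAfter)
        $certs += $cert
        $i++
    }
    return $certs
}

function Test-TrustedRootThumbprint {
    param(
        [Parameter(Mandatory = $true)] [string] $AuthorityName,
        [Parameter(Mandatory = $true)] [string] $CerFile
    )
    $expected = Get-PfxCertificate $CerFile
    $root = Get-SPTrustedRootAuthority -Identity $AuthorityName -ErrorAction SilentlyContinue
    if ($root -eq $null) {
        Write-Warning "Trusted root authority '$AuthorityName' does not exist yet"
        return $false
    }
    if ($root.Certificate.Thumbprint -ne $expected.Thumbprint) {
        Write-Warning ("'{0}' holds {1}, but the metadata now publishes {2}; re-import the .cer" -f $AuthorityName, $root.Certificate.Thumbprint, $expected.Thumbprint)
        return $false
    }
    return $true
}

# Production metadata (the INT endpoint is the same URL with "passport-int").
$prodMetadata = 'https://nexus.passport.com/federationmetadata2/2007-06/federationmetadata.xml'
Export-FederationSigningCert -MetadataUrl $prodMetadata -OutFile 'C:\SSL\liveidprod.cer' | Out-Null

# Clean out the INT trust first: untick "Live ID INT" on the web application in Central
# Administration, then remove the issuer (the removal fails while a web application still uses it).
Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq 'Live ID INT' } |
    Remove-SPTrustedIdentityTokenIssuer -Confirm:$false

Test-TrustedRootThumbprint -AuthorityName 'Live ID Root Authority' -CerFile 'C:\SSL\liveidprod.cer'
```

Run Test-TrustedRootThumbprint again after the New-SPTrustedRootAuthority line in the script further down; it returns $false until the farm's copy of the certificate matches the one the metadata publishes.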

HUGE CREDIT TO WICTOR WILEN for this!

Things I’ve found

So now that I have it working, I figured I’d raise some issues I’ve found. If any of this is incorrect please let me know and I’ll update this.

The Sign In menu

The Sign In menu shows the PUID of the Live ID in use. You do get a User Profile for the user, which is awesome! I made the "Name" profile property editable by users so they can update it. Once a user has done that, the name they entered is shown instead of the PUID wherever that user shows up.


User Profile Page

Once the user has updated their User Profile, My Profile shows the updated name instead of the PUID too. I also changed my profile picture (it is not linked to the MSN picture).


Presence

You'll also notice that the presence icon shows offline, even though I'm logged into Messenger (honest guv!). I put my Messenger user name into the SIP Address field of my User Profile on the off chance, and no dice there either.


No Email in User Profile

I also noticed it doesn't even pull through the e-mail address. I suspect I might need to add more Claim Type Mappings.


All or Nothing

As the TechNet article says, you need a site you can give "All Users" from Live ID Read access to. This can seem a bit daunting; don't worry, the User Profile Sync won't go and crawl all of Live ID ;-) It only adds users to User Profiles as they authenticate for the first time.

I added my Live ID as Site Collection Administrator and it appears to resolve fine.


But when I log in with that Live ID I get access denied :-(


It turns out you can explicitly add users, but you need to add them by PUID, not by their MSN address (I tried the actual user name and got access denied). To get the PUID, the user needs to log into https://accountservices.passport-int.net/?ru=https://accountservices.passport-int.net/Credentials.srf%3Fvv%3D750%26mkt%3DEN-US%26lc%3D1033&vv=750&mkt=EN-US&lc=1033&id=10 (note that this link points at the INT environment's account services), then go to Credentials and then to View Your Unique ID.


Grouping and Role based

The other thing I found was that if you have multiple site collections, you need to get smarter about adding users. In an AD scenario you'd use AD groups and add each group once with the appropriate permission level. But there is no such thing as groups in Live ID, so you have to add each user to every one of your site collections.

I haven't investigated User Profile Audiences yet to see whether I can compile a group that way; audiences can't be used to grant permissions, but content could be targeted with them.
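Since both of the last two sections come down to "add each user by PUID, to every site collection", here is an added example that scripts exactly that (my own code, not from the original post). It lets SharePoint build the encoded claim for the issuer's identifier claim instead of hand-writing the i:0?.t| prefix, rejects anything that is not a PUID (an e-mail address is the "access denied" case above), applies the list to every site collection in the web application, and reads each user back to confirm the principal resolved. The issuer name "LiveID" is taken from the post's script; the web application URL, the PUIDs and the assumption that a PUID is 16 hex characters are mine.

```powershell
# Added example, not from the original post. Assumes the issuer is named "LiveID"
# as in the post's script; the PUIDs and the web application URL are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LiveIdUserAlias {
    param(
        [Parameter(Mandatory = $true)] [string] $Puid,
        [string] $IssuerName = 'LiveID'
    )
    # Assumption: a PUID is a 16-digit hex value. The Windows Live e-mail address is
    # not accepted by SharePoint here, which is the "access denied" described above.
    if ($Puid -notmatch '^[0-9A-Fa-f]{16}$') {
        throw "'$Puid' does not look like a PUID; Live ID users must be added by PUID, not by e-mail address"
    }
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    # Let SharePoint build the encoded claim for the issuer's identifier claim
    # (i:0?.t|LiveID|<puid>) rather than hand-writing the prefix.
    $principal = New-SPClaimsPrincipal -Identity $Puid -TrustedIdentityTokenIssuer $issuer
    return $principal.ToEncodedString()
}

function Grant-LiveIdAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $WebAppUrl,
        [Parameter(Mandatory = $true)] [string[]] $Puids,
        [string] $PermissionLevel = 'Read',
        [switch] $SiteCollectionAdmin
    )
    $aliases = $Puids | ForEach-Object { Get-LiveIdUserAlias -Puid $_ }
    $added = @()
    # No groups in Live ID, so the same list is applied to every site collection.
    foreach ($site in Get-SPSite -WebApplication $WebAppUrl -Limit All) {
        try {
            foreach ($alias in $aliases) {
                if ($SiteCollectionAdmin) {
                    New-SPUser -UserAlias $alias -Web $site.Url -SiteCollectionAdmin | Out-Null
                } else {
                    New-SPUser -UserAlias $alias -Web $site.Url -PermissionLevel $PermissionLevel | Out-Null
                }
                # Confirm the principal resolved: the user must now exist in the root web.
                $user = Get-SPUser -Identity $alias -Web $site.Url
                $added += ("{0} -> {1} ({2})" -f $alias, $site.Url, $user.DisplayName)
            }
        } finally {
            $site.Dispose()
        }
    }
    return $added
}

# Constructed placeholder PUIDs and URL, not real accounts.
Grant-LiveIdAccess -WebAppUrl 'https://sharepoint.example.com' `
    -Puids @('0003BFFD12345678', '0003BFFD9ABCDEF0') -PermissionLevel 'Read'
```

Until the user has edited the "Name" property in their profile, the DisplayName returned is the PUID itself, so the output lines double as a list of who has not yet signed in and updated their profile.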

Scripts

The working script was as follows (the highlighting has not survived; the difference from the TechNet version is the -IdentifierClaim, which is the nameidentifier claim rather than the e-mail address claim):

$realm = "urn:[blocked]:prod"
$certfile = "C:\SSL\liveidprod.cer"
$rootcert = Get-PfxCertificate $certfile
New-SPTrustedRootAuthority "Live ID Root Authority" -Certificate $rootcert

$emailclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" `
    -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
$upnclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" `
    -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# The identifier claim is the nameidentifier, i.e. the Live ID PUID
$authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm `
    -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live.com/login.srf" `
    -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"


The failing one (from TechNet) was:

$realm = "urn: [blocked]:prod"
$certloc = "C:\SSL\liveidprod.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
New-SPTrustedRootAuthority -Name "Live ID STS Signing Public Key" -Certificate $cert

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" `
    -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" `
    -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Differs from the working script: the identifier claim is the e-mail address claim,
# which (per Wictor's comment below) Live ID does not put in the token
$apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm `
    -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live.com/login.srf" `
    -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
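To see which of the two configurations a farm has actually ended up with, here is an added health check (my own code, not from the post or from TechNet) that reads the issuer back and flags the combination the TechNet script produces: an identifier claim of EmailAddress, which, as Wictor notes in the comments, Live ID never issues. It also warns about mappings that will stay empty, and checks that the issuer's signing certificate is within its validity period and is registered as a trusted root authority. The property names are those of SPTrustedLoginProvider in SharePoint 2010; the function name is an assumption.

```powershell
# Added example, not from the original post. Property names are those of
# SPTrustedLoginProvider in SharePoint 2010; the function name is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-LiveIdIssuer {
    param(
        [string] $IssuerName = 'LiveID',
        # The only claim Live ID puts in the token is the nameidentifier (the PUID).
        [string] $ExpectedIdentifierClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    )
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction SilentlyContinue
    if (-not $issuer) {
        Write-Warning "No trusted identity token issuer named '$IssuerName'"
        return $false
    }
    $ok = $true
    $incoming = @($issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })

    # 1. The identifier claim must be one the provider actually sends, otherwise every
    #    sign-in fails with "did not supply a token accepted by this farm".
    if ($issuer.IdentifierClaim -ne $ExpectedIdentifierClaim) {
        Write-Warning ("IdentifierClaim is '{0}'; Live ID only issues '{1}'" -f $issuer.IdentifierClaim, $ExpectedIdentifierClaim)
        $ok = $false
    }
    if ($incoming -notcontains $issuer.IdentifierClaim) {
        Write-Warning "IdentifierClaim is not among the mapped incoming claims: $($incoming -join ', ')"
        $ok = $false
    }

    # 2. Other mappings are harmless but will stay empty (hence no e-mail in the profile).
    foreach ($c in ($incoming | Where-Object { $_ -ne $ExpectedIdentifierClaim })) {
        Write-Host "Note: the mapping for '$c' will never be populated by Live ID"
    }

    # 3. The signing certificate must be current and trusted by the farm.
    $cert = $issuer.SigningCertificate
    $now = Get-Date
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
        Write-Warning ("Signing certificate {0} is outside its validity period ({1} to {2})" -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter)
        $ok = $false
    }
    $trusted = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    if (-not $trusted) {
        Write-Warning "Signing certificate $($cert.Thumbprint) is not registered as a trusted root authority"
        $ok = $false
    }

    # 4. Realm and sign-in URL, for the record.
    Write-Host ("Realm={0}  SignIn={1}  Identifier={2}" -f $issuer.DefaultProviderRealm, $issuer.ProviderUri, $issuer.IdentifierClaim)
    return $ok
}

Test-LiveIdIssuer -IssuerName 'LiveID'
```

Against the working script above this returns $true and prints a note about the EmailAddress mapping; against the TechNet script it returns $false with the IdentifierClaim warning, which is the configuration behind the error quoted at the top of the post.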



7 thoughts on “SharePoint 2010 with Live ID”

  1. Great post! We have Live ID authentication on our MOSS 2007 site. Making sure Live ID auth worked in SharePoint 2010 was one of the big things we were waiting for before initiating the upgrade process.

    -Eugene

  2. Thanks Jeremy!
    (Unfortunately) Live ID only authenticates the user; it never gives out any claim other than the UUID, regardless of what claims you request. This is by design.
    Cheers
    /WW

  3. Jeremy, can you write few lines about how to get the site approved by Microsoft. I’m gonna try using your info and the ones from Wictor to get to prod.

  4. This sequence was motivated by a conversation had with Phil Coates at a Perth SharePoint Individual Team conference. 

