0

Can anyone tell me whether I can create a custom active security tokebn service for sharepoint 2010. I'm basically looking to create a custom sts whereby I dont have to leave the sharepoint site itself in order to log in.

I have seen examples of creating a custom passive sts, but cant see anything for a custom passive sts.

I'm pretty new to WIF, so any pointers or help would be really appreciated.

EDIT (22 Nov 2011): Ok, maybe I'm looking at this all wrong. The first problem is that I have web services and a web site(s) that will need to be claims aware, and resolve requests to each as the same identity (In this case I cannot use a passive sts for the services). The second problem is that I want to be able to integrate the logon facility onto the homepage of my web site - my understanding is that this cant be achieved with a passive sts.

EDIT (28 Nov 2011): So on the recomendations below I have implmented thinktecture identity server. I've got this to work in the passive scenario quite easily, but am still unable to get this to work with the ws-trust endpoint (active scenario). I've been trying to create a custom login webpart using WSTrustChannelFactory and UserNameWSTrustBinding, but whenever I call ValidateToken I get an error stating "The issuer of the token is not a trusted issuer". Trust should be already established, as I can login using the passive logon mechanism.

Matt

Matt Whetton
  • 6,616
  • 5
  • 36
  • 57
  • When relying on claims based identity, you always "leave" the site. That's the whole point: outsourcing authentication to somebody else. If you are worried about look and feel, then yes, there're ways of customizing the experience but it will always be a separate entity. The first question you need to ask is why do you think you need claims based identity. "Active" and "Passive" STSs refer to something else that I suspect doesn't apply to your scenario. – Eugenio Pace Nov 22 '11 at 01:19
  • I've edited my post above - any help would be appreciated – Matt Whetton Nov 22 '11 at 12:03
  • 1
    You are correct that you need an "Active STS" for the web services (SOAP). One more question: who calls these services? A client? or SharePoint on behalf od the user? Also, the logon will be initiated from the web sites, but it will happen somewhere else (the STS). You can of course customize that so it looks like your own (e.g. same look and feel). The Identity Server mentioned by @nzpcmad is a good start if you want to build a custom STS. – Eugenio Pace Nov 22 '11 at 15:52
  • Thanks @EugenioPace - the web services will be called by both SharePoint (on behalf of the user) and some users may call them directly (only certain users will be able to call them directly). I was hoping that sharepoint would broker the request to the STS (without leaving the actual site) - is this not possible? I'll have a look at the identity server codeplex project. – Matt Whetton Nov 22 '11 at 16:54

2 Answers2

1
  • I have seen examples of creating a custom passive sts, but cant see anything for a active? passive sts.

Have a look at Identity Server. It's an active and passive custom security token service.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
0

After spending a significant amount of time on this I got to the root of my problem (I think). I was trying to create a custom logon webpart that could be deployed on the homepage of my application. It turns out that somewhere in the ValidateToken implementation there is a call to SPPassiveIssuerName.GetIssuerName. Within this method there is a decision made based on the result of a call to TrustedProviderSignInPage.IsTrustedPageRequest (this method returns true if the hhtpcontext request is for something within the http://xxxx/_trust/ virtual directory).

If TrustedProviderSignInPage.IsTrustedPageRequest returns true, SharePoint looks in the TrustedLoginIssuerNameRegistry which is fine as my certificate is registered as trusted. However, if it returns false SharePoint only checks the LocalLoginIssuerNameResgistry - which is basically hard coded to only return the built-in login issuer. As my homepage doesnt reside in the /_trust/ directory this is never going to work - which is incredibly annoying!

So in summary - you can probably only do this in SharePoint the page you're planning to put your login control on is in the /_trust/ directory.

IMPORTANT EDIT (01/12/2011): So after being thoroughly deflated yesterday, I had the idea of replacing the SharePoint built in issuer name registry (SPPassiveIssuerNameRegistry) with the standard ConfigurationBasedIssuerNameRegistry and adding in my IP-STS as a trusted issuer. This got me a little further along the line, but I was still getting an error when calling SetPrincipalAndWriteSessionToken, that the issuer could not be found in the issuer name registry. I couldn't work this out for hours, but in the end I decided ti implement a custom issuer name registry. After some debugging, it turns out that at some point during the claims creation process, SharePoint attempts to validate its built-in security token service (even though I'm not using it). So I reverted bag to the configuration based issuer name registry, and added in the SharePoint one as a trusted issuer (as well as my own) - and it all seems to work - woop! I'll blog the full solution at some point and post back here with a link. Lets hope it sticks!!

Matt

Matt

Matt Whetton
  • 6,616
  • 5
  • 36
  • 57