Showing posts with label LiveID. Show all posts
Showing posts with label LiveID. Show all posts

Tuesday 19 August 2014

SharePoint 2013 on-prem using Windows Live Id via Azure ACS

Overview:  I have a pretty simple requirement to allow users to register on my customers public SharePoint 2013 web sites.  I have setup custom providers and thought ACS was going to make me a hero at my client.  The whole experience is terrible and I can't see why anyone would use the default of LiveId via ACS due to the implementation.

Opinion: I hate the way ACS works with Windows Live Id, it is so bad I can't see a scenario when a client would use it.

Anyway, I have SP2013 SP1 on-prem and I want to hook at ACS allowing customer to register on the site and get elevate permissions on the site.  I'd like them to use multiple 3rd party authentication providers such as Facebook, Windows Live Id, LinkedIn and Google.  In my PoC I decide to simply use Live Id as it is the default on ACS and as both services are Microsoft owned it must be the easiest. 

I worked thru Wictor Wilem's post series and as usual Wictor has provide a great resource.  I had to make minor adjustments to get it to work for me on SP2013 but overall, Wictors series of posts is a good place to start.

The 1st issue I got was when logging in using Windows Live ID, I was continuously redirect back to the /_login/default.aspx page.

After bashing my head trying to figure out what the issue was I realised in Wictor's common issues post in the series, he mentioned the claims mapping/rule needs to be adjusted for Live ID authentication. 

I now was getting an access denied, which at least told me the claim was hooking up.

The next issue was now I was getting the message you are not authorised "Sorry, this site hasn't been shared with you."

Give all authenticated users access to the site as shown below.

Once you login you will notice a horrible looking user that is logged in.   You can assign permissions using the "Friendly Username".


Common public Federation (IdP) Identifcation provides are:
  • LiveId (MS - not where you would expect the MS offering to be)
  • Google (constantly changing - easy hookup)
  • FaceBook
  • LinkedIn
Common Enterprise IdP Servers/Services are:
  • Microsoft ADFS (best default option for greenfield SP)
  • PingFederate (pretty expensive but a comprehensive solution, use if already in place or the advanced features really suit the business at an enterprise level)
  • ThinkTextures IdentityServer (Great for customisation, difficult support but for the hardcore tecky type organisation a good option)
  • CA-SiteMinder (Good product, used in enterprises and hooks up well to SP.  Has a large set of tools and options).  Update: 19-Nov-2015, seen another large implementation of SiteMinder, it has expensive add-in modules and extremely problematic.  SP agent needs AD groups.
  • RSA Federated Identity Manager (No experience)
  • Entrust GetAccess (No Experience)
  • IBM Tivoli (CAM) (Had a hard time with this a few years back)
  • ComponentSpace (Good for .NET customisations, not a large Federation service Server)