Integrating Windows Live ID, Google and Facebook Accounts with SharePoint 2013 - White Paper

Federated authentication hands the authentication step to external identity providers, which send a token back to SharePoint. So, instead of creating accounts internally (in AD or SQL Server) for external users and partners, we can use external authentication providers such as Microsoft Live ID, Google, Yahoo and Facebook accounts (or even an external Active Directory via ADFS) to handle authentication. It's extremely useful for public-facing SharePoint sites, isn't it?

This article walks through step by step on integrating Windows Live ID, Google and Facebook account authentications with SharePoint 2013.

To start with, here are the steps in summary:

  1. We need Windows Azure ACS (Access Control Service) as our Trusted Identity provider. Subscribe and get one.
  2. Add new Identity Provider for SharePoint 2013 with PowerShell.
  3. Authorize users by granting them access to the web application.

Step 1: Configure Azure ACS with required Providers:

Create a Windows Azure Account
We need Windows Azure Access Control Service (ACS) to handle authentication from external entities. From ACS we can choose providers like Microsoft Live ID, Google, etc. Create a Windows Azure account: subscribe for Azure (you must have a Microsoft Live ID and may need a credit card).
Go to: https://www.windowsazure.com/en-us/ and register a new account.


I registered a trial account with Azure. If you are part of any Windows Azure user group, you can obtain a free coupon and get a Windows Azure 30-day free pass at: http://www.windowsazurepass.com/

Create New Azure Access Control Service

Configure Azure ACS

There are four settings we have to configure in ACS.

  1. Identity providers
  2. Relying party applications
  3. Rule groups
  4. Certificates and keys

Proceed with the configurations below one by one.

1. Identity Providers:

Integrate Facebook Authentication with SharePoint 2013:

For Facebook account integration with SharePoint 2013, we need one more step: create a new application in Facebook, and then add Facebook as a provider in ACS.

Now, in ACS:

2. Relying party applications:
A relying party application is generally a web site or application that uses ACS for authentication. In our case, it's our SharePoint site. So, let's create a relying party application.

3. Rule groups:

You can also map additional properties from providers.

4. Certificates and keys:
We have to encrypt the traffic between ACS and our SharePoint environment by exchanging a certificate between Azure ACS and SharePoint, so we need a digital certificate. In development environments you can create an SSL certificate with MakeCert.exe.

MakeCert.exe is part of the Windows SDK. You can download it from: http://go.microsoft.com/fwlink/p/?linkid=84091. MakeCert lives under: C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin. So, in a command prompt, enter:

C:\> cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

MakeCert.exe -r -pe -n "CN=crescent.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 11/15/2014

This will generate the certificate and install it automatically into the trusted certificate store. Or, to also write the private key (.pvk) and certificate (.cer) out to files, you can use:
MakeCert.exe -r -pe -n "CN=crescent.accesscontrol.windows.net" -sky exchange -ss my -len 2048 -e 11/15/2014 -sv "c:\Extranet.pvk" "c:\Extranet.cer"

If makecert.exe is not available, use the IIS self-signed certificate creation with the specified common name, and then export the .CER and .PFX files from the Certificates snap-in in MMC.

Import the Certificate to ACS:

Warning: MakeCert.exe is not recommended for Production environments!


Step 2: Add Azure ACS as a new Trusted Identity Provider

Our authentication providers are ready now! We have to make SharePoint aware of them by creating a new "Trusted Authentication Provider". Here is the PowerShell script to create the new trusted authentication provider.

Add-PSSnapin Microsoft.SharePoint.PowerShell

# Realm we created in Azure
$realm = "http://extranet.crescent.com"

# Replace "crescent.accesscontrol.windows.net" and "extranet.crescent.com" with yours here!
$signinurl = "https://crescent.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2fextranet.crescent.com%2f"

# Location of the certificate generated with Makecert.exe
$certloc = "C:\extranet.crescent.com.cer"
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority "Windows Azure ACS" -Certificate $rootcert

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)

# Map the fields from the rules created for all providers: Facebook, Google & Live ID
# NameIdentifier field
$NameIdentifier = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# Email field
$Email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
# Given Name field
$GivenName = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "Display Name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$AccessToken = New-SPClaimTypeMapping -IncomingClaimType "http://www.facebook.com/claims/AccessToken" -IncomingClaimTypeDisplayName "Access Token" -SameAsIncoming
$Expiration = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration" -IncomingClaimTypeDisplayName "Expiration" -SameAsIncoming

# Create the new Trusted Identity Provider
New-SPTrustedIdentityTokenIssuer -Name "Live ID/Google/Facebook" -Description "Live ID/Google/Facebook" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier, $Email, $GivenName, $AccessToken, $Expiration -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# IdentifierClaim defines the field that is displayed as the user name.
# E.g. if you use only Google:
# New-SPTrustedIdentityTokenIssuer -Name "Google Account" -Description "Google Account" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $NameIdentifier,$Email,$GivenName -SignInUrl $signinurl -IdentifierClaim $Email.InputClaimType
# Make sure that the IdentifierClaim is common to all providers if you are using more than one!

Step 3: Authorize users by granting them access to the web application.

Associate the authentication provider with the target web application:

Grant Users Access:
So the authentication part is done. Now we have to handle authorization on the SharePoint side, as we do for Windows AD accounts. Let's create a user policy that grants all users of the trusted identity provider Read access to all sites in the web application (otherwise, they'll get an "Access denied" error message).
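As an added example (not part of the original post), here is the same user policy created with PowerShell instead of Central Administration, with a listing of the resulting web application policies so you can review exactly what is granted outside of site permissions. It assumes the web application URL http://extranet.crescent.com and the token issuer name "Live ID/Google/Facebook" from the script above; the encoded claim for "All Users (<provider>)" is assumed to follow the c:0!.s|trusted:<name> form SharePoint displays, so compare it with the entry the People Picker shows in your farm.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Added example: grant "All Users (<trusted provider>)" Full Read on the web application.
# Assumed values: the web application URL and the token issuer name created in Step 2.
$webAppUrl    = "http://extranet.crescent.com"
$providerName = "Live ID/Google/Facebook"

$wa  = Get-SPWebApplication $webAppUrl
$sts = Get-SPTrustedIdentityTokenIssuer $providerName

# Encoded claim covering every user authenticated by this trusted provider.
# Assumption: SharePoint encodes it as c:0!.s|trusted:<issuer name, lower case>;
# confirm against the People Picker's "All Users (...)" entry before relying on it.
$encoded = "c:0!.s|trusted:" + $sts.Name.ToLower()
$claim   = New-SPClaimsPrincipal -EncodedClaim $encoded

# Full Read only: this policy applies to every Live ID, Google and Facebook account
# in existence, so anything beyond read access belongs in site-level permissions.
$readRole = $wa.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

# Idempotent: reuse an existing policy for this claim instead of adding a duplicate.
$policy = $wa.Policies | Where-Object { $_.UserName -eq $claim.ToEncodedString() }
if (-not $policy) {
    $policy = $wa.Policies.Add($claim.ToEncodedString(), "All Users ($providerName)")
}
if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Type -eq $readRole.Type })) {
    $policy.PolicyRoleBindings.Add($readRole)
}
$wa.Update()

# Review what the web application now grants to each account or claim.
$wa.Policies | ForEach-Object {
    [pscustomobject]@{
        Account = $_.UserName
        Display = $_.DisplayName
        Roles   = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    }
} | Format-Table -AutoSize
```

Run it in the SharePoint 2013 Management Shell as a farm administrator; the final table should show the new entry with only Full Read bound to it.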

Unit Test:
That's all! We are done!!

Verify that users are able to access the SharePoint site with Google and Facebook accounts.
Source: http://www.sharepointdiary.com/2013/11/integrating-live-id-google-facebook-accounts-with-sharepoint-2013.html