Configuring Windows Live ID as Trusted Identity Provider for SharePoint 2010. - Hiran Salvi's Ramblings - Site Home

UPDATE:

====================

I have come to know that Windows Live team has stopped accepting new Requests to Microsoft Services Manager and they are suggesting to use

Adding Link to TechNet article http://technet.microsoft.com/en-us/library/ff973114.aspx

With Claims based Authentication SharePoint foundation can delegate authentication to Windows Live ID Security Token Service better Known as Microsoft Services Manager (http://msm.live.com) . I am trying to Provide Step by Step Configuration guide for this.

Configure Microsoft Services Manager ( aka: Windows Live ID Security Token Service)

Login to Microsoft Services Manager with your Live ID.
Click on Register Your Site.
You will Discover that you got redirected to INT (Integration) Environment don’t worry about this as this is part of Process.
On Register Page fill-in all required Values and Click Submit (Below is the Information what you would be Required to add)
- Name of your Site :- This is Common name of your site)
- DNS Name for your site in INT environment : This must be unique and you will need to remember this as this will be added as realm on SharePoint Server.
- Select Windows Live ID as Policy Group
- No need to Specify Application ID and Secret Key
- Click Submit
- Verify Details on Confirmation Page and Click Yes
You will get Successful Submission Message which will have link at the bottom which will take you to manage your site page.
On Manage your Site Click on Modify Editable Site Properties.
On this Page You will need to Update following information
- Domain Name : The domain name for which authentication requests to the Live ID STS will be generated. Use a Fully Qualified Domain Name.
- Default Return URL : The URL that the Windows Live ID STS will redirect a user to after successful authentication, for example: https://SharePointwebapplicationURL/_trust/default.aspx.
- DNS Name : The unique identifier provided in an authentication request to the Windows Live ID STS. This unique identifier enables look-up functionality for the Default Return URL. The DNS Name must correspond to the realm value specified in Windows Live ID authentication request. (eg. urn:subdomain:liveid)
- Default Cookie Expire URL : https://SharePointwebapplicationURL/_layout/images/blank.gif
- Override Authentication Policy : Configure the Override Authentication Policy with the following value: MBI_FED_SSL (This Option will not be available if you have not Checked Show advanced Properties)
- Click Submit
- Verify Properties on Confirmation Page and Click Yes to Confirm Changes.
You will have to Submit your Site for Compliance Review before you can Configure Prod environment. Click on links blow to know about Compliance Review
- Compliance Review Process https://msm.live.com/help/en-us/Compliance/C_ComplianceOverview.aspx
- Submitting a Site for Compliance Review https://msm.live.com/help/en-us/Tasks/T_AppsCompliance.aspx
- When to Submit for Compliance Review https://msm.live.com/help/en-us/Compliance/C_ComplianceWhen.aspx

Retrieve X509 Certificate for INT (Integration) Environment

Browse https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml using your Browser.
locate the <KeyDescriptor use=”signing” wsu:Id=”stscer”> node
- Copy Contents within the <X509Certificate> node.
Open Notepad and Paste the contents copied in above Step.
- Save this file as LiveID-INT.cer
Copy this Certificate file (LiveID-INT.cer) Your SharePoint Server.
You We will now need to Import this Certificate using MMC (This Steps needs to be done on all Servers in Farm)
- On SharePoint Server Start > Run > MMC
- From File Menu Choose Add/Remove Snap-in
- Select Certificates Click Add Select Computer Account Click Next
- Select Local Computer and Click Finish
- Now you will need to Import Certificate (LiveID-INT.cer) to following 3 places in MMC
  - Trusted Root Certification Authorities
  - Trusted People
  - SharePoint

Configure SharePoint 2010 to configure Live ID as trusted Identity Provider

Run SharePoint Management Shell as Administrator.
Run Following PowerShell Commands

$realm = "DNS Name Specified in Microsoft Services Manager"

$cert = "C:\Cert\LiveID-INT.cer"

$rootcert = Get-PfxCertificate $cert

New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootcert | Out-Null

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

$ap = New-SPTrustedIdentityTokenIssuer -Name "LiveID-INT" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

Create New Web Application and Select Option Claims Based Authentication.
Check SSL option
From Authentication Types Select Trusted Identity Provider and Select Live ID.

Retrieve Passport Unique ID for your Windows Live ID.

Browse http://account.live.com and login with your live ID.
You will see your Account Information Page after login.
From Account Information Page find Unique ID.
Your Passport Unique ID (PUID) will be uniqueid@live.com

Create Site Collection & login to SharePoint site using Live ID

Create New Site Collection for the Web Application we created in above Steps

Add PUID as Site Collection Administrator

Once you Pass Compliance Review

Login to Microsoft Services Manager and click on Manage your Site
Select Site you would like to Submit for Production
Click on Submit Site Properties to Production
- Update Domain Name , DNS and Default Return URL’s for Production Environment and Click Submit
- Confirm your changes and click yes.

Retrieve X509 Certificate for Prod (Production) Environment

Browse https://nexus.passport.com/federationmetadata2/2007-06/federationmetadata.xml using your Browser.
locate the <KeyDescriptor use=”signing” wsu:Id=”stscer”> node
- Copy Contents within the <X509Certificate> node.
Open Notepad and Paste the contents copied in above Step.
- Save this file as LiveID-PROD.cer
Copy this Certificate file (LiveID-PROD.cer) Your SharePoint Server.
You We will now need to Import this Certificate using MMC (This Steps needs to be done on all Servers in Farm)
- On SharePoint Server Start > Run > MMC
- From File Menu Choose Add/Remove Snap-in
- Select Certificates Click Add Select Computer Account Click Next
- Select Local Computer and Click Finish
- Now you will need to Import Certificate (LiveID-PROD.cer) to following 3 places in MMC
  - Trusted Root Certification Authorities
  - Trusted People
  - SharePoint

Configure SharePoint 2010 to configure Live ID Production as trusted Identity Provider

Run SharePoint Management Shell as Administrator.
Run Following PowerShell Commands

$realm = "DNS Name Specified in Microsoft Services Manager"

$cert = "C:\Cert\LiveID-PROD.cer"

$rootcert = Get-PfxCertificate $cert

New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootcert | Out-Null

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming

$ap = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live.com/login.srf" -IdentifierClaim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

You can Create new SharePoint web application as steps above and use liveid as your trusted Identity Provider or Edit Web Application’s Authentication Provider we created in Steps Above.