Sunday, October 30, 2016

Login to SharePoint using Google Account

This post shows how to let users log in to an on-premises SharePoint web application with a Google account. Google is not wired into SharePoint directly: Windows Azure Access Control Service (ACS) is configured with Google as an identity provider and with the SharePoint web application as a relying party, and SharePoint in turn trusts ACS as its trusted identity provider. ACS turns the Google sign-in into a SAML 1.1 token signed with a certificate that SharePoint trusts.

Step 1: Create a Google API project
  • Go to the Google Developers Console
  • Sign in if you have an account, otherwise create an account and log in
  • Click on Create Project
  • Enter a name for your project, e.g. SharePoint Authentication, and click Create. The project takes a few seconds to create and you will then be taken into the app.
  • Click on APIs & auth (make sure you have enabled the Google+ and Gmail APIs)
  • Click on Consent Screen
  • Enter a name for your project and click Save
  • Click on Credentials
  • Click on Create new Client ID
  • Select Web application and click on Create Client ID
  • Copy the Client ID and Client secret from the screen that is displayed. The client secret is the credential ACS presents to Google, so treat it like a password: paste it into ACS in step 3 and do not keep it anywhere else.
Step 2: Create a Windows Azure Access Control Namespace
  • Log into the Azure portal at https://manage.windowsazure.com/ and click on New
  • Select App Services, Active Directory and finally Access Control
  • Enter a name for your access control namespace, select the region you are in and click Create
  • Click on Active Directory from the navigation menu on the left
  • Click on Access Control Namespaces
  • Select the namespace that you have just created and click on Manage
  (Microsoft later restricted the creation of new ACS namespaces, see the comments below, and retired ACS entirely in November 2018.)
Step 3: Configure Access Control Service
  • Click on Identity providers
  • Click on Add
  • Select Google and click on Next
  • Enter the Client ID and Client secret that you copied from your Google app in step 1 and click Save
  • Click on Relying party applications
  • Click on Add
  • Enter a name for the relying party application in the Name field
  • In Realm enter the URL of your SharePoint web application. Note the exact string (scheme, host and trailing slash): SharePoint must send precisely this value as its realm in step 5, otherwise ACS will not issue a token for it.
  • In Return URL enter the URL of your SharePoint web application followed by /_trust. This is the endpoint where SharePoint accepts the posted token, and ACS will only post tokens to this address.
  • In Token format select SAML 1.1 (SharePoint's trusted identity provider accepts only SAML 1.1 tokens)
  • Change the Token lifetime (secs) to 3000 and click Save. The lifetime must be longer than SharePoint's logon token cache expiration window (10 minutes by default); if the ACS token expires first, SharePoint sends the user straight back to ACS and you get a redirect loop. 3000 seconds is comfortably above that without keeping a token valid for hours.
  • Click on Rule Groups
  • Click on Add
  • Enter a name for the rule group and click Save
  • Click on Generate
  • Select Google and click on Generate. This creates pass-through rules so that the claims Google supplies (name, e-mail address and so on) are copied into the token ACS issues to SharePoint.
  • Click Save
Step 4: Certificates and Keys
  • Click on Certificates and Keys
  • Click on Add
  • Select your relying party application from the drop down list (you created it in step 3)
  • On the page copy the MakeCert command
  • On your client machine you will need to generate a certificate to be used for the trust. Launch a command prompt as administrator, navigate to the directory where makecert is installed and run the copied command.
  • If you don't have makecert, it is part of the Windows SDK.
  • The certificate will be placed in your certificate store. Export it twice: as a .cer (public key only, e.g. spauthenticate.cer, for SharePoint) and as a password-protected .pfx (with the private key, e.g. spauthenticate.pfx, for ACS). The private key is the token-signing key: anyone holding the .pfx can mint tokens that SharePoint will accept as if they came from ACS, so give it a strong password, upload it only to ACS and delete the local copy afterwards. The .cer contains no secret.
  • Return to your access control service browser window
  • Click on Browse
  • Browse to the .pfx file you created in the previous step and click Open
  • Enter the password and click Save
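The export in the step above can be done from PowerShell instead of the certificate MMC. The following is an added example, not code from the original post: it locates the MakeCert certificate in the CurrentUser\My store, checks that it still has its private key and has not expired, and writes the public .cer and the password-protected .pfx. The subject pattern (the ACS namespace name used elsewhere on this page) and the output folder are assumptions; the Export-Certificate and Export-PfxCertificate cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): export the MakeCert certificate as the
# public .cer for SharePoint and the private .pfx for ACS.
# Assumptions: MakeCert put the certificate in the CurrentUser\My store and its subject
# contains the ACS namespace name below; both are placeholders, change them to match.
$subjectPattern = "*sharepointappslogin.accesscontrol.windows.net*"   # assumed subject
$outDir         = "C:\Certificates"                                   # assumed output folder

# Newest matching certificate wins if MakeCert was run more than once
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like $subjectPattern } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate matching $subjectPattern in CurrentUser\My" }

# Without the private key ACS could not sign tokens with this certificate
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); logins will fail after that date"
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Public key only: this is what New-SPTrustedRootAuthority needs on the SharePoint server
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir "spauthenticate.cer") | Out-Null

# Private key: upload this to ACS under Certificates and Keys, then delete the local copy.
# Whoever holds this file can mint tokens that SharePoint will accept.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password to protect the .pfx"
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "spauthenticate.pfx") -Password $pfxPassword | Out-Null

"Thumbprint (compare it later in Central Administration and in ACS): $($cert.Thumbprint)"
```

The thumbprint printed at the end is worth keeping: it is the quickest way to confirm that the certificate ACS signs with and the certificate SharePoint trusts are the same one.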
Step 5: SharePoint Configuration
  • Logon to your SharePoint server
  • Copy the .cer file you created in a previous step to the server
  • Open the SharePoint Management Shell as administrator
  • Run the following PowerShell commands, replacing the realm with the URL of your SharePoint web application (exactly as you entered it in the ACS relying party, including scheme and trailing slash), the sign-in URL with the one for your own ACS namespace, and the path with the location of your .cer file
    # Realm: must match the Realm of the ACS relying party application character for character
    $realm = "https://apps.sharepoint.com/"
    # ACS WS-Federation endpoint for your namespace; wtrealm carries the same realm value
    $signinurl = "https://sharepointappslogin.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https://apps.sharepoint.com/"
    # Public-key (.cer) half of the token-signing certificate whose .pfx was uploaded to ACS
    $certlocation = "C:\Certificates\spauthenticate.cer"
    $rootcertificate = Get-PfxCertificate $certlocation
    New-SPTrustedRootAuthority "GoogleTrust" -Certificate $rootcertificate
    $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certlocation)

    # Claim mappings: each incoming claim type may be mapped only once
    # Email field (also used as the identifier claim)
    $Email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
    # Given name field
    $GivenName = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "Display Name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    # Subject name field
    $Subject = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/identity/claims/subject" -IncomingClaimTypeDisplayName "Subject" -SameAsIncoming

    New-SPTrustedIdentityTokenIssuer -Name "Google Authentication" -Description "Google Authentication" -Realm $realm -ImportTrustCertificate $certificate -ClaimsMappings $Email,$GivenName,$Subject -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

  • Once you have run the PowerShell commands you will need to add the identity provider to your web application.
  • Open SharePoint Central Administration
  • Click on Application Management
  • Click on Manage Web Applications
  • Select the Web Application that will be using Google for authentication
  • Click on Authentication Providers in the ribbon
  • Select the relevant zone; this will be Default if you only have one zone.
  • Scroll down the window, select Trusted Identity provider, tick Google Authentication and click Save
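Before testing in a browser it is worth checking that what SharePoint now holds matches what ACS was given, since the three classic failures (wrong certificate, realm mismatch, redirect loop) all come from this step. The script below is an added example, not part of the original post. It assumes the names used on this page ("Google Authentication", "GoogleTrust", C:\Certificates\spauthenticate.cer) and the 3000-second token lifetime set in ACS in step 3; change them to match your own setup.

```powershell
# Added example (not from the original post): sanity-check the trust created in Step 5.
# Assumed names/values from this page; change them to match your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName              = "Google Authentication"
$rootName                = "GoogleTrust"
$certlocation            = "C:\Certificates\spauthenticate.cer"
$acsTokenLifetimeSeconds = 3000    # the value set on the ACS relying party

$tip  = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$root = Get-SPTrustedRootAuthority -Identity $rootName
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certlocation)
$sts  = Get-SPSecurityTokenServiceConfig
$problems = @()

# 1. SharePoint must trust exactly the certificate whose private key was uploaded to ACS.
#    A mismatch means every token is rejected, or a stale certificate is still trusted.
if ($tip.SigningCertificate.Thumbprint -ne $file.Thumbprint) {
    $problems += "Issuer signing certificate is not $($file.Thumbprint)"
}
if ($root.Certificate.Thumbprint -ne $file.Thumbprint) {
    $problems += "Trusted root authority '$rootName' is not $($file.Thumbprint)"
}
if ($file.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($file.NotAfter)"
}

# 2. The realm SharePoint sends must equal the wtrealm in the ACS sign-in URL (and the
#    Realm of the ACS relying party) byte for byte: scheme, host and trailing slash.
if ($tip.ProviderUri.Query -match 'wtrealm=([^&]+)') {
    $wtrealm = [uri]::UnescapeDataString($Matches[1])
    if ($wtrealm -ne $tip.DefaultProviderRealm) {
        $problems += "Realm '$($tip.DefaultProviderRealm)' differs from wtrealm '$wtrealm'"
    }
} else {
    $problems += "Sign-in URL has no wtrealm parameter"
}

# 3. ACS tokens must outlive SharePoint's logon token cache window, otherwise users are
#    bounced back to ACS in an endless redirect loop.
$window = $sts.LogonTokenCacheExpirationWindow.TotalSeconds
if ($acsTokenLifetimeSeconds -le $window) {
    $problems += "ACS token lifetime $acsTokenLifetimeSeconds s is not greater than LogonTokenCacheExpirationWindow $window s"
}

# 4. Show what each incoming claim is mapped to. Permissions are granted against the
#    identifier claim, so it must be a claim Google actually sends (the e-mail address).
$tip.ClaimTypeInformation | Format-Table InputClaimType, MappedClaimType, DisplayName -AutoSize
"Identifier claim: $($tip.IdentityClaimTypeInformation.MappedClaimType)"

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { "Trust '$issuerName' looks consistent." }
```

If check 3 fails, either raise the token lifetime on the ACS relying party or lower LogonTokenCacheExpirationWindow with Set-SPSecurityTokenServiceConfig; raising the ACS lifetime is the smaller change.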

Step 6: Testing
  • Open a web browser and navigate to your root site collection on the web application. You should get a drop down list showing the logon options. You can customize this page and set it as the custom login page for the trusted identity provider.
  • Select Google Authentication and you should get the Google authentication page.
  • Enter your Google credentials and click Sign in.
  • You should be returned to your SharePoint page. You will probably be given an access denied message because the account has not been given any rights to your site. Grant rights as you would normally.
  • When granting rights to Google users you will need to use the full e-mail address, exactly as Google reports it. The people picker does not query Google: it cannot resolve a name it has not seen before, but it will accept whatever you type as a new user, so a mistyped address silently creates a permission entry that nobody can ever log in with. Once a user has signed in or been added, the picker will resolve them.
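Because the people picker validates nothing, granting access from PowerShell with an explicitly built claim is the safer route for anything scripted or bulk. The following is an added example, not code from the original post: it builds the e-mail claim for the "Google Authentication" issuer used on this page, encodes it the way SharePoint stores trusted-provider identities, and adds the user to a site with a permission level. The site URL, e-mail address and permission level are placeholders.

```powershell
# Added example (not from the original post): grant a Google user access to a site
# without the people picker. Issuer name is the one used on this page; site URL,
# e-mail address and permission level are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "https://apps.sharepoint.com/"      # assumed web application URL
$email      = "someone@gmail.com"                 # assumed Google account
$permission = "Read"                              # assumed permission level
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$tip = Get-SPTrustedIdentityTokenIssuer -Identity "Google Authentication"

# Refuse anything that is not shaped like an e-mail address: a mistyped value would
# silently create a permission entry that no real login can ever match.
if ($email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "'$email' is not an e-mail address" }

# Build the claim exactly as ACS issues it (identifier claim = e-mail address) and encode
# it the way SharePoint stores it, e.g. i:05.t|google authentication|someone@gmail.com
# ('5' is SharePoint's code for the e-mail claim type, 't' marks a trusted provider).
$principal = New-SPClaimsPrincipal -ClaimValue $email -ClaimType $emailClaim -TrustedIdentityTokenIssuer $tip
$encoded   = $principal.ToEncodedString()

$web = Get-SPWeb $siteUrl
try {
    $existing = $web.SiteUsers | Where-Object { $_.UserLogin -eq $encoded }
    if ($existing) {
        "$encoded already exists in $siteUrl; nothing added"
    } else {
        New-SPUser -UserAlias $encoded -Web $web -PermissionLevel $permission | Out-Null
        "Granted '$permission' on $siteUrl to $encoded"
    }
} finally {
    $web.Dispose()
}
```

The encoded login string is also what you will see in the site's user list and in ULS logs for this user, so it is a handy value to search for when an access-denied result needs explaining.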

7 comments:

  1. I have wasted my whole week by looking for a post like this. Thanks for sharing this useful post and I have implemented this. Really appreciate.

    Replies
    1. https://www.linkedin.com/pulse/login-sharepoint-using-google-trusted-identity-provider-jollgin-sam?trk=prof-post

  2. How about a LinkedIn provider for on-prem SharePoint? Is there any connector available in Azure?

  3. No Jinson, Azure does not have a LinkedIn provider option. You can write a custom STS and set it as a Trusted Identity provider for your SharePoint web application.

    Thanks, Jollgin

  4. I'm getting hung up on Step 2:

    - Log into the Azure portal https://manage.windowsazure.com/
    Click on new

    - Select App Services, Active Directory and finally Access Control

    Is it possible this is moved to a different location? Can't seem to find anything related to Access Control or Identity Providers in the Azure Portal.

    Replies
    1. Hello Jeremy,

      You can get Access Control Namespaces under your Active Directory.

      Login to https://manage.windowsazure.com

      Click on Active Directory

      'Access Control Namespaces' will be your second tab and click on that.

      Click New at Bottom - Select Access Control and Quick create

    2. unfortunately... https://azure.microsoft.com/en-us/blog/acs-access-control-service-namespace-creation-restriction/