Does SharePoint 2010 support SAML 2.0 assertions?

  • Question

  • I'm configuring a SharePoint application to use AppFabric Access Control Service (ACS).

    After the redirection from the ACS to my SP app, I get the following error on the "_trust" URI

    "D4014: A SecurityTokenHandler is not registered to read security token ('Assertion', 'urn:oasis:names:tc:SAML:2.0:assertion')."

    However, If I configure ACS to issue SAML 1.1 assertions, then everything goes well.

    1) Does SharePoint supports 2.0 assertions "out of the box"?

    2) If no, is it possible to add/enable this support?

    Thanks

    Pedro


    http://pfelix.wordpress.com
    Tuesday, March 15, 2011 4:52 PM

Answers

All replies

  • Yes, I found no SAML 2.0 security token handler registered in Web.Config on my SharePoint 2010 Foundation test machine. Only what follows:

        <securityTokenHandlers>
          <clear />
          <add type="Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
            <samlSecurityTokenRequirement>
              <nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
            </samlSecurityTokenRequirement>
          </add>
          <add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        </securityTokenHandlers>


    If you want to write a custom security token handler to handle SAML 2, you can create a class that derives from Saml2SecurityTokenHandler. Please refer to the following URL for more:

    http://msdn.microsoft.com/en-us/library/ee517261.aspx

    http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.tokens.saml2.saml2securitytokenhandler.aspx

    http://blogs.msdn.com/b/chunliu/archive/2010/04/02/how-to-make-use-of-a-custom-ip-sts-with-sharepoint-2010-part-2.aspx

    http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=36

    • Marked as answer by GuYuming Tuesday, March 22, 2011 6:52 AM
    Friday, March 18, 2011 5:09 AM
  • SharePoint does not support SAML 2.0 currently. We have not tested writing a custom security token handler and will not be supporting this scenario if problems arise from it.

    thanks,

    Amy

    • Marked as answer by GuYuming Monday, February 18, 2013 3:52 AM
    Monday, February 11, 2013 7:25 PM
  • In my opinion, even if we register Saml2SecurityTokenHandler in web.config in SharePoint it will not work. I just think SharePoint 2010/2013 doesn't support it yet ;/

    Tuesday, March 12, 2013 5:29 PM
  • Based on the posts you made recently, I think you have spent more time than me on WIF;

    you make me think it could be the problem in this thread: http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopmentprevious/thread/2493bd71-f9bb-4dc5-ba35-c2a7c1e6562c/#72a8f3e1-bc8e-4511-97c4-81370e8efb80 , something hardcoded to call SPSaml11SecurityTokenHandler.


    Wednesday, March 13, 2013 7:43 AM
  • Yes, there is a Saml2SecurityTokenHandler and we can add this one to web.config, but I think SharePoint internally doesn't support SAML 2.0 so far in spite of all. So meanwhile I've created a SAML 1.1 token from the SAML 2.0 assertion and this works.
    • Marked as answer by GuYuming Wednesday, March 13, 2013 8:23 AM
    Wednesday, March 13, 2013 7:57 AM
  • Hello CaMeL023,

    I am new to authentication providers, can you please provide the steps to create this?

    I have code which accepts SAML 2.0 tokens but I still need to add users to my SP2010 app user list.

    Please help me in removing this obstacle.

    Your help is greatly appreciated.


    Computer is a box with magic called software.

    Thursday, September 25, 2014 4:20 AM
  • Yes, there is a Saml2SecurityTokenHandler and we can add this one to web.config, but I think SharePoint internally doesn't support SAML 2.0 so far in spite of all. So meanwhile I've created a SAML 1.1 token from the SAML 2.0 assertion and this works.

    Hi CaMeL023,

    I am new to authentication providers, can you please provide the steps to create this?

    I have code which can decipher the SAML 2.0 tokens but I am not able to remove the windows authentication - I still need to add users to my SP2010 app user list.

    If this is not supported, I am good to go with SAML 1.1 token from SAML 2.0 assertion.

    Your help is greatly appreciated.


    Computer is a box with magic called software.

    Tuesday, September 30, 2014 7:27 AM
  • Hi CaMeL023,

    Could you please share your experience and some kind of code to develop the same scenario?

    Thanks.



    u Muthu

    Wednesday, October 1, 2014 3:54 PM
  • Hi,

    SharePoint 2010 & 2013 don't accept SAML 2.0, only SAML 1.1. Unfortunately it is not an easy task to implement a solution for this.

    This is the scenario of how I did it:

    BlackBox - IP-IDP (all users)

    HTTPHandler - (RP-STS):

    - reads SAML 2.0
    - transforms SAML 2.0 -> SAML 1.1
    - creates a WIF message as a wrapper for the SAML 1.1 token
    - sends the WIF message into SharePoint (SharePoint accepts the WIF message for correct authorization)
      (WIF = Windows Identity Foundation).

    SharePoint 2013 - client which accepts the message (assertion with claims) from the HttpHandler.

    But additionally I had to configure SharePoint to accept such tokens from a trusted issuer (Trust section in CA, add some certificates to the machine store), so some PowerShell scripts for accepting the claims sent in the SAML assertion must be run on the SharePoint side.

    Thursday, October 2, 2014 9:22 AM
  • That's helpful CameL023,

    However, I have been stuck for more than 2 weeks configuring the same and no one, including me, is happy with it.
    After reading a lot on the internet,

    A. I understand this way:

    1. We already have an SSO provider or IP-IDP (or IP-STS) in our firm which issues SAML 2.0 tokens.
    2. I need to create an RP-STS to act as the intermediary between my sharepoint application and the IP-IDP.
    3. RP-STS needs to redirect the user to the IP-IDP's site for authenticating (asking credentials).
    4. Once the user finishes entering the credentials, the IP-IDP redirects the user back to the IP-STS consumer with a SAML 2.0 token.
    5. My RP-STS has to understand the SAML 2.0 token and ensure that the SharePoint app understands the same - by converting the SAML 2.0 token to SAML 1.1 token.
    6. Then my SharePoint app displays the home page to the user upon successful authentication else, the error page.

    B. This is what I did:

    1. Followed this link - http://msdn.microsoft.com/en-us/library/office/ff955607(v=office.14).aspx
    2. Created a new Web application which uses claims based authentication.
    3. Created a trusted login provider - a simple STSService which uses the STSTestCert certificate.

    C. These are my questions bothering me:

    Q.1. Which type of authentication provider do I need to use?

    • It is definitely not Windows Authentication.
    • It maybe Forms based Authentication.
    • It may also be a trusted provider.

    Q.2. Where does the HTTP handler fit in - the one you specified?

    Q.3. Where exactly do I need to enable SAML 1.1 token accepting feature in my SharePoint app?

    Q.4. You see, in the link under section B 1st point I mentioned earlier, if you look at the left hand navigation tree, you will come to know how confused I am - which one supports SAML and is the fastest?

    So my humble request - please provide the answers to my questions above.


    Computer is a box with magic called software.

    Thursday, October 16, 2014 11:23 AM
  • Hi,

    You must create on the SharePoint side some PowerShell configuration to make your provider (RP-STS - http handler) a trusted issuer. In this configuration you must add some PowerShell scripts to create the right claims in SharePoint for the authorization process. What is also important: you must add the IDP assertion certificate to your trusted store in SharePoint Central Administration (Security -> Trusted Zone (sth like this)), otherwise you will not be able to log in to SP.

    Best regards,

    Kamil


    • Edited by CaMeL023 Tuesday, October 28, 2014 7:49 AM
    Tuesday, October 28, 2014 7:49 AM
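The trusted-issuer setup Kamil describes (register the RP-STS/HTTP handler as a trusted identity token issuer, map the incoming claims, and trust its signing certificate), as an added PowerShell example that is not from this thread. The issuer name, realm, sign-in URL and certificate path are assumed placeholders; the cmdlets are the standard SharePoint 2010 Management Shell ones.

```powershell
# Added example, not from the thread: make the SAML 2.0 -> SAML 1.1 bridge (the RP-STS
# HTTP handler) a trusted identity token issuer for SharePoint 2010.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Token-signing certificate of the RP-STS (public key only). SharePoint checks the
#    signature of every SAML 1.1 assertion against it, so everything this key signs will
#    be accepted: trust the issuer's dedicated signing cert, not a whole CA chain.
$certPath = "C:\certs\rp-sts-signing.cer"   # assumption: exported from the RP-STS
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "RP-STS Signing Cert" -Certificate $cert

# 2. Claim mappings: only mapped incoming claim types survive into the SharePoint identity.
#    The identifier claim must be unique and stable per user (the e-mail address here).
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Realm and sign-in page. The realm is the wtrealm SharePoint sends to the STS and
#    must equal the Audience the RP-STS writes into the SAML 1.1 token, otherwise
#    SPSaml11SecurityTokenHandler rejects the token.
$realm     = "urn:sharepoint:intranet"           # assumption
$signInUrl = "https://rp-sts.example.com/wsfed"  # assumption: the HTTP handler's URL

$issuer = New-SPTrustedIdentityTokenIssuer -Name "Corp RP-STS" `
    -Description "SAML 2.0 -> SAML 1.1 bridge" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# 4. Review what was registered before enabling it on the web application
#    (Central Administration -> Manage web applications -> Authentication Providers).
Get-SPTrustedIdentityTokenIssuer -Identity "Corp RP-STS" | Format-List
```

After this, the trusted provider is selected as an authentication provider on the claims-based web application; users then appear in the site's people picker under that provider, not as Windows accounts.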
  • Hi,

    You must create on the SharePoint side some PowerShell configuration to make your provider (RP-STS - http handler) a trusted issuer. In this configuration you must add some PowerShell scripts to create the right claims in SharePoint for the authorization process. What is also important: you must add the IDP assertion certificate to your trusted store in SharePoint Central Administration (Security -> Trusted Zone (sth like this)), otherwise you will not be able to log in to SP.

    Best regards,

    Kamil


    Hi CaMeL023,

    My situation is that we have an existing SSO provider in our intranet which we would like to use.

    The existing SSO provider accepts and issues tokens based on SAML 2.0.

    Our application is built on SharePoint 2010.

    How do I ensure that both of them communicate in order to allow user access our application? Is it possible? Do I require an STS in this case?


    Computer is a box with magic called software.

    Monday, November 3, 2014 8:04 AM
  • Hi Pedro,

    I found it the hard way but there is no support for SAML 2.0 in SharePoint 2010.

    I had to tailor two custom ASP.NET web pages - one for creating and sending the token and the other one for consuming the reply from my company's identity provider.

    Be aware that the customization I did worked very well when it came to reading the data from my site.

    Since my site was not accepting any data from users, it was smooth overall - but if you provide write functionality on your site, you might need to add an additional layer of verification.

    I was able to capture the IP address but there is nothing called a domain/userid when it comes to this implementation.

    Overall, my approach went well and I am proud of working out a solution for it.


    Computer is a box with magic called software.

    • Proposed as answer by shreeharshas Monday, March 21, 2016 6:55 AM
    Monday, March 21, 2016 6:55 AM