Thursday, December 22, 2011

SharePoint 2010 OAM Integration

This document outlines the steps involved in integrating SharePoint 2010 with Oracle Access Manager (OAM) 10g.

Prerequisites:

  • SharePoint 2010 is installed and configured. You are able to create web applications and site collections.
  • OAM environment is installed and configured (Access Servers, Identity Servers, etc.).
  • An AccessGate is configured in OAM for the WebGate installation.
  • A Policy Domain is configured for this resource (the SharePoint 2010 URL).
  • The following Return Attributes are set up for Authorization Success in the Authorization Expression:

HeaderVar IMPERSONATE uid (or samaccountname)
HeaderVar SP_SSO_UID uid (or samaccountname)
COOKIE OAMAuthCookie uid (or samaccountname)
Assumptions:

  • The main web application will be created on port 8081 (claims-based authentication, NTLM only).
  • The main web application will be extended to the Internet zone on port 80 with forms-based authentication only, using CustomLDAPMembershipProvider as the membership provider and CustomRoleProvider as the role provider.


Step 1
In the web.config of Central Administration (C:\inetpub\wwwroot\wss\VirtualDirectories\24195\web.config; on your server the folder name may be different), don't forget to make a backup first.

REPLACE
<roleManager><providers></providers></roleManager><membership><providers></providers></membership>
WITH
<roleManager>
<providers>
<add name="CustomRoleProvider" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389"
useSSL="false"
groupContainer="dc=[Company],dc=com"
groupNameAttribute="cn"
groupMemberAttribute="uniquemember"
userNameAttribute="uid"
groupFilter="(ObjectClass=groupOfUniqueNames)"
userFilter="(ObjectClass=inetorgperson)"
scope="Subtree" />
</providers>
</roleManager>
<membership>
<providers>
<add name="CustomLDAPMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389"
useSSL="false"
useDNAttribute="false"
userNameAttribute="uid"
userContainer="dc=[Company],dc=com"
userFilter="(objectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
Step 2
Deploy OAMCustomMembershipProvider.dll to the GAC using gacutil.exe (C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\gacutil.exe; the path could be different on your server):

gacutil -i D:\OAM\access\oblix\apps\webgate\OAMCustomMembershipProvider\OAMCustomMembershipProvider.dll

Alternatively, drag and drop OAMCustomMembershipProvider.dll into c:\windows\assembly.

Step 3
In the web.config of the SecurityTokenServiceApplication application (under the SharePoint Web Services site):
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config
Don't forget to make a backup first.

Add the block below right under </system.net>:
<system.web>
<membership>
<providers>
<add
name="CustomLDAPMembershipProvider" type="Oracle.CustomMembershipProvider, OAMCustomMembershipProvider,Version=1.0.0.0, Culture=neutral, PublicKeyToken=52e6b93f6f0427a1, processorArchitecture=AMD64"
server="[LDAP Server Name]"
port="389"
useSSL="false"
useDNAttribute="false"
userNameAttribute="uid"
userContainer="dc=[company],dc=com"
userFilter="(objectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn"
ValidationURL="http://[YourServerName]/ValidateCookie.html"
DebugFile="D:\OAM\Logs\debug.log"
OAMAuthUser="OAMAuthCookie" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add
name="CustomRoleProvider" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389"
useSSL="false"
groupContainer="cn=groups,dc=[Company],dc=com"
groupNameAttribute="cn"
groupMemberAttribute="uniquemember"
userNameAttribute="uid"
groupFilter="(ObjectClass=groupOfUniqueNames)"
userFilter="(ObjectClass=inetorgperson)"
scope="Subtree" />
</providers>
</roleManager>
</system.web>

Make sure the validation URL (http://[YourServerName]/ValidateCookie.html) works on your server: put a ValidateCookie.html file in the root of the "80" site with anything in it ("Hello" is fine). Also make sure the D:\OAM\Logs folder exists, since that is where DebugFile points.

If there are issues with the OAM integration, adding this line under <behavior name="SecurityTokenServiceBehavior"> helps with debugging (it returns exception details to callers, so remove it again once the problem is fixed):
<serviceDebug includeExceptionDetailInFaults="true"/>
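A pre-flight check for Steps 2 and 3, as an added example that is not part of the original post: it loads the STS web.config as XML, confirms the OAM provider entry matches what this post requires, and verifies the GAC assembly, the DebugFile folder and the validation URL. Paths, provider names and the assembly name are the ones used in this post; adjust them for your server.

```powershell
# Added example (not from the original post): pre-flight check for the OAM STS configuration.
function Test-OamStsConfig {
    param(
        [string]$StsConfig = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config',
        [string]$Assembly  = 'OAMCustomMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=52e6b93f6f0427a1'
    )
    $problems = @()

    # Step 2: the provider assembly must resolve from the GAC or the STS cannot load the provider type.
    try { [void][System.Reflection.Assembly]::Load($Assembly) }
    catch { $problems += "assembly not in GAC: $Assembly ($($_.Exception.Message))" }

    # Step 3: the file must parse as XML; an unquoted ValidationURL breaks the whole STS.
    try { [xml]$cfg = Get-Content -Path $StsConfig -ErrorAction Stop }
    catch { return ,($problems + "web.config is not well-formed XML: $($_.Exception.Message)") }

    $web = $cfg.configuration.'system.web'
    $mp  = @($web.membership.providers.add) | Where-Object { $_.name -eq 'CustomLDAPMembershipProvider' }
    if (-not $mp) { return ,($problems + 'membership provider CustomLDAPMembershipProvider is missing') }

    # The STS entry must point at the Oracle provider, not the Microsoft LDAP provider used on the "80" site.
    if ($mp.type -notlike 'Oracle.CustomMembershipProvider,*') {
        $problems += "STS membership provider type is '$($mp.type)'; the STS must use the Oracle provider"
    }
    # Must match the COOKIE return attribute name from the policy domain (Prerequisites).
    if ($mp.OAMAuthUser -ne 'OAMAuthCookie') {
        $problems += "OAMAuthUser is '$($mp.OAMAuthUser)'; the policy domain returns the cookie as OAMAuthCookie"
    }
    if ($mp.useSSL -eq 'false') {
        $problems += 'useSSL="false": LDAP binds and lookups cross the wire in clear text; prefer LDAPS (636)'
    }
    $logDir = Split-Path -Path $mp.DebugFile -Parent
    if (-not (Test-Path -Path $logDir)) { $problems += "DebugFile folder does not exist: $logDir" }

    # The post requires the validation URL to be reachable from the SharePoint server.
    try { [void](New-Object System.Net.WebClient).DownloadString($mp.ValidationURL) }
    catch { $problems += "ValidationURL not reachable: $($mp.ValidationURL) ($($_.Exception.Message))" }

    if ($web.roleManager.enabled -ne 'true') { $problems += 'roleManager is not enabled in the STS web.config' }
    return ,$problems
}

$result = Test-OamStsConfig
if ($result.Count -eq 0) { 'STS configuration looks consistent' }
else { $result | ForEach-Object { "PROBLEM: $_" } }
```

Run it in a SharePoint 2010 Management Shell on the server after Step 3 and again after Step 8, since the WebGate then sits in front of the validation URL.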

Step 4
In the web.config of the "80" site (D:\inetpub\wwwroot\wss\VirtualDirectories\80), don't forget to make a backup first.

Add the following lines under <providers> in the <membership> node:

<add name="CustomLDAPMembershipProvider"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389" useSSL="false" useDNAttribute="false" userNameAttribute="uid"
userContainer="dc=[company],dc=com" userFilter="(objectClass=person)"
scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

Add the following lines under <providers> in the <roleManager> node:
<add name="CustomRoleProvider"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]" port="389" useSSL="false" groupContainer="dc=[company],dc=com"
groupNameAttribute="cn" groupMemberAttribute="uniquemember"
userNameAttribute="uid" groupFilter="(ObjectClass=groupOfUniqueNames)"
userFilter="(ObjectClass=inetorgperson)" scope="Subtree" />

Step 5
In the Default.aspx of the "80" site (D:\inetpub\wwwroot\wss\VirtualDirectories\80\_forms\Default.aspx), don't forget to make a backup first.

Add the following lines just above </asp:Content>:
<asp:HiddenField EnableViewState="false" ID="loginTracker" runat="server" value="autoLogin" />
<script runat="server">
// Prefix and suffix the WebGate uses when it passes a non-ASCII header value (RFC 2047 style, Base64 body).
const string Utf8Prefix = "=?UTF-8?B?";
const string Utf8Suffix = "?=";

void Page_Load()
{
    signInControl.LoginError += new EventHandler(OnLoginError);

    // SP_SSO_UID is the HeaderVar set by the WebGate (see Prerequisites); IIS exposes it as HTTP_SP_SSO_UID.
    string username = Request.ServerVariables.Get("HTTP_SP_SSO_UID");
    HttpCookie obSSOCookie = Request.Cookies["ObSSOCookie"];
    string loginAsAnotherUser = Request.QueryString.Get("loginasanotheruser");

    bool isOAMCredsPresent = !string.IsNullOrEmpty(username) && obSSOCookie != null && obSSOCookie.Value != null;
    bool signInAsDifferentUser = loginAsAnotherUser != null && loginAsAnotherUser.Contains("true");

    if (isOAMCredsPresent && username.StartsWith(Utf8Prefix) && username.EndsWith(Utf8Suffix))
    {
        // Strip "=?UTF-8?B?" and "?=" and decode the Base64 body.
        string encoded = username.Substring(Utf8Prefix.Length, username.Length - Utf8Prefix.Length - Utf8Suffix.Length);
        username = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(encoded));
    }

    // Only auto-login on the first pass and when the user did not ask to sign in as someone else.
    if (isOAMCredsPresent && loginTracker.Value == "autoLogin" && !signInAsDifferentUser)
    {
        bool status = Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(
            new Uri(Microsoft.SharePoint.SPContext.Current.Site.Url),
            username,
            "ObSSOCookie:" + obSSOCookie.Value);
        if (status)
        {
            // SharePoint passes the originally requested page as Source or ReturnUrl.
            string target = Request.QueryString["Source"] ?? Request.QueryString["ReturnUrl"];
            Response.Redirect(target ?? Microsoft.SharePoint.SPContext.Current.Site.Url);
        }
        else
        {
            // Authentication failed: clear the tracker so the normal login form is shown instead of looping.
            loginTracker.Value = "";
        }
    }
}

void OnLoginError(object sender, EventArgs e)
{
    loginTracker.Value = "";
}
</script>

Step 6
To disable the persistent cookie, run the following PowerShell script:

Get-PSSnapin -Registered
Add-PSSnapin Microsoft.SharePoint.Powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
iisreset

Step 7
Go to Application Management in Central Administration. Click on the main web application (8081), click on User Policy, and add yourself (the FBA account) with Full Control.

Step 8
Add the WebGate to the "80" site in IIS Manager.

Step 9
Test the site by going to http://[yourserver]. You should be able to log in as yourself and have full access. Give other LDAP users access in the next step.

Step 10
Go to http://[yourserver]/_layouts/user.aspx. Click on "Site Visitors", click on New, search for "All", add "All Authenticated Users" and click OK.

Now all users who can authenticate against OAM have read access to the site.