Thursday, December 22, 2011

SharePoint 2010 OAM Integration

This document outlines steps involved in Integrating SharePoint 2010 with OAM 10g.

Prerequisites:

  • SharePoint 2010 is installed and configured. You are able to create web applications and site collections.
  • OAM environment is installed and configured (Access Servers, Identity Servers etc).
  • An AccessGate is configured for the webgate (required for the webgate installation).
  • A Policy Domain is configured for this resource (SharePoint 2010 URL).
  • The following Return Attributes are set up for Authorization Success in the Authorization Expression:

    HeaderVar IMPERSONATE uid (or samaccountname)
    HeaderVar SP_SSO_UID uid (or samaccountname)
    COOKIE OAMAuthCookie uid (or samaccountname)

Assumptions

  • Web Application main site will be created using port 8081 (Claims based Authentication, NTLM only)
  • Main web application will be extended to Internet zone using port 80 and Forms based authentication only. Use CustomLDAPMembershipProvider and CustomRoleProvider for providers.


Step 1
In the web.config of Central Admin (C:\inetpub\wwwroot\wss\VirtualDirectories\24195\web.config [on your server the folder name may be different]) - Don't forget to make a backup first.

REPLACE
<roleManager>
<providers>
</providers>
</roleManager>
<membership>
<providers>
</providers>
</membership>
WITH
<roleManager>
<providers>
<add
name="CustomRoleProvider" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389"
useSSL="false"
groupContainer="dc=[company],dc=com"
groupNameAttribute="cn"
groupMemberAttribute="uniquemember"
userNameAttribute="uid"
groupFilter="(ObjectClass=groupOfUniqueNames)"
userFilter="(ObjectClass=inetorgperson)"
scope="Subtree" />
</providers>
</roleManager>
<membership>
<providers>
<add
name="CustomLDAPMembershipProvider" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389"
useSSL="false"
useDNAttribute="false"
userNameAttribute="uid"
userContainer="dc=[company],dc=com"
userFilter="(objectClass=person)"
scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
Step 2
Deploy OAMCustomMembershipProvider.dll to GAC
(C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\gacutil.exe - This could be different on your server)

gacutil -I D:\OAM\access\oblix\apps\webgate\OAMCustomMembershipProvider\OAMCustomMembershipProvider.dll

Alternatively drag and drop the OAMCustomMembershipProvider.dll to c:\windows\assembly

Step 3
In the web.config of the SecurityTokenServiceApplication (the application under the SharePoint Web Services site):
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config
Don't forget to make a backup first.

Add the below block right under </system.net>:
<system.web>
<membership>
<providers>
<add
name="CustomLDAPMembershipProvider" type="Oracle.CustomMembershipProvider, OAMCustomMembershipProvider,Version=1.0.0.0, Culture=neutral, PublicKeyToken=52e6b93f6f0427a1, processorArchitecture=AMD64"
server="[LDAP Server Name]"
port="389"
useSSL="false"
useDNAttribute="false"
userNameAttribute="uid"
userContainer="dc=[company],dc=com"
userFilter="(objectClass=person)"
scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" ValidationURL="http://[YourServerName]/ValidateCookie.html"
DebugFile="D:\OAM\Logs\debug.log"
OAMAuthUser="OAMAuthCookie"/>
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add
name="CustomRoleProvider" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389"
useSSL="false"
groupContainer="cn=groups,dc=[company],dc=com"
groupNameAttribute="cn"
groupMemberAttribute="uniquemember"
userNameAttribute="uid"
groupFilter="(ObjectClass=groupOfUniqueNames)"
userFilter="(ObjectClass=inetorgperson)"
scope="Subtree" />
</providers>
</roleManager>
</system.web>

Make sure the validation URL works (http://[YourServerName]/ValidateCookie.html) on your server. Put a ValidateCookie.html file in the root of the "80" site with anything in it ("Hello" is fine). Make sure the D:\OAM\Logs folder exists, since the provider writes its DebugFile there.

If there are issues with the OAM integration, adding this line under <behavior name="SecurityTokenServiceBehavior"> helps with debugging (remove it again once the integration works, because it returns exception details to callers of the STS):
<serviceDebug includeExceptionDetailInFaults="true"/>
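The post says to make sure the validation URL works and the log folder exists; the script below is an added example (not part of the original post or of Oracle's provider) that checks those Step 3 settings from the SharePoint server. It assumes the placeholder values are replaced with the real ones for your farm, and that the STS web.config carries the <system.web> block exactly as shown above.

```powershell
# Added example, not from the original post: sanity checks for the Step 3 settings.
# Placeholders below are assumptions; replace them with the values used in your farm.
$ValidationUrl = "http://[YourServerName]/ValidateCookie.html"   # must equal ValidationURL in the STS web.config
$LogFolder     = "D:\OAM\Logs"                                    # folder that holds DebugFile
$StsConfig     = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"

# 1. The log folder must exist, otherwise the provider cannot write DebugFile.
if (-not (Test-Path -Path $LogFolder -PathType Container)) {
    Write-Warning "Log folder $LogFolder is missing; creating it"
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}

# 2. The STS web.config must still parse as XML and carry both providers.
[xml]$cfg = Get-Content -Path $StsConfig
$membership = $cfg.configuration.'system.web'.membership.providers.add |
    Where-Object { $_.name -eq 'CustomLDAPMembershipProvider' }
$role = $cfg.configuration.'system.web'.roleManager.providers.add |
    Where-Object { $_.name -eq 'CustomRoleProvider' }
if (-not $membership) { Write-Warning "CustomLDAPMembershipProvider not found in $StsConfig" }
if (-not $role)       { Write-Warning "CustomRoleProvider not found in $StsConfig" }
if ($membership -and $membership.ValidationURL -ne $ValidationUrl) {
    Write-Warning "ValidationURL in web.config ($($membership.ValidationURL)) differs from $ValidationUrl"
}

# 3. The validation page must answer. Before the webgate is installed (Step 8) an
#    anonymous request should return HTTP 200. After Step 8 the same anonymous request
#    should be answered by the webgate (a redirect to the OAM login) instead of a 200,
#    which confirms the page is behind the webgate. Redirects are not followed so the
#    first status code is the one reported.
$req = [System.Net.HttpWebRequest]::Create($ValidationUrl)
$req.AllowAutoRedirect = $false
try {
    $resp = $req.GetResponse()
    "{0} -> HTTP {1}" -f $ValidationUrl, [int]$resp.StatusCode
    $resp.Close()
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($resp) { "{0} -> HTTP {1}" -f $ValidationUrl, [int]$resp.StatusCode }
    else { Write-Warning $_.Exception.Message }
}
```

Run it once after Step 3 and once more after Step 8; the status code printed for the anonymous request is expected to change between the two runs.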

Step 4
In the web.config of "80" site (D:\inetpub\wwwroot\wss\VirtualDirectories\80) - Don't forget to make a backup first.

Add the following lines under <providers> for <membership> node

<add name="CustomLDAPMembershipProvider"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]"
port="389" useSSL="false" useDNAttribute="false" userNameAttribute="uid"
userContainer="dc=[company],dc=com" userFilter="(objectClass=person)"
scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

Add the following lines under <providers> for <roleManager> node
<add name="CustomRoleProvider"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="[LDAP Server Name]" port="389" useSSL="false" groupContainer="dc=[company],dc=com"
groupNameAttribute="cn" groupMemberAttribute="uniquemember"
userNameAttribute="uid" groupFilter="(ObjectClass=groupOfUniqueNames)"
userFilter="(ObjectClass=inetorgperson)" scope="Subtree" />

Step 5
In the Default.aspx of the "80" site (D:\inetpub\wwwroot\wss\VirtualDirectories\80\_forms\Default.aspx) - Don't forget to make a backup first.

Add the following lines just above </asp:Content>
<asp:HiddenField EnableViewState="false" ID="loginTracker" runat="server" value="autoLogin" />
<%bool autoLogin = loginTracker.Value == "autoLogin";%>
<script runat="server">
void Page_Load()
{
// If the forms sign-in control reports a failure, clear the auto-login marker so the
// user gets the normal login form instead of another auto-login attempt.
signInControl.LoginError += new EventHandler(OnLoginError);
string loginasanotheruser = Request.QueryString.Get("loginasanotheruser");
// SP_SSO_UID is the header set by the webgate from the Authorization Success return
// attributes (see Prerequisites); IIS exposes it as the HTTP_SP_SSO_UID server variable.
string username = Request.ServerVariables.Get("HTTP_SP_SSO_UID");
HttpCookie ObSSOCookie = Request.Cookies["ObSSOCookie"];
bool isOAMCredsPresent = !string.IsNullOrEmpty(username) && ObSSOCookie != null && ObSSOCookie.Value != null;
bool signInAsDifferentUser = loginasanotheruser != null && loginasanotheruser.Contains("true");

if (isOAMCredsPresent)
{
// Non-ASCII user names arrive as an RFC 2047 encoded word: =?UTF-8?B?<base64>?=
if (username.StartsWith("=?UTF-8?B?") && username.EndsWith("?="))
{
try
{
// strip the 10-character prefix and the 2-character suffix, then base64-decode
username = username.Substring("=?UTF-8?B?".Length, username.Length - 12);
byte[] decodedBytes = Convert.FromBase64String(username);
username = System.Text.Encoding.UTF8.GetString(decodedBytes);
}
catch (FormatException)
{
// malformed encoded word: show the normal login form instead of failing the page
isOAMCredsPresent = false;
}
}
}
if (isOAMCredsPresent && loginTracker.Value == "autoLogin" && !signInAsDifferentUser)
{
// Authenticate through the custom membership provider, passing the OAM session
// cookie value in place of a password.
bool status = Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(
new Uri(SPContext.Current.Site.Url), username, "ObSSOCookie:" + ObSSOCookie.Value);
if (status)
{
// Return to the requested page (Source, then ReturnUrl); fall back to the site root
// when neither query parameter is present instead of dereferencing a missing one.
string target = Context.Request.QueryString["Source"] ?? Context.Request.QueryString["ReturnUrl"];
Response.Redirect(string.IsNullOrEmpty(target) ? SPContext.Current.Site.Url : target);
}
else
{
loginTracker.Value = "";
}
}
}
void OnLoginError(object sender, EventArgs e)
{
loginTracker.Value = "";
}
</script>

Step 6
To disable persistent cookies, run the following PowerShell script:
Get-PSSnapin -Registered
Add-PSSnapin Microsoft.SharePoint.Powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
iisreset
Step 7
Go to Application Management in Central Administration. Click the main web application (8081), then click User Policy and add yourself (the FBA account) with Full Control.

Step 8
Add the webgate to "80" site in IIS Manager.

Step 9
Test the site by going to http://[yourserver]. You should be able to log in as yourself with full access. Give other LDAP users access in the next step.

Step 10
Go to http://[yourserver]/_layouts/user.aspx. Click on "Site Visitors", click on new, search for All and add "All Authenticated Users" and click Ok.

Now all users who can authenticate against OAM have read access to the site.
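Steps 6, 7 and 10 can also be done from the SharePoint 2010 Management Shell. The script below is an added example (not from the original post) that performs the three steps in one go. The web application URLs, the FBA account name and the provider name are assumptions; the provider name must match the name used in the web.config entries above, because the claims login name of a forms user is built from it.

```powershell
# Added example, not from the original post: Steps 6, 7 and 10 as one script.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values; replace with the ones for your farm.
$MainWebAppUrl = "http://[yourserver]:8081"   # main zone, Windows/NTLM (Step 7)
$FbaWebUrl     = "http://[yourserver]"        # extended Internet zone, FBA + webgate (Step 10)
$FbaUser       = "[your uid]"                 # LDAP uid (userNameAttribute) of the person who gets Full Control
$Provider      = "CustomLDAPMembershipProvider"

# Step 6: session cookies only, so the FBA token does not outlive the browser session.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()

# Step 7: Full Control user policy on the main web application for the FBA identity.
# SharePoint encodes a forms user as i:0#.f|<provider>|<user> with the provider name in lower case.
$claim = "i:0#.f|{0}|{1}" -f $Provider.ToLower(), $FbaUser
$wa = Get-SPWebApplication -Identity $MainWebAppUrl
$policy = $wa.Policies.Add($claim, $FbaUser)
$fullControl = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($fullControl)
$wa.Update()

# Step 10: read access for every user OAM can authenticate, through the site's Visitors group.
# "All Authenticated Users" is the claim c:0(.s|true.
$web = Get-SPWeb -Identity $FbaWebUrl
$web.AssociatedVisitorGroup.AddUser("c:0(.s|true", "", "All Authenticated Users", "")
$web.Dispose()

# Step 6 ends with an IIS reset so the STS picks up the cookie setting.
iisreset
```

The user policy is added on the web application, so it applies to both the 8081 zone and the extended port 80 zone; the Visitors group membership is per site collection, so repeat that part for each site collection that should be readable by all OAM users.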

5 comments:

Shruti said...

Hi,

This post is very informative. Thanks.
I'm integrating OAM 10g with SharePoint 2010 and using OID as the LDAP. Please let me know if I should be following the procedure of integration with LDAPMembershipProvider. Also I have a few more questions on integration that I would like to ask you.

It would be great if you could share your email id and I can write to you.

Thanks.

Niceguy said...

May I know what kind of customization has been done on the file OAMCustomMembershipProvider.dll?

Chandra Shirashyad said...

@Shruti,

Yes, please follow the instructions for setting up claims based authentication with FBA. Make sure FBA works fine before moving on to OAM integration.

You may contact me at: chandra shirashyad com.

@Niceguy,
OAMCustomMembershipProvider.dll is provided by Oracle. It takes care of setting up necessary cookies, impersonation etc., drastically simplifying OAM integration with SharePoint 2010.

Bibu Mohapatra said...

Hi Chandra,

This is very good info. I am able to configure SSO for one of the SharePoint webapps. Do you know how to enable SSO for multiple webapps on the same SharePoint farm? The validationURL under SecurityTokenServiceApplication can take only one URL. Also SecurityTokenServiceApplication is per SharePoint farm, not per webapps.

Thanks

Mahesh said...

Chandra, this is a very useful article. I have followed your instructions, everything looks good but group members fail to authorize at the SharePoint site. If I add users manually to the SP group there are no issues. Please let me know if you have any idea.
Thanks,
Mahesh.