We are using the “CAS” Single Sign-On system that was developed by Jasig, and we are trying to authenticate users against it for a SharePoint 2010 site. The main issue is that we are validating the user’s username and password on an external site that sends a “ticket” back to our SP2010 site via query string. Our app then revalidates this ticket against a CAS system to make sure the ticket is valid. If the ticket is valid, we go ahead and say the user is authenticated. In a .NET app, at this point all I need to do is call this:

FormsAuthentication.RedirectFromLoginPage(username, false);

Then, our “username” user is authenticated, and everything works just great. In SharePoint, however, this isn’t enough. I can only get SP 2010 to authenticate my user if before calling the previous line, I call:

SPClaimsUtility.AuthenticateFormsUser(Request.Url, username, password);

Obviously this is a huge problem, because at this point, I do not have their password. I only have a ticket from the CAS server. I need a way to “force” the authentication of a user in SharePoint.

A: 

Microsoft made some huge changes to custom auth between SP2010 Beta and RTM, as we found out the hard way. Anyway, we had basically the same challenge, using a ticket as the means of authentication, and we got it working:

Your customlogin.aspx will typically contain something like

// Look up the ticket for the current session and exchange it for credentials.
var ticket = SecurityProvider.GetTicketForCurrentUser(Session);
var credentials = SecurityProvider.ValidateTicket(ticket);
var username = credentials.Username;
var password = credentials.Password;
// GetClaimsToken is a helper in this answer's code base (not shown); in SP2010 it
// typically wraps SPSecurityContext.SecurityTokenForFormsAuthentication(...).
var securityToken = GetClaimsToken(username, password);
var fam = Context.ApplicationInstance.Modules["FederatedAuthentication"]
          as SPFederationAuthenticationModule;
// Establish the claims principal and write the FedAuth session cookie, then redirect.
fam.SetPrincipalAndWriteSessionToken(securityToken);
SPUtility.Redirect(SPContext.Current.Site.Url, SPRedirectFlags.Trusted, Context);

The SecurityProvider contains ValidateTicket:

public static UserCredentials ValidateTicket(string ticket)
{
    // Exchange the ticket for the user's credentials via the web service.
    UserCredentials creds = UserWSClient.GetUserCredentials(ticket);
    return creds;
}

Your biggest challenge might be writing a web service that receives the ticket and returns the credentials instead of a boolean stating whether the ticket was valid or not. Best of luck!

Audun
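As an added example (not code from the question, from Audun's answer, or from the Jasig CAS project), the following C# helper shows the server-side revalidation step the question describes: a ticket that arrives on the query string is untrusted until the CAS server confirms it, over HTTPS, for this exact service URL via the CAS 2.0 /serviceValidate endpoint. The CAS base URL, the service URL and the sample XML responses are placeholders and constructed data; the cas:serviceResponse format and the http://www.yale.edu/tp/cas namespace are the ones defined by the CAS protocol.

```csharp
using System;
using System.IO;
using System.Net;
using System.Xml;

// Added example: validates a CAS 2.0 service ticket against the CAS server and
// returns the authenticated username, or null if the CAS server rejects the ticket.
public static class CasTicketValidator
{
    private const string CasNamespace = "http://www.yale.edu/tp/cas";

    // casBaseUrl e.g. https://cas.example.org/cas (placeholder), serviceUrl is the
    // exact URL CAS redirected the browser back to (the SP2010 login page).
    public static string ValidateServiceTicket(Uri casBaseUrl, Uri serviceUrl, string ticket)
    {
        // Service tickets are opaque strings beginning with "ST-"; anything else is
        // rejected before it is sent anywhere.
        if (string.IsNullOrEmpty(ticket) || !ticket.StartsWith("ST-", StringComparison.Ordinal))
            return null;
        // Validation must go over TLS, otherwise the response could be tampered with.
        if (casBaseUrl.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("CAS validation must use HTTPS");

        // Binding the ticket to the service URL: CAS only accepts the ticket for the
        // service it was issued to, so a ticket stolen for another service is useless here.
        string validateUrl = string.Format("{0}/serviceValidate?service={1}&ticket={2}",
            casBaseUrl.AbsoluteUri.TrimEnd('/'),
            Uri.EscapeDataString(serviceUrl.AbsoluteUri),
            Uri.EscapeDataString(ticket));

        var request = (HttpWebRequest)WebRequest.Create(validateUrl);
        request.Method = "GET";
        request.Timeout = 10000;

        string body;
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            body = reader.ReadToEnd();
        }
        return ParseServiceResponse(body);
    }

    // Parses the cas:serviceResponse document and returns cas:user on success.
    // Any failure element, missing user or malformed document yields null.
    public static string ParseServiceResponse(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null; // never resolve external entities or DTDs from the response
        try
        {
            doc.LoadXml(xml);
        }
        catch (XmlException)
        {
            return null;
        }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("cas", CasNamespace);

        XmlNode user = doc.SelectSingleNode(
            "/cas:serviceResponse/cas:authenticationSuccess/cas:user", ns);
        if (user == null || string.IsNullOrEmpty(user.InnerText))
            return null;
        return user.InnerText.Trim();
    }

    // Constructed sample responses (not captured from a real CAS server) that
    // exercise the parser without network access.
    public static void Demo()
    {
        const string success =
            "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>" +
            "<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>" +
            "</cas:serviceResponse>";
        const string failure =
            "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>" +
            "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>" +
            "</cas:serviceResponse>";
        Console.WriteLine(ParseServiceResponse(success) ?? "(rejected)");
        Console.WriteLine(ParseServiceResponse(failure) ?? "(rejected)");
    }
}
```

In the customlogin.aspx flow from the answer, ValidateServiceTicket would run first; only a non-null username should proceed to building a token, and a null result should end the request with the user still unauthenticated. CAS service tickets are single-use, so a second validation of the same ticket (for example from a replayed URL) is reported as a failure by the CAS server.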
The trouble is, another development team is writing the service to return the ticket. They will only be returning the ticket and have made it very clear that they will not send the password to us. We are only going to have the ticket and the username.
RepDetec