2012 R2 ADFS - Using Facebook, Live, Gmail, etc. to access Extranet SharePoint

BrianB posted this 07 August 2014

Is it possible to set up a claims provider trust to Facebook, Windows live, AOL, and Gmail via 2012 R2 ADFS? If so, is there documentation available? I cannot find any.

  Background: We have an extranet SharePoint site that we want to allow users to access using the above accounts. I assume that I would have to create a claims provider trust with these services and then a relying party trust for the SharePoint site. I just can’t find the information to set up the claims provider trust.

  Brian Britt, Senior Systems Analyst, Vanderbilt University VUIT Identity Operations Team. Office: (615) 322-4676, Lync: (615) 875-9858

joe posted this 07 August 2014

Azure ACS has SSO with FB, Windows, Yahoo and Google. You can set up a trust with it and configure that trust to allow those social media login options. There is some complexity around then figuring out the whole trust model around this (is ACS FP with SharePoint as an RP to it and your ADFS + the social media logins as CPs or something else) but it is doable.


The model we have for this is pretty complex in that we have a custom STS that blends a local account store with ACS and then acts as a CP to our ADFS. This type of solution would require non-trivial customization and dev skills.


There are also other bridge technologies out there. It is also always interesting to look at what Brock and Dominick are doing with Identity Server (on github).
Joe K.


dddugan posted this 07 August 2014

Brian,

Suggest you spend some time at Steve Peschka's blog at http://blogs.technet.com/b/speschka/. There were a series of posts for SharePoint 2010 -> ADFS -> ACS -> {Google, Yahoo, Facebook} quite a while back. They are directly applicable to SharePoint 2013 as well.

We followed this recipe and have allowed Google/Yahoo accounts explicit permission to our on-prem SharePoint environment for a couple years now. Happy to discuss in detail if desired.

SharePoint on-prem -> ADFS 2.0 on-prem -> Azure ACS -> Google/Yahoo (for external users)

SharePoint on-prem -> ADFS 2.0 on-prem -> local AD (for internal users)

At the risk of hijacking the thread... Lately I've been thinking about authenticating our internal users against AAD instead of our local AD. (We do password sync to AAD for Office 365 stuff, not federated auth with ADFS. We like password sync because it eliminates an on-premise dependency.) That way users would have single sign on across 365 OWA, SharePoint Online, SharePoint on-prem, etc. I have it working in our test environment but need to validate scenarios and think more about where we want to go, etc.

SharePoint on-prem -> ADFS 2.1 on-prem -> Azure AD STS (for internal users - testing only so far)

Alternatives that should accomplish the same thing:

SharePoint on-prem -> ADFS on-prem -> Azure ACS -> Google/Yahoo/Azure AD STS

SharePoint on-prem -> Azure ACS -> Google/Yahoo/Azure AD STS

Probably part of the long term solution will be to keep ADFS in the mix but make it run in Azure IaaS or similar to eliminate the on-prem dependency. Haven't crossed that bridge yet.

For completeness, note that you can't go SharePoint on-prem -> Azure AD STS because SharePoint only talks SAML 1.1 and Azure only talks SAML 2.0. ADFS or ACS act as an intermediary for you. But you probably wouldn't want to do this anyway, because you really want your SharePoint zones to have a single authentication provider...

 

Cheers.

Darin
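The two trusts the thread keeps coming back to (ADFS as the hub, ACS as a claims provider behind it, SharePoint as the relying party in front of it) can be created with the ADFS and SharePoint PowerShell cmdlets. The script below is an added example written for this page; it is not code from either poster or from Microsoft's documentation. Host names (adfs.contoso.com, sharepoint.contoso.com), the ACS namespace placeholder, the realm urn:sharepoint:extranet and the certificate path are assumptions; replace them with your own. The first part runs on the ADFS 2012 R2 server, the second on a SharePoint server.

```powershell
# ---- Part 1: on the ADFS 2012 R2 server (elevated PowerShell) ----
Import-Module ADFS

# Claim types: the e-mail address ACS returns for social logins, and the ACS claim
# that names which identity provider (Google, Facebook, ...) actually authenticated.
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$idpClaim   = 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider'

# Claims provider trust to Azure ACS, built from its federation metadata.
# Acceptance rules are deliberately narrow: only the two claims SharePoint needs are
# let through, so nothing else asserted by an upstream social IdP reaches the RP side.
$acceptRules = @"
@RuleName = "Pass e-mail from ACS"
c:[Type == "$emailClaim"] => issue(claim = c);
@RuleName = "Pass identity provider name"
c:[Type == "$idpClaim"] => issue(claim = c);
"@
Add-AdfsClaimsProviderTrust -Name 'Azure ACS (social logins)' `
    -MetadataUrl 'https://<acs-namespace>.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $acceptRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true   # keep ACS signing certs current

# Relying party trust for the extranet SharePoint web application.
# SharePoint consumes SAML 1.1 tokens over WS-Federation (which is why ADFS sits in
# the middle, as Darin notes) and cannot decrypt encrypted claims, so EncryptClaims is off.
$issueRules = @"
@RuleName = "Forward e-mail to SharePoint"
c:[Type == "$emailClaim"] => issue(claim = c);
"@
Add-AdfsRelyingPartyTrust -Name 'Extranet SharePoint' `
    -Identifier 'urn:sharepoint:extranet' `
    -WSFedEndpoint 'https://sharepoint.contoso.com/_trust/' `
    -IssuanceTransformRules $issueRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -EncryptClaims $false

# Verify both trusts were created and are enabled.
Get-AdfsClaimsProviderTrust -Name 'Azure ACS (social logins)' | Select-Object Name, Enabled, MetadataUrl
Get-AdfsRelyingPartyTrust  -Name 'Extranet SharePoint'        | Select-Object Name, Identifier, WSFedEndpoint

# ---- Part 2: on a SharePoint server (SharePoint Management Shell) ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed path to the exported ADFS token-signing certificate (public key only).
$adfsSigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-token-signing.cer')

# Map the incoming e-mail claim to SharePoint's identity claim; the Realm must equal
# the Identifier used on the ADFS relying party trust above.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming

New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'ADFS 2012 R2 (extranet)' `
    -Realm 'urn:sharepoint:extranet' `
    -ImportTrustCertificate $adfsSigningCert `
    -ClaimsMappings $emailMap `
    -SignInUrl 'https://adfs.contoso.com/adfs/ls/' `
    -IdentifierClaim $emailClaim
```

After the token issuer exists, enable it as the authentication provider on the extranet zone of the SharePoint web application; the "Pass identity provider name" rule means the identityprovider claim is available if you later want to restrict a zone to specific social providers, and the narrow acceptance rules keep any additional claims from upstream providers from being forwarded.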
