How To Get All Claims Providers Associated with a Web Application in SharePoint 2010
I’ve been asked this question a couple of times before: how can I programmatically find out which claims providers are being used with my web application? The question is usually asked to mean which SPTrustedIdentityTokenIssuers are being used, but the method I’ll demonstrate will reveal those as well as custom claims providers that are not enabled by default (because if a provider is enabled by default then it’s used everywhere).
The first thing to understand is that if you are wondering what’s enabled for a web application, you are thinking about it the wrong way (which is probably why folks have had a hard time finding this info). Your claims providers are applied at the zone level, not the web application level. So given a SharePoint Url, how do we figure out this information?
To start with, get a new SPSite based on the Url in which you are interested:
using (SPSite theSite = new SPSite("https://someUrl"))
{
…
}
Once you have the SPSite object you can get the web application and zone:
//get the web app
SPWebApplication wa = theSite.WebApplication;
//get the zone for the site
SPUrlZone theZone = theSite.Zone;
With that information, you can get the SPIisSettings for the zone, which is where most of the good stuff resides:
//get the settings associated with the zone
SPIisSettings theSettings = wa.GetIisSettingsWithFallback(theZone);
Once I have the zone information, I can get both the authentication providers and claims providers for that zone. They are found in these two properties: ClaimsAuthenticationProviders and ClaimsProviders. Keep in mind that each ClaimsAuthenticationProvider has only a very small subset of the information that you get when you run something like Get-SPTrustedIdentityTokenIssuer in PowerShell. If you really want the core underlying object, you need to take your ClaimsAuthenticationProvider and get an SPTrustedLoginProvider from it. Fortunately that is not too hard either. Here’s an example where I’m querying for a list of SPTrustedLoginProviders using LINQ; note that in this example I’m only interested in the SAML claims providers (A.K.A. SPTrustedIdentityTokenIssuer):
//get the token service manager so we can retrieve the appropriate
//trusted login provider
SPSecurityTokenServiceManager sptMgr = SPSecurityTokenServiceManager.Local;
//get the list of authentication providers associated with the zone
foreach (SPAuthenticationProvider prov in theSettings.ClaimsAuthenticationProviders)
{
    //make sure the provider we're looking at is a SAML claims provider
    if (prov.GetType() == typeof(Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider))
    {
        //get the SPTrustedLoginProvider using the DisplayName
        var lp =
            from SPTrustedLoginProvider spt in
                sptMgr.TrustedLoginProviders
            where spt.DisplayName == prov.DisplayName
            select spt;
        //there should only be one match, so retrieve that
        if ((lp != null) && (lp.Count() > 0))
        {
            //get the login provider
            SPTrustedLoginProvider loginProv = lp.First();
        }
    }
}
For completeness, I’ll paste in the entire code block below here. In this particular scenario I was looking for all the SPTrustedIdentityTokenIssuers associated with a zone and for each one I was creating a string with the name of the provider and the Url to which you would get redirected to authenticate when using that provider.
//namespaces used by this fragment: System.Linq, System.Windows.Forms,
//Microsoft.SharePoint, Microsoft.SharePoint.Administration,
//Microsoft.SharePoint.Administration.Claims
using (SPSite theSite = new SPSite("https://someUrl"))
{
    //get the web app
    SPWebApplication wa = theSite.WebApplication;
    //get the zone for the site
    SPUrlZone theZone = theSite.Zone;
    //get the settings associated with the zone
    SPIisSettings theSettings = wa.GetIisSettingsWithFallback(theZone);
    //if this isn't a claims auth site then bail out
    if (!theSettings.UseTrustedClaimsAuthenticationProvider)
    {
        MessageBox.Show("This is not a SAML claims auth site");
        return;
    }
    //clear the list of providers out
    ProviderLst.Items.Clear();
    //get the token service manager so we can retrieve the appropriate
    //trusted login provider
    SPSecurityTokenServiceManager sptMgr = SPSecurityTokenServiceManager.Local;
    //get the list of authentication providers associated with the zone
    foreach (SPAuthenticationProvider prov in
        theSettings.ClaimsAuthenticationProviders)
    {
        //make sure the provider we're looking at is a SAML claims provider
        if (prov.GetType() ==
            typeof(Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider))
        {
            //get the SPTrustedLoginProvider using the DisplayName
            var lp =
                from SPTrustedLoginProvider spt in
                    sptMgr.TrustedLoginProviders
                where spt.DisplayName == prov.DisplayName
                select spt;
            //there should only be one match, so retrieve that
            if ((lp != null) && (lp.Count() > 0))
            {
                //get the login provider
                SPTrustedLoginProvider loginProv = lp.First();
                //get the login info
                string provInfo = prov.DisplayName + " - " +
                    loginProv.ProviderUri.ToString();
                //add the login info to the list
                ProviderLst.Items.Add(provInfo);
            }
        }
    }
}
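Because providers are applied per zone, an audit of a web application has to look at every zone rather than only the zone of one Url. The following is an added example, not code from the original post: it goes beyond the single-zone case above by walking the web application's IisSettings dictionary and collecting the SAML providers and their redirect Urls for each zone. The class and method names are hypothetical, and it must run on a SharePoint 2010 server against the server object model.

```csharp
// Added example (not from the original post).
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;

static class ZoneProviderAudit
{
    // Hypothetical helper: maps every zone found in the web application's
    // IisSettings to a list of "DisplayName - ProviderUri" strings.
    public static Dictionary<SPUrlZone, List<string>> GetTrustedProvidersByZone(string siteUrl)
    {
        var result = new Dictionary<SPUrlZone, List<string>>();
        SPSecurityTokenServiceManager sptMgr = SPSecurityTokenServiceManager.Local;

        using (SPSite theSite = new SPSite(siteUrl))
        {
            //walk every zone of the web app, not just the zone of siteUrl
            foreach (KeyValuePair<SPUrlZone, SPIisSettings> zone in
                theSite.WebApplication.IisSettings)
            {
                var found = new List<string>();
                result[zone.Key] = found;

                //zones without a SAML provider keep an empty list
                if (!zone.Value.UseTrustedClaimsAuthenticationProvider)
                    continue;

                foreach (SPAuthenticationProvider prov in
                    zone.Value.ClaimsAuthenticationProviders)
                {
                    if (!(prov is SPTrustedAuthenticationProvider))
                        continue;

                    //same DisplayName match the post uses
                    SPTrustedLoginProvider loginProv =
                        (from SPTrustedLoginProvider spt in sptMgr.TrustedLoginProviders
                         where spt.DisplayName == prov.DisplayName
                         select spt).FirstOrDefault();

                    //report a provider with no farm-level match instead of hiding it
                    found.Add(prov.DisplayName + " - " + (loginProv == null
                        ? "(no matching SPTrustedLoginProvider)"
                        : loginProv.ProviderUri.ToString()));
                }
            }
        }
        return result;
    }
}
```

Comparing the per-zone lists makes it easy to spot a zone that redirects to an identity provider the others do not use.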
Comments
Anonymous
January 01, 2003
FYI: A slicker way to do this:
if (prov.GetType() == typeof(Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider))
is
if (prov is Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider)
Thanks again for another great article!
Anonymous
January 01, 2003
No way I'm aware of to make a custom provider the default provider for a zone only; you can only configure that through the SPTrustedIdentityTokenIssuer itself.
Steve
Anonymous
March 29, 2011
This is a great article. Is it possible, I can make the custom claims provider DEFAULT for a ZONE?