Share via


Programmatically Adding A Trusted Identity Token Issuer to a Web Application Zone in SharePoint 2010 and 2013

Seems like I haven't had a chance to write a good SharePoint / SAML claims kind of article in a while. I was happily plugging away on some code this weekend for a scenario I haven't done before so I thought I would go ahead and post it here for the search engines. The whole topic in general has kind of reached a point where I'm not really sure if anyone even needs these kinds of postings anymore, but ultimately I decided it's worth jotting down because there will probably be someone, somewhere that needs to do this in a hurry so perhaps this post will help.

So the topic today is changing the configuration of a web application zone so that it uses an SPTrustedIdentityTokenIssuer - i.e. I want to configure my web app to use SAML claims.

The first challenge I typically face with folks is getting them to restate the problem - more precisely, in this case we're not configuring a web app to use SAML, we're configuring a zone in the web app to use SAML. This is a key to remember because you need to know that as you start plugging through the object model to find and change these settings. So let's start working through some code.

The first step of course is going to be to get a reference to the web application you want to work with. You can use the ContentService to do that, or I frequently just use a site. Here's an example:

using (SPSite s = new SPSite(https://foo))

{

SPWebApplication wa = s.WebApplication;

...

 }

Okay, so now that I have my web application, I need to get the IIS settings for the zone. In this case I'm just going to hard-code it to look in the default zone:

Dictionary<SPUrlZone, SPIisSettings> allSettings = wa.IisSettings;

SPUrlZone z = SPUrlZone.Default;

SPIisSettings settings = allSettings[z];

As you can probably tell from the code, you can get the settings for any zone, but we're grabbing them for the default zone. Once I have that, I can look at what authentication providers the zone is using with this:

List<SPAuthenticationProvider> providers = settings.ClaimsAuthenticationProviders.ToList<SPAuthenticationProvider>();

So for example if you wanted to see if your provider was being used before trying to add it, this is where you would look. In our case we'll just assume it's not being used by this zone yet, so next we need to get the SPTrustedClaimProvider that represents our SPTrustedIdentityTokenIssuer. We'll use this code to do that:

//get the local claim provider manager, which tracks all providers and get all trusted claim providers into a list

SPClaimProviderManager cpm = SPClaimProviderManager.Local;

List<SPTrustedClaimProvider> claimProviders = cpm.TrustedClaimProviders.ToList<SPTrustedClaimProvider>();

//look to see if ours exists

const string ISSUER_NAME = "MyTokenIssuer";

var cp = from SPTrustedClaimProvider pd in claimProviders

where pd.DisplayName == ISSUERI_NAME

select pd;

SPTrustedClaimProvider ceProvider = null;

 

try

 {

ceProvider = cp.First<SPTrustedClaimProvider>();

}

catch

{

//it will throw an exception if it doesn't exist

}

Okay, so at this point our provider should be in the ceProvider variable. Once we have that, we have a couple of different options to configure the zone to use it. If you just want to add it to the collection of authentication providers the zone is using, use the AddClaimsAuthenticationProvider method of the IisSettings instance. If you want to replace the list of authentication providers so it only uses your SAML provider (which also means it can't be crawled, since that requires NTLM), use the ReplaceClaimsAuthenticationProviders method. Here's some code that demonstrates both methods, you would obviously only use one of them:

 

if (ceProvider != null)

{

SPAuthenticationProvider newProvider = new SPTrustedAuthenticationProvider(ceProvider.Name);

 

//this works to add it to the collection of claims providers

settings.AddClaimsAuthenticationProvider(newProvider);

 

//this can be used to replace it so you only have the trusted provider

providers = new List<SPAuthenticationProvider>();

providers.Add(newProvider);

settings.ReplaceClaimsAuthenticationProviders(providers);

 

//update the web application to save the authentication provider settings

wa.Update();                 

 }

So there you have it, hopefully if you ever need to do this now you can grab this code and run with it.

Comments

  • Anonymous
    January 01, 2003
    thanks
  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    March 08, 2014
    what an exciting week at SharePoint Conference in Las Vegas. Let me share some links:

    SPC14 Keynote
  • Anonymous
    September 18, 2014
    The comment has been removed
  • Anonymous
    January 08, 2015
    m88 : http://m88en.com
    M88.com offer online sports games Asia, Sports Betting Asia, Sports Betting Sites Asia.
    m88asia : http://m88en.net
    Link to M88BET phone: m88en.com. – Register and Open Betting Account and Membership M88BET.
    m88bet : http://www.linkm88vip.com
    MANSION88 the house is one of the largest and most prestigious. Appeared quite early in the Asian market, the so-MANSION88 currently attracts more players.
    link m88 : http://m88wiki.com
    Home the M88 is the official sponsor of the football club in the Premier League
    Wish you happy with the new M88
    m88 casino online : http://m88free.com

    Modern Thai restaurant combines outstanding traditional cuisine and a subtle modern decor with a warm welcoming ambience. Thai Restaurants in Brisbane :http://www.watersidethainoodles.com.au , traveller reviews of Brisbane Thai restaurants and search by price, location, and more..