Creating custom IP-STS for sharepoint foundation 2010 without ADFS

Question

I plan to create very simple custom IP-STS for SharePoint foundation 2010 without ADFS server so anyone can integrate Windows Live ID to SharePoint foundation 2010 simply without ADFS, I can't use ADFS server because it could not install on Windows Web Server 2008 (Web Edition), also I found many article use LDAP provider but it does not exists in SharePoint Foundation too (it requires Sharepoint Server Edition).

After too much searching I just found the following article and find all technique except one problem.

1) Creating Custom Claim Provider: blogs.technet.com/b/speschka/archive/2010/03/13/writing-a-custom-claims-provider-for-sharepoint-2010-part-1.aspx

2) Creating Custom STS Provider: http://blogs.msdn.com/b/chunliu/archive/2010/04/02/how-to-make-use-of-a-custom-ip-sts-with-sharepoint-2010-part-1.aspx

Only one step remains: I got following error after enter username in STS site and redirect to localhost/_trust/default.aspx , ( I leave EncryptingCertificateName empty).

Operation is not valid due to the current state of the object

I expect to get access denied error instead of that error.

1.Is it possible anyway? 2.Can anyone help me where can I find working article to create custom IP-STS without ADFS server Any idea will help me

Thanks

Answer 1

There is a better walkthrough that is now supplied by Microsoft at the following location: http://msdn.microsoft.com/en-us/library/ff955607.aspx

This link supplies you with source code for a custom ASP.NET passive STS identity provider, a sample ASP.NET application that uses the identity provider (for testing purposes), and a WinForms app that will register the identity provider with Sharepoint so that your Sharepoint site can use the provider as well.

NOTE: The only hitch I ran into was that I had to change the thumbprint for the signing certificate. This is a known issue and is mentioned in the documentation provided at this link. However, when you copy and paste the thumbprint from the certificate store, beware that the clipboard may add special characters to the beginning and/or end of the thumbprint string. So make sure you remove any special characters before adding the thumbprint to your .NET solution. (e.g. just go to the beginning of your string and hit the delete key until it starts to actually delete visible characters.)

Answer 2

You need to check that the required claim (i.e. the default claim) you are using is actually supplied with the login. If not then it will fail. For example if you were using ADFS, and set the default claim to be email address, you would need to ensure that the user actually had an email address set within their account on the authenticating domain.

I would check the claims that are being used first.

Answer 3

You can check Thinktecture's Starter STS here.