Windows Live authentication for MOSS 2007

October 8th, 2007 | Posted by Marijn in sharepoint

Keith Bunge tested his Live ID solution for SharePoint, and marked it as final.

The login procedure is as follows:

Click On The Sign In Link
The Membership and Role providers are linked into the SharePoint Forms Based Authentication (FBA) architecture. This means that the Sign In and Sign Out mechanisms are integrated right into SharePoint automagically.

Get Redirected To Live’s Login Site
When you click the Sign In link you will be redirected to the Windows Live ID login site. This site validates the user's credentials, either by requiring them to log in with their Live ID credentials or by validating that they have an active Windows Live session.

Get Redirected Back to SharePoint
Once the Windows Live session is validated, the Live Login system will redirect you back to SharePoint. The Windows Live system requires an Application Administrator to register a single URL per application ID to return users to once they have been validated. The Windows Live request returns a signed authentication token that the SharePoint server verifies, and then uses to identify the user by their unique user token. This token is unique to each application that is registered with the Windows Live system. What this means is that if I register an application for blog.solanite.com and one for moreblogs.solanite.com, I will get different IDs for the same Windows Live ID on each system. These unique user tokens only provide the SharePoint server with validation that Windows Live has authenticated this user. They do not provide access to the associated Windows Live email address, or really any information about the user.

User Token Is Processed
When the Windows Live system responds to SharePoint, the user token is checked against the profile store. In the case of what I have written, I decided to test Microsoft’s statement that with the performance tweaking abilities added to SharePoint, you can technically use a SharePoint list instead of using a SQL table for simple applications. I just did a few web searches, and can’t find any published versions of this statement, but it is something I and others I know have heard several times. I have set the user token and email columns of the profile list as indexed to help with searching against them, and I am hopeful that I’ll see good results as the number of profiles increases.
If this user token is new, the user is prompted to enter an email identifier. This is done to help with adding users to SharePoint sites. Remembering a long user token is difficult to do; however, typing in an email address is much easier. The profile store itself is not accessible unless you have specific access to the list, so the data is protected.

Returned To The Sign In Page
Once either the new user has submitted an email address or the pre-existing user check is completed, you are redirected back to the SharePoint page you initially signed in from.
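As an added example (not Keith Bunge's code and not the Windows Live ID SDK), the Python below models the relying-party side of the "Get Redirected Back to SharePoint" and "User Token Is Processed" steps: the signed token is accepted only if its signature verifies and it was issued for this application ID, and the resulting user token is then resolved against the profile store, prompting for an email address on first sight. The token layout, the per-application pseudonym derivation, the secrets and the sample identities are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Token layout assumed for this example: "<app_id>|<user_token>|<hex HMAC-SHA256>".
# It is NOT Windows Live ID's real wire format. The MAC covers "<app_id>|<user_token>"
# under a secret shared between the identity provider and the registered application.

def derive_user_token(live_id: str, app_id: str, issuer_secret: bytes) -> str:
    """Provider side (assumed): a per-application pseudonym for one Live ID, so one
    account yields different user tokens on blog.solanite.com and moreblogs.solanite.com."""
    return hmac.new(issuer_secret, f"{app_id}|{live_id}".encode(), hashlib.sha256).hexdigest()

def issue_token(app_id: str, user_token: str, app_secret: bytes) -> str:
    """Provider side: sign the (app_id, user_token) pair before redirecting back."""
    payload = f"{app_id}|{user_token}"
    mac = hmac.new(app_secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_token(token: str, my_app_id: str, app_secret: bytes) -> Optional[str]:
    """Relying-party (SharePoint) side: return the user token only if the signature
    verifies AND the token was issued for this application; otherwise None."""
    try:
        app_id, user_token, mac = token.split("|")
    except ValueError:
        return None                       # malformed token
    if app_id != my_app_id:
        return None                       # issued for another registered application
    expected = hmac.new(app_secret, f"{app_id}|{user_token}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                       # forged or tampered
    return user_token

def process_user_token(profile_store: Dict[str, str], user_token: str) -> Tuple[str, Optional[str]]:
    """'User Token Is Processed' step: known token -> ('signed_in', email); unknown
    token -> ('prompt_email', None) so the user can register a readable identifier."""
    email = profile_store.get(user_token)
    return ("signed_in", email) if email else ("prompt_email", None)

def register_email(profile_store: Dict[str, str], user_token: str, email: str) -> None:
    """Store the email identifier supplied for a newly seen user token."""
    profile_store[user_token] = email

if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    issuer, secret, store = b"issuer-secret", b"app-secret", {}
    tok = derive_user_token("someone@example.com", "blog.solanite.com", issuer)
    signed = issue_token("blog.solanite.com", tok, secret)
    print(process_user_token(store, verify_token(signed, "blog.solanite.com", secret)))
```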

More info here
Download here
