0
votes

We are using SiteMinder to authenticate users, but all we get from SiteMinder is the user identity in a header: ASP.NET Authentication with Siteminder

However, since we are using a high-trust provider-hosted SharePoint app, we have access to tokenHelper.cs, but impersonating a user requires System.Security.Principal.WindowsIdentity.

My questions are:

How do I get a WindowsIdentity in this case?

OR

How do I extend tokenHelper to impersonate a user with just the user identity (without a WindowsIdentity)?

2 Answers

1
votes

Check this blog by Steve Peschka. I have set up a provider-hosted app in a SiteMinder-protected SharePoint 2013 using that blog. To impersonate a user you need to create a ClaimsIdentity for the user and insert it into the HttpContext as the current user. Sample code for that below:

using System;
using System.Security.Claims;
using System.Web;

// userId, smtp and nameIdentifier are the values taken from the SiteMinder headers (see below)
var identity = new ClaimsIdentity(AuthenticationTypes.Federation, "http://schemas.xmlsoap.org/claims/useridentifier", String.Empty);
identity.AddClaim(new Claim("http://schemas.xmlsoap.org/claims/useridentifier", userId, "http://www.w3.org/2001/XMLSchema#string"));
identity.AddClaim(new Claim(ClaimTypes.Email, smtp, "http://www.w3.org/2001/XMLSchema#string"));
identity.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sip", nameIdentifier, "http://www.w3.org/2001/XMLSchema#string"));
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
HttpContext.Current.User = principal; // make the impersonated identity the current user

Set this ClaimsPrincipal as the HttpContext user. The claim values to be passed are: smtp = email of the user, nameIdentifier = login name of the user, userId = account name of the user.
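As an added example (not code from the answer or from Steve Peschka's blog), the same ClaimsPrincipal construction hooked into the ASP.NET pipeline as an IHttpModule, so every request carries the claims identity. The module and helper names are made up for this example, and the header name SM_USER and an SM_EMAIL header are assumptions about how the SiteMinder agent is configured; the code also assumes the app is reachable only through the agent, since otherwise any client could supply those headers itself.

```csharp
using System;
using System.Security.Claims;
using System.Threading;
using System.Web;

// Hypothetical HTTP module: turns the SiteMinder user header into the ClaimsPrincipal
// built in the answer above. The headers are only trustworthy when the SiteMinder agent
// is the sole path to this app, because the agent sets them after dropping client copies.
public class SiteMinderClaimsModule : IHttpModule
{
    // Assumed header names; adjust to what your SiteMinder agent is configured to emit.
    private const string UserHeader = "SM_USER";
    private const string EmailHeader = "SM_EMAIL";
    private const string UserIdClaim = "http://schemas.xmlsoap.org/claims/useridentifier";
    private const string SipClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sip";
    private const string StringType = "http://www.w3.org/2001/XMLSchema#string";

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string loginName = ctx.Request.Headers[UserHeader];
        if (string.IsNullOrWhiteSpace(loginName))
        {
            // No agent header: do not fall back to an anonymous or default identity.
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        string email = ctx.Request.Headers[EmailHeader] ?? string.Empty;
        ClaimsPrincipal principal = BuildPrincipal(loginName, email, loginName);
        ctx.User = principal;
        Thread.CurrentPrincipal = principal; // keep both views of "current user" in sync
    }

    // Same claim set as the answer: userId, email (smtp) and login name (sip).
    public static ClaimsPrincipal BuildPrincipal(string userId, string smtp, string nameIdentifier)
    {
        var identity = new ClaimsIdentity(AuthenticationTypes.Federation, UserIdClaim, string.Empty);
        identity.AddClaim(new Claim(UserIdClaim, userId, StringType));
        identity.AddClaim(new Claim(ClaimTypes.Email, smtp, StringType));
        identity.AddClaim(new Claim(SipClaim, nameIdentifier, StringType));
        return new ClaimsPrincipal(identity);
    }

    public void Dispose() { }
}
```

Register the module in web.config (system.webServer/modules) so it runs before any code that reads HttpContext.User.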

0
votes

I will explain the above scenario with my SP+SiteMinder environment.

First of all, you can't get the ClientContext of the site which is protected by SiteMinder.

You can only get the ClientContext of the site using the internal URL of the site [http://hostname:port/sites/xyz].

To get the current user:

using System.Configuration;
using Microsoft.SharePoint.Client;

var spContext = SharePointContextProvider.Current.GetSharePointContext(HttpContext);

// We store internal url of webapplication in web.config
string strAdminSiteURL = ConfigurationManager.AppSettings["AdminSiteURL"].ToString();

// We have written one function to convert site-minder url to internal url
string webUrl = Helper.Helper.GetInternalSiteUrl(strAdminSiteURL, spContext.SPHostUrl.ToString());

// Use internal url to create client-context
// uName / pswd are the FBA credentials used to open the client context (defined elsewhere)
using (ClientContext clientContext = new ClientContext(webUrl))
{
    clientContext.AuthenticationMode = ClientAuthenticationMode.FormsAuthentication;
    clientContext.FormsAuthenticationLoginInfo = new FormsAuthenticationLoginInfo(uName, pswd);

    Web web = clientContext.Web;
    clientContext.Load(web);
    clientContext.ExecuteQuery();

    // Load SP user from login name found from httpcontext
    string currentSPUser = string.Concat("<<FBAIdentity>>", User.Identity.Name);
    var currentUser = clientContext.Web.EnsureUser(currentSPUser);
    clientContext.Load(currentUser);
    clientContext.ExecuteQuery();
}

The above code will work fine if the authentication mode is FBA and will help you get the current user.