Using SharePoint 2010 Claims: Windows Live Integration

In this two part series I will demonstrate how you can use the new SharePoint 2010 Claims authentication to integrate with third-party authentication sources really simple. In this part I will show how to integrate with Windows Live, in the next part I will show how to integrate OpenID.


  • SharePoint 2010 server, with a reachable website, running both HTTP and HTTPs
  • Your very own Windows Live account (to register your application with Microsoft)
  • My LIVE-STS-SETUP.ZIP file (Attached to the post)

Step 1: Register at Microsoft Service Manager
You will need to register your application at Microsoft. You will do this two times, first in the test-system INT, and then in the production system PROD. Microsoft will validate your solution before they will allow you access to the PROD environment. Basically this means you will have to do the setup twice, once for INT and after that for PROD. You need to go to Microsoft Service Manager. When you enter this site you will be redirected directly to the INT environment (a small INT label will indicate this in the top left corner of the site).

Click the “Register Your Site” link in the left menu on the site. The name field should be filled out with a free text, the DNS name must be your public domain name without any http or similar (and you must give the same value as you will use when running the setup script at your machine). Then click Submit, and you will have to confirm. Just click to confirm and your application will be created in the INT system. After this you will have to go and “Manage Your Site“, scroll down the page and click to edit properties. You will then have to check the advanced box to be able to change some properties. The first property you will need to set is Default Return URL which should be set to https://<>/_trust/default.aspx, click to move to next page and find the Override Authentication Policy and change that value to MBI_FED_SSL

Step 2: Prepare web servers
The next step is to install the certificates that are needed to identify the remote server and also to setup the providers. For your convenience I have attached both the PROD and INT certificate and a nice PS1 file for you to do all the grunt work. Start a SharePoint 2010 Management Shell and then goto the directory where you downloaded the zip file. Go to explorer, unzip the file and edit the four parameters at the to of the script (Your domain, Unique id from windows live and the paths to the certs).  Then run the script by simply typing .\setup-live.ps1.

Step 3: Configure the your application
Next you can start using the provider (only INT can be used if you have not yet been bumped into the PROD system). Goto the Web Applications Management in Central Administration. Highlight the application you wish to Live enable. Click the “Authentication Providers” button and then select whichever zone you want to configure. In the providers section you will now notice a LiveID and a LiveID-INT provider. Select your providers and then we are done! If you have not yet enabled Claims authentication for your Web Application this needs to be done before you can use the authentication from Windows Live ID. To do that goto powershell and run the following commands

$sajt = Get-SPWebApplication
$sajt.UseClaimsAuthentication = 1

Step 4: Test your application
Goto your url, depending if you have more than one authentication provider you will be promted to select which one to login. Note that when you are using the INT provider you will NOT be able to login using your normal account but instead you need to create a live account in the INT system (do that via the login page). Also note that the Live ID STS will NOT give you the email, but just the unique ID and you will need to construct a solution to provide a registration form for your users where they can enter email and whatever more you need.