
Using Google to Authenticate with SharePoint 2013

Collaborate with External Partners using Google Accounts

Brian Jones

05/06/2015


Having an on-premises SharePoint extranet is a great first step towards external collaboration, but handing out Windows credentials isn't a long-term solution for managing external accounts, and Active Directory federation is beyond the means of many small businesses. One solution is to let partners log in with their own cloud credentials, in this case managed by Google and brokered by the Azure Access Control Service.

Step 1: Create Google Account

  • Go to the Google developers console
  • Sign in if you have an account, otherwise create an account and log in
  • Click on Create Project
  • Enter a name for your project e.g. SharePoint Authentication and click Create
The project will now be created; it takes a few seconds and then you will be taken into the app.
  • Click on APIs & auth
  • Click on Consent Screen
  • Enter a name for your project and click Save
  • Click on Credentials
  • Click on Create new Client ID
  • Select Web application and click on Create Client ID
  • Copy the Client ID and Client secret from the screen that is displayed

Step 2: Create Windows Azure Access Control Namespace

  • Select App Services, Active Directory and finally Access Control
  • Enter a name for your access control namespace, select the region you are in and click Create
  • Click on Active Directory from the navigation menu on the left
  • Click on Access Control Namespaces
  • Select the namespace that you have just created and click on Manage

Step 3: Configure Access Control Service

  • Click on Identity providers
  • Click on Add
  • Select Google and click on Next
  • Enter the Client ID and Client secret that you copied from your Google app in step 1 and click Save
  • Click Relying party applications
  • Click on Add
  • Enter a name for the relying party application in the name field
  • In Realm enter the URL of your SharePoint web application
  • In return URL enter the URL of your SharePoint web application followed by /_trust
  • In the token format select SAML 1.1
  • Change the token lifetime (secs) to 700 and click Save
  • Click on Rule Groups
  • Click on Add
  • Enter a name for the rule group and click Save
  • Click on Generate
  • Select Google and click on Generate
  • Click Save

Step 4: Certificates and Keys

  • Click on Certificates and Keys
  • Click on Save
  • Select your relying party application from the drop down list (You created it in step 3)
  • On the page copy the MakeCert command
  • On your client machine you will need to generate a certificate to be used for the trust. Launch a command prompt as administrator, navigate to the directory where makecert is installed and run the copied command.
  • If you don't have makecert you can get it from here: makecert
  • The certificate is placed in your personal certificate store; you need to export it twice, once as a .CER (public key only, which SharePoint will use in step 5) and once as a .PFX (including the private key, which you upload to the access control service at the end of this step).
  • Click on start > run, enter MMC and click OK
  • In the console click on File > Add/Remove Snap-in
  • Select certificates and click Add
  • Select My user account and click finish
  • Click Ok
  • Expand Certificates – Current User
  • Expand Personal
  • Select Certificates
  • In the certificates list you should see your new certificate
  • Right click on the certificate, select All tasks > Export
  • Click next
  • Select No, do not export the private key and click next
  • Click next leaving the defaults
  • Click browse, enter a suitable name for the certificate e.g. Auth and save the file somewhere suitable.
  • Click Save
  • Click Next
  • Click Finish
  • Click OK on the success message
  • Right click on the certificate, select All tasks > Export
  • Click next
  • Select Yes, export the private key and click next
  • Click next leaving the defaults
  • Select Password and enter a password (remember this you will need it) and click next.
  • Click browse, enter a suitable name for the certificate e.g. Auth and save the file somewhere suitable.
  • Click Save
  • Click Next
  • Click Finish
  • Click OK on the success message
  • Return to your access control service browser window.
  • Click on Browse
  • Browse to the .pfx file you created in the previous step and click open
  • Enter the password and click Save

Step 5: SharePoint Configuration

  • Log on to your SharePoint server
  • Copy the .cer file you created in a previous step to the server
  • Open the SharePoint Management Shell as administrator
  • Run the following PowerShell commands, substituting your own values where indicated

    $realm="http://my.sharepoint.com"

  • Where the URL is the URL of your SharePoint web application (it must match the Realm you entered for the relying party application in step 3)

    $signinurl="https://mysharepointlogin.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https://my.sharepoint.com/"

  • Replace the namespace (mysharepointlogin) with your access control namespace and the wtrealm value with your web application URL, so that it is the same value as $realm

    $certlocation="C:\Certificates\auth.cer"

  • Replace the path with the location of your .cer file

    $rootcertificate=Get-PfxCertificate $certlocation

    New-SPTrustedRootAuthority "MyGoogleSharePointLogin" -Certificate $rootcertificate

    $certificate=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certlocation)

    $ClaimTypingMapping=New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming

    New-SPTrustedIdentityTokenIssuer -Name "Google Authentication" -Description "Google Authentication" -Realm $realm -ImportTrustCertificate $certificate -ClaimsMappings $ClaimTypingMapping -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

  • Once you have run the PowerShell commands you will need to add the identity provider to your web application.
  • Open SharePoint Central Administration
  • Click on Application Management
  • Click on Manage Web Applications
  • Select the Web Application that will be using Google for authentication
  • Click on Authentication Providers in the toolbar
  • Select the relevant zone; this will be Default if you only have one zone
  • Scroll down the window, tick Trusted Identity provider and select Google Authentication
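Before moving on to testing, it is worth checking the trust you have just created from the SharePoint Management Shell. The script below is an added example, not part of the original post; it assumes the issuer name "Google Authentication" and the root authority name "MyGoogleSharePointLogin" used in the commands above, and the web application URL is a placeholder you should change. It checks the three things that most often break sign-in: a realm that does not match the one registered in the access control service, an identifier claim that is not the e-mail address, and a signing certificate that is missing, mismatched or about to expire.

```powershell
# Added example, not from the original post. Verifies the trusted identity token issuer
# configured in step 5. Names below match the commands in the post; $webAppUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "Google Authentication"
$rootName   = "MyGoogleSharePointLogin"
$webAppUrl  = "http://my.sharepoint.com"   # placeholder: must equal the ACS relying party Realm
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop

# 1. The realm SharePoint sends as wtrealm has to match the Realm configured in ACS exactly
#    (scheme, host and trailing slash included); otherwise ACS will not issue a token for it.
$realm = [string]$issuer.DefaultProviderRealm
if ($realm -ne $webAppUrl) {
    Write-Warning "Realm mismatch: issuer has '$realm', expected '$webAppUrl'"
}

# 2. The identifier claim should be the e-mail address, as mapped in step 5.
$idClaim = $issuer.IdentityClaimTypeInformation.MappedClaimType
if ($idClaim -ne $emailClaim) {
    Write-Warning "Identifier claim is '$idClaim', not the e-mail address claim"
}

# 3. The certificate imported from the .cer is what SharePoint uses to validate token signatures.
#    Its thumbprint must match the certificate shown under Certificates and Keys in ACS, and it
#    must not be expired, or every Google sign-in will be rejected.
$cert = $issuer.SigningCertificate
if (-not $cert) {
    Write-Warning "No signing certificate is attached to '$issuerName'"
} else {
    "Signing cert : $($cert.Subject)"
    "Thumbprint   : $($cert.Thumbprint)"
    "Valid until  : $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate expires within 30 days; renew it in ACS and re-import the .cer"
    }
}

# 4. The trusted root authority registered with New-SPTrustedRootAuthority should carry the same
#    certificate as the issuer; a mismatch usually means the .cer was regenerated after the first import.
$root = Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue
if (-not $root) {
    Write-Warning "Trusted root authority '$rootName' not found"
} elseif ($cert -and $root.Certificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Root authority certificate differs from the issuer's signing certificate"
}
```

Run it once after step 5 and again whenever you regenerate the certificate in the access control service; a silent run (no warnings) means the trust, claim mapping and certificate line up.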

Step 6: Testing

  • Open a web browser and navigate to your root site collection on the web application. You should get a drop down list showing the logon options.
  • Select Google Authentication and you should get the Google authentication page.
  • Enter your Google credentials and click sign in.
  • You should be returned to your SharePoint page. You will probably be given an access denied message because the account has not yet been granted any rights to your site; grant rights as you would normally.
  • When granting rights to Google users you will need to use the full email address. The people picker will not resolve the name unless the user has already been added, but you will still be able to add new users.
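Because the people picker cannot resolve a Google account before its first sign-in, it is often easier to grant access from the Management Shell by building the claims identity directly. The following is an added example, not part of the original post; it assumes the issuer name "Google Authentication" from step 5, and the site URL, e-mail address and group name are placeholders.

```powershell
# Added example, not from the original post. Grants a Google user access to a site by constructing
# the claims principal that the people picker would produce, without waiting for the user to sign in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl     = "http://my.sharepoint.com"      # placeholder: the site to grant access to
$userEmail  = "partner@example.com"           # placeholder: the Google account's e-mail address
$groupName  = "Extranet Partners"             # placeholder: an existing SharePoint group on the site
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "Google Authentication" -ErrorAction Stop

# Build the identifier claim (e-mail) scoped to the trusted issuer. The encoded form is what
# SharePoint stores as the login name, e.g.  i:05.t|google authentication|partner@example.com
$principal = New-SPClaimsPrincipal -ClaimValue $userEmail -ClaimType $emailClaim `
                                   -TrustedIdentityTokenIssuer $issuer -IdentifierClaim
$encoded = $principal.ToEncodedString()
"Encoded login: $encoded"

# Add the user to a group rather than granting permissions directly, so that external access can
# be reviewed and revoked in one place. New-SPUser accepts the encoded claim even though the
# account has never authenticated against this farm.
$web = Get-SPWeb $webUrl
try {
    New-SPUser -UserAlias $encoded -Web $web -Group $groupName -ErrorAction Stop | Out-Null
    "Added $userEmail to '$groupName' on $webUrl"
}
finally {
    $web.Dispose()
}
```

The same encoded value can be pasted into the people picker or into Grant Permissions in the browser if you prefer the UI; the point is that the e-mail address alone is not the login name, the claim type and issuer prefix are part of it.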
