Monday, July 20, 2009

SSO and IFrame, more details please

I have worked on several projects, for example an intranet portal for a company or organization, where one of the modules is to provide SSO with an existing application and to load that application within an IFrame in our page. It seems very simple, but is it that simple in the client's imagination, or will he find something else at the end, at delivery? So we must make some points clear to the customer from the beginning, like:

A. Points related to the SSO:
1. SSO itself
2. Sign out
3. Session expiration
4. Browse directly to the application URL

B. Points related to the Frame:
1. Frame/Iframe
2. Header
3. Welcome Message
4. Navigation

A.1. SSO itself:
A group of questions we must answer here depends on the case: is it a product, or does the client have the source code? Can we add some pages or DLLs to the application? Can we use cookies? What will be the authentication type in both applications? Can we encrypt/decrypt? Can we use ISA to authenticate the users? Can we use MOSS SSO? Is there a common membership provider? And so on.

A.2. Sign out:
Is it required to sign the user out from the portal if he clicks on sign out in the other application, or to sign him out from the application if he clicks on sign out in the portal? Where will I redirect the user in the portal if he logs out from the application?

A.3. Session expiration
How will we manage the session expiration in either of the two applications? The user may spend more time on the application while his session on the portal expires, and vice versa. Is it required to keep the session alive while the user is browsing the other application?

A.4. Browse directly to the application URL
What if the user types the URL of the application while he is already signed in on the portal? Is it required to authenticate him on the application as well, or not?

B.1. Frame/Iframe:
What about the look of the page? Is it okay to have many scroll bars in the same page? Is the size of the frame sufficient to display the application screens? What about the color scheme of the application, is it okay with the portal colors? So we can ask, what is the problem with a popup/new window?

B.2. Header:
If the application has its own header, you will have two headers in the same page, which means more lost space, and maybe two logos.

B.3. Welcome Message:
In case the two applications have separate membership providers or user profiles, you will see in the same page, for example, "Welcome omourad" and "Welcome Osama Mourad". Is that okay? And the user may sign in with another user in the application, so you will see in the same page, for example, "Welcome omourad" and "Welcome Ahmed El Said".

B.4. Navigation:
The same applies to navigation: if the application has its own navigation, we will have extra navigation and extra lost space, and for usability it is not a good practice.

Tuesday, July 14, 2009

Paging SPList with ListItemCollectionPosition

Using ListItemCollectionPosition to implement paging is somewhat tricky. You have to take care if you are using ordering in the CAML query that you need to page, because the parameters passed to ListItemCollectionPosition like "Paged=TRUE&p_ID=8" do not just say "start from itemID = 8": when it is used like this, the paging will page based on the default order.

But if you want to order by, for example, the created date in your CAML query, you have to include that also in your ListItemCollectionPosition parameters, ex:


where p_Created=20091208%2006%3a24%3a35 is the URL-encoded created date of the item with ID = 8.

If it is not used like that, the pages you get back will not match the order you asked for.
A good way to implement paging is to build an array whose index is the page index and whose value is the ListItemCollectionPosition.PagingInfo, like this:

// needs: using System.Collections; using Microsoft.SharePoint;
ArrayList myPagingData = new ArrayList(); // page index -> PagingInfo; entry 0 is null (first page needs no position)
void SetupPager(SPList tmpList, string queryString)
{
    SPQuery query = new SPQuery();
    query.Query = queryString;
    query.RowLimit = 5;
    myPagingData.Clear();
    myPagingData.Add(null); // page 0
    do
    {
        SPListItemCollection itemList = tmpList.GetItems(query);
        query.ListItemCollectionPosition = itemList.ListItemCollectionPosition;
        if (query.ListItemCollectionPosition != null)
            myPagingData.Add(query.ListItemCollectionPosition.PagingInfo); // position of the next page
    }
    while (query.ListItemCollectionPosition != null);
}


The above method can be called the first time the page is opened; you can store the array in the ViewState, reload it with each postback, and pass the stored position to the query like this:
string pagingInfo = (string)myPagingData[e.CurrentPage]; // null for the first page
query.ListItemCollectionPosition = pagingInfo == null ? null : new SPListItemCollectionPosition(pagingInfo);
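As an added example (not the post's own code), the following pages a CAML query ordered by Created by chaining the PagingInfo SharePoint returns, and also shows how a position string for such an ordered query has to be built by hand with the sort-column value, as the post describes. The list, the field names and the "yyyyMMdd HH:mm:ss" date format (matching the post's sample value) are assumptions.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: paging an ordered CAML query with ListItemCollectionPosition.
// Assumptions: the query orders by Created; the date format in the position
// string follows the post's sample ("20091208 06:24:35" before URL encoding).
public static class OrderedPaging
{
    public const string OrderedQuery =
        "<OrderBy><FieldRef Name='Created' Ascending='TRUE' /></OrderBy>";

    // Fetch the page that starts after the given position (null = first page)
    // and pass back the position SharePoint computed for the page after it.
    public static SPListItemCollection GetPage(SPList list, string pagingInfo,
                                               uint pageSize, out string nextPagingInfo)
    {
        SPQuery query = new SPQuery();
        query.Query = OrderedQuery;
        query.RowLimit = pageSize;
        if (pagingInfo != null)
            query.ListItemCollectionPosition = new SPListItemCollectionPosition(pagingInfo);

        SPListItemCollection items = list.GetItems(query);
        // PagingInfo already carries p_Created and p_ID because the query is ordered by Created
        nextPagingInfo = items.ListItemCollectionPosition == null
            ? null
            : items.ListItemCollectionPosition.PagingInfo;
        return items;
    }

    // Build a position string by hand for a query ordered by Created.
    // Passing only p_ID would make SharePoint page by the default (ID) order,
    // which is the mismatch the post warns about.
    public static string BuildPosition(SPListItem lastItemOfPreviousPage)
    {
        DateTime created = (DateTime)lastItemOfPreviousPage["Created"];
        // Uri.EscapeDataString turns "20091208 06:24:35" into 20091208%2006%3A24%3A35
        string encodedDate = Uri.EscapeDataString(created.ToString("yyyyMMdd HH:mm:ss"));
        return "Paged=TRUE&p_Created=" + encodedDate + "&p_ID=" + lastItemOfPreviousPage.ID;
    }
}
```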

Wednesday, July 08, 2009

Forms Authentication with LDAP provider in Sharepoint - Part 2

In Part 1 we talked about how to configure a SharePoint site to use Forms Authentication with the LDAP provider, but to complete the scenario we have to update the UI of the login page. This works the same way if any other forms authentication provider is used.

Once the authentication provider is changed from the central administration, the web.config file will also be updated as:

<authentication mode="Forms">
  <forms loginUrl="/_layouts/login.aspx" />
</authentication>

Here login.aspx is the default login page for SharePoint. You can go to C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS and update login.aspx directly in this path, or make a copy of this page in any folder under your application, ex. in a folder named login. You may also need to update the master page that this page uses; you can do this by copying the new master page to the same folder, or by copying simple.master from the same path and updating it.

To change the master page that the login.aspx page uses, you can type:

<script runat="server">
    void Page_PreInit(object sender, EventArgs e)
    {
        // switch the master page before the control tree is built
        this.Page.MasterPageFile = "~/login/mymasterpage.master";
    }
</script>

This updates the master page on the fly, since you can't just update the master page path in the aspx page directive.

Also, you may need to add a stylesheet file and some images to be displayed in this login page. You can't reference any file stored in the SharePoint libraries, because you have to be authenticated first, so you can add a web.config file in the same folder that just has:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web><authorization><allow users="*" /></authorization></system.web>
</configuration>

This allows the user, who is still anonymous at this point, to request the css, js and images.

Tuesday, July 07, 2009

Forms Authentication with LDAP provider in Sharepoint - Part 1

I was working on an extranet SharePoint project. During requirement gathering it was agreed to have Windows authentication, but after the deployment and during the UAT the customer reported to us that he didn't like the popup login window and wanted forms authentication to have a better look. One solution is to publish the site using the ISA server, which will request the username and password from the user via a form and pass them to SharePoint. Here is a good article on how this can be done.

Another solution is to use forms authentication with LDAP provider, and here are the steps to do it:

Configure the Central Administration and the application:
1. Extend the application
2. Update the authentication type of the extended application to forms authentication, add the membership provider name, ex: LdapMembership
3. In the extended site folder, update the web.config file and add:

<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership" server="devtfs08-ksa" port="389" userContainer="DC=YOUR-DOMAIN-HERE,DC=local" userFilter="(ObjectClass=*)"
         otherRequiredUserAttributes="sn,givenname,cn" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
  </providers>
</membership>

4. In the above configuration, "devtfs08-ksa" is my server name and my domain name is "". The port number 389 is the default, and userFilter="(ObjectClass=*)" will get all the users and groups.
5. Update the web.config file of the central administration site as well, so you are able to set the site administrator; you can make the first user the admin on the default zone and the second user the admin on the extended zone.
6. Browse to the extended site and test the login.

Configure the User Profiles import:
1. Go to the User Profiles and Properties in the SSP
2. Click on View Import Connections, delete the current Active Directory connection, and create a new one.
3. Select the type "LDAP Directory" and use the same values as in the membership provider above as the values for the form.
4. Click on the button “Auto Fill …”
5. In the search base, use the UserContainer value from the values above.
6. Update the user filters to use the same values as above.
7. Add the username and password of an account that can list the directory.
8. Start full import.

The same can be done for My Site, but the user will be asked for his username and password when he browses from the intranet portal to his site in case they are on different application pools, which is recommended.