Documents‎ > ‎1. Installation‎ > ‎

2. Install Security Token Service (STS)​​

Note: Trial version of Shetab SharePoint Live Authentication use already installed STS in authtest.shetabtech.com so you do not need to read this document if using the trial version.

SharePoint redirect sign-in process for Trusted Identity provider to a STS web site, after you purchase the product you should install STS web application in a web server. This STS web site exists in STS folder where you extract the solution.

Requirement

SharePoint Live Authentication Version 3.4 or upper
  1. IIS server with .NET 4.5
  2. You should have Administrator privilege
  3. Any valid or self-signed certificate (PFX). If you don’t have you can create it by reading How to create Self-Signed Certificate.
    This certificate will just be used between STS and SharePoint Server, so for this purpose self-signed with long expiration time is better than valid certificate in this case.
SharePoint Live Authentication Version 3.3 or older
  1. IIS server with .NET 3.5
  2. Microsoft Windows Identity Foundation 3.5 (WIF). 
    • WIF 3.5 already installed by Microsoft SharePoint 2010. If your STS server does have Microsoft SharePoint 2010 you can Install WIF 3.5 from here.
    • Run iisreset after installing WIF 3.5
  3. You should have Administrator privilege
  4. Any valid or self-signed certificate (PFX). If you don’t have, you can create it by reading How to create Self-Signed Certificate.
    This certificate will just be used between STS and SharePoint Server, so for this purpose self-signed with long expiration time is better than valid certificate in this case.

Create STS Web Site

  1. Retrieve a Commercial edition of Shetab SharePoint Live Authentication and extract it.
  2. Copy "STS" folder from extracted folder of Shetab SharePoint Live Authentication to "wwwroot" folder. You can copy it anywhere but wwwroot already have default security required for IIS to run web applications, if you choose another location you should set required permission for IIS in that folder. default wwwroot location is C:\inetpub\wwwroot\
  3. Open Internet Information Service (IIS) Manager. You can open it via "InetMgr.exe" command.
  4. Select your webserver and right click, then select "Add Web Site…" item.
    IIS-AddWebSite
  5. In site name write "Shetab Live Auth STS"
  6. In "Physical path" select the folder that you copy "Shetab SharePoint Live Authentication STS", example:
    “C:\inetpub\wwwroot\STS”
  7. Select appreciate binding so the web application should be reachable from the internet, the URL to this application is a Sign-In URL that you should set when you Install Shetab SharePoint Live Authentication as Trusted Identity provider.IIS-WebSiteProp
  8. Click OK.
    For More Information in Microsoft: Add a Web Site to IIS Site​
Note: 
  • SharePoint Live Authentication Version 3.4 or upper go to IIS "Application Pools"  and make sure .NET CLR Version is set to V4.0.
  • SharePoint Live Authentication Version 3.3 or older go to IIS "Application Pools"  and make sure .NET CLR Version is set to V2.0.

Open the Certificate Manager for Computer Account

You should install sign-in certificate in server where you install STS. This certificate does not need to be valid, because it shared between your SharePoint server and STS server, so you can use any self-signed certificate and install it in the trusted store. if you don’t have a certificated you can create it by reading Create Self-Signed Certificate You should install the a certificate to your computer account and let IIS to use its private key to allow STS web site sign the sign-in messages between itself and SharePoint web applications.
  1. Open a Command Prompt window.
  2. Type "mmc" and press the ENTER key. Note that to view certificates in the local machine store, you must be in the Administrator role.
  3. On the "File" menu, click "Add/Remove Snap In".
    cert-snapin
  4. Click "Add".
  5. In the Add Standalone Snap-in dialog box, select "Certificates".
    22
  6. Click "Add".
  7. In the Certificates snap-in dialog box, select "Computer account" and click Next.
  8. In the Select Computer dialog box, click "Finish".
    afss
  9. In the "Add Standalone Snap-in" dialog box, click "Close".
  10. On the "Add/Remove Snap-in" dialog box, click "OK".
  11. In the Console Root window, click Certificates (Local Computer) to view the certificate stores for the computer.
    More Information in Microsoft: How to: View Certificates with the MMC Snap-in.

Install Certificate

After Open Certificate Manager for Computer Account you should install the a certificate to your computer account and let IIS to use its private key to allow STS web site sign the sign-in messages between itself and SharePoint web applications.
  1. Expand "Certificates (Local Computer)" and "Personal", then select "Certificates" node.
  2. Right click on "Certificates" and from shortcut menu select "All Tasks" then right click on "Certificates" and from shortcut menu select "All Tasks" then select "Import".
  3. "Certificate Import Wizard" will appear, follow the wizard and select your "pfx" file as filename.


  4. Finish the Wizard by leaving other value as default.
  5. Right Click on "Imported Certificate" from right pane.
  6. Select All Tasks then Select "Manage Private Keys"​. This item will not appear if the certificate does not import from a PFX file.
  7. Add "IIS_IUSRS" then select "Read" permission from it.
  8. Press "OK".

Declear the Certificate to SharePoint Live Authentication STS

Now you should tell a SharePoint Live Authentication STS to use this certificate.
  1. Find the "CER" file of your certificate. "CER" file usually come with "PFX" file, it also can be exported from a "PFX" file.
  2. Open the certificate (CER file) by double click on it.
  3. Go to "Details" tab and select "Serial Number".

  4. Write the "Serial Number" somewhere without any space. Example:
    af655225af100bb643fa0fa462481f7d
  5. Open "web.config" of "SharePoint Live Authentication STS" in notepad. Example: 
    "C:\inetpub\wwwroot\STS\Web.config"
  6. Find "signingCertificate" tag and set the "serialNumber" attribute to the Serial Number of the certificate that you wrote in previous step. Example:
    <signingCertificate storeName="My" serialNumber="‎‎af655225af100bb643fa0fa462481f7d"/>
  7. Save "web.config".
  8. Now you setup a "SharePoint Live Authentication STS" web site and you can set its URL as sign-in URL for Trusted Identity provider. To set it as sign-in page just edit "vars.bat" and set "SigningUrl" value to your STS site url. To take effect you need to reinstall the trusted provider by executing "zReinit.bat" from Configure folder.