
Sitecore ALM and governance part 1: Validate your deployment packages – how to keep your website stable

Code written for Sitecore will someday be deployed to an existing Sitecore environment, and preferably this happens "first time right". One of our guidelines to achieve this is: don't overwrite Sitecore files, don't update existing files of other packages, don't upgrade assembly versions and, above all, don't break your site. A single overwritten file can cause a lot of trouble without anyone knowing where to look. When we were still working with SharePoint, there was a built-in mechanism to create and remove deployment packages; developers had to go out of their way to overwrite out-of-the-box files, as the packaging mechanism explicitly required you to select the files you wanted to deploy. I was (and still am) surprised that Sitecore doesn't offer this feature (well, not in the form I expected), so I decided to write a blogpost on the shortcomings we see, how to solve them and how to verify up front that a package will deploy cleanly.

Source code for the Sitecore Validate Webdeploy packages is provided on github.



Multiple Site Manager error: The requested document was not found

Recently our admins faced an error in one of our Sitecore environments that we couldn't explain: Sitecore tried to serve a site that it shouldn't serve, which caused a nasty error. The logs didn't tell us anything, so our admins had a hard time pinpointing the cause.



Third party libraries used by Sitecore

At Achmea, we made the strategic decision to use Sitecore as the platform for all of our websites, and we've got hundreds of them. To do this at enterprise level, on such a scale, it's important that we have guidance on infrastructure, development, deployment, security, content and DMS, just to be sure that the stable environment we deliver stays stable. We all know that it's important to work with the right Sitecore assemblies (correct version) and not to overwrite them. But Sitecore doesn't only deliver Sitecore assemblies; it ships 3rd party assemblies as well, for example Microsoft assemblies, TweetSharp, the Facebook API, Google APIs, et cetera. This blogpost lists the 3rd party components Sitecore ships with, the license tied to each and the version delivered. It currently only covers Sitecore 8.0 update 5 and Sitecore 8.1 update 1.

Try to guess the answer to this one first: "What is the release year of the oldest component that ships with Sitecore?" You will be surprised 😉


How to add support for Federated Authentication and claims to Sitecore using OWIN

Out of the box, Sitecore only offers its own forms-based authentication provider, which requires every user to be added to the Sitecore membership database. At Achmea, we had the requirement to facilitate login via ADFS, as we use our user accounts across different systems, web applications and apps. On top of that missing functionality, it isn't possible to work with claims either.

This blogpost describes how to add and use the Federated Authentication middleware using OWIN in combination with Sitecore and how to access the claims that are provided using the federated login. The solution supports a multi-site scenario, which can handle different identity providers and multiple realms. This opens up possibilities to use external identity providers, for example via ADFS or Windows Azure Active Directory.

The source code for the federated login component can be found on github. Please feel free to contact me via twitter/mail/github if there are any questions! A special thanks to Kern Herskind Nightingale of Sitecore: we discussed a lot on the integration patterns for federation and Sitecore.



Setup your development environment for High trust Saml Claims based SharePoint provider hosted applications using OWIN and an easy to use STS – part 3

Since SharePoint 2013, web applications are created with claims based authentication by default. This also works together with high trust provider hosted apps based on Windows authentication. Whenever ADFS with its SAML claims pops in, it gets complicated: SharePoint needs to be configured, high trust provider hosted apps need to be configured and the app needs to communicate with SharePoint using SAML claims. Mix in a development environment where, very likely, no ADFS is available and it gets really complicated. Until now ;).

This blogpost describes how to set up an identity provider STS for development environments, how to configure SharePoint to use this STS and how to develop a web application that uses SAML claims and can communicate with SharePoint. All using OWIN, as it eases development. More information on the STS and the OWIN configuration can be found in my previous blogposts in this series:



Configure claims based web applications using OWIN WsFederation middleware

In my previous blogpost about setting up a simple STS for web application development I wrote about how to set up the web application using the classic web.config modifications. This can be a lot easier by using the OWIN WsFederation middleware. This blogpost describes how to set up a secured web application using the OWIN WsFederation middleware; it is the second post in a series of three, in which we work towards a simple (local development) solution to build high trust claims based SharePoint provider hosted apps.

  1. How to setup a simple STS for web application development
  2. How to configure WsFederation for webapplications using OWIN (this blogpost)
  3. How to mix in SharePoint 2013 and high trust claims based provider hosted apps using OWIN and the thinktecture Embedded STS

Configuration using OWIN

OWIN is the Open Web Interface for .Net. The definition according to

OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.

Loosely explained: it defines a standard interface between .NET web servers and web applications and should make it possible to run web applications on servers other than, for example, IIS. In this case, the OWIN modules for WsFederation make it very easy to configure authentication, as opposed to the classic web.config configuration. Daniel Roth summarized it in one simple image in his blogpost:

configuration comparison between web.config and OWIN - property of Daniel Roth

Why so easy?

The WsFederation module can be configured to request the federation metadata of the STS. This federation metadata describes the identity provider: its signing certificates, the claims it issues, its endpoints and more, all of which would otherwise have to be configured by hand, which often goes wrong. The only other information you have to provide is the requested realm. One caveat: the middleware trusts whatever signing keys the metadata document advertises, so outside a local development setup the metadata address must be an https URL; otherwise anyone who can tamper with that download decides which keys your application accepts tokens from.

In the case of the Thinktecture Embedded STS, there was no federation metadata endpoint, so I added one and offered it as a pull request to the owners of the Embedded STS. Writing it was pretty simple, but getting it to work caused a major "challenge": I had some severe issues getting the endpoint to work, but hey, I got the job done ;).

This STS is so easy, because it doesn’t require any form of setup:

  1. Edit the EmbeddedStsUsers.json, to add users and/or claims
  2. Run the application

In addition to the easy setup, it always returns the information you request, without the hassle of configuring reply addresses, realms, claim rules or whatever: the perfect solution when developing new web applications! Those same properties (it accepts any realm and any reply address, and its users and claims are just a JSON file) are also why it must never listen on anything but your local development machine.

How to configure

To create a webapplication that makes use of OWIN, do the following:

  • Create a new web application
  • Install OWIN and the WsFederation middleware
  • Configure the application
  • Run

Create a new webapplication

First, create a new web application. It doesn't matter which kind of application you choose; it works with both WebForms and MVC web applications. Make sure to choose "No Authentication" in the wizard, as the authentication will be handled by the middleware, not by the built-in ASP.NET authentication facilities.

Second, make sure to add an "Authorize" attribute to the landing page or HomeController; this forces an authentication challenge. All logged-in users will have access to this resource.

For MVC applications the attribute is System.Web.Mvc.AuthorizeAttribute (Web API has its own in System.Web.Http). WebForms has no such attribute: protect the page with an <authorization> element in web.config (deny users="?") so that an anonymous request results in a 401, which the middleware turns into the redirect to the STS.

Install OWIN and the WsFederation middleware

Install the required packages using the following commands:

  • install-package Microsoft.Owin – this installs OWIN and the Microsoft.Owin core in your web application
  • install-package Microsoft.Owin.Host.SystemWeb – this one hooks the OWIN pipeline into the IIS/System.Web host
  • install-package Microsoft.Owin.Security.WsFederation – installs the WsFederation middleware and all prerequisites
  • install-package Microsoft.Owin.Security.Cookies – installs the cookie middleware that keeps the user signed in after the federated login

Configure the application to run the middleware

First, the application needs to be configured to run the OWIN middleware. To do this, add a new class. This class is initialized on startup when marked with the OWIN startup attribute. A template has been provided: Make sure to choose the OWIN startup template when creating the new class:

The template contains a Startup1 class with a Configuration method and marks the assembly with the OwinStartup attribute (it is an assembly-level attribute, not a namespace attribute). This tells OWIN that Startup1 is the class used to configure the application. The Configuration method is always the entry point and accepts an IAppBuilder parameter, the generic interface for wiring up OWIN middleware.

The next, and last step, is to configure the application to use the WsFederation middleware:

    public void Configuration(IAppBuilder app)
    {
        // Sign the user in through the cookie middleware once the WS-Federation token has been validated.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = "http://localhost:29702/FederationMetadata",
            Wtrealm = "urn:SupaDoopaRealm",
            Wreply = "http://localhost:16635/"
        });
    }

SetDefaultSignInAsAuthenticationType configures the default sign-in type to use "Cookies". In this example, the constant CookieAuthenticationDefaults.AuthenticationType is used, but a plain old string with the text "Cookies" will be sufficient as well.

UseCookieAuthentication registers the cookie middleware; its options are left at their defaults in this case.

UseWsFederationAuthentication is the line where all the magic happens. The WsFederation middleware is loaded with 3 parameters:

  • MetadataAddress – the endpoint where the federation metadata is fetched from
  • Wtrealm – the requested realm; in the case of the thinktecture embedded STS, this can be any value, as it always returns the requested realm
  • Wreply – normally this is configured on the STS itself, but in the case of the EmbeddedSTS this parameter has to be provided, otherwise you'll be redirected back to the STS itself


Hit F5 and see the magic happen. Whenever you press the login button, you’ll be redirected to the EmbeddedSTS, because the Authorize attribute triggered the authentication challenge:

After signing in, you are authenticated and redirected to the page that triggered the challenge. And because all logged in users are authorized in this example, you will have permission to view the page.
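As an added example (not code from this post, the example project or the Thinktecture project), here is what the four steps above produce when put together: the complete Startup class plus a controller that reads the claims the STS issued, with comments on the settings a practitioner would tighten before the same code leaves the development machine. The ports, realm and metadata path are the ones from this post; the WsFedSample namespace, the HomeController and the claim types it reads are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Assembly-level attribute: OWIN calls WsFedSample.Startup.Configuration at startup (namespace is assumed).
[assembly: OwinStartup(typeof(WsFedSample.Startup))]

namespace WsFedSample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The WS-Federation middleware validates the token and then signs the user in
            // through whichever middleware owns this authentication type: the cookie middleware.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // SameAsRequest is the default and is what lets the plain-http Embedded STS round trip work.
                // Outside a dev box, serve the app over https so the session cookie is only ever sent Secure.
                CookieSecure = CookieSecureOption.SameAsRequest,
                CookieHttpOnly = true
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // The token signing keys come out of this document, so whoever can tamper with the
                // download chooses which keys you accept: use an https address for every non-local STS.
                MetadataAddress = "http://localhost:29702/FederationMetadata",
                Wtrealm = "urn:SupaDoopaRealm",
                // Required for the Embedded STS; a production STS normally has the reply address registered.
                Wreply = "http://localhost:16635/",
                // Active mode (the default): a 401 produced by [Authorize] becomes a redirect to the STS.
                AuthenticationMode = AuthenticationMode.Active
            });
        }
    }

    // [Authorize] on the controller is what triggers the challenge on the first anonymous request.
    [Authorize]
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            // After the round trip the cookie middleware rehydrates a ClaimsPrincipal
            // built from the claims the STS put into the token (claim types are assumptions).
            var principal = (ClaimsPrincipal)User;
            ViewBag.Name = principal.FindFirst(ClaimTypes.Name)?.Value;
            ViewBag.Claims = principal.Claims
                .Select(c => c.Type + " = " + c.Value)
                .ToList();
            return View();
        }

        public ActionResult SignOut()
        {
            // Drops the local session cookie only; a full federated sign-out would additionally
            // send the WS-Federation wsignout request to the STS.
            HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return RedirectToAction("Index");
        }
    }
}
```

Run it against the Embedded STS from part 1 and the Index view can list every claim that came back in the token. To point the same code at a real STS, replace MetadataAddress with that STS's https federation metadata URL and register the Wreply address on the STS side.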


Setting up claims based authentication in a web application using OWIN is very easy: it just consists of pulling in a few packages, defining a startup class and configuring the WsFederation middleware. It's way easier than doing this manually, because the magic is handled by the middleware using the WsFederation metadata.

Next blogpost will explain on how to use the Embedded STS, SharePoint 2013 and High trust Claims based provider hosted applications using OWIN. That’s a mouth full for a title 😉

The Embedded STS sources can be downloaded here (own fork of the Thinktecture.IdentityModel).

The example project for configuring claims based web applications using OWIN can be found here.


How to setup a simple STS for web application development – Part 1 of 3

When developing claims based web applications which need to connect to ADFS, Azure or any other STS, it's not always possible to connect to an existing environment, for example due to security, the absence of a test environment or an unwilling admin ;). To solve this, a lot of people try to set up a local AD and ADFS, which can cause a lot of trouble, especially in an enterprise environment. This setup is not very convenient, especially when you just want to create a claims based application. Whenever SharePoint and claims based high trust provider hosted apps are thrown into the game, the inconvenient setup turns into a very complex situation.

Luckily, there is a very easy solution for this! In this and the next two blogposts I will show how to solve it:

  1. How to setup a simple STS for web application development (this blogpost) – how to create a simple STS using Thinktecture embedded STS and configure the web application using the classic web.config
  2. How to setup claims based authentication via OWIN
  3. How to mix in SharePoint 2013 and high trust claims based provider hosted apps using OWIN and the thinktecture Embedded STS



Claims based authentication – The signature verification failed

I was working on a small addition to the Thinktecture EmbeddedSTS, to ease local development for our development teams, who are building a lot of MVC applications and SharePoint provider hosted apps. We don't want to bother them with setting up a separate AD and ADFS, so we decided to use a simple, small STS: the Thinktecture Embedded STS. One of the additions was a FederationMetadata endpoint. This is a small improvement, as it makes it possible to set up claims based identities via OWIN, which is way easier than the typical web.config configuration. But there was one nifty error that was, in my case, very hard to find but easy to fix. It turned out that the signature node may not contain any formatting: spaces, line feeds and carriage returns must not be added inside the Signature element of the FederationMetadata document, because the whitespace becomes part of the canonical form the signature is checked against.
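To make that failure mode reproducible, here is an added example (not code from this post or from the Thinktecture project): it signs a small metadata-like document with an enveloped XML signature, verifies it, then re-serialises the very same document with indentation and verifies again. The entity id and element names are made up for the demo; the point is that XML canonicalisation keeps whitespace text nodes, so indentation inserted into SignedInfo (or into the signed content) changes the bytes the signature and digest cover, and verification fails even though nothing else changed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public static class SignatureWhitespaceDemo
{
    // Enveloped XML-DSig over the whole document, appended as a child of the root element.
    public static XmlDocument Sign(string xml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);

        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference("");                         // "" = the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();

        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Locate the ds:Signature element and check it with the given public key.
    public static bool Verify(XmlDocument doc, RSA key)
    {
        var signedXml = new SignedXml(doc);
        var signatureNode = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        signedXml.LoadXml((XmlElement)signatureNode);
        return signedXml.CheckSignature(key);
    }

    // Re-serialise with indentation: every element, including SignedInfo, gets whitespace text nodes.
    public static XmlDocument PrettyPrint(XmlDocument doc)
    {
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true }))
        {
            doc.Save(writer);
        }
        var pretty = new XmlDocument { PreserveWhitespace = true };
        pretty.LoadXml(sb.ToString());
        return pretty;
    }

    public static void Main()
    {
        // Constructed stand-in for a federation metadata document (entityID is made up).
        const string metadata = "<EntityDescriptor entityID=\"urn:example-dev-sts\"><IDPSSODescriptor/></EntityDescriptor>";

        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            XmlDocument signed = Sign(metadata, rsa);
            Console.WriteLine("compact:  " + Verify(signed, rsa));              // True

            XmlDocument formatted = PrettyPrint(signed);
            Console.WriteLine("indented: " + Verify(formatted, rsa));           // False: whitespace changed the canonical form
        }
    }
}
```

The same thing happens to a hand-edited or "beautified" FederationMetadata file, which is why the metadata endpoint has to emit the Signature element exactly as it was produced. Conversely, if a reader ever decides to strip whitespace before verifying "to make it work", that is a red flag: the verifier must see the bytes the signer produced, nothing more and nothing less.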


Create an organizational account to administrate azure when having a Microsoft Account

When you created your Microsoft Azure subscription with a personal Microsoft Account, it's likely that you won't be able to use some Azure services, for example the new Power BI service, as they require an organizational account. This blogpost describes how to create an organizational account and delegate the Azure administrator role to this account, so you'll be free to use any Azure service.



How to use Sitecore Rocks with Visual Studio 2015 preview

If you want to use the recently released Visual Studio 2015 preview together with Sitecore Rocks for Sitecore development, you won't be able to install this plugin from the Visual Studio Extensions gallery: the plugin doesn't even show up when you search for it. This blogpost describes how to get it to work.
