Friday, June 25, 2010

FBA Users in SharePoint 2010

One of our sites scheduled for upgrade to SharePoint 2010 uses Forms Based Authentication (FBA). Various blogs describe how to set up SharePoint 2010 to connect to an FBA membership database. But one critical difference is how the new claims-based authentication (the mode FBA has to run under in SP2010) hands an identity over to SharePoint 2010.

The change from integrated security to claims-based mode is basically this: in claims mode the SharePoint site no longer verifies identities itself; that is handled by the new Security Token Service (STS). Previously a user's FBA identity was stored as something like "FBAMembership:EtherDragon" (membership provider name, a colon, then the user name); now, in 2010, the STS hands over my identity as something like "i:0#.f|FBAMembership|EtherDragon" and, as far as 2010 is concerned, that is a different user. Every FBA entry left in a site group after the upgrade therefore matches nobody who can actually log in.

The fix was to write a quick Web Part for 2010 that replaces every FBA user identity in every group with the matching STS identity. Two things to keep in mind: the Web Part runs with the permissions of whoever opens the page, so it has to be run by a site owner, and it should be removed again once the migration is done, since it rewrites group membership on every page load; and it only touches group membership, so users granted permissions directly on a list or item, and site collection administrators, are not rewritten by it.

Here's some code:
(Code)
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

SPWeb oWeb = SPContext.Current.Web;

// SP2007-style FBA login names look like "fbamembership:username"
// (SharePoint stores them lower-cased); the claims STS format is
// "i:0#.f|fbamembership|username".
string wrongFormat = "fbamembership:";
string claimsPrefix = "i:0#.f|fbamembership|";

foreach (SPGroup myGroup in oWeb.Groups)
{
    SPUserCollection myUsers = myGroup.Users;
    List<SPUser> usersToDelete = new List<SPUser>();

    // Collect first: the user collection cannot be modified while it is being enumerated.
    foreach (SPUser userCandidate in myUsers)
    {
        // Case-insensitive prefix test, so "FBAMembership:" and "fbamembership:" both match.
        if (userCandidate.LoginName.StartsWith(wrongFormat, StringComparison.OrdinalIgnoreCase))
        {
            usersToDelete.Add(userCandidate);
        }
    }

    foreach (SPUser myUser in usersToDelete)
    {
        // Keep the user name part, swap the prefix for the claims-encoded one.
        string loginName = claimsPrefix + myUser.LoginName.Substring(wrongFormat.Length);
        string eMail = myUser.Email;
        string name = myUser.Name;
        string notes = myUser.Notes;

        myGroup.RemoveUser(myUser);
        myGroup.Update();
        myGroup.AddUser(loginName, eMail, name, notes);
        myGroup.Update();
    }
}
(End Code)

Without this little code block, we would have had to go through about 2000 user entries in various groups to remove and replace the users through the SharePoint UI.
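As an added example, not the original Web Part and not code from Microsoft, here is the same migration written as a one-off console program to be run on a SharePoint 2010 server by a farm administrator instead of being deployed as a Web Part. It goes further than the snippet above: it walks every group in the site collection rather than only the groups assigned to one web, refuses to run against a web application that is not in claims mode, supports a dry run that only reports what it would change, rejects user names that would corrupt the claim encoding, and adds the new identity before removing the old one so that a failed lookup leaves the group exactly as it was. The class name, the method names, the provider name `FBAMembership` and the site URL are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Assumed helper (not from the original post): one-off migration of
// SP2007-style FBA group members ("provider:user") to SP2010 claims
// identities ("i:0#.f|provider|user") across a whole site collection.
public static class FbaClaimsMigration
{
    // Builds the claims-encoded login for a forms user:
    //   i = identity claim, 0 = reserved, # = user logon name claim type,
    //   . = string value type, f = forms authentication issuer,
    //   followed by the membership provider name and the user name.
    // Returns null when the login is not an old-style FBA login for this
    // provider (already a claim, a Windows account, another provider).
    public static string ToClaimsLogin(string loginName, string provider)
    {
        if (string.IsNullOrEmpty(loginName)) return null;
        string oldPrefix = provider + ":";
        if (!loginName.StartsWith(oldPrefix, StringComparison.OrdinalIgnoreCase))
            return null;
        string userName = loginName.Substring(oldPrefix.Length);
        // '|' separates the fields of an encoded claim; refuse rather than mangle.
        if (userName.Length == 0 || userName.IndexOf('|') >= 0)
            return null;
        return "i:0#.f|" + provider + "|" + userName;
    }

    // Rewrites stale FBA members of every group in the site collection.
    // Returns the number of memberships migrated (0 on a dry run).
    public static int MigrateGroupMembers(SPSite site, string provider, bool dryRun)
    {
        if (!site.WebApplication.UseClaimsAuthentication)
            throw new InvalidOperationException(
                "Web application is not in claims mode; the STS login format does not apply.");

        int migrated = 0;
        SPWeb root = site.RootWeb;

        // Groups are site-collection scoped: SiteGroups lists all of them,
        // whereas SPWeb.Groups only lists those granted permissions on that web.
        foreach (SPGroup group in root.SiteGroups)
        {
            var stale = new List<SPUser>();
            foreach (SPUser member in group.Users)
                if (ToClaimsLogin(member.LoginName, provider) != null)
                    stale.Add(member);

            foreach (SPUser old in stale)
            {
                string newLogin = ToClaimsLogin(old.LoginName, provider);
                Console.WriteLine("{0}: {1} -> {2}", group.Name, old.LoginName, newLogin);
                if (dryRun) continue;

                // Resolve/create the claims user first; if this throws, the old
                // membership is still in place and nothing has been lost.
                SPUser fresh = root.EnsureUser(newLogin);
                group.AddUser(fresh);
                group.RemoveUser(old);
                group.Update();
                migrated++;
            }
        }
        return migrated;
    }

    // Usage: run once with dryRun = true, review the output, then run for real.
    static void Main(string[] args)
    {
        bool dryRun = args.Length == 0 || args[0] != "--apply";
        using (SPSite site = new SPSite("http://intranet.example.local")) // placeholder URL
        {
            int n = MigrateGroupMembers(site, "FBAMembership", dryRun);
            Console.WriteLine(dryRun ? "Dry run complete." : n + " memberships migrated.");
        }
    }
}
```

Running this as a console program under a farm administrator account avoids leaving a Web Part in the site that rewrites group membership whenever someone renders the page; as with the Web Part, it does not migrate direct permission grants on lists or items, nor site collection administrators, which have to be handled separately.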