App registration

Submitted by Erik Wegner on

Register the certificate

In this step we tell SharePoint to trust our certificate. The necessary commands are documented in MSDN and must be run in the SharePoint Management Shell on a farm server:

$publicCertPath = "C:\Certs\server.cer"                                          # public key only; the private key stays with the app
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
New-SPTrustedRootAuthority -Name "HighTrustSampleCert" -Certificate $certificate  # farm now trusts this certificate

$realm = Get-SPAuthenticationRealm                                                # farm realm (a GUID)
$specificIssuerId = "a7892e99-1563-4ca2-afdd-55131997195f"                       # issuer id, must be a lowercase GUID
$fullIssuerIdentifier = $specificIssuerId + '@' + $realm                         # "<issuer id>@<realm>", the issuer name in the app's tokens
New-SPTrustedSecurityTokenIssuer -Name "High Trust Sample Cert" -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker
iisreset

The value assigned to $specificIssuerId in line 6 is a GUID that uniquely identifies the issuer of that certificate. Any freshly generated GUID will do (for example [guid]::NewGuid() in PowerShell), but SharePoint requires it in lowercase, and the app must use the same value as its issuer id so that the tokens it signs name this registered issuer.

As soon as these commands have run, SharePoint validates incoming requests that carry a token signed with this certificate. The parameter -IsTrustBroker in line 8 lets the calling app decide which user account the request runs under. Just to be crystal clear: the calling app tells SharePoint which user account is running the request. SharePoint only verifies the signature on the token; it performs no further authentication of that user and trusts the app absolutely on this point. Consequently, whoever holds the certificate's private key can act as any user of the farm, so that key deserves the same protection as a farm administrator's credentials.
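The following script is an added example and not part of the original post or of the MSDN procedure; it checks from the SharePoint Management Shell that the issuer registration above is usable before the app is deployed. It assumes the certificate path, issuer name and issuer GUID used above; the 30-day expiry warning threshold is an arbitrary choice.

```powershell
# Added example: verify a high-trust issuer registration (not from the original post).
# Assumes the names and path from the registration commands above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$publicCertPath   = "C:\Certs\server.cer"
$issuerName       = "High Trust Sample Cert"
$specificIssuerId = "a7892e99-1563-4ca2-afdd-55131997195f"

# 1. SharePoint requires the issuer GUID in lowercase; -cne is a case-sensitive compare.
if ($specificIssuerId -cne $specificIssuerId.ToLowerInvariant()) {
    throw "Issuer id must be lowercase: $specificIssuerId (a fresh one: [guid]::NewGuid().ToString().ToLowerInvariant())"
}

# 2. The issuer must exist and be bound to the certificate the app really signs with.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
$issuer = Get-SPTrustedSecurityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if ($null -eq $issuer) {
    throw "No trusted security token issuer named '$issuerName' is registered"
}
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch: registered $($issuer.SigningCertificate.Thumbprint), file $($cert.Thumbprint)"
}

# 3. The registered issuer name must be exactly "<issuer id>@<realm>", which is what
#    the app puts into the iss claim of the tokens it signs.
$expectedIssuer = "$specificIssuerId@$(Get-SPAuthenticationRealm)"
if ($issuer.RegisteredIssuerName -ne $expectedIssuer) {
    throw "RegisteredIssuerName is '$($issuer.RegisteredIssuerName)', expected '$expectedIssuer'"
}

# 4. Tokens stop validating when the certificate expires; warn early (30 days is an arbitrary choice).
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# 5. Show the root authority entry too, so both halves of the trust are visible at once.
Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }

Write-Host "OK: '$issuerName' ($($cert.Thumbprint)) is a trust broker. Anyone with its private key can impersonate any user; guard it accordingly."
```

Run it as a farm administrator after the iisreset; every throw points at the one registration step that has to be repeated.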

Register the app

Before an app can access a site collection, it must be registered there. During provisioning the administrator has to approve the permissions the app requests.

Start with an empty site collection created from the "Developer Site" template:

Create a new site collection

Open the URL http://sharepointserver/site/_layouts/15/AppRegNew.aspx to start the process. Generate the App Id and the App Secret, then enter a title and the App Domain. Apart from the App Id, which the app must present as its client id, the remaining fields are not relevant for a high-trust app, but the form requires them.

Register a new app

Use the Create button and you will see the success message:

The app identifier has been successfully created.

This step is the equivalent of submitting a public app to the SharePoint Store.

Grant permissions to the App

Open the URL http://sharepointserver/site/_layouts/15/AppInv.aspx to grant permissions to the app. This corresponds to adding the app to the site from the app catalog.

AppInv with permission request

Paste the following text into the Permission Request XML box to allow read access to the web and everything underneath it. More information about the available scopes and rights is in MSDN.

<AppPermissionRequests>
 <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>

After you submit the form, SharePoint asks whether you trust the app; choosing "Trust It" grants the requested permissions.

Approve the requested permissions
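The two UI steps above, registering the app principal and granting it permissions, can also be scripted. The script below is an added example, not part of the original post, and uses the SharePoint 2013 cmdlets Register-SPAppPrincipal and Set-SPAppPrincipalPermission in place of AppRegNew.aspx and AppInv.aspx. The site URL, client id and display name are placeholders; in particular the client id is a made-up GUID that stands in for the one generated on AppRegNew.aspx.

```powershell
# Added example: register an app principal and grant it Read on the web from
# PowerShell instead of AppRegNew.aspx / AppInv.aspx (not from the original post).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl     = "http://sharepointserver/site"               # placeholder
$clientId    = "3d0f6a1e-7c2b-4b8d-9e6f-1a2b3c4d5e6f"        # placeholder; use the App Id of your app
$displayName = "High Trust Sample App"                       # placeholder

# The client id, like the issuer id, has to be lowercase.
if ($clientId -cne $clientId.ToLowerInvariant()) {
    throw "Client id must be lowercase: $clientId"
}

$web   = Get-SPWeb $siteUrl
try {
    # App principals are named "<client id>@<realm>", exactly like the token issuer.
    $realm         = Get-SPAuthenticationRealm -ServiceContext $web.Site
    $appIdentifier = "$clientId@$realm"

    # Register the principal, or reuse it if this script has run before.
    $principal = Get-SPAppPrincipal -NameIdentifier $appIdentifier -Site $web -ErrorAction SilentlyContinue
    if ($null -eq $principal) {
        $principal = Register-SPAppPrincipal -NameIdentifier $appIdentifier -Site $web -DisplayName $displayName
        Write-Host "Registered app principal $appIdentifier"
    } else {
        Write-Host "App principal $appIdentifier already registered"
    }

    # -Scope Site is the web, i.e. http://sharepoint/content/sitecollection/web in the
    # AppInv XML; -Scope SiteCollection would be the next level up.
    # Keep the grant as narrow as the app needs: Read here, not Manage or FullControl.
    Set-SPAppPrincipalPermission -AppPrincipal $principal -Site $web -Scope Site -Right Read

    # Show what the principal ended up with, so the grant can be reviewed.
    Get-SPAppPrincipalPermission -AppPrincipal $principal -Site $web
}
finally {
    $web.Dispose()
}
```

Because the grant is expressed against a named principal, re-running the script is safe, and the final Get-SPAppPrincipalPermission is the place to confirm that no broader right was left behind from an earlier test.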