The project that I’ve been working on is an appointment scheduling application.  The basics are that the application maintains a master calendar of a various number of people and they each specify when they are available for appointments and for what type of appointment.  These appointments are displayed in the program but are also written out to their exchange calendars.  Keeping these appointments in order would be all fine and dandy except the appointment aren’t read-only.

EWS does have a function that will supposedly aid in synchronizing the calendar to the database.  The function called “SyncFolderItems” takes a sync state (which it returns to you when you run the function) and using this sync state information EWS returns any changes to the calendar since that sync.  However it doesn’t seem to work all that well and appears to be quite fragile (it is probably worth noting that I am working against an Exchange 2007sp1 server and not 2010).  The sync might work at first but after some amount of time or some condition it just stops returning any changes at all.  And it’s hard to debug since EWS just tells me no changes happened.

This is the MyAppointment class that is used in the program.

public class MyAppointment
{
    public int Id { get; set; }
    public DateTime Start { get; set; }
    public DateTime End { get; set; }
    public string Subject { get; set; }
    public string Body { get; set; }

    public string ExchangeId { get; set; }
}

The following is the code for using the EWS sync function.

public string SyncChanges(string mailboxId, IEnumerable<MyAppointment> appointments, string syncState)
{
    var service = InitializeService(mailboxId);

    var changeLog = service.SyncFolderItems(
        new FolderId(WellKnownFolderName.Calendar, mailboxId),
        PropertySet.FirstClassProperties, null, 512,
        SyncFolderItemsScope.NormalItems, syncState);

    foreach (var changedItem in changeLog)
    {
        var appt = appointments.Where(a => a.ExchangeId == changedItem.ItemId.UniqueId).FirstOrDefault();

        if (appt != null)
        {
            switch(changedItem.ChangeType)
            {
                case ChangeType.Update:
                    var appointment = (Appointment) changedItem.Item;
                    appointment.Start = appt.Start;
                    appointment.End = appt.End;
                    appointment.Subject = appt.Subject;
                    appointment.Body = appt.Body;

                    // write the change back to exchange

                    break;
                case ChangeType.Delete:

                    var newAppointment = new Appointment(service);

                    newAppointment.Start = appt.Start;
                    newAppointment.End = appt.End;
                    newAppointment.Subject = appt.Subject;
                    newAppointment.Body = appt.Body;

                    // write the change back to exchange

                    break;
                default:
                    break;
            }
        }
    }

    return changeLog.SyncState;
}

However the above code doesn’t work for whatever reason.  Instead I wrote the following function that essentially does the same thing, but only syncs data 2 months ahead.  It takes a few more lines of code but using Linq it makes it easy to do the comparisons.

public void SyncChanges(string mailboxId, IEnumerable<MyAppointment> myAppointments)
{
    // get appt one day before and 1 month out
    var searchFilter = new SearchFilter.SearchFilterCollection(LogicalOperator.And);
    searchFilter.Add(
        new SearchFilter.IsGreaterThanOrEqualTo(AppointmentSchema.Start, DateTime.Now.AddDays(-1)));
    searchFilter.Add(
        new SearchFilter.IsLessThanOrEqualTo(AppointmentSchema.End, DateTime.Now.AddMonths(2)));
    searchFilter.Add(
        new SearchFilter.IsEqualTo(ItemSchema.ItemClass, "IPM.Appointment"));
    // get back 512 results max
    var view = new ItemView(512);
    // make the remote call
    var service = InitializeService(mailboxId);
    var results = service.FindItems(
        new FolderId(WellKnownFolderName.Calendar, mailboxId), searchFilter, view);

    // get the distinct ids from exchange
    var exchangeIds = results.Select(a => a.Id.UniqueId);

    // get the distinct ones we have
    var dbIds = myAppointments.Select(a => a.ExchangeId);

    // find the ids that are in the db but not in exchange
    var missing = dbIds.Where(a => !exchangeIds.Contains(a));

    var newAppts = myAppointments.Where(a => missing.Contains(a.ExchangeId)).Select(
                        a => new Appointment(service) {Start = a.Start
                                                     , End = a.End
                                                     , Subject = a.Subject
                                                     , Body = a.Body});

    // get the exchange objects we do have in the db
    var appts = results.Where(a => !missing.Contains(a.Id.UniqueId) && dbIds.Contains(a.Id.UniqueId))
                       .Select(a => (Appointment)a);

    var changedAppts = new List();

    // find the changed appointments
    foreach (var appointment in appts)
    {
        // get the db appointment object
        var appt = myAppointments.Where(a => a.ExchangeId == appointment.Id.UniqueId).FirstOrDefault();

        // compare the time stamps and determine if we need to make a change
        if (appt != null)
        {
            if (appt.Start != appointment.Start || appt.End != appointment.End)
            {
                // make the changes
                appointment.Start = appt.Start;
                appointment.End = appt.End;
                appointment.Subject = appt.Subject;
                appointment.Body = appt.Body;

                // add it to the list of ones needed to change
                changedAppts.Add((Item)appointment);
            }
        }
    }

    // write the new and updated objects to exchange
}

The end result is that if a user moves or deletes an appointment managed by the program it can on interval go back and sync the calendar.

We covered topics such as SSL, SQL Encryption, Cross Site Scripting (XSS), Cookie Policies, Html Encoding, Cross Site Request Forgery (CSRF) and Insecure Direct Object Reference.

The demo is also bundled with Scott’s talk on Data Validation and Html5.

You can find the demo and slides here.

My requirements were that it would be easily reusable, easy to setup on the page with one to many pins and that I could turn on and off features with a quick parameter change.  If you would like to see a demo please go here.  This plugin essentially wraps around a small portion of the Bing Maps API, but it’s the portion that was required for my needs.

Html

The Html is simple div container to house the map and another div container to house the coordinates.  The coordinates are stored inside a dl.  It’s not exactly compliant with standards have invalid attributes, however it’s on the list to use the data attribute that is compatible with jQuery 1.4.3.  But for now this works.  The information for the pins (names/descriptions) are stored in dt and dd tags.

<div id="map" style="margin: 0px 0px 20px">
     <div>
          <dl>
               <div class="" lat="38.53701730537018" lng="-121.7490667104721">
                    <dt >Mrak Hall</dt>
                    <dd>Home of AG Dean's Office</dd>
               </div>
               <div class="" lat="38.539411128558385" lng="-121.74984186887741">
                    <dt >Shields Library</dt>
                    <dd>The Main Library of Davis</dd>
               </div>
          </dl>
     </div> <!-- End of coordinate container -->
</div> <!-- End of map container –>

Javascript

The script couldn’t be more simple.  Below is a basic call to initialize a map in a map container with an id of “map” and seta height of 400px.

$(function(){
     $("#map").bingmaps({height: "400px"});
});

Parameters

There are several parameters that can be passed into the plugin:

Downloads

You can download the plugin here.

Enjoy!

What I discovered was that the UserPrincipal class does in fact have a property called PermittedLogonTimes, but the catch is that there is no documentation on how to set the property for specific hours and to make this more confusing it is a byte[].

So after a little bit of playing around in Active Directory, setting the permitted logon times and reading it back out in C# it finally made sense.  The property is basically a byte[21] with a mask to cover the hours the user is allowed to logon.  Each day of the week is broken down into 3 byte values (refer to the table below for the index and the hours).

Each hour in each individual block has a specific mask value.  To get a specific time span, all you need to do is add up the values for the hours you want.  Refer to the following table:

For example, if you would like to allow logon on Monday from 1pm-5pm your byte array would be all zeros except value at index 5 would be 224 and index 6 would be 1.

I’ve written the following classes to aid in calculating the byte masks:

LogonTime – is used to pass the information for logon for a specific day.

PermittedLogonTime – used to calculate the actual values that need to be passed to Active Directory.

http://gist.github.com/568549

Update 5/6/2011 : Thanks to comments and testing by Simone Greci, we came to the conclusion that the masks provided here are for Pacific Standard Time (PST, GMT -8).  I would like to update this code when I have time but keep in mind of this limitation.

Update 10/18/2011: I’ve finally gotten around to rewriting the code.  I rewrote everything from the ground up so it also takes into account the timezone.  By default it should go to your machine’s time zone, but can be passed specific timezones.  I’ve included code that converts the AD byte mask back into a list of the LogonTime objects.  To make it easier to use, I’ve compiled it into a project so you can just import the dll and use it.  The project is up on github (here).

There is a demo console app that compares the output to my old code that worked for PST (-8 GMT).

Usage is fairly straight forward:

To create a new logon time using your machine’s time zone:

var time = new LogonTime(DayOfWeek.Monday,
new DateTime(2011, 1, 1, 8, 0, 0),
new DateTime(2011, 1, 1, 10, 0, 0));

To use a specific time zone:

var zone = TimeZoneInfo.FindSystemTimeZoneById("Pacific Standard Time");
var time = new LogonTime(DayOfWeek.Monday,
     new DateTime(2011, 1, 1, 8, 0, 0),
     new DateTime(2011, 1, 1, 10, 0, 0), zone);

To get the byte mask to submit to AD:

var zone = TimeZoneInfo.FindSystemTimeZoneById("Pacific Standard Time");
var time = new LogonTime(DayOfWeek.Monday,
     new DateTime(2011, 1, 1, 8, 0, 0),
     new DateTime(2011, 1, 1, 10, 0, 0), zone);
var times = new List<LogonTime>();
times.add(time);
var mask = PermittedLogonTimes.GetByteMask(times)

To get the list of times from the AD mask:

byte[] mask;// populate from AD
var times = PermittedLogonTimes.GetLogonTimes(mask);

*The resulting times that are parsed have invalid dates, just the hour ranges.

I hope this helps those of you using those permitted logon times. Enjoy!

Prerequisites:

1. Have the basic TFS install completed along with the configuration.
2. FQDN you would like to use, for this example I will be using “mycompany.com”
3. A certificate from a Microsoft Certificate Services Server (this cannot be a self-signed certificate because Visual Studio Team Explorer will not accept it)

To request the certificate from Microsoft Certificate Services use the following steps:
• Open up the IIS Manager and select the server
• Select “Server Certificate”
• In the Actions pane > select “Create Domain Certificate”
• Follow the steps in the “Create Certificate” dialog.

Here is some basic information I’ll be using during this guide:

Steps:

Configure Sharepoint:

• Open up SharePoint Administrator
• Navigate to the “Operations” tab  
• Select “Alternate Access Mappings” 
• Click on “Edit Public URLs”
• Select the “Default Web Site”
• Change the “Default” from “http://tfs-server” to “https://mycompany.com”
• Click “Save”
• That should be it with Sharepoint Administrator.
• One last thing is that we need to test the site.  When I did the initial configuration I was unable to navigate to the Sharepoint site from the server it self but was able to from client machines.  The site would prompt me for credentials over and over but would not let me into the site.  So just open a browser from the server and try to navigate to “https://mycompany.com/sites/defaultcollection”.  If that doesn’t work then you need to follow the next step, otherwise you are complete.
• I came across this blog post that describes the very problem.  In the end I had to disable the loopback check, but different solutions may solve your problem.

Configure Reporting Services:

• Open up “Reporting Services Configuration Manager”
• Select “Web Service URL”
• In the right panel, select “tfs-cert” as the SSL Certificate and 443 as the SSL Port.
• Select Apply
• Select “Report Manager URL”
• In the right panel, select “Advanced”
• In the “Advanced Multiple Web Site Configuration” window that pops up click “Add” under the “Multiple SSL Identities for Report Manager”
• The “Add a Report Manager SSL Binding” window will pop-up, just select “tfs-cert” and it will automatically get the URL from the certificate.
• Click “OK” until you get back to the main Reporting Services Configuration window.
• That should be it for the Reporting Services Configuration.

Configure IIS:

• Open IIS Manager, you should see something similar to the image below in your left panel.
  
• Select “Default Web Site” and select “Bindings” in the Action Pane.
• Click “Add” in the “Site Bindings” pop-up.
• Change the following values:
  

  Type:	https
  Port:	443
  SSL Certificate:	tfs-cert

  

• Click “Ok” in the Add Site Binding and “Close” in “Site Bindings”
• You will need to perform the same steps for the “Team Foundation Server” website except use port 8088 instead of 443.
• That will be it for IIS Manager.

Configure Firewall:

You will need to ensure that your firewall is allowing 443 and 8088 in.

Configure TFS

• Open up “Team Foundation Server Administration Console”
• Navigate to the "Application Tier"
• In the right pane, select "Change URLs".
• In the "Change URLs" pop up, change the Notification URL to “https://mycompany.com:8088/tfs"
• Click “Ok”, we are finished configuring the Application Tier.
• Navigate to the “Sharepoint Web Applications”
• In the right pane, select the “http://tfs-server” application and click “Change”
• Change the values in the “Sharepoint Web Application Settings”
  

  Friendly Name:	mycompany.com
  Web Application URL:	https://mycompany.com
  Central Administration URL:	http://tfs-server:17012
  Default Location:	sites

• Navigate to “Reporting” in the left pane.
• In the right pane select “Edit”
• The “Reporting” window will popup.  Select the “Reports” tab.
• Select the “Populate URLs”, this will cause the drop downs in the tab to refresh with what the Report Server has configured.
  
• Change the drop downs in the URL section to the https addresses that were created earlier.
  

  Web Service:	https://mycompany.com/reportserver
  Report Manager:	https://mycompany.com/reports

• Once you click “Ok”, be sure to click “Start Jobs” in the Reporting pane.

Congratulations!  You have finished the configuration.  Enjoy!

Update (5/18/2010): Thanks to the comment by Jason, I have added an extra step to configure the Application Tier in the TFS Administration Console.

I’ve found lots of guides on the internet on setting up SSL/HTTPS on Team Foundation Server 2008, but not much on 2010 RTM.  It’s pretty much the same process but I had to figure a few things out differently because of IIS7 and just my personal preferences.

First of all, if you are using Visual Studio 2008 you will need to make sure you have the following (doesn’t really have anything to do with enabling SSL/HTTPS, but you’ll need it to connect to TFS 2010 anyways):

• Download and install the Visual Studio Team System 2008 Service Pack 1 Forward Compatibility Update for Team Foundation Server 2010 (Installer) found here.  Fun little name isn’t it?
• Ensure that you’ve installed Visual Studio 2008 SP1 after installing TFS Team Explorer.
  You’ll first need two SSL certifications, one for SharePoint and one for TFS application layer.  It maybe possible to use one SSL certification but I like to have two so i can give each a different address.  Ex. mycompany.com and mycompanysource.com.  First I tried using two self-signed certificates but that didn’t work because Team Explorer doesn’t like self-signed certificates, but the certificate for SharePoint can use a self-signed certificate.  We used Microsoft Certificate Services to provide the certificate necessary for the TFS application layer.
  To request the certificate from Microsoft Certificate Services use the following steps:
• Open up the IIS Manager and select the server
• Select “Server Certificate”
• In the Actions pane > select “Create Domain Certificate”
• Follow the steps in the “Create Certificate” dialog.

Once you have your two certificates, follow the next configuration steps:

Configure IIS

• Open IIS Manager and select the server
• Expand the “Sites”, you should see a list similar to the following
  
  Default Web Site = SharePoint Site
  Team Foundation Sever = TFS Application Layer
  SharePoint redirector = redirector for SharePoint (I’ll explain later)
• Select the “Default Web Site”
• In the Actions Pane select “Bindings…”
• In the Site Bindings window, select “Add”, which will bring up the “Edit Site Binding” page.
  
• Select the following:
  Type: https
  IP Address: all unassigned
  Port: 443
  SSL certificate: the certificate you created for SharePoint
• Click “Ok”, then “Close” in the “Site Bindings” window.
• Perform the same steps with the “Team Foundation Server” site, except use port 8088 for the port and the certificate created for the TFS application layer.
• Close IIS Manager, we are done with it.

Configure Firewall

• Open “Windows Firewall with Advanced Security”
• Select ‘”Inbound Rules”
• Find “Team Foundation Server TFSWebSite:8080”, right click and choose disable.
• In the right Actions pane, select “New Rule”
• In the “New Inbound rule wizard” fill the following:
  Type: Port
  TCP/UDP: TCP
  Specific local port: 8088
  Allow the Connection
  Domain,Private,Public
  Name: Name of your choice

Configure SharePoint

• Open up the SharePoint Administrator
• Select the “Operations” tab, then under “Global Configuration” select “Alternate Access Mappings”
  
• In the “Alternate Access Mappings” select “Edit Public URLs”
• First select the “Alternate Access Mapping Collection” and choose the “Default Web Site” in the pop-up.
• Fill in the default and Internet addresses.
  Default: http://servername (leave default alone)
  Internet: https://mycompanysource.com
• Click “Save”

At this point you should have SSL setup for both the TFS SharePoint sites and the TFS application layer.  In Team Explorer you should be able to add a server by entering “https://mycompanysource.com:8088/tfs” as the address.

The only thing left to do is make the SharePoint sites a bit easier to access.  Right now you would have to access the SharePoint site by going to https://mycompany.com/tfs/defaultcollection, but wouldn’t it be nice to just type mycompany.com in the address bar and be redirected?  Once you complete these final steps you should be able to do just that.

• Open up IIS manager.
• Select your server and right click on “Sites” and choose “Add Web Site”
• Fill in the following information:
  Site Name: “SharePoint Redirector”
  Physical Path: doesn’t matter i use c:\inetpub
  Binding: Leave as port 80 and defaults.
• Click “Ok”
• Select the redirector and in the main window double-click on “HTTP Redirect”
• Check Redirect request to destination and fill in your target destination. i.e.. https://mycompany.com/sites/defaultcollection
• Click “Apply” in the Actions Pane

Ok that’s all I got for this post, today.  Enjoy your newly secured TFS server.

Update (4/26/2010):  Apparently there is a little funny business with accessing the report server from the outside network.  Instead of using the FQDN to get to the report server it uses the computer name.  So outside the local network it doesn’t work from the SharePoint site.  There are some steps to get it working, but I can’t quite get SharePoint over SSL to work properly on the server itself resulting in some problems with the TFS configuration tool.

First setting up SharePoint SSL slightly differently than I’ve stated above similar to the instructions here. Then the following steps are the issues.

Part of the problem is that I cannot access https://mycompany.com/tfs/defaultcollection from the server itself, but I can access it from other computers.  I believe that because of this problem changing the configuration using TFS Administration Console is a problem.  Clicking on the Grant Access button

Fill in the information for Url for Team Foundation Server : to https://mycompanysource:8088/tfs.  Then in the “SharePoint Web Application” select the https://.. site from the drop down.  When you click on ok I get an error message saying TFS cannot access the SharePoint site.

Once this issue with the SharePoint SSL is resolved it should also resolve configuring Reporting Services for SSL, then modifying the configuration for TFS Administration Console for SSL reporting services.

Configuring SSL for reporting services is pretty straight forward.

Open up the Reporting Services Configuration Manager and go to the “Web Service URL”.  Configure the SSL Certificate and the SSL Port.

So one problem is sort of holding up the whole issue with configuring the server to accept the reporting services over SSL.  Anyone have any ideas, I’m open to suggestions.

Update (5/7/2010) : I’ve been working on some of the issues from this guide and figured out a good portion of them.  Please take a look at my updated guide here.

One thing to understand about TFS is that it is really 3 separate applications working together, TFS Application Layer, Microsoft SQL Server Reporting Services and Microsoft Sharepoint Services.  And since they don’t really talk with each other about permissions, these need to be granted individually to each application.

I’ve come up with the following steps, even though they may not be best practices they work for my environment.  Before beginning I recommend setting up a security group that will contain all of your users that you wish to have access to the TFS server.

TFS Application Layer Permissions

• Open up the Team Foundation Server Administration Console
• Expand Server Name > Application Tier > Team Project Collections
• Select “Group Membership”
• 
• In the “Global Groups on http://localhost:8080/tfs/defaultcollection” window click “New…” button.
• In the “Create New Team Foundation Server Group” fill in “User” as “Group Name” and a Description if you choose.  And click “Ok”
• 
• In the “Global Groups on http://localhost:8080/tfs/defaultcollection” window, select the newly created group and click the “Properties” button.
• In the properties window add your users that you wish to have access to all projects.

Sharepoint Permissions

Sharepoint permissions need to be sort of granted individually for each project that you have.  But with the way I have it set up it should be slightly easier to manage.  All users are granted to the main site in Sharepoint.  Each project’s site is a sub site of the main site and can inherit the permissions from the main site.  The first part is granting permissions to the main site.

• Log in to your Sharepoint site (most likely http://localhost/tfs/defaultcollection) as an administrator
• Select “Site Action” > “Site Settings” > “Advanced Permissions”
• In the permissions page you will want to add all of your users as contributors, this is where that security group will come in handy as well.

The next step is for each project that you have going on, you need to set it to inherit permissions.

• Once again log into your Sharepoint site.
• Select the project you would like to change (url example http://localhost/tfs/defaultcollection/projectname)
• Select “Site Action” > “Site Settings” > “Advanced Permissions”
• In the permissions page select “Actions” > “Inherit Permissions”

In the end permissions will be automatically updated if you edit the permissions on the main site or if you decided to setup the Active Directory group changing membership in the group.

Report Server Permissions

• Log in to your reporting services management site (usually http://localhost/reports)
• Click on “Properties” > “New Role Assignment”
• In the “New Role Assignment” screen, add your user (or security group) and select the “Browser” role.
• 

Congratulations your permissions are now granted so everyone in your group can access all the Sharepoint sites and all the source control.

So I have written a little extension method that enables specific html formatting to be allowed while still escaping potentally dangerous html.

public static class HtmlHelperExtensions
{
     private const string htmlTag = @"<{0}>";

     public static string HtmlEncode(this HtmlHelper helper, string text)
     {
          // encode the string
          string encodedText = HttpUtility.HtmlEncode(text);

          // put the text in a string builder
          StringBuilder formattedEncodedText = new StringBuilder(encodedText);

          // replace the escaped characters with the correct strings to allow formatting
          // <p>
          formattedEncodedText.Replace(string.Format(htmlTag, @"p"), @"<p>");
          // </p>
          formattedEncodedText.Replace(string.Format(htmlTag, @"/p"), @"</p>");

          // <strong>
          formattedEncodedText.Replace(string.Format(htmlTag, @"strong"), @"<strong>");
          // </strong>
          formattedEncodedText.Replace(string.Format(htmlTag, @"/strong"), @"</strong>");

          // <em>
          formattedEncodedText.Replace(string.Format(htmlTag, @"em"), @"<em>");
          // </em>
          formattedEncodedText.Replace(string.Format(htmlTag, @"/em"), @"<em>");

          // <span style="text-decoration:underline;">
          string underline = @"<span style="text-decoration: underline;">";
          string underlineReplacement = @"<span style=""text-decoration:underline;"">";
          formattedEncodedText.Replace(underline, underlineReplacement);

          // </span>
          // only find the spans that are related to the span for underlining
          var temp = formattedEncodedText.ToString();
          // for each instance of underline
          foreach (int i in temp.IndexOfAll(underlineReplacement))
          {
               // find the first instance of </span> after the underline span and replace
               var index = temp.IndexOf(string.Format(htmlTag, @"/span"), i);

               // delete the string at that location
               temp = temp.Remove(index, string.Format(htmlTag, @"/span").Length);

               // add in the new string at that location
               temp = temp.Insert(index, @"</span>");
          }

          formattedEncodedText = new StringBuilder(temp);

          // <ul>
          formattedEncodedText.Replace(string.Format(htmlTag, @"ul"), @"<ul>");
          // </ul>
          formattedEncodedText.Replace(string.Format(htmlTag, @"/ul"), @"</ul>");

          // <ol>
          formattedEncodedText.Replace(string.Format(htmlTag, @"ol"), @"<ol>");
          // </ol>
          formattedEncodedText.Replace(string.Format(htmlTag, @"/ol"), @"</ol>");

          // <li>
         formattedEncodedText.Replace(string.Format(htmlTag, @"li"), @"<li>");
         // </li>
         formattedEncodedText.Replace(string.Format(htmlTag, @"/li"), @"</li>");

         formattedEncodedText.Replace(@" ", @" ");

         return formattedEncodedText.ToString();
     }
}

You can find the example provided by DotNetOpenAuth for Asp.net MVC here. I am using version 3.4.1, so things may change but hopefully not in a newer version.

Requesting Authentication from OpenId Provider

To submit a request to authenticate all you need is the below code.  The first line builds a claims request to ask the Open Id provider for some pieces of information.  In my example below I am only asking for the user’s email address.  The second line handles making the request and redirecting the user to the provider for authentication.

var claimsRequest = OpenIdHelper.CreateClaimsRequest(OpenIdHelper.RequestInformation.Email);
returnOpenIdHelper.Login(openid_identifier, claimsRequest);

Validating Authentication from OpenId Provider

To validate a request is even easier,  the OpenIdHelper has a ValidateResponse function that will return true if the user is valid or false if not.  If the user is valid the oepnIdUser parameter will be populated with the user’s information.  If there was an error the message parameter will contain the error message to do with what you please.

Authentication.OpenIdUser openIdUser;
string message;

if (OpenIdHelper.ValidateResponse(out openIdUser, out message))
{
    // do some work
}

public class OpenIdUser
{
 /// <summary>
 /// Essentially the userid
 /// </summary>
 public string ClaimedIdentifier { get; set; }

 public DateTime? Birthdate { get; set; }
 public string Country { get; set; }
 public string Email { get; set; }
 public string FullName { get; set; }
 public string Gender { get; set; }
 public string Language { get; set; }
 public string Nickname { get; set; }
 public string PostalCode { get; set; }
 public string TimeZone { get; set; }
}

Putting it together I have the following actions in my account controller.

[AcceptPost]
 public ActionResult Authenticate(string openid_identifier)
 {
 var claimsRequest = OpenIdHelper.CreateClaimsRequest(OpenIdHelper.RequestInformation.Email);
 return OpenIdHelper.Login(openid_identifier, claimsRequest);
 }

 /// <summary>
 /// Response from OpenId provider telling is user is authentic or not
 /// </summary>
 /// <param name="returnUrl"></param>
 /// <returns></returns>
 [ValidateInput(false)]
 public ActionResult Authenticate()
 {
 Authentication.OpenIdUser openIdUser;
 string message;

 if (OpenIdHelper.ValidateResponse(out openIdUser, out message))
     {
          // do some work
     }
 }

My OpenIdHelper can be downloaded at http://gist.github.com/323195

OpenId Provider Selector

It’s really a matter of preference but I picked the OpenId Selector.  I chose it because it’s simple to use.

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage" %>

<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
 LogOn
</asp:Content>
<asp:Content ID="Content3" ContentPlaceHolderID="HeaderContent"  runat="server">
 <link href="../../Content/openid.css" rel="stylesheet"  type="text/css" />
 <script src="../../Scripts/openid-jquery.js"  type="text/javascript"></script>
 <script type="text/javascript">
 $(document).ready(function() {
 openid.init('openid_identifier');
 });
 </script>
 </asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="server">

<!-- Simple OpenID Selector -->
<% using (Html.BeginForm("Authenticate", "Account", FormMethod.Post, new { @id = "openid_form" }))
 { %>

 <input type="hidden" name="action" value="verify" />

 <fieldset>
 <legend>Sign-in or Create New Account</legend>

 <div id="openid_choice">
 <p>Please click your account provider:</p>
 <div id="openid_btns"></div>
 </div>

 <div id="openid_input_area">
 <input id="openid_identifier" name="openid_identifier" type="text" value="http://" />
 <input id="openid_submit" type="submit" value="Sign-In"/>
 </div>
 <noscript>
 <p>OpenID is service that allows you to log-on to many different websites using a single indentity.
 Find out <a href="http://openid.net/what/">more about OpenID</a> and <a href="http://openid.net/get/">how to get an OpenID enabled account</a>.</p>
 </noscript>
 </fieldset>

<% } %>

</asp:Content>

It could just be me, but I had a strange problem with the plug-in and had to make a minor change to get it to function properly.  In the situation where I have previously selected an OpenId provider, the next time I come to the page and try to select a different provider it still goes to the original provider that was selected.

In the openid-jquery.js plug-in, I had to change line 169 in the setOpenIdUrl function from :

hidden.value = url;

to

$(hidden).val(url);

Well that’s all I got for my first post, hope it’s at least somewhat useful to someone other than me.  Any feedback or suggestions would be appreciated.