SharePoint 2013 Configure User Profile Service For ADFS Provider

Overview

In previous blogs in the series we have discussed how to configure ADFS for use within SharePoint.  This short entry demonstrates how to configure the User Profile Service Application (UPS) to import users from Active Directory through our newly created Trusted Claims Provider.  The reason for importing this way, rather than through a Windows connection, is that each imported profile then carries the claims-encoded account name SharePoint will see when that user signs in through ADFS (for an e-mail identity claim, i:05.t|<provider name>|user@domain) instead of the domain\user form, so a logged-in ADFS user is matched to the right profile.

Assumptions:

  • You have already created your Trusted Claims Provider
  • You have a newly provisioned UPS
  • Your sync account has ‘Replicate Directory Changes’ permission on the domain you are importing from.  It does not need to be a domain administrator.  Steps to complete this change are documented here.

Configure Synchronization Settings

Once the UPS has fully provisioned, navigate to the “Manage Profile Service: User Profile Service” page.  Here we first need to change the “Configure Synchronization Settings” to allow for Active Directory Import.

ups-adfs-01

On this page simply toggle the radio button to “Use SharePoint Active Directory Import” and then click “OK”.

ups-adfs-02

Now we can configure the sync connection to Active Directory.  Navigate to the “Configure Synchronization Connections” page.

ups-adfs-03

Here we’ll need to create a new connection.  Click on the “Create New Connection” link.

ups-adfs-04

Now the actual configuration begins.  There will be several things that need to be configured here.

ups-adfs-05

  1. Connection Name: 2008r2.local-SAML
    • This entry is arbitrary and is just for naming purposes.  I use the name of the domain I am syncing from and, since we are using SAML, add that on the end.
  2. Fully Qualified Domain Name: 2008r2.local
    • Exactly as it sounds: the fully qualified domain name of the domain you are syncing from.  The SharePoint servers must be able to resolve this name and reach a domain controller in that domain over LDAP.
  3. Authentication Provider Type: Trusted Claims Provider Authentication
    • Since this is what we are here for, change it to the proper provider type.
  4. Authentication Provider Instance: ADFS SAML Provider
    • This is whatever you named the SAML provider (the trusted identity token issuer) in your environment.
  5. Account Name: 2008r2\sp_usersync
    • This is the account that will perform the import from Active Directory.  Remember that it needs “Replicate Directory Changes” permission on the domain you are importing from.
  6. Password/Confirm Password: *******
    • Self explanatory.
  7. Port: 389
    • Whatever port you use for AD.  The default is 389, which is LDAP without TLS.  If your domain controllers offer LDAPS, use 636 together with the “Use SSL-secured connection” option so the directory data is not readable on the wire.
  8. Filter out Disabled users: Checked
    • This filters out any disabled users in AD and prevents them from being imported.

Now that we’ve entered in the relevant information we can finish the configuration by selecting the containers we wish to import from AD.

ups-adfs-06

  1. Populate Containers: This will browse AD for the containers we wish to import.
  2. Drill down to the containers that contain the users you wish to import.  In my environment I will simply import the “Users” container.
  3. Click “OK” to finish the sync configuration.

Our final step is to update the property mapping for the Claim User Identifier so that it maps to the AD attribute that carries the same value as the identity claim ADFS sends (e-mail in this series).  If the two do not match, the account names generated on import will not correspond to the identity SharePoint sees at logon, and users will not be matched to their profiles.

Modify User Properties

Navigate back to the “Manage Profile Service” page and select “Manage User Properties”.

ups-adfs-07

Scroll down the User Properties page until you find the entry for “Claim User Identifier”.

ups-adfs-08

We can see that it is set to “samAccountName”, which suits a Windows connection but not a provider whose identity claim is e-mail.  We’re going to change that, so click next to “Claim User Identifier” and choose “Edit” from the drop down.

ups-adfs-09

Scroll down to “Property Mapping for Synchronization”.  Remove the current entry since we are going to replace it.

ups-adfs-10

In the “Add New Mapping” section we will create our new mapping.  In the “Attribute” text box type in “mail” and then click “Add”.

ups-adfs-11

We can see it’s been added, so click “OK” at the bottom of the page.

ups-adfs-12

Scroll back down to the “Claim User Identifier” and verify that the attribute has been updated.

ups-adfs-13
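As an added example that is not part of the original post, the following PowerShell performs the same configuration from a farm server: the switch to Active Directory Import, the sync connection from the previous section, and the Claim User Identifier to “mail” mapping from this one. The names are the ones used in the screenshots (2008r2.local, 2008r2\sp_usersync, the Users container, a token issuer called “ADFS SAML Provider”); substitute your own. The parameter names are those of the Add-SPProfileSyncConnection cmdlet as documented for SharePoint 2013; confirm them with Get-Help Add-SPProfileSyncConnection -Full on your build before relying on the script.

```powershell
# Added example, not from the original post. Assumed names: the UPS application,
# the trusted identity token issuer "ADFS SAML Provider", the sync account
# 2008r2\sp_usersync and the Users container of 2008r2.local.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -like "User Profile Service Application*" }
if (-not $upa) { throw "User Profile Service Application not found" }

# Configure Synchronization Settings: "Use SharePoint Active Directory Import".
$upa.NoILMUsed = $true
$upa.Update()

# The sync connection. Credentials are prompted for rather than stored in the
# script; the account must hold "Replicate Directory Changes" on the domain
# and needs nothing more.
$cred = Get-Credential -Message "Sync account (e.g. 2008r2\sp_usersync)"
$userName = $cred.UserName.Split('\')[-1]   # the cmdlet takes domain and user name separately

Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName "2008r2.local" `
    -ConnectionDomain "2008r2" `
    -ConnectionUserName $userName `
    -ConnectionPassword $cred.Password `
    -ConnectionSynchronizationOU "CN=Users,DC=2008r2,DC=local" `
    -ConnectionPort 389 `
    -ConnectionUseSSL $false `
    -ConnectionUseDisabledFilter $true `
    -ConnectionClaimProviderTypeValue "Trusted" `
    -ConnectionClaimProviderIdValue "ADFS SAML Provider" `
    -ConnectionClaimIDMapAttribute "mail"

# Port 389 is LDAP without TLS. If the domain controllers offer LDAPS, replace
# the two lines above with:
#     -ConnectionPort 636 -ConnectionUseSSL $true
# so the directory import is not readable on the wire.
```

The ConnectionClaimIDMapAttribute parameter sets the same “Claim User Identifier” mapping as the Manage User Properties page, so the property edit does not have to be repeated by hand; the cmdlet names the connection itself, so there is no equivalent of the “Connection Name” box.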

Verify

Now that everything is configured, go ahead and start a profile sync, or wait for the scheduled one to run.  Then verify that the profiles have been imported.

ups-adfs-14

Finally navigate to the “Manage User Profiles” page.

ups-adfs-15

Search for an account and verify that the account name is the mapped e-mail address in its claims-encoded form (for example i:05.t|ADFS SAML Provider|user@2008r2.local) rather than the 2008r2\user form a Windows connection would have produced.

ups-adfs-16
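The check above can be made exact rather than visual. The script below is an added example, not from the original post: it asks the trusted identity token issuer which claim it identifies users by, computes the encoded account name SharePoint will generate for one sample user, and confirms that a profile exists under exactly that name with the Claim User Identifier (internal name SPS-ClaimID) populated. It also flags people who ended up with more than one profile, which is what happens when a Windows connection and a Trusted connection both import the same container. The provider name, the site URL and the sample address jdoe@2008r2.local are assumptions; the sample user is constructed.

```powershell
# Added verification script, not from the original post. Assumptions: the
# trusted identity token issuer is named "ADFS SAML Provider", a claims web
# application exists at https://portal.2008r2.local, and jdoe@2008r2.local is
# a constructed sample account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "ADFS SAML Provider"          # assumption: name of the SPTrustedIdentityTokenIssuer
$siteUrl      = "https://portal.2008r2.local" # assumption: any site served by this UPS
$sampleEmail  = "jdoe@2008r2.local"           # constructed sample user

# 1. Which claim does the provider identify users by? The AD attribute mapped to
#    "Claim User Identifier" (SPS-ClaimID) must carry this same value.
$sts = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
Write-Host ("Identity claim type: {0}" -f $sts.IdentityClaimTypeInformation.InputClaimType)

# 2. The encoded account name SharePoint generates for that identity. For an
#    e-mail identity claim from a trusted provider this is "i:05.t|<provider>|<email>".
$principal = New-SPClaimsPrincipal -Identity $sampleEmail -TrustedIdentityTokenIssuer $sts
$encoded   = $principal.ToEncodedString()
Write-Host "Expected profile account name: $encoded"

# 3. Does the profile store hold a profile under exactly that name?
$ctx = Get-SPServiceContext -Site $siteUrl
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
if ($upm.UserExists($encoded)) {
    $up = $upm.GetUserProfile($encoded)
    Write-Host ("OK: SPS-ClaimID = {0}; PreferredName = {1}" -f $up["SPS-ClaimID"].Value, $up["PreferredName"].Value)
} else {
    Write-Warning "No profile named $encoded. Check the Claim User Identifier mapping and the connection's provider type and instance."
}

# 4. One person, two profiles: the symptom of importing the same container
#    through both a Windows and a Trusted connection.
$byEmail = @{}
foreach ($p in $upm.GetEnumerator()) {
    $mail = $p["WorkEmail"].Value
    if (-not $mail) { continue }
    if (-not $byEmail.ContainsKey($mail)) { $byEmail[$mail] = @() }
    $byEmail[$mail] += $p.AccountName
}
foreach ($entry in $byEmail.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning ("{0} has {1} profiles: {2}" -f $entry.Key, $entry.Value.Count, ($entry.Value -join ", "))
    }
}
```

If step 3 reports a missing profile while the Manage User Profiles page does show the user, compare the two account names character for character: a mismatch in the provider name or in the attribute mapped to SPS-ClaimID is enough to leave a logged-in ADFS user without a profile.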

Posted in ADFS, SharePoint 2013, UPS
10 comments on “SharePoint 2013 Configure User Profile Service For ADFS Provider”
  1. snowburnt says:

    I’ve been following your guide, everything works great! Only issue I’m having now is in the top right it shows the claims identifier (mail) instead of their preferred name. Any way to fix that?

    • whorn76 says:

      I’ve only had this issue when a user first visits a site and then it will correct itself. When you look up the user in the User Profile Service in Central Administration do you see that they have their name correctly populated?

  2. Denis says:

    Nice article, thanks. I have a question: yes, Active Directory Import is a faster option and doesn’t require Synchronization service running, but there is a major limitation. In this article http://www.harbar.net/archive/2012/07/23/sp13adi.aspx Spence is saying that “We cannot map AD attributes to “system” SharePoint Profile properties. These are the guys whose name begins with the SPS- prefix.” Claim User Identifier is one of those, it’s got SPS-ClaimID internal name and I cannot change default mapping from samAccountName to email, it’s just grayed out. How did you manage to overcome this limitation? Am I missing a CU enabling this feature?

    Thank you.

    • Denis says:

      I did further research and found a blogpost with the same question. The solution was to run normal instance of IE without elevation to work with Central Admin. When CA site is accessed via shortcut in Start menu it is opened in IE with elevated permissions and that spoils the play. Tricky!

  3. Michele says:

    good post! I have a question: I have only one web app configured with ADFS, the other ones are Claims. I have 2 sync connections, one for standard Windows and the other with ADFS provider, both configured to import users from the same container in AD. When I run a profile import though (full or incr) I get an error “More than one DN specified for the same profile”
    I suspect I should have only the ADFS connection and not the Windows one?
    because otherwise users would have 2 different user profiles.
    Would I need to delete all the normal domain\username user profiles and then populate the ADFS ones by running a full sync?

  4. Srikanth says:

    Hey guys,

    I’ve been working on a similar situation but I’ve a doubt. To get the connection working with adfs, should the SharePoint server be able to resolve the Domain name? In my case I’ve xyz.com and abc.com. SharePoint is installed on Xyz.com and configured to allow users from abc.com. The authentication is working, but when I try to create a UPS it says Ldap server unavailable. Any ideas?

    • whorn76 says:

      Yes, you will need to be able to resolve the domain name otherwise it can’t connect to import the accounts from AD. Were you able to import the accounts from XYZ.com just fine?

      • Srikanth N says:

        Thank you for the reply Whorn76. No, I was unable to import the user profiles. I’m reading some articles that say we just need to open port 389 on the ADFS server and everything should work fine. I’m getting balder by the minute because I’m unable to configure.

  5. guycox says:

    How does this actually use ADFS? If the users are actually from an identity provider other than AD how do those users get synched — You are really just swapping the SAMAccount name for the email as the claim identity (the UPN) which you could do without ADFS…
