In previous blogs in the series we have discussed how to configure ADFS for use within SharePoint. This short entry will demonstrate how to configure the User Profile Service Application (UPS) to use our newly created Trusted Claims Provider for the import of our users from AD.
- Lab Environment
- Install Windows Certificate Authority
- ADFS Prerequisites
- How to Install and Configure ADFS 2.0
- Configure User Profile Service for ADFS 2.0
- Configure Search to Crawl Web Applications Using Claims and ADFS 2.0
- Configure People Picker to resolve ADFS Identities
- Adding Host Name Site Collections to Existing Web Application Configured to use ADFS 2.0
- Validate Configuration with “Claims Viewer Web Part”
- You have already created your Trusted Claims Provider
- You have a newly provisioned UPS
- Your Sync account has ‘Replicate Directory Changes’ permissions within active directory. Steps to complete this change are documented here.
Configure Synchronization Settings
Once the UPS has fully provisioned, navigate to the “Manage Profile Service: User Profile Service” page. Here we first need to change the “Configure Synchronization Settings” to allow for Active Directory Import.
On this page simply select the “Use SharePoint Active Directory Import” radio button and then click “OK”.
Now we can configure the sync connection to active directory. Navigate to the “Configure Synchronization Connections” page.
Here we’ll need to create a new connection. Click on the “Create New Connection” link.
Now the actual configuration begins. There will be several things that need to be configured here.
- Connection Name: 2008r2.local-SAML
  - This entry is arbitrary and is just for naming purposes. I use the domain name that I am syncing from for the name, and since we are using SAML we’ll add that on the end.
- Fully Qualified Domain Name: 2008r2.local
  - Exactly as it sounds: the fully qualified domain name of the domain you are syncing from.
- Authentication Provider Type: Trusted Claims Provider Authentication
  - Since this is what we are here for, we’ll change it to the proper provider.
- Authentication Provider Instance: ADFS SAML Provider
  - This will be whatever you named the SAML provider in your environment.
- Account Name: 2008r2\sp_usersync
  - This is the account you’ve chosen to perform the import from Active Directory. Remember that it needs “Replicate Directory Changes” permissions on the domain you are importing from.
- Password/Confirm Password: *******
  - Self-explanatory.
- Port: 389
  - Whatever port you use for AD. The default is 389.
- Filter out Disabled users: Checked
  - This filters out any disabled users in AD and prevents them from being imported.
Now that we’ve entered in the relevant information we can finish the configuration by selecting the containers we wish to import from AD.
- Populate Containers: This will browse AD for the containers we wish to import.
- Drill down to the containers that contain the users you wish to import. In my environment I will simply import the “Users” container.
- Click “OK” to finish the sync configuration.
Our final step is to update the property mappings so that the correct AD attribute is mapped to the profile’s Claim User Identifier.
Modify User Properties
Navigate back to the “Manage Profile Service” page and select “Manage User Properties”.
Scroll down the User Properties page until you find the entry for “Claim User Identifier”.
We can see that it is set to “samAccountName”. We’re going to change that, so click next to “Claim User Identifier” and choose “Edit” from the drop-down.
Scroll down to the “Property Mapping for Synchronization“. Remove the current entry since we are going to replace it.
In the “Add New Mapping” section we will create our new mapping. In the “Attribute” text box type in “mail” and then click “Add”.
We can see it’s been added, so click “OK” at the bottom of the page.
Scroll back down to the “Claim User Identifier” and verify that the attribute has been updated.
Now that everything is configured and set go ahead and start a profile sync, or wait for one to occur on its own. Then verify that the profiles have been imported.
Finally navigate to the “Manage User Profiles” page.
Search for an account and verify that the account name is the appropriately mapped email address.
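The Central Administration steps above (creating the Trusted Claims Provider sync connection, mapping the Claim User Identifier to the “mail” attribute, and verifying the imported account names) can also be scripted from the SharePoint Management Shell. The following is an added example, not code from the original post; it assumes SharePoint 2013 with Active Directory Import, the lab values used in this post (2008r2.local, 2008r2\sp_usersync, the “Users” container, a trusted identity token issuer named “ADFS SAML Provider”) and a UPS display name of “User Profile Service Application”. The cmdlet and parameter names are those I recall from the Add-SPProfileSyncConnection documentation; confirm them in your farm with Get-Help Add-SPProfileSyncConnection -Full before running.

```powershell
# Added example (not part of the original post): scripted equivalent of the
# sync-connection and property-mapping steps, plus a post-sync verification.
# All names below are assumptions based on the post's lab values; adjust to your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName       = "User Profile Service Application"   # assumed UPS display name
$forest        = "2008r2.local"                       # FQDN of the domain being imported
$netbiosDomain = "2008r2"
$syncAccount   = "$netbiosDomain\sp_usersync"         # must hold "Replicate Directory Changes"
$syncPassword  = Read-Host -AsSecureString "Password for $syncAccount"
$containerDN   = "CN=Users,DC=2008r2,DC=local"        # the "Users" container chosen in the post
$trustedIssuer = "ADFS SAML Provider"                 # name of the SPTrustedIdentityTokenIssuer

$upa = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $upaName }
if (-not $upa) { throw "UPS '$upaName' not found; check the display name" }

# Fail early if the trusted provider from the earlier posts does not exist yet.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $trustedIssuer -ErrorAction Stop

# Create the AD Import connection bound to the trusted provider, with the
# Claim User Identifier mapped to the "mail" attribute and disabled users filtered.
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $forest `
    -ConnectionDomain $netbiosDomain `
    -ConnectionUserName $syncAccount `
    -ConnectionPassword $syncPassword `
    -ConnectionSynchronizationOU $containerDN `
    -ConnectionPort 389 `
    -ConnectionUseSSL $false `
    -ConnectionUseDisabledFilter $true `
    -ConnectionClaimProviderTypeValue "Trusted" `
    -ConnectionClaimProviderIdValue $issuer.Name `
    -ConnectionClaimIDMapAttribute "mail"

# --- Verification, to run after a profile sync has completed ---
# Profiles imported through a trusted provider carry an encoded claim identity
# of the form i:0<claim type>.t|<issuer name>|<mail value>; anything that does
# not match that shape was not mapped through the trusted provider.
function Get-ProfilesWithoutTrustedClaim {
    param([string]$SiteUrl = (Get-SPSite -Limit 1 | Select-Object -First 1).Url)

    $ctx = Get-SPServiceContext (Get-SPSite $SiteUrl)
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

    foreach ($profile in $upm.GetEnumerator()) {
        $accountName = $profile["AccountName"].Value
        if ($accountName -notlike "i:0?.t|*") {
            [pscustomobject]@{ AccountName = $accountName; DisplayName = $profile.DisplayName }
        }
    }
}

# Any output here means the Claim User Identifier mapping did not take effect
# for that profile (for example, a user with no "mail" attribute in AD).
Get-ProfilesWithoutTrustedClaim | Format-Table -AutoSize
```

The verification function deliberately lists exceptions rather than successes: on a healthy farm it returns nothing, and each line it does print points at a user whose AD object lacks the mapped attribute or who was imported before the mapping change and needs a full sync.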