In this article we will show some of the unintended side effects of implementing SAML claims authentication. We will also look at a solution to these problems that has been put forward by the SharePoint community.
- SharePoint 2013 and ADFS 2.0 Installation Guide
- Lab Environment
- Install Windows Certificate Authority
- ADFS Prerequisites
- How to Install and Configure ADFS 2.0
- Configure User Profile Service for ADFS 2.0
- Configure Search to Crawl Web Applications Using Claims and ADFS 2.0
- Configure People Picker to resolve ADFS Identities
- Adding Host Name Site Collections to Existing Web Application Configured to use ADFS 2.0
- Validate Configuration with “Claims Viewer Web Part”
One of the side effects of using a SAML authentication provider in SharePoint is that, once you start using that provider, the people picker will no longer try to resolve users. For example, when trying to add a user to the site, the people picker simply parrots back whatever is typed in the box:
You will also notice that it brings back two entries, EmailAddress and Role. Each of these entries corresponds to a claim that is being passed back by ADFS. In this lab environment these are the only two claims we have mapped.
Fortunately, some independent development work has produced a few solutions. One of these is an LDAP/AD claims provider hosted on CodePlex, which can be found here.
Install and Deploy LDAPCP Solution
We'll go ahead and download the solution file and place it on our SharePoint server. Any server that is a member of the farm will do. Start an elevated SharePoint Management Shell.
Next, add the solution to the farm using the Add-SPSolution cmdlet and then install it via the Install-SPSolution cmdlet.
```powershell
# Path to the downloaded .wsp file (placeholder, substitute the location you saved it to)
Add-SPSolution -LiteralPath "<path-to-ldapcp.wsp>"
Install-SPSolution -Identity "ldapcp.wsp" -GACDeployment
```
Wait a couple of minutes to make sure the solution has had time to deploy. We can verify the deployment in Central Administration. Navigate to “System Settings”.
Under “Farm Management” navigate to “Manage Farm Solutions”.
Here we can see that the solution's status is “Deployed”.
Associate LDAPCP with the Trusted Claims Provider
Now that the solution has been installed and deployed we need to associate it with the Trusted Claims Provider.
If you don't already know it, you will need the name of your trusted identity token issuer. Assuming you have only one (which is all this CodePlex solution supports), you can retrieve the name needed with the following command.
```powershell
Get-SPTrustedIdentityTokenIssuer | Select-Object Name
```
Use the following PowerShell script to associate the new claims provider with the token issuer.
```powershell
$ap = Get-SPTrustedIdentityTokenIssuer "PROVIDER NAME"
$ap.ClaimProviderName = "LDAPCP"
$ap.Update()
```
That's it! If everything went smoothly, you should now be able to properly resolve accounts within SharePoint using SAML claims authentication.
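The whole procedure above can be run as one script that verifies each step rather than waiting blind, which is how a farm administrator would want to do it. This is an added example, not code from the article or the LDAPCP project; the .wsp path is a placeholder and the script assumes a farm with exactly one trusted identity token issuer, as the article does.

```powershell
# Added example (not from the original article): deploy LDAPCP and attach it to the
# trusted identity token issuer, confirming each step. Run from an elevated
# SharePoint Management Shell on a farm member. $WspPath is a placeholder.
$WspPath = "C:\Install\ldapcp.wsp"      # placeholder: where you saved the downloaded .wsp
$SolutionName = "ldapcp.wsp"

# Step 1: add the solution to the farm store if it is not already there.
if (-not (Get-SPSolution -Identity $SolutionName -ErrorAction SilentlyContinue)) {
    Add-SPSolution -LiteralPath $WspPath | Out-Null
}

# Step 2: deploy to the GAC farm-wide, then poll the Deployed flag until the timer
# job finishes instead of assuming "a couple of minutes" is enough.
$solution = Get-SPSolution -Identity $SolutionName
if (-not $solution.Deployed) {
    Install-SPSolution -Identity $SolutionName -GACDeployment
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 15
        $solution = Get-SPSolution -Identity $SolutionName
    } until ($solution.Deployed -or (Get-Date) -gt $deadline)
    if (-not $solution.Deployed) {
        throw "LDAPCP did not reach the Deployed state; check Manage Farm Solutions."
    }
}

# Step 3: LDAPCP supports a single SAML trusted identity token issuer, so refuse to
# guess if the farm has more than one.
$issuers = @(Get-SPTrustedIdentityTokenIssuer)
if ($issuers.Count -ne 1) {
    throw "Expected exactly one trusted identity token issuer, found $($issuers.Count)."
}
$ap = $issuers[0]
Write-Host "Issuer '$($ap.Name)' currently uses claims provider: '$($ap.ClaimProviderName)'"
$ap.ClaimProviderName = "LDAPCP"
$ap.Update()

# Step 4: read the setting back so the change is confirmed, not assumed.
$check = Get-SPTrustedIdentityTokenIssuer -Identity $ap.Name
if ($check.ClaimProviderName -ne "LDAPCP") {
    throw "ClaimProviderName was not persisted on issuer '$($ap.Name)'."
}
Write-Host "Issuer '$($check.Name)' now resolves people picker queries through LDAPCP."
```

After the script completes, typing a partial name in the people picker should return entries resolved against Active Directory rather than the typed text echoed back as EmailAddress and Role claims.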