Adding Host Name Site Collections to existing SAML Claims Token Issuer

Overview

In previous blog entries we have discussed adding ADFS and SAML claims to a SharePoint 2013 environment.  Most examples work with a single Host Name Site Collection (HNSC), and for that case everything works fine.  However, what if you want to add more than one HNSC?  Then there are a few extra steps we have to do.

Problem

In my current lab I have a single Relying Party that I set up for my main site (https://spt.2008r2.local).  I can navigate to this site just fine and log in properly with SAML claims.


I also have an HNSC created for my Enterprise Search Center (https://search.2008r2.local).  Unfortunately, when I navigate to this page I don't get the expected result.


When trying to navigate to the search center we are redirected back to the main root site.  It appears that, because SharePoint can't match the requested site against the Provider Realms previously set up, it simply picks the first one in the list and defaults to it.

Create New Relying Party

While not ideal, there is a solution for this problem.  We simply need to create a Relying Party within ADFS for each HNSC we want to be able to navigate to.  To create a Relying Party we follow the exact same steps we followed to create the initial party, discussed here.  The only difference is that we substitute the URL of the new HNSC and create a new realm for it.



Add URL and Realm to TokenIssuer

Once we've created the new Relying Party we just need to add its URL and Realm to the existing SPTrustedIdentityTokenIssuer.  On one of your SharePoint servers, launch the SharePoint Management Shell as an administrator.


Using Get-SPTrustedIdentityTokenIssuer, grab your current provider.

# Fetch the existing trusted identity token issuer (trusted login provider) by name
$tp = Get-SPTrustedIdentityTokenIssuer -Identity "<Your Provider name here>"


Now add the URL and Realm of the newly created Relying Party to your existing TokenIssuer.

# Map the new HNSC URL to the realm of the Relying Party created for it in ADFS
$uri = New-Object System.Uri("<your HNSC URL>")
$tp.ProviderRealms.Add($uri, "<your Realm for the newly created Relying Party>")
# Persist the change to the farm configuration database
$tp.Update()
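The same procedure for several HNSCs at once, as an added example that is not part of the original post. It assumes one ADFS Relying Party already exists per site; the issuer name, URLs and realm strings are placeholders for your own values. It checks for an existing mapping before calling Add(), which otherwise throws on a duplicate Uri key, and re-reads the issuer afterwards so you can confirm the realm SharePoint will present for each site.

```powershell
# Added example (not from the original post). Issuer name, URLs and realms
# below are placeholders; replace them with the values from your own ADFS setup.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "<Your Provider name here>"

# One entry per Relying Party created in ADFS: HNSC URL -> realm identifier
$hnscRealms = @{
    "https://search.2008r2.local" = "urn:sharepoint:search"   # assumed realm value
    "https://mysite.2008r2.local" = "urn:sharepoint:mysite"   # assumed realm value
}

$tp = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($null -eq $tp) { throw "Trusted identity token issuer '$issuerName' not found." }

# The default realm is what a site falls back to when it has no ProviderRealms entry,
# which is the redirect-to-root-site behaviour described above.
Write-Host "Default realm: $($tp.DefaultProviderRealm)"

$changed = $false
foreach ($entry in $hnscRealms.GetEnumerator()) {
    $uri = New-Object System.Uri($entry.Key)

    # ProviderRealms is a Dictionary<Uri,string>; Add() throws on a duplicate key
    if ($tp.ProviderRealms.ContainsKey($uri)) {
        Write-Host "$uri already mapped to realm '$($tp.ProviderRealms[$uri])' - skipping"
        continue
    }

    $tp.ProviderRealms.Add($uri, $entry.Value)
    Write-Host "Added $uri -> $($entry.Value)"
    $changed = $true
}

# Only write to the configuration database if something actually changed
if ($changed) { $tp.Update() }

# Re-read the issuer and list every URL-to-realm mapping for verification
(Get-SPTrustedIdentityTokenIssuer -Identity $issuerName).ProviderRealms |
    Format-Table -AutoSize
```

If a site still bounces to the root site after this, compare its URL (scheme, host and port) against the listed keys; the lookup is by Uri, so an HTTP/HTTPS or port mismatch means no entry is found.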


Done!

Success

You should still be able to navigate to the original site.


As well as to the other site that we created the new Relying Party for.


2 comments on “Adding Host Name Site Collections to existing SAML Claims Token Issuer”
  1. Drew says:

    I am using a single trusted identity token issuer (ADFS 2.0) with multiple realms for different sites (urn:sharepoint:int-site1 and urn:sharepoint:int-site2). I added my provider to both sites through central administration and the first site works fine and allows my external user to authenticate. The second site gives me an access denied page (which I expected) and asks that I request access. When I submit the request for access I get an error message back stating “The specified user username@email.com could not be found”. What could I be missing?

  2. gregory15 says:

    I wanted to let you know – I was having a terrible problem getting an additional realm setup in Sharepoint 2010 – it really sucked. Like, I have my TIP assigned with the default realm to the WWW site … and I wanted to also add MYSITE to be auth with the TIP as well. But, obviously, MYSITE kept being redirected back to WWW as auth happened. So, I used your script as opposed to the following – and, for whatever reason it worked.

    BAD SCRIPT:
    $ap = Get-SPTrustedIdentityTokenIssuer "SAML_TIP"
    $uri = new-object System.Uri("https://stg3-mysite.TomSelleckFanClub.com")
    $realm = "urn:okta:sharepoint:kwup112345678PWRDBLP"
    $ap.Update()

    Thanks!!!
