Share-n-dipity

SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occasional musings, observations, and Ouija board readings about the phabulously

Creating both an Identity and Role Claim for a SharePoint 2010 Claims Auth Application


For various reasons, getting a claims-based authentication web application up and working correctly with both an identity claim and a role claim has been troublesome, to say the least.  So I'm going to share here just the steps around creating the claim mappings and the SPTrustedIdentityTokenIssuer.

1. Create the identity claim mapping. -SameAsIncoming keeps the outgoing claim type identical to the incoming one:

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

2. Create the role claim mapping. The claim type URI must match the claim in the incoming token exactly, so make sure there is no leading or trailing whitespace inside the quotes:

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

3. Include BOTH mappings when creating your SPTrustedIdentityTokenIssuer. The -IdentifierClaim must be one of the claim types passed in -ClaimsMappings, and $yourCert is the ADFS token-signing certificate (an X509Certificate2 object) that SharePoint will use to validate the signature on incoming tokens:

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS v2" -Description "ADFS v2" -Realm "yourRealmName" -ImportTrustCertificate $yourCert -ClaimsMappings $map,$map2 -SignInUrl "https://urlToYourAdfsServer/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

One of the keys here is that you need to pass both mappings WHEN you create your token issuer; you can't add the second one after the fact.  This is one of the limitations of SPTrustedIdentityTokenIssuers that I will discuss in another post.
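Here is the whole procedure as one script, with the two details that usually bite in practice: loading the ADFS token-signing certificate and registering it as a trusted root authority so SharePoint can validate the tokens, and then reading the issuer back to confirm that both claim types and the identifier claim were actually stored. This is an added example, not code from the original post; the certificate path, the realm (the relying party identifier configured in ADFS) and the ADFS host name are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the ADFS token-signing
# certificate has been exported (public key only) to C:\certs\adfs-signing.cer,
# the realm "urn:sharepoint:intranet" matches the relying party identifier in ADFS,
# and the ADFS passive endpoint is https://adfs.contoso.com/adfs/ls.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "C:\certs\adfs-signing.cer"          # assumption: exported .cer, no private key
$realm     = "urn:sharepoint:intranet"            # assumption: relying party identifier in ADFS
$signInUrl = "https://adfs.contoso.com/adfs/ls"   # assumption: ADFS passive sign-in endpoint

$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Load the token-signing certificate SharePoint will use to validate SAML tokens.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SharePoint must also trust the signing certificate (and, for a CA-issued
# certificate, its chain); otherwise token validation fails after sign-in.
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# Build both mappings first; the issuer is created with them and the
# identifier claim must be one of them. Claim type URIs are matched exactly,
# so no stray whitespace inside the strings.
$map  = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS v2" -Description "ADFS v2" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaim

# Read the issuer back and check what was really stored.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS v2"
"Identifier claim: " + $issuer.IdentityClaimTypeInformation.InputClaimType

$mapped = $issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
foreach ($expected in @($emailClaim, $roleClaim)) {
    if ($mapped -notcontains $expected) {
        throw "Claim type mapping missing from issuer: $expected"
    }
}
"Mapped claim types:"
$mapped
```

Run it in the SharePoint 2010 Management Shell on a farm server. The verification at the end is the check worth keeping: if the role claim is absent from ClaimTypeInformation, users will authenticate but no role-based permissions will ever resolve, and the cause is far easier to spot here than in a failed site access later.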
