For various reasons getting a claims based authentication web application up and working correctly with both an identity claim and a role claim has been troublesome to say the least. So I'm going to share here the steps just around creating the claims and the SPTrustedIdentityTokenIssuer.
1. Create the identity claim:
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
2. Create the role claim:
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
3. Include BOTH claims when creating your SPTrustedIdentityTokenIssuer:
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS v2" -Description "ADFS v2" -Realm "yourRealmName" -ImportTrustCertificate $yourCert -ClaimsMappings $map,$map2 -SignInUrl "https://urlToYourAdfsServer/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
One of the keys here is that you need to do this WHEN you create your token issuer; you can't add a mapping after the fact. This is one of the limitations of SPTrustedIdentityTokenIssuers that I will discuss in another post.
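Putting the three steps together, here is an added example (not from the original post) that creates both mappings and the issuer in one pass and guards against the two ways the call fails in practice: an issuer of the same name already existing, and two mappings sharing one IncomingClaimType. The issuer name, realm, ADFS host and certificate path are assumed placeholders.

```powershell
# Added example: claims mappings + SPTrustedIdentityTokenIssuer in one pass.
# Assumed values below must be replaced with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS v2"                                 # assumed
$realm      = "yourRealmName"                           # assumed; must equal the relying party identifier in ADFS
$signInUrl  = "https://urlToYourAdfsServer/adfs/ls"     # assumed
$certPath   = "C:\certs\adfs-token-signing.cer"         # assumed; public part of the ADFS token-signing cert

# SharePoint validates the signature on incoming tokens with this certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Each incoming claim type is a key: it may appear only once in -ClaimsMappings.
$claimTypes = @($emailType, $roleType)
$dupes = $claimTypes | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    throw ("Duplicate IncomingClaimType(s): " + (($dupes | ForEach-Object { $_.Name }) -join ", "))
}

$mappings = @(
    New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
    New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
)

# Mappings cannot be changed once the issuer exists, so an issuer of this name
# has to be removed and recreated with the full set of mappings.
$existing = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-SPTrustedIdentityTokenIssuer -Identity $issuerName -Confirm:$false
}

$ap = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description $issuerName `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $mappings `
    -SignInUrl $signInUrl -IdentifierClaim $emailType

# Confirm that both claim types were recorded on the new issuer.
$ap.ClaimTypes
```

Removal fails while the provider is still assigned to a web application's authentication providers, so detach it there first if the script stops at Remove-SPTrustedIdentityTokenIssuer.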
What if I have multiple Roles? When I try to add another role I get an error message stating "New-SPTrustedIdentityTokenIssuer : An item with the same key has already been added."
Using your example I would add [ $map3 = New-SPClaimTypeMapping -IncomingClaimType "schemas.microsoft.com/.../role" -IncomingClaimTypeDisplayName "Role2" -SameAsIncoming ] and then add $map3 to the -ClaimsMappings section of the "New-SPTrustedIdentityTokenIssuer" command.
@Stephen, It sounds like you need to remove your existing Id Issuer first. You can't update the mappings once it's created. Use Remove-SPTrustedIdentityTokenIssuer to remove it, then try adding it with all 3 mappings. Also, see the "Planning Considerations..." post at blogs.technet.com/.../planning-considerations-for-claims-based-authentication-in-sharepoint-2010.aspx.
I got ADFS and SharePoint 2010 working with the Identity and Role claims you have mentioned above. However, I can't figure out one thing. When I add a single user from the AD, I can log in with that user and everything works fine. The problem is when I try to add an AD group such as Domain Users: none of my AD users are able to log in. Any ideas?