SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occassional musings, observations, and Ouija board readings about the phabulously

Adding A Custom Claim to a Web App Policy via PowerShell in SharePoint 2010

Adding A Custom Claim to a Web App Policy via PowerShell in SharePoint 2010

  • Comments 3
  • Likes

I found this process to be much more difficult than anticipated, and then much easier than expected once done so I figured I would do a quick post on it.  The task at hand was to add a custom claim to a web app policy via PowerShell.  It all works simple enough via the central admin UI.  Once you get into PowerShell though I was initially taking the approach of creating a New-SPClaimsPrincipal to add to the policies for the zone.  Just for your at-Steve's-expense-amusement, here's a variety of different approaches that I tried (and far from all of the different permutations I looked at):

#$tp = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS with Roles"
#$cp = Get-SPClaimProvider -Identity "BasketballTeamProvider"

#$account = New-SPClaimsPrincipal -ClaimValue "DVK Jovenut" -ClaimType "Role" -TrustedIdentityTokenIssuer $tp
#$account = New-SPClaimsPrincipal -Identity "DVK Jovenut" -TrustedIdentityTokenIssuer $tp
#$account = New-SPClaimsPrincipal -Identity "c:0ǹ.c|basketballteamprovider|dvk jovenut" -IdentityType EncodedClaim
#$account = New-SPClaimsPrincipal -ClaimValue "DVK Jovenut" -ClaimType "http://schema.steve.local/teams" -ClaimProvider $cp.ClaimProvider
#$account = New-SPClaimsPrincipal -EncodedClaim "c:0ǹ.c|basketballteamprovider|dvk jovenut"

Many of them added the claim successfully, but it was clearly not the correct identifier because the policy was not implemented (i.e. I grant Full Control but users with that claim could not log in).  This was the "more difficult than anticipated" phase.  To get it to work it turned out that I really didn't need a New-SPClaimsPrincipal object at all.  Instead, here's the PowerShell that got the claim correctly added and working:

$WebAppName = "https://fc1"

$wa = get-SPWebApplication $WebAppName

$account = "c:0ǹ.c|basketballteamprovider|dvk jovenut"

$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account,"Claims Role")

So at the end of the day, just adding the custom claim as a simple string is what worked.  Note that to get that $account value, I just added the policy via central admin at first and copied the claim value it displayed when done.  Hopefully this will save you all some time should you need to do this in the future.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment