I ran into this issue really recently working at a client with a new, pretty basic ADFS environment that was acting as the identity provider, through an ADFS proxy server relay. I couldn’t wrap my head around why it wasn’t working, the groups themselves were resolving correctly, and even showing up in the identity data sources in the people picker. However, members of the AD securitygroup, (NOT the SharePoint group) were still being denied access to the SharePoint site.
To fix this issue follow these steps:
- Open the federation server box.
- Open the ADFS management console.
- Edit the claim rules for the relaying party trust
- Select the tab Issuance Transform Rules
- Edit the Send LDAP Attributes as Claims
- This should have:
- Claim Rule Name : Pass-through LDAP Claims
- Attribute Store : Active Directory
- Set: Token Groups unqualified names (Don’t Use: Token Groups – Qualified by domain name) | Outgoing ClaimType: Role
- Set: User-Principal-Name | Outgoing Claim Type : UPN
- Open the SharePoint management shell, run the following PowerShell script to create the issuer. If you have an issuer already made, remove it or execute the coordinating update commands. Make sure you replace the $certPath, $realm, and any of the string literals within $ap.
$certPath = your certification path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“$certPath”)
$map1 = New-SPClaimTypeMapping “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming
$map2 = New-SPClaimTypeMapping “http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname” -IncomingClaimTypeDisplayName “Login” â€“SameAsIncoming
$map3 = New-SPClaimTypeMapping “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” â€“SameAsIncoming
$map4 = New-SPClaimTypeMapping “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “Account ID” â€“SameAsIncoming
$realm = “urn:” + $env:ComputerName + “:adfs”
$signinurl = “https://yoursigninurl”
$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description ADFS 2.0 -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2, $map3, $map4 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
If you are curious about the way to update, rather than create a new issuer, you can use the following. In the above, you may or may not need all those assertion mappings depending on how your trusted relay issuance rule setup:
$issuer = Get-SPTrustedIdentityTokenIssuer
$map=New-SPClaimTypeMapping “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” â€“SameAsIncoming
Now you HAVE to apply KB hotfix 2536591 located here: http://support.microsoft.com/kb/2536591/en-us
Boom! Groups will work.
So when enumerating the SPWebs within a SPFarm to build a strongly typed SPWeb collection for whatever purpose your enumeration might look like this:
public static List WebsPreppedForIteration()
var collection = new List();
foreach (SPSite x in SPFarm.Local.Services.OfType().SelectMany
(svc => ((svc).WebApplications.Where
(webApp => !webApp.Properties.ContainsKey(“Microsoft.Office.Server.SharedResourceProvider”)).SelectMany
(webApp => webApp.Sites.Cast()))).Where
(x => !Equals(x.RootWeb.Title, “Central Administration”)))
I saw this in a code review today. The part I am wondering about is the SPWebApplication property bag to query the key for WCAM as opposed to do a clunky string SPWeb.Title comparison. Putting the keys out to standard output hasn’t yielded anything particularly evident, and I’m getting frustrated with the under-the-hood, unnecessary foreach loop with a fancy shirt on (the second LINQ query against the Title property(,
Does anyone know the key for WCAM?
There is a solution here, and that is for both businesses to be able to log into the software component order system. The manager of ARB Security Solutions is able to get the information he needs without thinking about what is going on behind the scenes to make that possible. He won’t need anything special in order to gain that access.
There are several steps that have to be followed to successfully offer access to a user that is in another security domain:
- The client from ARB Security Solutions trust domain has to send a request to the software component order system application that is within the Adam Buenz’s Software House trust domain.
- The application is redirecting the client to an issuer that is within the Adam Buenz’s Software House trust domain. However, the issuer won’t need to have any knowledge of who this issuer is to do so.
- The Adam Buenz’s Software House issuer then redirects the client to an issuer in the ARB Security Solutions trust domain. There must be a trust relationship in place for this to occur successfully.
- The ARB Security Solutions issuer is going to verify that the identity of the user is legitimate. Then it will send a token to the Adam Buenz’s Software House issuer.
- The token will be used to create another token that a user from ARB Security Solutions is able to use for the software component order system. As this token is sent to the application, some of the claims will be removed and others can be added if necessary in order for the software component order application to work properly.
- The application for the software component order tracking system will extract the claims of the client from the security token. Once everything has been authenticated then the authorization will be completed.
The issuer from Adam Buenz’s Software House will be the mediator between the application and the external user. The FP in place has a couple of responsibilities to cover. They have to develop a trust relationship with the ARB Security Solutions issuer. That is the only way it will be able to accept and understand the claims sent from ARB Security Solutions.
The FP must translate ARB Security Solutions claims into something that the software component order system can easily understand. The application is only going to accept claims from Adam Buenz’s Software House so there has to be an assignment of permission in place. Since the claims for ARB Security Solutions aren’t issued from Adam Buenz’s Software House there aren’t any roles here. The ARB Security Solutions claims have to establish the name of the company as well as the name of the employee. Transforming rules are used here to get one claim accepted by another. This is frequently referred to as claims mapping.
There is a claims rule language found in the ADFS so that you are able to successfully define the behavior of identity claims. These rules allow a set of conditions to be true so that you are actually able to issue claims. Right now we won’t be using the name of the employee but we will when we get to talking about the audit features.
When the manager of ARB Security Solutions connects to the software component order system they will have claims sent to the Adam Buenz’s Software House issuer who is also the federation provider. This will then allow them to be transformed into a new set that is going to be easily identified by the Adam Buenz’s Software House claims.
The solution here also involves a home realm discovery being put into place. The software component order application has to know which issuer out there is in use. That way they can properly direct users for authentication. If a manger at ARB Security Solutions opens a browser then they can be authenticated through the information in that. Therefore they don’t have to say which company they are with.
The software component order application will be able to solve the situation by allowing the users to access the web application . There is a query string found in the link. The web application will look for that during the request being processed. The value of the URI for the partner federation server will be easily identified.