SharePoint SAML Migration Guide – Part 1 Planning

SharePoint SAML Migration Guide – Part 1 Planning

SharePoint SAML Migration Guide – Part 2 Trusted Identity

SharePoint SAML Migration Guide – Part 3 Migration

SharePoint SAML Migration Guide – Part 4 Web Applications

SharePoint SAML Migration Guide – Part 5 User Profiles

Part 1 – Planning

As with most everything in SharePoint, plan and test before pushing a change like this into production. Start by reviewing a few high-level SharePoint concepts; they determine which migration path fits your organization.

Claim Providers – This is what backs the People Picker: it resolves and searches the names a user types. With Windows Authentication, SharePoint ships an Active Directory (AD) claim provider that sends LDAP queries to AD. A SAML trust does not get a claim provider unless it is created with -UseDefaultConfiguration (or you supply a custom one); without it, the People Picker accepts whatever is typed without validating it.

Trusted Identity Provider – Created in SharePoint to register the SAML identity provider, which may be AD FS or a third-party provider; users are redirected to it to sign in. The PowerShell cmdlet that lists them is Get-SPTrustedIdentityTokenIssuer.

Identity Claim – The claim that uniquely identifies a user. This is usually Email, UPN, or sAMAccountName.

Migrating from Windows claims to SAML claims requires knowing the different paths and the choices we can make. Users and groups can be migrated with Move-SPUser (one principal at a time) or with Convert-SPWebApplication, which converts a whole web application but is only available when the trust was created with -UseDefaultConfiguration.
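Before deciding on a path it helps to inventory the three pieces above in the farm you actually have. The script below is an added example, not code from the original post: it lists the claim providers registered in the farm, and for each trusted identity token issuer reports which claim is the identity claim, the incoming and mapped claim types, and whether a claim provider is wired to it (an issuer with none is the case where the People Picker cannot resolve names). It assumes you run it in the SharePoint Management Shell (or load the snap-in, as shown) on a farm server.

```powershell
# Added example, not from the original post: inventory claim providers and
# trusted identity token issuers before choosing a migration path.
# Assumes a SharePoint farm server; the snap-in line is a no-op in the
# SharePoint Management Shell, where it is already loaded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Claim providers registered in the farm. The AD provider is the one that
# backs the People Picker for Windows claims.
Get-SPClaimProvider | Select-Object DisplayName, IsEnabled, IsUsedByDefault, IsVisible

# One row per trusted identity token issuer (SAML trust).
foreach ($trust in Get-SPTrustedIdentityTokenIssuer) {
    $id = $trust.IdentityClaimTypeInformation

    # Empty ClaimProviderName means no claim provider is attached: the People
    # Picker will accept typed values as-is instead of resolving them.
    $provider = $trust.ClaimProviderName
    if ([string]::IsNullOrEmpty($provider)) { $provider = '(none)' }

    # All other claims mapped on the trust (e.g. role/group claims).
    $others = $trust.ClaimTypeInformation |
        Where-Object { -not $_.IsIdentityClaim } |
        ForEach-Object { $_.DisplayName }

    [pscustomobject]@{
        Issuer            = $trust.Name
        IdentityClaim     = $id.DisplayName
        IncomingClaimType = $id.InputClaimType
        MappedClaimType   = $id.MappedClaimType
        ClaimProvider     = $provider
        OtherClaims       = ($others -join ', ')
    }
}
```

The MappedClaimType column is what decides the encoded prefix of migrated users (Windows account name, email address or UPN), and the ClaimProvider column tells you whether the trust was built with -UseDefaultConfiguration or a custom provider, which in turn decides whether Convert-SPWebApplication is an option.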

Choosing an Identity Claim

The identity claim is unique to the user and must be present in the SAML token the provider issues. As stated above, this could be Email, sAMAccountName, UPN, or something else. The value must be unique to that user: if two users share a value, or a user has none, user profiles, permissions, and the migration itself will cause trouble down the road. Note: Currently Convert-SPWebApplication does not work with UPN. This matters when user profiles are imported.
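The uniqueness requirement is easy to check in AD before committing to a claim. The script below is an added example and not part of the original post: for each candidate identity claim it reports how many enabled users have a blank value for the backing attribute and how many values are shared by more than one user. It assumes the ActiveDirectory (RSAT) module on a domain-joined machine; the search base is a placeholder to adjust.

```powershell
# Added example, not from the original post: verify that the AD attribute
# behind each candidate identity claim is populated and unique for every
# enabled user you intend to migrate. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'DC=contoso,DC=com'   # assumption: scope of the users to be migrated

# Candidate identity claims and the AD attribute that feeds each one.
$Candidates = @{
    'sAMAccountName' = 'sAMAccountName'
    'Email'          = 'mail'
    'UPN'            = 'userPrincipalName'
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties ($Candidates.Values | Select-Object -Unique)

foreach ($claim in $Candidates.Keys) {
    $attr = $Candidates[$claim]

    # A user with no value cannot be matched to the claim in the SAML token.
    $blank = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.$attr) })

    # Two users with the same value would collapse into one SharePoint identity.
    # Group-Object is case-insensitive by default; that is deliberate here, so
    # values differing only in case are reported and can be normalised.
    $dupes = @($users |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.$attr) } |
        Group-Object -Property $attr |
        Where-Object { $_.Count -gt 1 })

    [pscustomobject]@{
        IdentityClaim = $claim
        Attribute     = $attr
        Users         = $users.Count
        Blank         = $blank.Count
        Duplicates    = $dupes.Count
        Examples      = ($dupes | Select-Object -First 3 | ForEach-Object { $_.Name }) -join ', '
    }
}
```

sAMAccountName is unique within one domain but not across a forest, so run the check per domain if more than one will sign in. For Email and UPN, also confirm that the identity provider issues exactly the attribute you checked here: a different casing or UPN suffix in the token produces a new SharePoint identity instead of matching the migrated one.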

Type   Windows claim                                               Identity claim / group mode        SAML claim
-----  ----------------------------------------------------------  ---------------------------------  ------------------------------------------------------------
User   i:0#.w|contoso\administrator                                sAMAccountName                     i:0#.t|SAML|administrator
                                                                   Email                              i:05.t|SAML|admin@contoso.com
                                                                   UPN                                i:0e.t|SAML|administrator@contoso.com
Group  c:0+.w|s-1-5-21-3687283648-2425067875-2523671615-101068     UseDefaultConfiguration            c:0+.t|SAML|s-1-5-21-3687283648-2425067875-2523671615-101068
                                                                   Without UseDefaultConfiguration    c:0-.t|SAML|Group1 (unqualified)
                                                                                                      c:0-.t|SAML|contoso\Group1 (qualified)
                                                                                                      c:0-.t|SAML|contoso.com\Group1 (fully qualified)

In the SAML column, "SAML" is the name of the trusted identity token issuer (the -Name given to New-SPTrustedIdentityTokenIssuer). The character after "i:0" or "c:0" encodes the claim type (# = Windows account name, 5 = email address, e = UPN, + = group SID, - = role), and ".w" versus ".t" marks a Windows-authenticated principal versus one from a trusted provider. Which of the three group forms applies without -UseDefaultConfiguration depends on how the identity provider emits the role claim.
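Putting the table to work, the script below is an added example (not code from the original post) that derives the encoded SAML claim each Windows-claims principal in a web application will have after migration, so the plan can be reviewed before any Move-SPUser runs in Part 3. It assumes the trusted identity token issuer is named SAML, that identity values come from the current AD domain via the ActiveDirectory module, and that the web application URL and the chosen identity claim are placeholders you set; for groups without -UseDefaultConfiguration it emits the unqualified form from the table.

```powershell
# Added example, not from the original post: build a Windows-claim -> SAML-claim
# migration plan for one web application using the encoding in the table above.
# Assumptions: SharePoint farm server, ActiveDirectory module, single AD domain,
# and the placeholder settings below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$IssuerName       = 'SAML'                       # assumption: -Name of the trusted issuer
$IdentityClaim    = 'Email'                      # 'sAMAccountName', 'Email' or 'UPN'
$UseDefaultConfig = $true                        # decides how groups are encoded
$WebAppUrl        = 'https://intranet.contoso.com'   # placeholder

# Encoded prefix and backing AD attribute for each identity claim (from the table).
$IdentityPrefix = @{ 'sAMAccountName' = 'i:0#.t'; 'Email' = 'i:05.t'; 'UPN' = 'i:0e.t' }
$AdAttribute    = @{ 'sAMAccountName' = 'sAMAccountName'; 'Email' = 'mail'; 'UPN' = 'userPrincipalName' }

function ConvertTo-SamlClaim {
    param([string]$WindowsClaim)

    # Windows user: i:0#.w|domain\sam -> look up the identity value in AD.
    if ($WindowsClaim -match '^i:0#\.w\|(?<domain>[^\\]+)\\(?<sam>.+)$') {
        $attr = $AdAttribute[$IdentityClaim]
        $u = Get-ADUser -Identity $Matches.sam -Properties $attr -ErrorAction SilentlyContinue
        if (-not $u) { return $null }                 # account no longer exists
        $value = $u.($attr)
        if ([string]::IsNullOrWhiteSpace($value)) { return $null }   # nothing to migrate to
        return "$($IdentityPrefix[$IdentityClaim])|$IssuerName|$value"
    }

    # Windows group: c:0+.w|SID -> SID stays the value with the default configuration,
    # otherwise the group arrives as a role claim named by the IdP (unqualified form here).
    if ($WindowsClaim -match '^c:0\+\.w\|(?<sid>[sS]-1-5-.+)$') {
        if ($UseDefaultConfig) { return "c:0+.t|$IssuerName|$($Matches.sid)" }
        $g = Get-ADGroup -Identity $Matches.sid.ToUpperInvariant() -ErrorAction SilentlyContinue
        if (-not $g) { return $null }
        return "c:0-.t|$IssuerName|$($g.SamAccountName)"
    }

    return $null   # not a Windows-claims principal (already SAML, or a built-in account)
}

# Walk every site collection in the web application and map each user entry.
$webApp = Get-SPWebApplication $WebAppUrl
$plan = foreach ($site in $webApp.Sites) {
    try {
        foreach ($spUser in Get-SPUser -Web $site.RootWeb -Limit All) {
            [pscustomobject]@{
                Site         = $site.Url
                WindowsClaim = $spUser.UserLogin
                SamlClaim    = ConvertTo-SamlClaim $spUser.UserLogin
            }
        }
    } finally { $site.Dispose() }
}

# Windows-claims principals with no valid target need attention before migrating.
$plan | Where-Object { $_.WindowsClaim -match '\.w\|' -and -not $_.SamlClaim } | Format-Table -AutoSize
$plan | Export-Csv -Path .\saml-migration-plan.csv -NoTypeInformation
```

The CSV is the review artifact: each row pairs the current UserLogin with the alias Move-SPUser would receive, and rows with an empty SamlClaim are the orphaned accounts and blank attributes that would otherwise surface as broken permissions after the switch. In a multi-domain forest, pass -Server to the AD lookups using the domain captured in the Windows claim.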
