SharePoint SAML Migration Guide – Part 2 Trusted Identity

Part 2 – Trusted Identity

When creating the Trusted Identity Token Issuer there are two main options, and the choice determines which claim provider you end up with.

-UseDefaultConfiguration

This provisions an out-of-the-box claim provider that behaves similarly to the Windows authentication claim provider.

The script below creates the trusted provider with -UseDefaultConfiguration. Modify the values to match your environment. For more information on setup and claim mapping in ADFS, see my ADFS Migration post.

$name = "ADFS"
$description = "Description of Token Issuer"
$signinURL = "https://adfs.contoso.com/adfs/ls"
$realm = "urn:sp13:contoso"
$adfscertPath = "C:\adfscert.cer"   # ADFS token-signing certificate exported as .cer
$IDClaim = "EMAIL"                  # Choose between ACCOUNT-NAME, EMAIL, or USER-PRINCIPAL-NAME
# Load the token-signing certificate (class name is X509Certificate2, singular)
$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfscertPath)
New-SPTrustedIdentityTokenIssuer -Name $name -Description $description -Realm $realm -ImportTrustCertificate $adfscert -SignInUrl $signinURL -UseDefaultConfiguration -IdentifierClaimIs $IDClaim

NOTE: This method is not compatible with custom claim providers such as LDAPCP, because the SystemID is derived from a SID claim instead of the identifier claim.

The other choice is to omit -UseDefaultConfiguration. Use this method when you want a third-party claim provider, or when the SAML provider cannot pass group tokens as SIDs. It requires you to map the identity claim and any other claims you need. No claim provider is created with this method, so you will need a custom claim provider such as LDAPCP.

# Claim mappings (the incoming claim type is kept unchanged as the SharePoint claim type)
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upn = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$name = "ADFS"
$description = "Description of Token Issuer"
$signinURL = "https://adfs.contoso.com/adfs/ls"
$realm = "urn:sp13:contoso"
$adfscertPath = "C:\adfscert.cer"   # ADFS token-signing certificate exported as .cer
# The token-signing certificate is required for this variant as well
$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfscertPath)
# The identifier claim must be one of the mapped incoming claim types
New-SPTrustedIdentityTokenIssuer -Name $name -Description $description -Realm $realm -ImportTrustCertificate $adfscert -ClaimsMappings $upn,$email,$role -SignInUrl $signinURL -IdentifierClaim $email.InputClaimType
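Whichever variant you used, it is worth reading the issuer back and checking the settings that most often break SAML sign-in. The script below is an added example, not code from the original post; it assumes the issuer was created with the name "ADFS" as in the scripts above.

```powershell
# Added example: verify a trusted identity token issuer after creation.
# Assumes the issuer name "ADFS" used in the scripts above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPTrustedIssuerConfig {
    param([string]$IssuerName = "ADFS")

    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction Stop
    $problems = @()

    # 1. Token-signing certificate: SharePoint rejects every token once it expires,
    #    so flag it well before ADFS rolls its certificate.
    $cert = $issuer.SigningCertificate
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        $problems += "Signing certificate $($cert.Thumbprint) expires in $daysLeft day(s)"
    }

    # 2. The identifier claim must be one of the mapped incoming claim types;
    #    otherwise users cannot be resolved after sign-in.
    $mapped = @($issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })
    if ($mapped -notcontains $issuer.IdentifierClaim) {
        $problems += "Identifier claim $($issuer.IdentifierClaim) is not among the mapped claims"
    }

    # 3. The sign-in URL must be HTTPS, since the SAML token is posted to it.
    if ($issuer.ProviderUri.Scheme -ne "https") {
        $problems += "Sign-in URL $($issuer.ProviderUri) is not HTTPS"
    }

    [pscustomobject]@{
        Issuer          = $issuer.Name
        IdentifierClaim = $issuer.IdentifierClaim
        # Empty unless -UseDefaultConfiguration was used or a custom provider (e.g. LDAPCP) is bound
        ClaimProvider   = $issuer.ClaimProviderName
        MappedClaims    = $mapped
        Problems        = $problems
    }
}

Test-SPTrustedIssuerConfig -IssuerName "ADFS" | Format-List
```

An empty Problems list means the issuer is ready for the web application binding covered later in the series.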

After we have the Trusted Identity Token Issuer created, we can move on to Part 3 – Migration.

Resources:

New-SPTrustedIdentityTokenIssuer – https://docs.microsoft.com/en-us/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer?view=sharepoint-ps

Plan for user authentication methods in SharePoint Server – https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/plan-user-authentication
