SharePoint SAML Migration Guide – Part 2 Trusted Identity
The Trusted Identity Provider can be created in two main ways, and the choice determines which claim provider you can use with it.
-UseDefaultConfiguration
This provisions an out-of-the-box claim provider that behaves similarly to the Windows Authentication claim provider.
The script below creates the trusted provider with -UseDefaultConfiguration. Modify the values to match your environment. For more information on setup and claim mapping in ADFS, check out my ADFS Migration post here.
$name = "ADFS"
$description = "Description of Token Issuer"
$signinURL = "https://adfs.contoso.com/adfs/ls"
$realm = "urn:sp13:contoso"
$adfscertPath = "C:\adfscert.cer"
$IDClaim = "EMAIL" # Choose between ACCOUNT-NAME, EMAIL, or USER-PRINCIPAL-NAME
# Load the ADFS token-signing certificate (the .NET type is X509Certificate2, not X509Certificates2)
$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfscertPath)
New-SPTrustedIdentityTokenIssuer -Name $name -Description $description -Realm $realm -ImportTrustCertificate $adfscert -SignInUrl $signinURL -UseDefaultConfiguration -IdentifierClaimIs $IDClaim
NOTE: This method is not compatible with custom claim providers like LDAPCP due to the systemID being a SID claim instead of the identifier claim.
The other choice is to create the issuer without -UseDefaultConfiguration. Use this method if you want a 3rd-party claim provider, or if the SAML provider cannot pass group tokens as SIDs. It requires you to map the identity claim and any other claims you need. No claim provider is provisioned with this method, so you will need a custom claim provider such as LDAPCP.
# Claim mappings (the parameter is -SameAsIncoming with a plain hyphen; an en dash will not parse)
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upn = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$name = "ADFS"
$description = "Description of Token Issuer"
$signinURL = "https://adfs.contoso.com/adfs/ls"
$realm = "urn:sp13:contoso"
$adfscertPath = "C:\adfscert.cer"
# The token-signing certificate must be loaded and passed with -ImportTrustCertificate, otherwise the cmdlet fails
$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfscertPath)
New-SPTrustedIdentityTokenIssuer -Name $name -Description $description -Realm $realm -ImportTrustCertificate $adfscert -ClaimsMappings $upn,$email,$role -SignInUrl $signinURL -IdentifierClaim $email.InputClaimType
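Whichever method you used, it is worth checking the resulting issuer before moving on: the signing certificate's validity window, that the identifier claim is actually among the mapped claims, that the sign-in URL is HTTPS, and which claim provider (if any) backs the people picker. The script below is an added example, not part of the original post; it assumes the issuer name "ADFS" from the scripts above and a 30-day expiry warning threshold of my own choosing.

```powershell
# Added verification script (not from the original post). Assumes the issuer is
# named "ADFS" as above; $minCertDays is an assumed threshold, adjust to taste.
$name = "ADFS"
$minCertDays = 30

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $name
if (-not $issuer) { throw "Trusted identity token issuer '$name' not found." }

# 1. Signing certificate: tokens signed with an expired certificate are rejected,
#    so every SAML web application stops accepting logins at once when it lapses.
$cert = $issuer.SigningCertificate
$now = Get-Date
$daysLeft = ($cert.NotAfter - $now).Days
if ($now -lt $cert.NotBefore -or $daysLeft -lt 0) {
    throw "Signing certificate $($cert.Thumbprint) is outside its validity period."
}
if ($daysLeft -lt $minCertDays) {
    Write-Warning "Signing certificate $($cert.Thumbprint) expires in $daysLeft days."
}

# 2. Identifier claim: it must be one of the mapped incoming claim types, since
#    SharePoint has no other way to tie an incoming token to a user identity.
$mapped = $issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
if ($mapped -notcontains $issuer.IdentifierClaim) {
    throw "Identifier claim $($issuer.IdentifierClaim) is not among the mappings: $($mapped -join ', ')"
}

# 3. The sign-in URL should be HTTPS so the SAML token is never sent in the clear.
$uri = $issuer.ProviderUri
if ($uri.Scheme -ne "https") { Write-Warning "Sign-in URL $uri is not HTTPS." }

# 4. Report the claim provider. An empty name means none is attached (the second
#    method in this post), so a custom provider such as LDAPCP is expected.
if ([string]::IsNullOrEmpty($issuer.ClaimProviderName)) {
    Write-Host "No claim provider attached; a custom provider such as LDAPCP is expected."
} else {
    Write-Host "Claim provider: $($issuer.ClaimProviderName)"
}

# Show the full mapping table for the record
$issuer.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType | Format-Table -AutoSize
```

Run it in the SharePoint Management Shell on a farm server; it only reads the issuer and makes no changes.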
After we have the Trusted Identity Token Issuer created, we can move on to Part 3 – Migration.
Resources:
New-SPTrustedIdentityTokenIssuer – https://docs.microsoft.com/en-us/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer?view=sharepoint-ps
Plan for user authentication methods in SharePoint Server – https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/plan-user-authentication