SharePoint SAML Migration Guide – Part 4 Web Applications

SharePoint SAML Migration Guide – Part 1 Planning

SharePoint SAML Migration Guide – Part 2 Trusted Identity

SharePoint SAML Migration Guide – Part 3 Migration

SharePoint SAML Migration Guide – Part 4 Web Applications

SharePoint SAML Migration Guide – Part 5 User Profiles

The web application decision depends on a few different things. Keep in mind that the default zone must have Windows Authentication enabled for the crawler, and that requirement brings a few side effects we can run into.

Authentication Picker

Enabling more than one authentication provider in the same zone causes SharePoint’s default sign-in page to become the authentication picker page.


This is usually not ideal since we’re migrating users from Windows to SAML. Because we still want Windows Authentication enabled for the crawler, we can force users to SAML by changing the sign-in page to /_trust/default.aspx.


One thing we will run into is the People Picker resolving both SAML and Windows claims. This is not ideal, since to SharePoint these are two different users, which causes end-user confusion among other things.


We can hide the Windows results from the People Picker by changing the Active Directory claim provider. The PowerShell below makes this change farm wide, so the People Picker will no longer return Windows claims anywhere. Where a Windows claim is still required (for example, a service or crawl account), we can work around that by adding those claims using PowerShell.

 
$cpm = Get-SPClaimProviderManager 
$adcp = $cpm.ClaimProviders | ? {$_.displayname -eq "Active Directory"} 
$adcp.IsVisible = $false 
$cpm.Update() 

 

Extending the Web Application

The other option is to extend the web application. Depending on the existing web applications and host headers, we might have to recreate the web application because of the zone names.

Consider the following scenario:

We have a web application that has the following host name in the default zone: https://contoso.com

We would still like users to use https://contoso.com, so the extended zone would need a different name. Ideally, we want an internal name on the default zone and the public name on the zone users sign in to.

Host header            Zone       Authentication
http://WFE1:999        Default    Windows (NTLM or Kerberos)
https://contoso.com    Intranet   SAML

Users would sign in to the Intranet zone, but the start address (crawl target) would use the Default zone. To make this happen, we would need to recreate the web application.


We don’t need Windows enabled on the extended zone since it’s enabled in the Default zone. This warning is a good reminder that we need Windows Authentication for the crawler.



Click OK to extend the web application. Don’t forget to bind a certificate in IIS for the newly created site.
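The two options above (a single zone with a custom sign-in page, or an extended Intranet zone that only offers SAML) can also be done with PowerShell. This is an added example, not code from the original post; it assumes the SharePoint snap-in, a trusted identity token issuer named "Contoso SAML" (created in Part 2), and the host names from the table above. Run one option or the other, not both.

```powershell
# Added example, not from the original post. Assumed values: the trusted
# identity token issuer "Contoso SAML" and the host names from the table.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sts  = Get-SPTrustedIdentityTokenIssuer "Contoso SAML"          # assumed name
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
$win  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Option 1: a single Default zone that keeps Windows for the crawler but sends
# interactive users straight to the trusted provider instead of the picker.
# Note that -AuthenticationProvider replaces the zone's provider list, so both
# providers must be passed together.
$wa = Get-SPWebApplication "https://contoso.com"
Set-SPWebApplication -Identity $wa -Zone Default `
    -AuthenticationProvider $win, $saml `
    -SignInRedirectURL "/_trust/default.aspx"

# Option 2: an internal Default zone for the crawler (Windows only) plus an
# Intranet zone on the public name that offers SAML only, so no picker at all.
$wa = Get-SPWebApplication "http://WFE1:999"
New-SPWebApplicationExtension -Identity $wa -Name "Contoso Intranet" `
    -Zone Intranet -URL "https://contoso.com" -HostHeader "contoso.com" `
    -Port 443 -SecureSocketsLayer -AuthenticationProvider $saml
# The certificate still has to be bound to the new IIS site by hand.

# Check: list the providers per zone and confirm the crawler's zone still has
# Windows Authentication and the users' zone shows only the trusted provider.
foreach ($zone in $wa.IisSettings.Keys) {
    $names = $wa.IisSettings[$zone].ClaimsAuthenticationProviders |
             ForEach-Object { $_.DisplayName }
    "{0,-9} {1}" -f $zone, ($names -join ", ")
}
```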
