SharePoint SAML Migration Guide – Part 1 Planning
SharePoint SAML Migration Guide – Part 2 Trusted Identity
SharePoint SAML Migration Guide – Part 3 Migration
SharePoint SAML Migration Guide – Part 4 Web Applications
SharePoint SAML Migration Guide – Part 5 User Profiles
Which web application layout to choose depends on a few different things. Keep in mind that the default zone must have Windows Authentication enabled for the crawler, and that requirement comes with some unintended issues we can run into.
Authentication Picker
Enabling more than one authentication in the same zone will cause SharePoint’s default sign in page to be the authentication picker page.
This is usually not ideal since we’re migrating users from Windows to SAML. Because we still want Windows Authentication enabled for the crawler, we can instead force users to SAML by changing the sign-in page to /_trust/default.aspx.
Another thing we will run into is the People Picker resolving both SAML and Windows claims. This is not ideal: to SharePoint these are two different users, which will cause end-user confusion among other things.
We can hide the Windows results from the People Picker by changing the Active Directory claim provider. The PowerShell below makes this change farm-wide, which means no Windows claim results anywhere. Where Windows claims are still needed, we can work around that by adding those claims using PowerShell.
# Get the farm's claim provider manager and find the Active Directory provider
$cpm = Get-SPClaimProviderManager
$adcp = $cpm.ClaimProviders | ? {$_.DisplayName -eq "Active Directory"}
# Hide Windows (AD) results from the People Picker farm-wide
$adcp.IsVisible = $false
$cpm.Update()
Extending the Web Application
The other option would be to extend the web application. Depending on the existing web applications and host headers, we might have to recreate the web application because of the URLs each zone ends up with.
Consider the following scenario:
We have a web application that has the following host name in the default zone: https://contoso.com
We would still like to use https://contoso.com, so extending would need a different name. Ideally, we would want an internal name for the default zone.
Host header | Zone | Authentication
http://WFE1:999 | Default | Windows (NTLM or Kerberos)
https://contoso.com | Intranet | SAML
Users would be signing into the Intranet but the starting address (crawl target) would use the default zone. To make this happen, we would need to recreate the web application.
We don’t need Windows enabled in the new zone since it’s already enabled in the Default zone. This warning is a good reminder that we need Windows Authentication for the crawler.
Click OK to extend the web application. Don’t forget to bind a certificate in IIS for the newly created site.
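As an added example (not code from the original post), the same extend step for the scenario in the table can be scripted. It assumes the web application already exists at http://WFE1:999 with Windows Authentication in the Default zone, and that the trusted identity token issuer from Part 2 is named "Contoso SAML" (placeholder name):

```powershell
# Added example: extend the existing web application into the Intranet zone
# with SAML-only authentication, keeping Windows in the Default zone for the crawler.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (placeholders): adjust to your farm.
$defaultZoneUrl = "http://WFE1:999"      # Default zone, Windows auth, crawl target
$intranetUrl    = "https://contoso.com"  # User-facing zone, SAML
$tipName        = "Contoso SAML"         # SPTrustedIdentityTokenIssuer name from Part 2

$wa = Get-SPWebApplication -Identity $defaultZoneUrl

# Guard: the crawler needs Windows Authentication in the Default zone, so refuse
# to continue if it is missing rather than ending up with a zone the crawler can't use.
$defaultProviders = Get-SPAuthenticationProvider -WebApplication $wa -Zone Default
$hasWindows = $defaultProviders |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }
if (-not $hasWindows) {
    throw "Default zone has no Windows authentication provider; the crawler would fail."
}

# Build a provider list containing only the trusted (SAML) provider. With a single
# provider in the zone, users go straight to SAML and never see the picker page.
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $tipName
$samlProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $tip

# Extend into the Intranet zone on https://contoso.com (SSL, port 443).
New-SPWebApplicationExtension -Identity $wa `
    -Name "Contoso Intranet" `
    -Zone Intranet `
    -URL $intranetUrl `
    -HostHeader "contoso.com" `
    -Port 443 `
    -SecureSocketsLayer `
    -AuthenticationProvider $samlProvider

# Verify: the Intranet zone should list only the trusted provider, and the
# Default zone should still list Windows.
Get-SPAuthenticationProvider -WebApplication $wa -Zone Intranet | Select-Object DisplayName
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default  | Select-Object DisplayName
```

The script does not bind the certificate; that still has to be done in IIS on each web front end for the new site.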