SharePoint SAML Migration Guide – Part 5 User Profiles
User profiles are often overlooked when migrating to SAML. If you're using Active Directory Import (ADI) or the User Profile Synchronization Service (2013/2010), the synchronization connection has to be recreated so that profiles are keyed on the SAML claim identity.
Before deleting the old connection, document its settings so the new one can be recreated: FQDN of the forest connection, service account, connection filter/LDAP filter, OU selection, and user profile property mappings.
ADI or User Profile Synchronization Service
Back in Part 1 of this guide we decided on a claim identifier. That decision is key when setting up user profiles, because it determines which AD attribute the profile's claim identity is built from. First, create a new connection and give it a name.
Make sure to select Trusted Claims Provider Authentication as the Authentication Provider Type. If you have more than one provider, select the correct one for Authentication Provider Instance.
After creating the connection, we need to map the claim identifier. Back in the User Profile Service Application, we need to select Manage User Properties.
Click on the drop down for Claim User Identifier and Edit.
I’m using email as my identifier, so I’m entering in the AD property of ‘mail’. Adjust this to match your identifier. Click Add. Repeat for other connections/domains.
Click OK and kick off a full sync.
Users whose claim identifier attribute is populated will be imported and now show as SAML user profiles; users without a value for that attribute will not be matched to a SAML identity.
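The same connection can be recreated from the SharePoint Management Shell, which makes the documented settings (forest, OU, service account, provider, claim attribute) reviewable and repeatable. The following is an added example, not code from the original post: it creates the ADI connection against a trusted (SAML) provider, starts a full import, and checks whether a given user's profile now exists under the SAML-encoded claim identity. The UPA name, forest, OU, account, issuer name and sample user are placeholders, and the object-model calls (UserProfileConfigManager.StartImport, UserProfileManager.UserExists) are used as I understand them; adjust to your farm.

```powershell
# Added example (not from the original post). Recreates the ADI sync connection for a
# trusted identity provider and verifies that profiles land under the SAML claim identity.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Values documented from the old connection (all placeholders) -------------------
$upaName    = "User Profile Service Application"        # placeholder: display name of the UPA
$forestFqdn = "corp.example.com"                         # placeholder: forest FQDN
$netbios    = "CORP"                                     # placeholder: NetBIOS domain name
$syncOu     = "OU=Users,DC=corp,DC=example,DC=com"       # placeholder: OU selection
$syncUser   = "CORP\svc_spsync"                          # placeholder: sync service account
$siteUrl    = "https://intranet.example.com"             # placeholder: any site in the UPA's proxy group
$issuerName = "ADFS"                                     # placeholder: name of your SPTrustedIdentityTokenIssuer (Part 2)
$claimAttr  = "mail"                                     # AD attribute chosen as the claim identifier (Part 1)
$sampleUser = "jane.doe@corp.example.com"                # placeholder: a user expected to have a 'mail' value

$upa    = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $upaName }
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$pwd    = Read-Host "Password for $syncUser" -AsSecureString

# Authentication Provider Type  = Trusted Claims Provider Authentication
# Authentication Provider Instance = the token issuer selected above
# Claim User Identifier mapping = the AD attribute in $claimAttr
# (assumption: "Trusted" is the provider type value that corresponds to the UI choice)
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $forestFqdn `
    -ConnectionDomain $netbios `
    -ConnectionUserName $syncUser `
    -ConnectionPassword $pwd `
    -ConnectionSynchronizationOU $syncOu `
    -ConnectionClaimProviderTypeValue "Trusted" `
    -ConnectionClaimProviderIdValue $issuer.Name `
    -ConnectionClaimIDMapAttribute $claimAttr `
    -ConnectionUseDisabledFilter:$true

# --- Review the result through the object model ---------------------------------------
$ctx = Get-SPServiceContext (Get-SPSite $siteUrl)
$cm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($ctx)
$cm.ConnectionManager | Select-Object DisplayName, Type, UseSSL   # the new connection should be listed

# Kick off a full import (same as "Start Profile Synchronization > Start Full Synchronization")
$cm.StartImport($true)

# --- After the import: is the profile stored under the SAML identity? -----------------
# New-SPClaimsPrincipal builds the encoded claim (e.g. i:0e.t|ADFS|user@domain) for the issuer,
# so there is no need to hand-assemble the prefix.
$encoded = (New-SPClaimsPrincipal -Identity $sampleUser -TrustedIdentityTokenIssuer $issuer).ToEncodedString()
$pm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

if ($pm.UserExists($encoded)) {
    "Profile found as SAML user: $encoded"
} else {
    "No SAML profile for $encoded yet: import still running, or the user's '$claimAttr' attribute is empty."
}
```

The final check is worth running for a handful of users from each domain or connection: a profile that exists only under the old Windows account name (i:0#.w|DOMAIN\user) and not under the encoded SAML claim usually means the claim attribute is empty for that user or the Claim User Identifier mapping was not saved.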
Using full MIM with SharePoint 2016/2019? See my post on setting that up: https://adamsorenson.com/sharepoint-2016-mim-and-samlfba-user-profiles/
OAuth with roles/group membership not working? See my post on that subject: https://adamsorenson.com/saml-roles-and-sharepoint-20162013-with-oauth/
I am not sure if it is appropriate on this blog – but I am going from ADFS back to NTLM with Kerberos. Is there a way to script moving all “roles” from ADFS back to NTLM? I was able to do it for users with Move-SPUser, but I can't do it with AD groups.
This would be with Move-SPUser with the group. I believe you can use that but we would be moving from a role claim to a SID role claim. I don’t know of any script out there that will do the look up that you’re looking for.