Migrate Users (Move-SPUser) when moving from Windows to SAML/FBA

When adding another authentication provider such as ADFS (SAML) or FBA (LDAP) to a web application, SharePoint treats these users and roles (groups) as entirely different users and groups from their Windows counterparts. The backend Active Directory, usernames, and passwords might all be the same, but to SharePoint these are different users.

Different Users, Different Permissions

I've deployed ADFS to a web application. I have added both my ADFS and Windows accounts to the site collection. The UserInfo table shows them as two different users.

One is a site collection administrator but the other one is not.

What's the difference?

The users will experience different…

  • User Profiles
  • My Sites
  • Permissions (users will report random access denied)
  • Alerts
  • Personal Views

The People Picker will also show two different accounts, which further confuses end users about which account is correct.

The Best Practice

Migrate the farm to utilize one type of authentication. Mixed authentication can be done but only for a subset of users. If you're utilizing ADFS, I suggest checking out my previous post on how to migrate to ADFS from Windows claims.
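Migrating users from Windows claims to the SAML identity with Move-SPUser, as an added example that is not from the original post. It assumes a trusted identity provider named "ADFS" whose identifier claim is the e-mail address and whose role claim carries the AD group name; the URL and account mappings are constructed values.

```powershell
# Added example (not the original post's code): move Windows-claims users and
# groups to their ADFS (SAML) counterparts so permissions follow the account.
# Assumptions: provider "ADFS", e-mail as identifier claim, AD group name as role claim.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl       = "https://intranet.contoso.local"   # constructed value
$providerName = "ADFS"                              # constructed value
$roleClaim    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$dryRun       = $true                               # set $false to actually migrate

# Constructed mapping: Windows login -> value of the SAML identifier claim
$userMap  = @{ "CONTOSO\jdoe" = "jdoe@contoso.com"; "CONTOSO\asmith" = "asmith@contoso.com" }
# Constructed mapping: Windows group -> value of the SAML role claim
$groupMap = @{ "CONTOSO\SP Site Owners" = "SP Site Owners" }

$web = Get-SPWeb $webUrl
$ti  = Get-SPTrustedIdentityTokenIssuer $providerName

function Move-ClaimsUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$OldEncoded, [string]$NewEncoded)
    # Resolve the existing Windows entry in UserInfo; skip if it is not there.
    $user = Get-SPUser -Web $web -Identity $OldEncoded -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Not found in $webUrl : $OldEncoded"; return }
    if ($PSCmdlet.ShouldProcess("$OldEncoded -> $NewEncoded", "Move-SPUser")) {
        # -IgnoreSID: the SAML identity has no Windows SID to carry over.
        Move-SPUser -Identity $user -NewAlias $NewEncoded -IgnoreSID -Confirm:$false
    }
}

foreach ($login in $userMap.Keys) {
    # Let SharePoint build the encoded claims instead of hand-typing i:0#.w| and i:05.t|
    $old = (New-SPClaimsPrincipal -Identity $login -IdentityType WindowsSamAccountName).ToEncodedString()
    $new = (New-SPClaimsPrincipal -Identity $userMap[$login] -TrustedIdentityTokenIssuer $ti).ToEncodedString()
    Move-ClaimsUser -OldEncoded $old -NewEncoded $new -WhatIf:$dryRun
}

foreach ($group in $groupMap.Keys) {
    $old = (New-SPClaimsPrincipal -Identity $group -IdentityType WindowsSecurityGroupName).ToEncodedString()
    $new = (New-SPClaimsPrincipal -ClaimValue $groupMap[$group] -ClaimType $roleClaim -TrustedIdentityTokenIssuer $ti).ToEncodedString()
    Move-ClaimsUser -OldEncoded $old -NewEncoded $new -WhatIf:$dryRun
}
$web.Dispose()
```

Run it with `$dryRun = $true` first and review the `What if:` lines, because where the ADFS account already exists in the site collection (the duplicate UserInfo entry described above) Move-SPUser marks that existing entry for deletion and gives its login to the migrated Windows entry, so the Windows account's permissions are the ones that survive.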

If you want to keep Windows Authentication but need something like SAML for working away from the office, I would suggest checking out Web Application Proxy (WAP). This does not require SharePoint to migrate any of the users: the SAML authentication happens at WAP, which then translates the token to Kerberos for SharePoint.