Creating both an Identity and Role Claim for a SharePoint 2010 Claims Auth Application

For various reasons getting a claims based authentication web application up and working correctly with both an identity claim and a role claim has been troublesome to say the least.  So I'm going to share here the steps just around creating the claims and the SPTrustedIdentityTokenIssuer.

1. Create the identity claim:

# Claim type URIs are matched as literal strings, and the well-known claim types use the http:// scheme.
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

2. Create the role claim:

# No leading or trailing spaces inside the quotes: a padded claim type never matches the claims ADFS issues.
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

3. Include BOTH claims when creating your SPTrustedIdentityTokenIssuer:

# $yourCert is the ADFS token-signing certificate (public key only); -IdentifierClaim must be one of the mapped incoming claim types.
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS v2" -Description "ADFS v2" -Realm "yourRealmName" -ImportTrustCertificate $yourCert -ClaimsMappings $map,$map2 -SignInUrl "https://urlToYourAdfsServer/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

One of the keys here is that you need to do this WHEN you create your token issuer; you can't add a mapping after the fact. This is one of the limitations of SPTrustedIdentityTokenIssuers that I will discuss in another post.
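The three steps above as one script, written here as an added example rather than code from the original post. The realm, ADFS host name and certificate path are placeholders. Beyond the post's own commands it adds two checks a practitioner wants before calling the cmdlet: it rejects a second mapping for an incoming claim type that is already mapped (the ClaimsMappings set is keyed by incoming claim type, which is what produces the "same key has already been added" error; several roles arrive as several values of the one role claim type, not as several mappings), and it confirms the identifier claim is among the mappings. Because mappings can't be changed later, it removes an existing issuer of the same name and recreates it, then reads back what SharePoint actually stored.

```powershell
# Added example, not the original post's code. Placeholders: realm, sign-in URL, certificate path.
# Written for the PowerShell 2.0 that ships with SharePoint 2010 (no array member enumeration).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS v2"
$realm      = "urn:sharepoint:yourRealmName"                 # placeholder realm
$signInUrl  = "https://adfs.example.invalid/adfs/ls"         # placeholder ADFS sign-in URL
$certPath   = "C:\certs\adfs-token-signing.cer"              # placeholder: ADFS token-signing cert (public key only)

# Well-known claim type URIs; compared as strings, so the http:// scheme and exact spelling matter.
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# One mapping per incoming claim TYPE. Multiple roles come as multiple VALUES of $roleClaim.
$mappings = @(
    (New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming),
    (New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName "Role"         -SameAsIncoming)
)

# Fail early on the two mistakes that otherwise surface only inside New-SPTrustedIdentityTokenIssuer.
$incomingTypes = $mappings | ForEach-Object { $_.InputClaimType }
$duplicates = $incomingTypes | Group-Object | Where-Object { $_.Count -gt 1 }
if ($duplicates) {
    $names = ($duplicates | ForEach-Object { $_.Name }) -join ", "
    throw "Duplicate incoming claim type(s) in -ClaimsMappings: $names"
}
if ($incomingTypes -notcontains $emailClaim) {
    throw "The -IdentifierClaim ($emailClaim) must be one of the mapped incoming claim types."
}

# Mappings are fixed at creation time. Recreate the issuer rather than trying to amend it.
# Assumes no web application is still bound to the existing issuer.
$existing = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-SPTrustedIdentityTokenIssuer -Identity $issuerName -Confirm:$false
}

# Only the public certificate is needed; SharePoint uses it to validate the ADFS token signature.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

$ap = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description $issuerName `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $mappings `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaim

# Read back what was persisted so a typo in a claim type is caught now, not at first logon.
$stored = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$stored.ClaimTypeInformation | Select-Object InputClaimType, MappedClaimType, DisplayName | Format-Table -AutoSize
"Identifier claim:        " + $stored.IdentityClaimTypeInformation.MappedClaimType
"Signing cert thumbprint: " + $stored.SigningCertificate.Thumbprint
```

Run it from the SharePoint 2010 Management Shell on a farm server. The final table should list exactly the two incoming claim types with their display names, and the thumbprint should match the token-signing certificate currently published by ADFS; if ADFS rolls that certificate, this trust has to be updated or recreated as well.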

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    September 09, 2010
    What if I have multiple Roles?  When I try to add another role I get an error message stating "New-SPTrustedIdentityTokenIssuer : An item with the same key has already been added." Using your example I would add [ $map3 = New-SPClaimTypeMapping -IncomingClaimType "schemas.microsoft.com/.../role" -IncomingClaimTypeDisplayName "Role2" -SameAsIncoming ] and then add $map3 to the -ClaimsMappings section of the "New-SPTrustedIdentityTokenIssuer" command. Any thoughts?

  • Anonymous
    October 22, 2010
    @Stephen, It sounds like you need to remove your existing Id Issuer first. You can't update the mappings once it's created. Use Remove-SPTrustedIdentityTokenIssuer to remove it, then try adding it with all 3 mappings. Also, see the "Planning Considerations..." post at blogs.technet.com/.../planning-considerations-for-claims-based-authentication-in-sharepoint-2010.aspx.

  • Anonymous
    February 14, 2011
    I got ADFS and SharePoint 2010 working with the Identity and Role claims you have mentioned above.  However I can't figure out one thing.  When I add a single user from the AD, I can log in with that user and everything works fine.  The problem is when I try to add an AD group such as Domain Users, none of my AD users are able to log in.  Any ideas?

  • Anonymous
    September 18, 2014
    The comment has been removed

  • Anonymous
    March 01, 2015
    I recently witnessed a problem that proved to be fairly difficult to track down so I thought I would