SharePoint 2013 ADFS 2.0 OAM claims auth - role not being read.


  • We are using OAM as our IdP.

    We are trying to SSO to an SP that has a SharePoint claims-based SSO, running on SharePoint 2013 and ADFS 2.0.

    They have 2 other customers working with their solution - but they both use we know their solution works.

    They are using a claims model, so they do NOT create a user in their solution. We send the email address and role.

    We can get the user authenticated to SharePoint by setting up a transform on the NameID:

      •  Enter a name for the Claim Rule
      •  Select NameID as the Incoming Claim Type
      •  Select Email as the Incoming name ID format
         o  Pass through all claim values if you want to accept any email addresses
         o  Pass through only claim values that match a specific email suffix value if you want to only accept a specific set of email addresses
      •  Click Finish
      •  The list of claim rules will be displayed

    This gets the user authenticated to SharePoint.

    But the role information is not being consumed by SharePoint - it is in the SAML assertion as:

    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ks_ins_users_mod,KS_INS_DEVLPRS_MOD,domain user</saml:AttributeValue>
    </saml:Attribute>

    How do we get SharePoint to use this?


    Friday, March 10, 2017 8:23 PM
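As an added example (not from the original post, the vendor, or Microsoft), this is how the basic-format "role" attribute shown above could be accepted in ADFS 2.0 and registered in SharePoint 2013 so it is no longer dropped; the trust names "OAM", "SharePoint 2013" and "ADFS" are placeholders, and the standard role claim type URI is an assumption.

```powershell
# Added example, not the original poster's configuration. Placeholders: the ADFS claims
# provider trust for OAM is named "OAM", the SharePoint relying party trust is named
# "SharePoint 2013", and the SharePoint trusted identity provider is named "ADFS".

# ---- Step 1, on the ADFS 2.0 server: the incoming attribute has NameFormat "basic",
#      so ADFS surfaces it with the literal claim type "role". Re-issue it under the
#      standard role claim type and keep the original issuer for auditing.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$roleType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

$acceptanceRules = @"
@RuleName = "Re-issue OAM basic role attribute as standard role claim"
c:[Type == "role"]
 => issue(Type = "$roleType", Value = c.Value, ValueType = c.ValueType,
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer);
"@
# Set- replaces the whole rule set, so keep any acceptance rules already configured.
$cpt = Get-ADFSClaimsProviderTrust -Name 'OAM'
Set-ADFSClaimsProviderTrust -TargetName 'OAM' `
    -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + $acceptanceRules)

# ---- Step 2, still on ADFS: pass the standard role claim on to the SharePoint relying party.
$issuanceRules = @"
@RuleName = "Pass role claim to SharePoint"
c:[Type == "$roleType"] => issue(claim = c);
"@
$rpt = Get-ADFSRelyingPartyTrust -Name 'SharePoint 2013'
Set-ADFSRelyingPartyTrust -TargetName 'SharePoint 2013' `
    -IssuanceTransformRules ($rpt.IssuanceTransformRules + "`n" + $issuanceRules)

# ---- Step 3, on a SharePoint 2013 server: SharePoint silently ignores claim types it
#      has no mapping for, so register the role claim type on the trusted provider.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sts = Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS'
$roleMap = New-SPClaimTypeMapping -IncomingClaimType $roleType `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming
Add-SPClaimTypeMapping -Identity $roleMap -TrustedIdentityTokenIssuer $sts

# Caveat: the assertion in the post carries all three roles in ONE <saml:AttributeValue>,
# so SharePoint will see a single role literally named
# "ks_ins_users_mod,KS_INS_DEVLPRS_MOD,domain user". For per-role authorization the IdP
# must emit one <saml:AttributeValue> element per role (one claim per value).
```

After the mapping is added, a test sign-in should show the role claim on the user's identity (for example in a claims viewer web part), which is the quickest way to confirm which side is dropping it.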

All replies

  • Hi,

    We are currently looking into this issue and will give you an update as soon as possible.

    Best Regards,

    Dean Wang


    Tuesday, March 14, 2017 1:53 AM