ADFS Trusted Provider for SharePoint 2016

  • Question

  • I have set up ADFS as a Trusted Provider for 2013 and it worked like a champ. I am now trying to set it up for a 2016 development farm, but after the PowerShell configuration things are a little different. 

    I'm setting up my SP2016 test environment and implementing ADFS as the trusted claims provider for the main web app. In 2013 it allowed me to choose attributes for Claim User Identifier, Claim Provider Identifier, and Claim Provider Type. However, after setting up the Trusted Claim Provider for the web app and doing a Full Sync, attributes are not showing up for me to update these managed user properties.

    I also remember talking about the Sync Settings in Central Admin being different. Where in 2013 I was doing a “Use SP Profile Sync,” but in 2016 that option is not available because the sync is configured differently than in 2013.

    Do you know why these attributes would not show up, or how I can get them to show up, and/or do you have any further advice on setting up ADFS as a trusted provider specifically for SP2016?

    NOTE – the sync is pulling in the users as ADFS users which is what I want. However, I’m not currently able to login with ADFS. It sends me in a loop.


    Tuesday, June 27, 2017 2:16 PM

Answers

  • Hi again.

    You need to type it in manually in the Attribute field, so just type "mail" and choose Add and you're good to go :).


    BR. /Philip
    • Marked as answer by SharePointAU Wednesday, June 28, 2017 4:39 PM
    Wednesday, June 28, 2017 1:54 PM

All replies

  • The Profile properties will be there by default. You can set the properties in the Manage User Profile Properties. Have you done that piece?

    Trevor Seward
    Office Servers and Services MVP
    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, June 28, 2017 2:22 AM
  • Thank you for your reply. 

    Yes, that is exactly what I'm asking about. When I set this up in my previous farm the attributes were auto-populated after a full sync, but with SP2016 the attributes are not populated (see screenshot of "Claim User Identifier" below). I'm wondering if I have missed something.

    Claim User Identifier screenshot

    NOTE: When you "Manage User Profiles" and find a user email, phone, etc. all show. 


    • Edited by SharePointAU Wednesday, June 28, 2017 12:03 PM asked a question
    Wednesday, June 28, 2017 12:02 PM
  • As far as I recall, the "Claim User Identifier" property has always been something you need to map manually, which is specific to the identity claim you have specified on the Trusted Claim Provider / Trusted Identity Token Issuer.
    Since it needs to be unique, the most commonly used, as I have seen, is either the "mail" or the "userPrincipalName" attribute when syncing against Active Directory.

    We ourselves are using UPN.

    BR. /Philip
    Wednesday, June 28, 2017 1:06 PM
  • Philip, 

    I agree 100%, and we are using mail. However, my issue is that the attributes are not showing (please see screenshot above). I'm wondering if I have configured something wrong or missed a step, because when I configured this for SP2013 the attribute dropdown was populated and I was able to select "mail" from the list. 

    But with my SP2016 configuration the list is not populating. What have I missed?

    Wednesday, June 28, 2017 1:49 PM
  • Hi again.

    You need to type it in manually in the Attribute field, so just type "mail" and choose Add and you're good to go :).


    BR. /Philip
    • Marked as answer by SharePointAU Wednesday, June 28, 2017 4:39 PM
    Wednesday, June 28, 2017 1:54 PM
  • thanks Philip. I must have been too deep in the weeds. 

    I couldn't make myself believe that if I typed it in it would work. But it seems to have worked just fine. 

    Thank you!

    Wednesday, June 28, 2017 4:40 PM
  • Hi again.

    You need to type it in manually in the Attribute field, so just type "mail" and choose Add and you're good to go :).


    BR. /Philip
    I thought this answer was rubbish at first, but lo and behold, you just copy the attribute name from Active Directory, like "userPrincipalName", type it in the box and click Add (you may have to remove the one that's already there).
    Monday, October 23, 2017 4:01 PM
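The thread boils down to two things: the attribute you type into "Claim User Identifier" must carry the same value as the claim you declared with -IdentityClaim on the trusted identity token issuer, and in SP2016 you type that AD attribute name (mail or userPrincipalName) in by hand. The script below is an added example, not code posted by anyone in the thread: it creates the trust with the e-mail claim as the identity claim, reads back which claim type is the identity claim so you know what to map, and then adds the SPS-ClaimID (Claim User Identifier) property mapping from PowerShell instead of the UI. The issuer name, realm, sign-in URL, certificate path, web application URL and sync connection name are placeholders, and the UserProfileConfigManager/PropertyMapping calls used for the profile mapping are my assumption about the AD Import object model, so verify them against your farm before relying on them.

```powershell
# Added example (not from the thread). All names, paths and URLs are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName  = "ADFS"                                  # assumed issuer name
$realm       = "urn:sharepoint:sp2016"                 # must equal the relying party identifier in ADFS
$signInUrl   = "https://adfs.contoso.local/adfs/ls/"   # assumed ADFS passive endpoint
$certPath    = "C:\certs\adfs-token-signing.cer"       # exported ADFS token-signing certificate
$webAppUrl   = "https://intranet.contoso.local"        # web app the trust is used on
$syncConnNm  = "contoso.local"                         # display name of the AD Import connection
$emailClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$upnClaim    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$roleClaim   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Which AD attribute feeds the identity claim. This is what you type into
# "Claim User Identifier": mail for the emailaddress claim, userPrincipalName for upn.
$claimToAdAttribute = @{ $emailClaim = "mail"; $upnClaim = "userPrincipalName" }

function New-AdfsTrust {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
    # SharePoint must trust the token-signing certificate before it accepts ADFS tokens.
    New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

    $emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
        -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
    $roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleClaim `
        -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

    # -IdentityClaim is the claim that identifies the user; it must be unique per user.
    New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "ADFS for SP2016" `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
        -SignInUrl $signInUrl -IdentityClaim $emailMap.InputClaimType
}

function Get-IdentityClaimAttribute {
    # Check: read the identity claim back from the farm and translate it to the
    # AD attribute that has to be mapped to SPS-ClaimID.
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
    $claimType = $issuer.IdentityClaimTypeInformation.InputClaimType
    if (-not $claimToAdAttribute.ContainsKey($claimType)) {
        throw "Identity claim '$claimType' has no known AD attribute; map it by hand."
    }
    $claimToAdAttribute[$claimType]
}

function Set-ClaimIdMapping {
    param([string]$AdAttribute)
    # Assumption: AD Import exposes its mappings through UserProfileConfigManager.
    $context = Get-SPServiceContext -Site (Get-SPSite $webAppUrl)
    $upcm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)
    $conn = $upcm.ConnectionManager | Where-Object { $_.DisplayName -eq $syncConnNm }
    if (-not $conn) { throw "Sync connection '$syncConnNm' not found." }

    $existing = $conn.PropertyMapping | Where-Object { $_.ProfileProperty -eq "SPS-ClaimID" }
    if ($existing) {
        # An old mapping (e.g. from a previous trust) must be removed in Central Admin first,
        # as the last reply in the thread notes; do not silently stack a second one.
        throw "SPS-ClaimID is already mapped to '$($existing.DataSourcePropertyName)'; remove it first."
    }
    $conn.PropertyMapping.AddNewMapping(
        [Microsoft.Office.Server.UserProfiles.ProfileType]::User, "SPS-ClaimID", $AdAttribute)
    # A Full Sync is still required afterwards for SPS-ClaimID to be populated.
}

New-AdfsTrust
$attribute = Get-IdentityClaimAttribute   # "mail" for the trust created above
Set-ClaimIdMapping -AdAttribute $attribute
```

Run Get-IdentityClaimAttribute on its own whenever the "Claim User Identifier" field is in doubt: if it reports userPrincipalName but the profile property is mapped to mail (or the other way round), the value SharePoint gets in the token will not match the value stored on the profile, which is exactly the mismatch the thread is about.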