Configure SP2016 to Use MIM 2016 for UPS with Claims-Based (ADFS) Authentication

  • Question

  • I have scoured the Internet, and yet have not been able to find any information on how to set up SharePoint 2016 to use Microsoft Identity Manager (MIM) 2016 for User Profile Synchronization, along with Claims-Based Authentication (ADFS 4.0) for user authentication. It seems that all of the documentation that is online regarding setting up MIM is for NTLM, as it sets the user login value(s) to the <DOMAIN>\<USERNAME> format, instead of the Claims-Based Authentication format. I set up MIM 2016 to sync User Profiles with SharePoint 2016 just like it seems everyone else does: by using the PnP-Tools\UserProfile.MIMSync XMLs and PowerShell Module (https://github.com/SharePoint/PnP-Tools/tree/master/Solutions/UserProfile.MIMSync). It is the only method that I have found for setting this up. Why does it only allow for NTLM authentication though? How do I use Claims-Based Authentication for these profiles instead?

    The ADFS documentation is similarly restricted. It seems only to include how to configure User Profile Synchronization using ADFS as the Active Directory Import source. We need to use MIM instead of AD Import though for the following three reasons: 1) we have more than one AD Forest, 2) we would like to sync user profile changes made in SharePoint back to AD, and 3) we need to filter the AD objects that we import into SharePoint.

    So, how do I import the User Profiles using MIM in such a way that they will be tied to the correct account when you log in via ADFS? I assume it has to do with attribute mapping, but I have no idea exactly which attributes need to be mapped to what in MIM in order for the ADFS logins to recognize the existing User Profile.

    Wednesday, January 24, 2018 12:12 AM

Answers

  • This is what I was trying to do: https://blogs.technet.microsoft.com/adamsorenson/2018/01/31/sharepoint-2016-mim-and-samlfba-user-profiles/ It works.
    • Marked as answer by Evan T Friday, February 23, 2018 7:29 PM
    Friday, February 23, 2018 7:29 PM
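The question above hinges on one check: the account name stored on a MIM-synced profile has to be exactly the encoded claims identity SharePoint assigns when the same person signs in through ADFS, otherwise the login creates a second, empty profile. The script below is an added example, not code from this thread or from the linked blog post, and does not reproduce that post's procedure. It assumes a single SPTrustedIdentityTokenIssuer for ADFS whose identity claim is the UPN; jane.doe@contoso.com is a constructed sample value.

```powershell
# Added example; not code from the original thread or from the linked blog post.
# Run in the SharePoint 2016 Management Shell on a farm server, as an account with
# rights to the User Profile Service Application.
# Assumptions (adjust for your farm): one SPTrustedIdentityTokenIssuer exists for
# ADFS, its identity claim is the UPN, and jane.doe@contoso.com is a constructed
# sample value.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuer = Get-SPTrustedIdentityTokenIssuer | Select-Object -First 1
if (-not $issuer) { throw "No trusted identity token issuer is configured in this farm." }
$upn = 'jane.doe@contoso.com'   # constructed sample value

# 1. The account name SharePoint assigns to this person on an ADFS login.
#    Encoded form: i:05.t|<issuer name>|<identity claim value>
$claim   = New-SPClaimsPrincipal -Identity $upn -TrustedIdentityTokenIssuer $issuer
$encoded = $claim.ToEncodedString()
Write-Host "ADFS login resolves to account name: $encoded"
Write-Host "Identity claim type for this issuer : $($issuer.IdentityClaimTypeInformation.InputClaimType)"

# 2. Does the profile store already hold a profile under that exact account name?
#    If not, the ADFS login creates a fresh profile next to the MIM-synced one.
$site = Get-SPSite | Select-Object -First 1        # any site in the UPA's proxy group
$ctx  = Get-SPServiceContext -Site $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

if ($upm.UserExists($encoded)) {
    $p = $upm.GetUserProfile($encoded)
    Write-Host ("Matched profile: AccountName={0} PreferredName={1}" -f
        $p['AccountName'].Value, $p['PreferredName'].Value)
} else {
    Write-Warning "No profile for $encoded; MIM must export AccountName in this encoded form."
    # 3. List profiles the sync left outside the SAML claims form (e.g. DOMAIN\user).
    #    This enumerates the whole store, so it is slow on large farms.
    $notClaims = foreach ($p in $upm.GetEnumerator()) {
        $name = $p['AccountName'].Value
        if ($name -notlike 'i:05.t|*') { $name }
    }
    Write-Host "Profiles whose AccountName is not a SAML claims identity (first 10):"
    $notClaims | Select-Object -First 10
}
```

Whatever attribute MIM flows into the SharePoint connector's account name must therefore carry the `i:05.t|<issuer>|<claim value>` string, and the `<claim value>` must be the same attribute (UPN here, or e-mail if the issuer is configured that way) that ADFS emits as the identity claim; the second `Write-Host` line prints the claim type the farm actually expects so the two can be compared.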

All replies

  • Claims based auth for MIM is not supported:

    https://technet.microsoft.com/en-us/library/jj863242%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    FIM and hence MIM was designed with the following assumption: all portal users would have an AD account and so the user exists inside AD and inside the MIM Service database (complete with the SID). So it does use NTLM and can also use Kerberos, but it can't use Claims Based Authentication because of this assumption.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Friday, February 23, 2018 5:42 PM