Sharepoint 2013 Web Site / ADFS 2.0 / SAML

  • Question

  • Hi all, I am looking for some feedback on what I should be looking at to resolve an issue I am having with a SharePoint site that has been set up to use our ADFS 2.0 system. Here's the background. A SharePoint Web Application has been set up to use claims based authentication so that we can use our ADFS system to send the SP site a token with a claim of 'emailaddress' and 'role' for authentication. Here's a link that was used to set this up: https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/ . Once that was set up, I went into the SharePoint site and added my user account to the list of users. When I did that, it showed three users: one was my account in Active Directory, the second was SAML Provider role, the third was the SAML Provider emailaddress. This meant to me that the SP site would take the AD account or either of the two claims that would be sent in from ADFS. I added all three accounts to the Site Collection administrators just to get things going. When I navigate to the SP site, it comes back with a drop down for windows authentication and SAML provider. Windows authentication works, but when I choose SAML provider, it always comes back with 'Sorry, this site hasn't been shared with you' and the url changes to the site name with AccessDenied in it. I'm more of an ADFS guy so I turned on logging in ADFS and saw where it assembles a security token with email address and role in it that gets sent to SharePoint.

    Knowing all this, does anyone have an idea of why this is happening and where I should tell my SharePoint tech to be looking? Any feedback would be greatly appreciated. Thanks.

    Thursday, February 18, 2016 2:04 PM

Answers

  • Thanks for the feedback. I've got the SharePoint site and ADFS working now. There's one last thing you have to set up correctly in SharePoint to get this to work when you use 'emailaddress' as the claim. When adding a user to the SharePoint site, you type in the user's name from Active Directory, like rburgundy, and when you do that, two entries show up. When you hover over those two entries, you can see one is the AD entry and the other is the SAML email address claims entry. So I picked the SAML email address entry. When you test the site using the SAML email address, it comes back with 'Sorry this site is not shared with you'. The fix is when you add the user to the SharePoint site, you have to add their complete email address, rburgundy@kvwn.com, instead of just their AD name, rburgundy. Once you do this, and you have done all of the other steps from https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/ , you can get access to the SharePoint site using the SAML provider. Sweet!!

    • Marked as answer by zBushman Wednesday, February 24, 2016 12:26 PM
    Tuesday, February 23, 2016 3:21 PM
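The accepted answer's fix, adding the user by the full value of the emailaddress claim rather than by the AD account name, can be done from the SharePoint Management Shell and checked rather than left to the people picker. The script below is an added example, not code from the thread or from the linked blog post; it assumes the trusted identity provider is named "SAML Provider" (the name shown in the thread's sign-in drop-down), and the site URL and e-mail address are placeholders. It first confirms that the trust's identity claim is the emailaddress claim type, then builds the claims principal for the SAML user (not the Windows account), adds it, and reads back the stored login name so you can see that the value SharePoint will compare against the incoming token is the complete e-mail address.

```powershell
# Added example (not from the thread): grant a SAML user access to a claims-enabled
# SharePoint site by the value of the emailaddress claim, and verify the stored identity.
# Assumptions: trusted provider name "SAML Provider"; site URL and e-mail are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://sp.kvwn.com"     # placeholder site collection URL
$email   = "rburgundy@kvwn.com"      # full claim value, NOT the AD name "rburgundy"
$trust   = Get-SPTrustedIdentityTokenIssuer -Identity "SAML Provider"

# Check: the claim SharePoint keys the identity on must be the emailaddress claim type,
# otherwise the value ADFS sends will never match the user entry on the site.
$expectedType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$actualType   = $trust.IdentityClaimTypeInformation.InputClaimType
if ($actualType -ne $expectedType) {
    throw "Identity claim of '$($trust.Name)' is '$actualType'; expected '$expectedType'"
}

# Build the claims principal for the SAML provider user (not the Windows account).
# The encoded form looks like: i:05.t|saml provider|rburgundy@kvwn.com
$principal = New-SPClaimsPrincipal -Identity $email -TrustedIdentityTokenIssuer $trust
$encoded   = $principal.ToEncodedString()
Write-Host "Encoded claim identity: $encoded"

# Add the user and, as the question's author did for testing, make them a site collection admin.
$web  = Get-SPWeb $siteUrl
$user = New-SPUser -UserAlias $encoded -Web $web
Set-SPUser -Identity $user -Web $web -IsSiteCollectionAdmin

# Verify: the stored UserLogin must be the encoded claim whose value is the full e-mail address.
Get-SPUser -Web $web |
    Where-Object { $_.UserLogin -eq $encoded } |
    Select-Object UserLogin, DisplayName
$web.Dispose()
```

If the verification step prints nothing, the entry that was added is the Windows account or a claim with the bare AD name, which is exactly the "Sorry, this site hasn't been shared with you" situation described above. The same comparison applies to partner users: as noted later in the thread, SharePoint only matches the claim value it receives against the entries on the site, so a third-party user is granted access by adding their e-mail address as the emailaddress claim value in the same way.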

All replies

  • You'll want to implement LDAPCP. This will allow you to resolve users and groups from Active Directory based on the SAML claims that you're sending to SharePoint from ADFS. Note that if you're using Token-Groups - Unqualified-Names, you will want to remove the "{domain}\" from the prefix in the LDAPCP configuration settings.

    Is there any particular reason you're using SAML over Windows NTLM or Kerberos?


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, February 18, 2016 3:31 PM
  • Thanks for the feedback. So it seems that you understand where I am at this point. The big picture is that I wanted to see if I could get this SharePoint/ADFS integration to work internally so that we could then expose this site to the internet and have a 3rd party access the site via SSO by way of their ADFS system. As I began setting this up, I started having questions about how that external access would work. Is my approach of testing this internally first before exposing it to a 3rd party the right way to do this? It'll be interesting to determine how a request from a 3rd party will come into the SharePoint site, get redirected to our ADFS system and then ADFS routes the request back to the third party ADFS system to pick up a claims token, and then get redirected back to our SharePoint site. At that point, the one claim in the token will be 'emailaddress'. Can a third party user's email address be allowed into our SharePoint site? Just trying to figure this all out. Any help appreciated.    
    Thursday, February 18, 2016 3:42 PM
  • I see what your goal is. For 3rd parties, you won't get the benefits of LDAPCP since you cannot connect to their Active Directory to resolve users. I think your approach is correct, and also what you're seeing is that when you add other claims (e.g. role claim) that matches your username, you won't be able to access it as SharePoint is unable to understand that your real claim is the emailaddress claim. Your partner organizations will still be able to fill out a role claim with their information as SharePoint is configured to accept it and is unable to validate user input.

    This is more or less a downside of using SAML, but the only good option for federating/allowing external user access.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, February 18, 2016 3:46 PM
  • Let me ask this then. To simplify things for the internal test, I'll just configure SharePoint and ADFS to use a single claim: emailaddress. Going back to the original issue, where I select SAML for authentication from the dropdown list on the initial connection to SharePoint, can I get access to the SharePoint site without using LDAPCP and, if yes, any ideas on how I would do that? When I open up access to the SP site to the 3rd party, do I just add the 3rd party user's emailaddress to the SharePoint site's Site Permissions, i.e. rburgundy@thirdparty.com ?
    Thursday, February 18, 2016 4:19 PM
  • That would be correct, just the EmailAddress value.

    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, February 18, 2016 4:20 PM
  • Hi zBushman,

    Since you have found the solution, please mark your reply as answer.

    It will be helpful to others who encounter the same problem.

    Best Regards,

    CY


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, February 24, 2016 1:26 AM