Brad,
Like Clayton said, there two different issues in your question.
- authentication
- user profile synchronisation
If we look at authentication. The traditional (before ADFS) config to support authentication from multiple domains would be to create a trust between domains. This required a VPN tunnel and multiple ports to be opened between the two domains. And like your
scenario for political reasons wasn't always a possibility. With the introduction of ADFS in Windows 2003 R2 the amount of ports needed to be opened was reduced to one (443) and since the traffic was over SSL a dedicated VPN was no longer required.
ADFS (2.0 is the current version) provides two scenario's for SharePoint 2010
- web sso
- federated web sso
Web Sso creates a single signon functionality betwen different SSL URLs for external (and possible internal) employees. With Web SSO we're still talking about a single single domain scenario.
Federated Web Sso creates a single signon functionality between different SSL URLs for different domains. This creates the following scenario: The Sharepoint 2010 environment in Domain A is accessed by a user who is loggod on with his domain account
in domain B. The user doesn't get prompted for his credentials. Instead the ADFS 2.0 infrastructure handles authentication for him and provides him with a claims token to access the sharepoint environment.
The second piece of the puzzle (there are more then two i can assure you) is user profile synchrinzation.
When you are working with SharePoint Server and not Foundation, we're speaking about two profiles.
- SharePoint Foundation profile
- SharePoint Server profile
A Sharepoint Foundation profile gets created in each site collection once you logon to the site collection. The profile looks up information in AD about the user who's logging on. If you're working with ADFS 2.0 no information can be found in AD
so only the claims provided will be shown in this profile. The profile for the same user can be different for two different site collections.
Once you configure SharePoint Server User Profile Synchronization the SharePoint foundation profile get's deprecated. The User profile synchronization will sync AD information to SharePoint. There are two timer jobs that sync this information to the SharePoint
foundation profiles in the different site collections.
So after a lot of trail and error i found out that the key to configuring the User Profile syncronization is how you configure the Connection (use your Identity Provider to connect to the domain) and you'll also have to adjust a profile mapping
(claims ID should map to the unique claims mapping of the SpTrustedIdentityTokenIssuer). Because like Clayton said, if you only configure the User Profile sync to connect to AD you'll end up with two different profiles for the same AD user (as specified above)
So since i was unable to find any documentation on how i should configure this i writing a
complete step by step guide on how you should configure this (i have got it working for the web SSO). You can find it on
my blog.
Marc
