ADFS SharePoint 2013 Portal User Permission issue using Claims based authentication SAML

I have configured the SAML token service for a SharePoint 2013 portal using ADFS in my dev environment for claims-based authentication. It is working properly as needed.

I am able to log in using an AD user, but there is a mismatch in the permissions assigned to the user in the portal.

Example: I have a user1 account which has been added to the SharePoint 2013 portal as a site member.

Whenever I log in using the user1 account in the portal, user1 can see the Site Settings actions, including all the settings under it, which is not supposed to happen given the site member permission. The same thing happens for all users if I add users with Full Read permission to the SharePoint portal under User Policy in CA.

How can I fix user permissions for AD users in the SharePoint portal? Can I assign permissions to users in a SharePoint portal which uses SAML authentication?

Thanks,

Deepak Patel

May 21st, 2015 9:30am

Hi,

For your issue, it is a normal user permission issue. Please don't use User Policy to grant permissions to end users; instead you should use the site/site collection permission settings to manage user permissions.

A User Policy allows a Farm Administrator to grant or deny access for a set of users to all site collections contained within a web application. Permissions applied using a User Policy cannot be overridden at the individual site collection, providing Farm Administrators with the ability to supersede local permissions when necessary.
http://www.mssharepointtips.com/tip.asp?id=1151

User Policy is usually used to grant or deny permissions for service accounts. Please remove the Full Read permission in User Policy; after this, the site members permission will take effect. SAML-based authentication has no impact on user permission configuration in SharePoint.

Best Regards,

Lisa Chen

May 22nd, 2015 3:24am
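The following script, added here as an example and not part of the thread, shows the two halves of the advice above from the SharePoint Management Shell: list and remove an end-user entry from the web application's User Policy, then grant access through the site's Members group instead. The web application URL, the trusted identity provider name ("ADFS") and the UPN are placeholders, and the script assumes the identity claim type configured on the trusted provider is the user's e-mail address.

```powershell
# Added example, not from the thread. All URLs, names and the UPN below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl    = 'https://portal.contoso.com'   # placeholder web application
$SiteUrl      = 'https://portal.contoso.com'   # placeholder site (root web)
$Upn          = 'user1@contoso.com'            # placeholder end-user identity
$ProviderName = 'ADFS'                         # placeholder SPTrustedIdentityTokenIssuer name

$webApp = Get-SPWebApplication -Identity $WebAppUrl

# 1. Report every user policy on the web application. A policy here applies to
#    every site collection in the web application and cannot be narrowed by a
#    site's own permission settings, which is why a "Full Read" entry hides the
#    effect of site-group membership.
$webApp.Policies | ForEach-Object {
    [pscustomobject]@{
        UserName = $_.UserName
        Roles    = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
    }
} | Format-Table -AutoSize

# 2. Build the encoded claim for the user as SharePoint stores it
#    (e.g. i:05.t|adfs|user1@contoso.com for an e-mail identity claim)
#    and remove that user's policy entry, leaving service accounts alone.
$sts          = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName
$claim        = New-SPClaimsPrincipal -Identity $Upn -TrustedIdentityTokenIssuer $sts
$encodedClaim = $claim.ToEncodedString()

if ($webApp.Policies | Where-Object { $_.UserName -eq $encodedClaim }) {
    $webApp.Policies.Remove($encodedClaim)
    $webApp.Update()
    Write-Host "Removed web application policy for $encodedClaim"
}

# 3. Grant access where it belongs: the site's associated Members group.
$web          = Get-SPWeb -Identity $SiteUrl
$membersGroup = $web.AssociatedMemberGroup
$user         = $web.EnsureUser($encodedClaim)   # resolves/creates the SPUser for the claim
$membersGroup.AddUser($user)
Write-Host "Added $($user.LoginName) to group '$($membersGroup.Name)'"
$web.Dispose()
```

Run step 1 on its own first: if an end-user account (rather than a crawl or service account) shows up with a role such as Full Read, that entry is what is overriding the site permissions.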

Hi Lisa,

I removed the Full Read permission from User Policy and added the SAML user account, i.e. user1, to the Site Members group using the Site Settings option in the portal, but it is still not fixing the issue. I'm getting an error like "Sorry, site hasn't been shared with you" when I log in to the portal using the site member user account.

Let me know if you can guide me more here.

Thanks again,

Deepak 

May 22nd, 2015 9:23am

Lisa,

I could not solve my issue yet. Let me know if you can help me out.

As I said, I have configured the SharePoint portal using SAML claims-based authentication, but users in the Site Members group are not able to log in to the portal. They are only able to log in if I add them again under User Policy under Manage Web Applications in Central Admin, which is not a suitable way to add users to the portal with permissions.

I need quick help for it if possible.

Thanks,

Deepak

May 28th, 2015 2:56pm

Hi Deepak,

The issue you are facing sounds like an authorization issue, which should have no relationship with the authentication method. The default zone in SharePoint 2013 uses claims-based authentication. Regardless of whether you enabled SSO or another SAML-based authentication type, there is no need to configure user permissions under User Policy.

In your environment, I guess there are some lists/libraries/web parts which have separate permissions, and your users cannot access them with site member permissions. As a test, please add one user to the Site Collection Administrators group to see if the user can access the site.

Thanks,
Reken Liu

May 28th, 2015 11:33pm

Hi Reken,

Thanks for helping me, but I don't have any extra lists or web parts on the home page. It's a simple team site page.

I added a test account under Site Collection Administrators as you said, under Site Settings of the portal, but I'm getting the same error "Sorry, this site hasn't been shared with you".

As I said earlier, if I add the user to the portal through Central Admin under User Policy then the user is able to log in to the SharePoint portal, which is not a solution for me. I want to add users via the SharePoint portal and let them log in to the portal with their assigned permissions.

I am not sure what exact steps are needed to be taken to overcome this issue.

Thanks,

Deepak

May 29th, 2015 2:27pm

Reken and Lisa,

The issue has been resolved after adding the following permissions to the ADFS service account in AD:

1. Pre-Windows 2000 Compatible Access: only Authenticated Users are members
2. Windows Authorization Access Group: only Enterprise Domain Controllers are members

Thanks for your help.

Deepak Patel

June 6th, 2015 4:11pm
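Because the fix that closed the thread lives in Active Directory rather than SharePoint, an administrator will usually want to confirm the state of those two built-in groups before and after changing them. The audit script below is an added example, not part of the thread: it reads the direct members of both groups, resolves the well-known foreign security principals by SID (S-1-5-11 is Authenticated Users and S-1-5-9 is Enterprise Domain Controllers; these are standard Windows constants), and reports whether the ADFS service account is a direct member. The service account name `svc_adfs` is a placeholder, and the script only reads, it does not change group membership.

```powershell
# Added audit script, not from the thread. Assumes the ActiveDirectory module
# is available and that the ADFS service account name below is replaced.
Import-Module ActiveDirectory

$AdfsServiceAccount = 'svc_adfs'   # placeholder sAMAccountName of the ADFS service account
$GroupsToAudit = @(
    'Pre-Windows 2000 Compatible Access',
    'Windows Authorization Access Group'
)

# Well-known SIDs named in the thread's resolution (standard Windows values).
$WellKnownSids = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-9'  = 'Enterprise Domain Controllers'
}

function Resolve-MemberName {
    param([string]$DistinguishedName)
    # Built-in security principals appear in the member attribute as
    # foreign security principal objects whose CN is the raw SID.
    if ($DistinguishedName -match '^CN=(S-1-5-\d+(?:-\d+)*),CN=ForeignSecurityPrincipals') {
        $sid = $Matches[1]
        if ($WellKnownSids.ContainsKey($sid)) { return $WellKnownSids[$sid] }
        return $sid
    }
    # Everything else (users, groups, computers) resolves to its AD object name.
    (Get-ADObject -Identity $DistinguishedName).Name
}

function Get-GroupAudit {
    param([string]$GroupName)
    $group   = Get-ADGroup -Identity $GroupName -Properties member
    $members = @($group.member | ForEach-Object { Resolve-MemberName $_ })
    [pscustomobject]@{
        Group            = $GroupName
        Members          = ($members -join ', ')
        ContainsAdfsSvc  = ($members -contains $AdfsServiceAccount)
    }
}

$GroupsToAudit | ForEach-Object { Get-GroupAudit $_ } | Format-Table -AutoSize
```

Only direct members are listed, so an account that reaches one of these groups through a nested group shows up as the nested group's name, not as the account; compare the output with the membership described in the resolution above and keep a copy from before the change for the record.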
