Configure permissions based on Group Claims for ADFS-Users

Hello,

I am currently stuck with the following scenario:

I have a SharePoint farm (2013) hosting a web app with 2 different zones: one for internal access (Windows auth) and another zone for external access with a trusted identity provider, ADFS.

External ADFS users use certificates for authentication; this works fine so far. Of course I need to give the ADFS user separate permissions (the AD and ADFS user are not the same). Finally I've read that it is possible to use the AD group membership to gain permissions in SharePoint. Great! So I don't need to add every single (ADFS) user separately.

I use LDAPCP from CodePlex to resolve the correct group in SharePoint.

But it still won't work: a single user can join and have access based on his permissions, but a new user (only a member of the AD group; the AD group (ADFS) is present in SharePoint) can't access any of the documents.

What do I need to configure? I've tried "Send group membership as Claim" in ADFS.

Any advice? Please let me know if you need more details on the platform, the configuration of ADFS, or the claims mapping in SharePoint.

Thank you for a quick reply.

August 18th, 2015 8:39am

Hi Kurtmueller,

When you set the claim rules on the relying party trust, did you use Token Groups unqualified names from LDAP attributes to map the Role claim?

If not, please edit the claim rules to use Token Groups unqualified names for the Role claim.

And then create the issuer with PowerShell.

Please refer to the steps in the link below:

http://www.sharepointsecurity.com/sharepoint/sharepoint-security/adfs-not-resolving-active-directory-security-groups-in-sharepoint/

Thanks,

Victoria
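The three steps Victoria describes (an ADFS issuance rule that emits Token Groups unqualified names as the Role claim, a SharePoint trusted identity token issuer created with PowerShell, and a permission grant on the group rather than on each user) in one script. This is an added example, not code from the thread, from the linked article or from LDAPCP. The relying party name, ADFS host name, realm, certificate path, site URL, SharePoint group name and AD group name "SP-Extranet-Readers" are placeholders; part 1 runs on the ADFS server, parts 2 and 3 on a SharePoint 2013 server.

```powershell
# Added example (not from the thread). Claim type URIs are shared by all parts;
# run part 1 on the ADFS server and parts 2 and 3 on a SharePoint server.
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$winAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# ---------- Part 1: ADFS issuance transform rules (ADFS server) ----------
# ADFS has already authenticated the user (the client certificate is mapped to
# an AD account), so a windowsaccountname claim from "AD AUTHORITY" exists.
# The LDAP attribute "tokenGroups" is the "Token-Groups - Unqualified Names"
# form; tokenGroups(domainQualifiedName) or tokenGroupsSid would emit values
# that do not match the plain group name SharePoint/LDAPCP expects.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "AD groups as Role claims"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$roleClaim"), query = ";tokenGroups;{0}", param = c.Value);
"@
# On ADFS 2.0 load the snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell
Set-AdfsRelyingPartyTrust -TargetName "SharePoint extranet" -IssuanceTransformRules $rules

# ---------- Part 2: SharePoint trusted identity token issuer ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS token signing" -Certificate $cert

# The incoming claim type URIs must match what ADFS issues exactly; a Role
# claim with a different URI is accepted in the token but never mapped.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Realm must equal the relying party identifier configured in ADFS.
$trust = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS for the extranet zone" `
    -Realm "urn:sharepoint:extranet" -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.contoso.example/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# ---------- Part 3: grant the AD group instead of single users ----------
# The principal that gets permission is the Role claim from this issuer; its
# encoded login looks like c:0-.t|ADFS|SP-Extranet-Readers.
$web = Get-SPWeb "https://extranet.contoso.example"
$groupPrincipal = New-SPClaimsPrincipal -ClaimValue "SP-Extranet-Readers" `
    -ClaimType $roleClaim -TrustedIdentityTokenIssuer $trust
New-SPUser -UserAlias $groupPrincipal.ToEncodedString() -Web $web -Group "Extranet Visitors"

# Check: role-claim principals start with "c:0-.t|". If only "i:0e.t|" entries
# (individual identity claims) appear, access is still granted per user.
$web.SiteUsers | Where-Object { $_.UserLogin -like "c:0-.t|ADFS|*" } | Select-Object UserLogin, Name
$web.Dispose()
```

Two things to check when the group still does not grant access: the Role claim URI on both sides must be identical (SharePoint matches the claim type string, not the display name "Role"), and the value ADFS sends must be the bare group name, since that is the value the `c:0-.t|ADFS|<group>` principal is compared against.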

August 20th, 2015 3:51am

Hello Victoria,

Thank you for your reply. I followed the steps described in the link above several times on different machines.

I use Token Groups unqualified names mapped to the Role claim. The issuer and trusted root authority are both created with PowerShell.

I have an additional mapping on email address as described in many other scenarios too.

Anyway, I need to give the single ADFS user specific rights on the site collection in order to give him access. The group membership counts for nothing.

I've read a lot about caching of security tokens and tried the workarounds too.

Best regards

Kurt

August 20th, 2015 9:35am

Hi Kurt,

For this issue, I recommend enabling verbose logging for SharePoint and enabling event logging for ADFS, and then checking the error message for further research.

Thanks,

Victoria

August 30th, 2015 9:45pm
