Claim type Role

Jul 4, 2012 at 1:21 PM

Does anyone have an example of how I get Roles ( into the AttributesDefinitionList, in a way that lets me search for groups in AD (ADFS)? Thanks and have a nice day!

Jul 4, 2012 at 2:48 PM

With the claims provider you can already search AD groups if the trust contains a claim type mapping with the type
If you need to map AD groups to a claim type in your trust, then you must inherit the claims provider and define AttributesDefinitionList as follows for the group:

AttributesDefinitionList = new List<AttributeHelper>
{
    [additional claim types],
    // AD groups: matched on sAMAccountName, issued as role (group) claims
    new AttributeHelper { LDAPAttributeName = "sAMAccountName", LDAPObjectClass = "group", claimType = "", claimEntityType = SPClaimEntityTypes.FormsRole, peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.AccountName },
};


Nov 29, 2012 at 8:09 PM

I have modified the attribute list for test purposes and replaced "" with "". The people picker is able to search for the group, but when I grant membership to this group and try to log in to SharePoint with a member user I get an access denied error.

Group name: PHY-DEPT
User: PHY_USER1, who is a member of the above group.

Without this custom provider, if I search for the group (PHY-DEPT) and give access based on the role, everything works fine.

Not sure what I am missing.

Nov 30, 2012 at 7:09 AM

You need to check 2 things:

  • Make sure that the value resolved by the people picker matches the value in the SAML token of the user, because SharePoint does a pure string comparison, so "contoso\groupname" != "groupname" != ""
  • Confirm that the group claim in the SAML token of the user has the type "", and make sure this type is the same in the SharePoint trust (which is true if you used the SameAsIncoming parameter of the New-SPClaimTypeMapping cmdlet)

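The two checks above, as an added example that is not part of the thread: a PowerShell script run on a SharePoint server that lists the claim type mappings of the trust, adds a SameAsIncoming role mapping if it is missing, and shows why the string comparison fails when the token value carries a domain prefix. The trust name and the role claim type URI are placeholders (the thread's URIs did not survive on this page), and the pattern of adding to both ClaimTypes and ClaimTypeInformation is assumed from common practice, not taken from the thread.

```powershell
# Added example: verify the SharePoint trust against the two checks in the reply above.
# <TRUST_NAME> and <ROLE_CLAIM_TYPE> are placeholders; replace them with your own values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$trustName     = "<TRUST_NAME>"        # display name of the SPTrustedIdentityTokenIssuer
$roleClaimType = "<ROLE_CLAIM_TYPE>"   # exact claim type URI ADFS puts in the SAML token

$trust = Get-SPTrustedIdentityTokenIssuer -Identity $trustName

# Check 2: what the trust maps today. Types are compared as strings, so a trailing
# slash or a casing difference between ADFS and the trust already breaks the match.
$trust.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim |
    Format-Table -AutoSize

$existing = $trust.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $roleClaimType }
if (-not $existing) {
    # -SameAsIncoming keeps the mapped (outgoing) type identical to the incoming type,
    # which is what the custom provider's claimType must also be set to.
    $mapping = New-SPClaimTypeMapping -IncomingClaimType $roleClaimType `
        -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    # Assumed pattern for adding a mapping to an existing trust (both collections updated).
    $trust.ClaimTypes.Add($roleClaimType)
    $trust.ClaimTypeInformation.Add($mapping)
    $trust.Update()
    "Added role claim mapping for $roleClaimType"
}

# Check 1: the value granted in SharePoint must equal the token value exactly.
# Constructed sample: the group from the thread next to a token value carrying a
# domain prefix, which is one common way for the comparison to fail.
$granted = "PHY-DEPT"
$inToken = "contoso\PHY-DEPT"
if ($granted -ceq $inToken) {
    "match: access will be granted"
} else {
    "mismatch: granted '$granted' but token carries '$inToken'; fix the ADFS rule or the mapping"
}
```

Run it in the SharePoint Management Shell as a farm administrator; the first table is what to compare against the role claim in a captured SAML token for the test user.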
Nov 30, 2012 at 2:56 PM

Thanks, it's working now.