Claim type Role

Jul 4, 2012 at 1:21 PM

Does anyone have an example of how I get Roles (http://schemas.microsoft.com/ws/2008/06/identity/claims/role) into the AttributesDefinitionList, in a way that lets me search for groups in AD (ADFS)? Thanks and have a nice day!

Coordinator
Jul 4, 2012 at 2:48 PM

With the claim provider you can already search AD groups if the trust contains a claim type mapping with the type http://schemas.xmlsoap.org/claims/Group.
If it is required for you to map AD groups to claim type http://schemas.microsoft.com/ws/2008/06/identity/claims/role in your trust, then you must inherit the claim provider and define AttributesDefinitionList as follows for the group:

AttributesDefinitionList = new List<AttributeHelper>
{
    // ... additional claim types (users, identity claim, etc.) ...
    new AttributeHelper
    {
        LDAPAttributeName = "sAMAccountName",
        LDAPObjectClass = "group",
        claimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        claimEntityType = SPClaimEntityTypes.FormsRole,
        peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.AccountName
    },
};

 

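The reply above gives only the initializer; the following is an added example of the surrounding class a practitioner would actually deploy, written for this edit and not taken from LDAPCP or from the thread. It assumes LDAPCP's public types live in the namespace ldapcp, that the base class exposes a virtual SetCustomAttributes() hook in which a derived class replaces AttributesDefinitionList, and that the trust's identity claim is the UPN; verify all three against the LDAPCP version and trust you build against. The provider name, display name and namespace are hypothetical.

```csharp
// Added example, not LDAPCP's own code and not from the original thread.
// Assumptions (check against your LDAPCP version): namespace "ldapcp",
// a virtual SetCustomAttributes() hook, and UPN as the trust's identity claim.
using System.Collections.Generic;
using Microsoft.SharePoint.Administration.Claims; // SPClaimEntityTypes
using Microsoft.SharePoint.WebControls;           // PeopleEditorEntityDataKeys
using ldapcp;                                     // LDAPCP, AttributeHelper (assumed namespace)

namespace Contoso.Claims // hypothetical
{
    public class LDAPCP_Custom : LDAPCP
    {
        // Internal name SharePoint registers the provider under. It must be unique
        // on the farm and is the value you pass as -ClaimProviderName when creating
        // the SPTrustedIdentityTokenIssuer.
        public const string ProviderInternalName = "LDAPCP_Custom";
        public const string ProviderDisplayName = "LDAPCP Custom (role claims)";

        // Claim type the AD groups are emitted under by ADFS and mapped in the trust.
        public const string RoleClaimType =
            "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

        // Identity claim of the trust; UPN is an assumption, use whatever the trust declares.
        public const string IdentityClaimType =
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

        public LDAPCP_Custom(string displayName) : base(displayName) { }

        public override string Name
        {
            get { return ProviderInternalName; }
        }

        // Assumed hook: where LDAPCP lets a derived class define its attribute list.
        protected override void SetCustomAttributes()
        {
            AttributesDefinitionList = new List<AttributeHelper>
            {
                // Users: resolved by account name, emitted as the trust's identity claim.
                new AttributeHelper
                {
                    LDAPAttributeName = "userPrincipalName",
                    LDAPObjectClass = "user",
                    claimType = IdentityClaimType,
                    claimEntityType = SPClaimEntityTypes.User,
                    peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.AccountName
                },
                // Groups: resolved by sAMAccountName and emitted as a role claim.
                // The resolved value is the bare group name (no domain prefix), so the
                // ADFS rule must emit the same bare name, or the later string comparison
                // against the token fails and the user is denied access.
                new AttributeHelper
                {
                    LDAPAttributeName = "sAMAccountName",
                    LDAPObjectClass = "group",
                    claimType = RoleClaimType,
                    claimEntityType = SPClaimEntityTypes.FormsRole,
                    peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.AccountName
                }
            };
        }
    }
}
```

On the ADFS side, the "Send LDAP Attributes as Claims" rule type offers "Token-Groups - Unqualified Names", which emits group names without a domain qualifier and therefore matches what the sAMAccountName lookup above resolves; "Token-Groups - Qualified by Domain Name" would emit "contoso\PHY-DEPT" and not match.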
Nov 29, 2012 at 8:09 PM

I have modified the attribute list for test purposes and replaced "http://schemas.xmlsoap.org/claims/Group" with "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". The people picker is able to search for the group, but when I grant membership to this group and try to log in to SharePoint with a member user I get an access denied error.

e.g.
Group name: PHY-DEPT
User: PHY_USER1, who is a member of the above group.

Without this custom provider, if I search for the group (PHY-DEPT) and grant access based on role, everything works fine.

Not sure what I am missing.


Coordinator
Nov 30, 2012 at 7:09 AM

You need to check two things:

  • Make sure that the value resolved with the people picker matches the value in the SAML token of the user, because SharePoint does a pure string comparison, so "contoso\groupname" != "groupname" != "groupname.contoso.com"
  • Confirm that the group claim in the SAML token of the user has the type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and make sure this type is the same in the SharePoint trust (which is true if you used SameAsIncoming property in New-SPClaimTypeMapping cmdlet)
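An added diagnostic for the two checks in the reply above, written for this edit and not part of LDAPCP or of this thread: it parses a SAML 1.1 assertion in the shape ADFS issues to SharePoint (where the claim type URI is split into AttributeNamespace and AttributeName), lists the values carried under the role claim type, and compares candidate people-picker values against them with a plain string comparison. The assertion below is constructed for illustration; the use of ordinal (case-sensitive) comparison is an assumption, the reply only states that SharePoint compares the raw strings.

```csharp
// Added diagnostic, not LDAPCP's code and not from the original thread.
// Assumptions: SAML 1.1 assertion layout as ADFS emits it to SharePoint;
// ordinal comparison stands in for SharePoint's "pure string comparison".
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class RoleClaimCheck
{
    public const string RoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Constructed sample assertion; values are invented for illustration.
    const string SampleAssertion =
@"<saml:Assertion xmlns:saml=""urn:oasis:names:tc:SAML:1.0:assertion"">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName=""role""
                    AttributeNamespace=""http://schemas.microsoft.com/ws/2008/06/identity/claims"">
      <saml:AttributeValue>contoso\PHY-DEPT</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName=""emailaddress""
                    AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"">
      <saml:AttributeValue>phy_user1@contoso.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>";

    // ADFS writes a claim type URI into a SAML 1.1 token as
    // AttributeNamespace + "/" + AttributeName; rebuild it to compare with the trust's mapping.
    public static IEnumerable<string> ValuesForClaimType(XDocument token, string claimType)
    {
        return token.Descendants(Saml + "Attribute")
            .Where(a => (string)a.Attribute("AttributeNamespace") + "/"
                        + (string)a.Attribute("AttributeName") == claimType)
            .SelectMany(a => a.Elements(Saml + "AttributeValue"))
            .Select(v => v.Value);
    }

    // Check 1 from the reply: the resolved value must equal a token value exactly.
    public static bool ResolvedValueMatchesToken(XDocument token, string claimType, string resolvedValue)
    {
        return ValuesForClaimType(token, claimType)
            .Any(v => string.Equals(v, resolvedValue, StringComparison.Ordinal));
    }

    static void Main()
    {
        XDocument token = XDocument.Parse(SampleAssertion);

        // Check 2 from the reply: the token must carry the claim type the trust maps.
        List<string> roleValues = ValuesForClaimType(token, RoleClaimType).ToList();
        if (roleValues.Count == 0)
        {
            Console.WriteLine("Token carries no claim of type " + RoleClaimType
                + "; check the ADFS rule and the trust's claim type mapping.");
            return;
        }
        Console.WriteLine("Role values in token: " + string.Join(", ", roleValues));

        // Candidate values a people picker might resolve; only the exact form grants access.
        foreach (string resolved in new[] { "PHY-DEPT", "contoso\\PHY-DEPT", "PHY-DEPT.contoso.com" })
        {
            bool match = ResolvedValueMatchesToken(token, RoleClaimType, resolved);
            Console.WriteLine("{0,-22} -> {1}", resolved, match ? "matches token" : "no match");
        }
    }
}
```

With the sample token only "contoso\PHY-DEPT" matches; a provider that resolves the bare sAMAccountName "PHY-DEPT" would grant permission to a value the user never presents, which is the access denied symptom described in the thread. Swap the AttributeNamespace/AttributeName check for the SAML 2.0 Name attribute if your trust issues SAML 2.0 tokens.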
Nov 30, 2012 at 2:56 PM

Thanks, it's working now.