Creating both an Identity and Role Claim for a SharePoint 2010 Claims Auth Application

For various reasons, getting a claims-based authentication web application up and working correctly with both an identity claim and a role claim has been troublesome to say the least. So I'm going to share here just the steps around creating the claim mappings and the SPTrustedIdentityTokenIssuer.

1. Create the identity claim:

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

2. Create the role claim:

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

3. Include BOTH claims when creating your SPTrustedIdentityTokenIssuer:

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS v2" -Description "ADFS v2" -Realm "yourRealmName" -ImportTrustCertificate $yourCert -ClaimsMappings $map,$map2 -SignInUrl "https://urlToYourAdfsServer/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

One of the keys here is that you need to do this WHEN you create your token issuer; you can't add the role mapping after the fact. This is one of the limitations of SPTrustedIdentityTokenIssuers that I will discuss in another post.
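Since a mistyped claim type URI (for example a stray space inside the quotes) produces a mapping that never matches the incoming token, it is worth checking what the issuer actually ended up with. The following verification script is an added example, not part of the original post; it assumes the SharePoint 2010 Management Shell and the issuer name "ADFS v2" used in step 3.

```powershell
# Added verification script (not from the original post). Assumes the SharePoint 2010
# Management Shell and the issuer name "ADFS v2" created in step 3 above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$expectedIdentity = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$expectedRole     = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS v2"

# Show every mapping the issuer was created with.
$issuer.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim |
    Format-Table -AutoSize

# Claim types are matched as exact strings, so leading or trailing whitespace
# in the incoming claim type silently breaks the mapping.
foreach ($info in $issuer.ClaimTypeInformation) {
    if ($info.InputClaimType -ne $info.InputClaimType.Trim()) {
        Write-Warning "Mapping '$($info.DisplayName)' has surrounding whitespace: '$($info.InputClaimType)'"
    }
}

# Confirm both the identity and the role claim are mapped, and that the
# identifier claim is the one we intended.
$inputTypes = $issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
if ($inputTypes -notcontains $expectedRole) {
    Write-Warning "Role claim is not mapped; recreate the issuer with both mappings (step 3)."
}
if ($issuer.IdentityClaimTypeInformation.InputClaimType -ne $expectedIdentity) {
    Write-Warning "Identifier claim is '$($issuer.IdentityClaimTypeInformation.InputClaimType)', expected '$expectedIdentity'."
}
```

If the role mapping is missing, permissions granted to that role in SharePoint will never apply to users, because the incoming role claim is discarded at the trust boundary.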

One thought on "Creating both an Identity and Role Claim for a SharePoint 2010 Claims Auth Application"

  1. I am trying to map an incoming OpenAM claim as such:
    $map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "EmailAddress" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

    I receive the following error:
    This method can only convert identity claims, and only when a logical conversion exists.

    Any ideas where to look?

