For various reasons getting a claims based authentication web application up and working correctly with both an identity claim and a role claim has been troublesome to say the least. So I’m going to share here the steps just around creating the claims and the SPTrustedIdentityTokenIssuer.
1. Create the identity claim:
$map = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming
2. Create the role claim:
$map2 = New-SPClaimTypeMapping -IncomingClaimType ” http://schemas.microsoft.com/ws/2008/06/identity/claims/role ” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
3. Include BOTH claims when creating your SPTrustedIdentityTokenIssuer:
$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS v2” -Description “ADFS v2” -Realm “yourRealmName” -ImportTrustCertificate $yourCert -ClaimsMappings $map,$map2 -SignInUrl “https://urlToYourAdfsServer/adfs/ls” -IdentifierClaim “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”
One of the keys here is that you need to do this WHEN you create your token issuer, you can’t add it after the fact. This is one of the limitations of SPTrustedIdentityTokenIssuers that I will discuss in another post.