I’m playing a little bit with SharePoint 2010 and the claims model (probably more posts on this topic will follow), where ADFS v2 (yes, it has shipped, in case you missed it) acts as a trusted claims provider for SPS 2010. It is a great scenario which I think will find its use in many organizations; however, re-thinking all access and role models for SharePoint applications might be tough work at the start. More on this approach soon. Right now, a quick configuration tip …


… if you have defined a trusted claim provider in SharePoint, such as an ADFS 2.0 server, part of its configuration is the set of claims it can provide to SPS and the mapping of these claims. In the claim provider properties it looks like this:

PS C:\> (Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server").ClaimTypes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


What if you want to add another one, for example “Role”? Nothing simpler: run PowerShell and you will find the Add-SPClaimTypeMapping cmdlet, which should allow you to do exactly that. The problem is that when you look at the example provided in the TechNet documentation or in the cmdlet help, you get examples which do not necessarily fit the cmdlet syntax, like this one:

Get-SPTrustedIdentityProvider –Name "LiveIDSTS" | Add-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "PUID" -LocalClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint


What to do then? The example above cannot work as written: Get-SPTrustedIdentityProvider is not a cmdlet in the SharePoint snap-in (the trusted issuer is retrieved with Get-SPTrustedIdentityTokenIssuer), and the -IncomingClaimType / -IncomingClaimTypeDisplayName / -LocalClaimType parameters belong to New-SPClaimTypeMapping, not to Add-SPClaimTypeMapping, which takes an already created mapping object through -Identity. A simple, working example of how to add a new claim mapping to a trusted provider is presented below:

# create the mapping object; -SameAsIncoming keeps the same claim type URI on the SharePoint side
$map2 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# get the trusted identity token issuer (the ADFS 2.0 trust) the mapping is added to
$ti = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server"
# attach the mapping to the issuer; this is persisted in the farm configuration
Add-SPClaimTypeMapping -Identity $map2 -TrustedIdentityTokenIssuer $ti
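The three lines above do the job once; what you typically want in a farm is something you can run again without errors and that tells you what the issuer now maps. The script below is an added example (my own, not code from the original post or from Microsoft's documentation) that wraps the same cmdlets: it looks up the issuer, adds the role mapping only if it is not already there, and then lists every incoming-to-local mapping so you can verify the result. The issuer name "ADFS20Server" is the one used on this page; everything else (variable names, the throw messages) is an assumption for illustration. One caveat worth stating plainly: mapping the claim in SharePoint only tells SPS to accept it. ADFS still has to issue the role claim on the relying party trust for the SharePoint web application (an issuance transform rule), and SharePoint will trust whatever role values ADFS sends, so any permission you later grant to a role value is exactly as trustworthy as the ADFS rules that produce it.

```powershell
# Added example, not part of the original post.
# Assumes: run from the SharePoint 2010 Management Shell (or the snap-in is loadable),
# and a trusted identity token issuer named "ADFS20Server" already exists.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName  = "ADFS20Server"   # name of the existing SPTrustedIdentityTokenIssuer (assumption)
$roleClaim   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$displayName = "Role"

$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($null -eq $ti) {
    throw "Trusted identity token issuer '$issuerName' not found."
}

# Skip the add when the claim type is already mapped, so the script can be re-run safely.
if ($ti.ClaimTypes -contains $roleClaim) {
    Write-Host "Mapping for $roleClaim already present on '$issuerName'; nothing to do."
}
else {
    # -SameAsIncoming keeps the claim type URI unchanged on the SharePoint side,
    # which is what you want when granting permissions to role values later on.
    $map = New-SPClaimTypeMapping -IncomingClaimType $roleClaim `
                                  -IncomingClaimTypeDisplayName $displayName `
                                  -SameAsIncoming
    Add-SPClaimTypeMapping -Identity $map -TrustedIdentityTokenIssuer $ti
    Write-Host "Added mapping for $roleClaim to '$issuerName'."
}

# Verify: re-read the issuer and list incoming -> local mappings, flagging the identity claim.
$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$ti.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim |
    Format-Table -AutoSize

if (-not ($ti.ClaimTypes -contains $roleClaim)) {
    throw "Role claim mapping was not added to '$issuerName'."
}
```

The verification step uses ClaimTypeInformation rather than the ClaimTypes list shown on this page because it also shows the display name and which claim is the identity claim, which is the first thing to check when a user suddenly resolves to a different account after you touch the mappings.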

Quick check:

PS C:\> (Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server").ClaimTypes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Done!