SharePoint 2016 MIM and SAML/FBA User Profiles


There is not much out there about MIM and SharePoint 2016 with FBA or SAML user profiles.  Using Active Directory Import is still the same as it was in 2013.   Below we will be going through how to set this up for SAML(ADFS) and MIM.
This guide assumes the environment has been setup from these steps at https://technet.microsoft.com/en-us/library/mt637055(v=office.16).aspx

Why should we do this?

The account name for user profiles are important and what is used to get the profile. Windows Authentication user profiles are just "domain\username" for the account name. When SAML or FBA users invoke the user profiles, the profile service will search for the complete claim(example: "i:05.t|adfs30|User1"). If the user profile is not there, a stub profile will be created. This will give the user two profiles. The main one with SAML/FBA will NOT be sync'd since we would need configure MIM know the claim prefix.

 

1.       Open MIM client then Metaverse Designer.  Select "person" then "Add Attribute".


New Attribute button.


Type in "SPS-ClaimID" for Attribute Name


Click OK

2. Open the ADMA then Configure Attribute Flow. Select user/person


 

a.       Map your Claim identifier for your SAML users to SPS-ClaimID.  The direction should be Import and Direct.


b.       Click "New".


Find SPS-ClaimProviderType and SPS-ClaimProviderID in MetaVerse object type.  Below is PowerShell to find your SAML Identity Claim.

$tips = Get-SPTrustedIdentityTokenIssuer

foreach($tip in $tips)

{

$name = $tip.Name

$claims = $tip.ClaimTypeInformation


foreach($claim in $claims)

{


If($claim.IsIdentityClaim -eq $true)

{


Write-Host -ForegroundColor DarkGreen "The Identity Claim is listed below for $name"


$claim } }}

 


Select "Advanced" for "Mapping type" and "Import" for Direction.  Click New. 

The constant value SPS-ClaimProviderID will be the name of your SAML provider when you created it. 

SPS-ClaimProviderType will be "Trusted" if you're using a Trusted provider.


3.       Open SharePoint MA(SPMA). Click on Select Attributes.  Check the box for SPS-ClaimID.

4.      Configure Attribute Flow. Select user/person.

a.       Map SPS-ClaimID to SPS-ClaimID.  The direction will be export and Direct.  Click new. 

I'm using UPN for my environment.  This will be the identifier claim which could be email or samaccountname(see above for PowerShell).


5.       Run a full sync


Comments (2)

  1. AB says:

    Understatement of the year ‘not much out there about MIM and SharePoint 2016 with FBA or SAML ‘. You are my hero, thanks!

Skip to main content