1. The ClaimProviderName of the Get-SPTrustedIdentityTokenIssuer should be the Name of the custom claims provider. Instructions for how to configure this are at http://blogs.technet.com/speschka/archive/2010/04/28/how-to-override-the-default-name-resolution-and-claims-provider-in-sharepoint-2010.aspx.
2. Make sure that the Name property of your custom provider is NOT the same value as the Name property of the Get-SPTrustedIdentityTokenIssuer. You will need the name of the SPTrustedIdentityTokenIssuer when you are creating the claim for the PickerEntity, so I recommend you add another static string property to your custom claims provider that holds the name of the SPTrustedIdentityTokenIssuer. For example, here's what I used in my custom claim provider:
3. When you create a custom claims provider to replace the out-of-the-box provider, you are going to want to override the FillSearch and FillResolve methods. In those overrides you will need to create a PickerEntity instance. Normally for these methods I use the CreateClaim helper method; however, if your provider is going to replace the out-of-the-box provider you do not want to use the CreateClaim helper, because it stamps the claim with your provider as the original issuer rather than the trusted identity provider. Instead you should:
a. Use the new SPClaim constructor.
b. Determine whether the claim is an identity claim or not. For example, if the identity claim for the SPTrustedIdentityTokenIssuer is email, then you know that if the claim value is an email address it is an identity claim.
c. For an identity claim, the claimType for the new SPClaim constructor should match the identity claim for your SPTrustedIdentityTokenIssuer. For example, if your identity claim is email, then your claimType parameter should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
i. For an identity claim, the EntityType property of the PickerEntity should be SPClaimEntityTypes.User
d. If it is NOT an identity claim, the claimType should be whatever claim type makes sense for your application
i. If it is NOT an identity claim, the EntityType property of the PickerEntity should be SPClaimEntityTypes.WhateverMakesSenseForYourApplication (probably FormsRole in many cases)
e. For the last parameter of the new SPClaim constructor, use the following: SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, SPTrustedIdentityTokenIssuerName)
f. Here's an example of an identity claim with all of these pieces put together:
myPickerEntity.Claim = new SPClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "speschka@microsoft.com", Microsoft.IdentityModel.Claims.ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, SPTrustedIdentityTokenIssuerName));
IMPORTANT NOTE: If you are the default claims provider for an SPTrustedIdentityTokenIssuer, you should use this method to create the PickerEntity claim irrespective of the type of claim; meaning, use this method whether it's an identity claim, role claim, etc. If the original issuer does not match the trusted provider, the encoded claim SharePoint stores in the ACL will not match the claim the user presents at sign-in, and the permission will silently not apply.
To summarize:
1. Add a new property to your claims provider that is the name of the SPTrustedIdentityTokenIssuer where the provider will be used.
2. When you are resolving an identity claim, make sure the EntityType is SPClaimEntityTypes.User
3. Don't use the CreateClaim helper method; use the new constructor for an SPClaim
4. For the last parameter of the SPClaim constructor, use SPOriginalIssuers.Format with SPOriginalIssuerType.TrustedProvider and the name of the SPTrustedIdentityTokenIssuer.
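The steps above put together as a minimal provider, as an added example that is not code from the original post. The issuer name ("ADFS20 Server"), the role claim type, and the small in-memory list of users and roles standing in for a directory lookup are assumptions made for the illustration; a real provider would query AD, a SQL store, or whatever backs the trusted identity provider. The point a reviewer should look for is in BuildEntity: every PickerEntity claim goes through the four-argument SPClaim constructor with SPOriginalIssuerType.TrustedProvider, and the entity only resolves values the directory actually knows, so a site owner cannot type an arbitrary string into the people picker and have it granted permissions as if it were a real identity.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Added example of a claims provider registered as the ClaimProviderName
// of an SPTrustedIdentityTokenIssuer. Issuer name, role claim type and the
// sample directory below are assumptions, not values from the original post.
public class ReplacementClaimProvider : SPClaimProvider
{
    // Name of the SPTrustedIdentityTokenIssuer this provider replaces the
    // default provider for. Deliberately NOT equal to this provider's Name.
    public const string SPTrustedIdentityTokenIssuerName = "ADFS20 Server"; // assumed

    public const string ProviderInternalName = "ReplacementClaimProvider";
    public const string ProviderDisplayName = "Replacement Claims Provider";

    // Identity claim type configured on the issuer (email in this example).
    private const string IdentityClaimType =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    // Claim type used for non-identity (role) entities; assumed for the example.
    private const string RoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Constructed sample data standing in for a real directory or database.
    private static readonly string[] KnownUsers = { "speschka@microsoft.com", "alice@contoso.com" };
    private static readonly string[] KnownRoles = { "Contributors", "Approvers" };

    public ReplacementClaimProvider(string displayName) : base(displayName) { }

    public override string Name { get { return ProviderInternalName; } }
    public override bool SupportsEntityInformation { get { return false; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return true; } }
    public override bool SupportsSearch { get { return true; } }

    // The issuer's identity claim is email, so an email-shaped value is an identity claim.
    private static bool IsIdentityClaim(string value)
    {
        return value.Contains("@");
    }

    // Builds the PickerEntity as the post prescribes: SPClaim constructor (not
    // CreateClaim), issuer-specific claim type, TrustedProvider original issuer.
    private PickerEntity BuildEntity(string claimValue)
    {
        bool isIdentity = IsIdentityClaim(claimValue);
        PickerEntity entity = CreatePickerEntity();

        entity.Claim = new SPClaim(
            isIdentity ? IdentityClaimType : RoleClaimType,
            claimValue,
            Microsoft.IdentityModel.Claims.ClaimValueTypes.String,
            SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider,
                                     SPTrustedIdentityTokenIssuerName));

        entity.EntityType = isIdentity ? SPClaimEntityTypes.User : SPClaimEntityTypes.FormsRole;
        entity.DisplayText = claimValue;
        entity.Description = ProviderDisplayName + ": " + claimValue;
        entity.EntityData[PeopleEditorEntityDataKeys.DisplayName] = claimValue;
        entity.IsResolved = true;
        return entity;
    }

    // Only values the directory knows are resolved; unknown input stays unresolved.
    private static IEnumerable<string> Lookup(string input, bool exactMatch)
    {
        List<string> all = new List<string>(KnownUsers);
        all.AddRange(KnownRoles);
        foreach (string value in all)
        {
            bool match = exactMatch
                ? string.Equals(value, input, StringComparison.OrdinalIgnoreCase)
                : value.StartsWith(input, StringComparison.OrdinalIgnoreCase);
            if (match) yield return value;
        }
    }

    protected override void FillResolve(Uri context, string[] entityTypes,
                                        string resolveInput, List<PickerEntity> resolved)
    {
        foreach (string candidate in Lookup(resolveInput, true))
            resolved.Add(BuildEntity(candidate));
    }

    protected override void FillResolve(Uri context, string[] entityTypes,
                                        SPClaim resolveInput, List<PickerEntity> resolved)
    {
        // Re-resolving a stored claim: rebuild it so the issuer stays the trusted provider.
        foreach (string candidate in Lookup(resolveInput.Value, true))
            resolved.Add(BuildEntity(candidate));
    }

    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern,
                                       string hierarchyNodeID, int maxCount,
                                       SPProviderHierarchyTree searchTree)
    {
        foreach (string candidate in Lookup(searchPattern, false))
            searchTree.AddEntity(BuildEntity(candidate));
    }

    protected override void FillClaimTypes(List<string> claimTypes)
    { claimTypes.Add(IdentityClaimType); claimTypes.Add(RoleClaimType); }

    protected override void FillClaimValueTypes(List<string> claimValueTypes)
    { claimValueTypes.Add(Microsoft.IdentityModel.Claims.ClaimValueTypes.String); }

    protected override void FillEntityTypes(List<string> entityTypes)
    { entityTypes.Add(SPClaimEntityTypes.User); entityTypes.Add(SPClaimEntityTypes.FormsRole); }

    protected override void FillSchema(SPProviderSchema schema)
    {
        schema.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.DisplayName,
                                                    "Display Name", SPSchemaElementType.Both));
    }

    // No augmentation and no hierarchy in this provider.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims) { }
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID,
                                          int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
}
```

After deploying the provider's feature receiver, the issuer is pointed at it with the ClaimProviderName step from tip 1; the value you set there is ProviderInternalName, not the issuer name held in SPTrustedIdentityTokenIssuerName. A quick check that the plumbing is right: pick a user in the people picker, grant them a permission, then compare the encoded claim SharePoint stores (visible in the site's user information list) with the one in the user's sign-in token; the original issuer segment must name the trusted provider, not the claims provider.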
Steve,
All your posts have been very helpful. I have configured SharePoint 2010 with ADFS 2.0 and I even got the user profiles mapped to the ADFS claims
social.technet.microsoft.com/…/ac459957-133f-4155-a0da-7099b9505a0a
I still have an issue with the picker. I have read all your posts about the naming resolution and creating a custom claim provider and it's excellent for setting permissions with roles.
But what about assigning a task to an individual user? It requires a unique mapping for a user to be resolved in the picker (username or emailaddress). Is it possible to write a custom claims provider with ldap or should i give it up and stop thinking about web sso and go for ntlm/kerberos claims.
Marc
Hi Steve
Not sure if you check this as it's an old post but here's hoping.
I followed your excellent posts to create a custom claims provider.
Everything works (the user claims get properly resolved and I can add them to groups) until I set it to replace the default provider for my token issuer. At this point the claims are still resolved but clicking OK to add the user to a specific groups causes an error (user may not exist or is not unique).
Have you seen this before or know where I might be going wrong?
I've also put a post up in the forums to see if anyone else ran into this.
social.msdn.microsoft.com/…/5f2e17c6-40e5-465a-a2c2-c69d7a9695f7
Thanks for any help you can give.
-mark
so what about the following scenario:
– We have a separate WIF STS for authentication for all our users.
– We configured this STS as our SPTrustedIdentityTokenIssuer in SharePoint.
– This STS only delivers the userid. The user attributes (claims) come from two different backends:
internal users are in one DB, guest users are in the other DB (the userid from the STS clearly distinguishes which DB to query) and so we would like to have two different ClaimProviders (or even more later). Both types of users authenticate to the same STS.
So what should we set for ClaimProviderName property of our SPTrustedIdentityTokenIssuer?
in short: how to configure one STS with several ClaimProviders?
Hi Markus, unfortunately that is not possible in this release. Super painful, you have to kill your SPTrustedIdentityProvider and start over. Hopefully they fix this next time around.
Adding additional claims from multiple stores is the role of claims augmentation, which you can also do with a custom claims provider. I would write one or more claims providers that only do claims augmentation and retrieve your custom claim info from the database in it.
Steve
Hi Steve,
thank you for this Blog. For me the most valuable Information on Claims and Sharepoint.
One question:
Is there an easy way to revert back to the empty default ClaimProviderName with Powershell?
$trusted.ClaimProviderName = “” or $trusted.ClaimProviderName=$Null
are not accepted. (Claims Provider does not exist)
The Web Application in my testing environment responds with error "0x8107058a ….not set to an instance of an object" if the Claims Provider is deactivated.
best regards
—
Markus
Hello Steve,
Thanks for the great series on Custom Claims Providers!
I have really stumped Microsoft with a couple of posts to the Partner forums pertaining to Custom Claim Providers. I have duplicated these posts to the public forums as well. I was wondering if you could review my posts and provide feedback on them.
SharePoint 2010 Custom Claims Provider – How to display AD Groups/SharePoint Roles
social.microsoft.com/…/e5773717-b25d-46d9-bb18-586dc0d8ad48
SharePoint 2010 People Picker Behavior with ADFS20 Custom Claims Provider
social.microsoft.com/…/dd1b3869-a55a-4230-92e3-b438b4bddce5
SharePoint 2010 User Display issues when using ADFS20 Custom Claim Provider
social.microsoft.com/…/13221824-3485-4462-9733-abab3ea908f5
Any advice/insight you can provide would be greatly appreciated!
Thanks for all your post they are absolutely fantastic, and I have recently implemented the End-to-End adfs in a production environment, but is in the same boat as Marc Van Eijk was about the User profile and claims but cannot seem to get his link to work for me.
Marc, could you please update that link so i can use your solution as well?
Hi, why would the name property have to match?
If I have a trustedtokenissuer sts I have to name it in your example sqlclaimsprovider?
After reading through I have developed a custom provider that queries a database and augments the claims (which I see in the web part and the STS claim email that I authorise against).
How would I change the people picker to search on the email as I do not augment this claim in the custom provider?
Hi Steve
Thanks for a great post but I am getting an error when I run the $trusted.Update() command; it throws an error saying the Update() command cannot run with 0 arguments. Can you suggest how to rectify this issue?
Thanks
Vivek
@Markus, it's actually possible to revert back to the default claim provider by using reflection, like this:
$ip = Get-SPTrustedIdentityTokenIssuer XXXX
$ip.GetType().GetField("m_ClaimProviderName","NonPublic,Instance").SetValue($ip, $null)
$ip.Update()