Issue:
Users are not resolved in the people picker when SAML is enabled for the web application
Reason:
When a user authenticates to the SharePoint Portal, Azure AD does not include his group membership in the SAML token received by SharePoint, so SharePoint does not know to which groups the user belongs to, and hence it cannot make authorizations based on groups. The federation services are authentication systems only.
As per Microsoft, “When a web application is configured to use claims-based authentication, People Picker uses claims providers to resolve and display users, groups, and claims in the user or group text box. The information that SharePoint displays depends on the claims provider that is used by the authentication method that was configured for the web application. “.
See Also: https://technet.microsoft.com/en-us/library/gg602078.aspx#about
Solution:
Create a custom claims provider. Claims provider queries Active Directory or any LDAP to add search capabilities to the people picker in SAML authentication mode (typically ADFS).
When we are searching for a user, we cannot go directly to ADFS because there is no search function. Instead, we use a custom claim provider to query directly to some authentication store or directory such as Active Directory to retrieve information about a list of users in order to provide name resolution.
Users are not resolved in the people picker when SAML is enabled for the web application
Reason:
When a user authenticates to the SharePoint Portal, Azure AD does not include his group membership in the SAML token received by SharePoint, so SharePoint does not know to which groups the user belongs to, and hence it cannot make authorizations based on groups. The federation services are authentication systems only.
As per Microsoft, “When a web application is configured to use claims-based authentication, People Picker uses claims providers to resolve and display users, groups, and claims in the user or group text box. The information that SharePoint displays depends on the claims provider that is used by the authentication method that was configured for the web application. “.
See Also: https://technet.microsoft.com/en-us/library/gg602078.aspx#about
Solution:
Create a custom claims provider. Claims provider queries Active Directory or any LDAP to add search capabilities to the people picker in SAML authentication mode (typically ADFS).
When we are searching for a user, we cannot go directly to ADFS because there is no search function. Instead, we use a custom claim provider to query directly to some authentication store or directory such as Active Directory to retrieve information about a list of users in order to provide name resolution.
No comments:
Post a Comment