18

I am passing Claims from a custom STS to SharePoint. It seems that some of the Claims are coming through OK to SharePoint, but not all. For example I am passing in the GivenName and Surname claims, but in the SharePoint "My Settings" page, I do not see a First Name or Surname populated.

My claim mappings are as follows:

    PS C:\Users\tom.haigh> $sts.ClaimTypeInformation

    DisplayName                    : WebUsername
    InputClaimType                 : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    MappedClaimType                : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    IsIdentityClaim                : True
    AcceptOnlyKnownClaimValues     : False
    ClaimValueModificationAction   : None
    ClaimValueModificationArgument :
    KnownClaimValues               : {}
    UpgradedPersistedProperties    : {}

    DisplayName                    : Email
    InputClaimType                 : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
    MappedClaimType                : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail
    IsIdentityClaim                : False
    AcceptOnlyKnownClaimValues     : False
    ClaimValueModificationAction   : None
    ClaimValueModificationArgument :
    KnownClaimValues               : {}
    UpgradedPersistedProperties    : {}

    DisplayName                    : Windows Account Name
    InputClaimType                 : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/windowsaccountname
    MappedClaimType                : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/windowsaccountname
    IsIdentityClaim                : False
    AcceptOnlyKnownClaimValues     : False
    ClaimValueModificationAction   : None
    ClaimValueModificationArgument :
    KnownClaimValues               : {}
    UpgradedPersistedProperties    : {}

    DisplayName                    : Given Name
    InputClaimType                 : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    MappedClaimType                : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    IsIdentityClaim                : False
    AcceptOnlyKnownClaimValues     : False
    ClaimValueModificationAction   : None
    ClaimValueModificationArgument :
    KnownClaimValues               : {}
    UpgradedPersistedProperties    : {}

    DisplayName                    : Surname
    InputClaimType                 : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    MappedClaimType                : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    IsIdentityClaim                : False
    AcceptOnlyKnownClaimValues     : False
    ClaimValueModificationAction   : None
    ClaimValueModificationArgument :
    KnownClaimValues               : {}
    UpgradedPersistedProperties    : {}

I am interested to find out what claim types are supported, and how to make them work as expected.

1
  • Do you know the PowerShell to get the current ClaimType used for the current authentication method? Commented Jun 24, 2016 at 10:02

3 Answers

8

AFAIK, there is no automatic mapping between claims and the My Settings page. For instance, providing an "email" claim does not populate the "email" field.

Update: actually, it seems that IF your identity claim is of type http://schema.microsoft.com/.../emailaddress AND your identity claim value looks like an email, then your email gets populated (I found that recently while using reflector on the SPTrustedClaimProvider class; the rest of the post is still valid, i.e. you must configure the UPS).

You can pass as many claims to SharePoint as you want, but the only claim that SharePoint is interested in is the Identity claim; it is used as a unique identifier (similar to the UPN in Windows-classic authentication) and as a "display name" (the Name field on the My Settings page). All other claims pass through SharePoint without being used.

The only place where you can see and use all your claims is when you specify authorizations through the People Picker; here you will see all of them, and you can grant access to content using the claim you want.

If you want a mapping to occur, you must configure the User Profile Sync Service.

So to summarize:

  1. The identity claim is used to uniquely identify a user and as a default "display name".
  2. All other claims may be used for authorization.
    Note: some claim types are reserved by SharePoint and cannot be mapped, such as Name and NameIdentifier. You will receive an error if you try to use them when you set up your mappings. Update: as stated by Nathan below, in your mapping you can actually have an incoming claim of type NameIdentifier. However, you can't use it inside SharePoint with the "sameAsIncoming" parameter; you must map this input claim to a different local claim in SharePoint.
  3. If you want to populate the email, display name, etc., in My Settings, configure the User Profile Sync service.
    Note: there are some additional steps to perform when you use claims-based auth, such as setting the "Claim User Identifier" property.

PS. If you want to see your claims, the code accompanying the following article has a really nice web part that shows all claims with their values:
http://msdn.microsoft.com/en-us/library/ff953202.aspx

2
  • 1
    "Note: some claim types are reserved by Sharepoint and cannot be mapped, such as Name and NameIdentifier." is not a true statement - you can't map them using -SameAsIncoming, but you can map using a different local claim type (at least for nameidentifier). E.g. $identityClaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "NameIdentifier" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Commented Nov 6, 2014 at 19:12
  • @Nathan, thanks, you're right, we can use these types as "incoming claims" only. I've updated my answer. Commented Nov 7, 2014 at 20:57
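The mapping rules from the summary above and Nathan's comment, put together as one PowerShell script. This is an added example, not code from the answer or from Microsoft: the STS name, realm, sign-in URL and certificate path are placeholders, and New-CheckedClaimMapping is a helper added here that refuses -SameAsIncoming for the reserved claim types before calling New-SPClaimTypeMapping.

```powershell
# Added example: build a trusted identity token issuer whose claim mappings follow
# the summary above. Name, realm, sign-in URL and certificate path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ns = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'

# Claim types SharePoint reserves: mapping them with -SameAsIncoming fails at setup time.
$reserved = @("${ns}name", "${ns}nameidentifier")

# Helper added for this example (not a SharePoint cmdlet): wraps New-SPClaimTypeMapping
# and rejects a reserved incoming type unless it is mapped to a different local type.
function New-CheckedClaimMapping {
    param([string]$Incoming, [string]$Display, [string]$Local)
    if (-not $Local -and ($reserved -contains $Incoming.ToLower())) {
        throw "Claim type '$Incoming' is reserved; map it to a different local claim type instead of using -SameAsIncoming."
    }
    if ($Local) {
        New-SPClaimTypeMapping -IncomingClaimType $Incoming -IncomingClaimTypeDisplayName $Display -LocalClaimType $Local
    } else {
        New-SPClaimTypeMapping -IncomingClaimType $Incoming -IncomingClaimTypeDisplayName $Display -SameAsIncoming
    }
}

# 1. Identity claim: unique identifier and default display name in My Settings.
$email  = New-CheckedClaimMapping -Incoming "${ns}emailaddress" -Display 'Email'
# 2. Other claims pass through; usable in the People Picker for authorization only.
$given  = New-CheckedClaimMapping -Incoming "${ns}givenname" -Display 'Given Name'
$sur    = New-CheckedClaimMapping -Incoming "${ns}surname"   -Display 'Surname'
# Reserved incoming type is allowed only when mapped to a different local type.
$nameId = New-CheckedClaimMapping -Incoming "${ns}nameidentifier" -Display 'NameIdentifier' -Local "${ns}upn"

# Placeholder path to the STS signing certificate (public part only).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\sts-signing.cer')

$sts = New-SPTrustedIdentityTokenIssuer -Name 'Custom STS' -Description 'Custom STS' `
    -Realm 'urn:sharepoint:placeholder' -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $given, $sur, $nameId `
    -SignInUrl 'https://sts.example.invalid/issue' -IdentifierClaim $email.InputClaimType

# Check what SharePoint stored (also answers the "which claim type is current" question
# in the comments): only the row with IsIdentityClaim = True feeds My Settings.
Get-SPTrustedIdentityTokenIssuer -Identity 'Custom STS' |
    Select-Object -ExpandProperty ClaimTypeInformation |
    Format-Table DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim -AutoSize
```

Run this in the SharePoint Management Shell on a farm server; the final table is the same shape as the $sts.ClaimTypeInformation output in the question.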
0

I must admit that I haven't had much experience with claims but I'll have a stab at this one in the absence of any other responses.

User profile properties (located within the "My Settings" page) are simply name/value pairs that are imported from a directory such as AD.

At a guess I would say that the user profile properties that appear to match the users claims are the default ones that are imported by the User Profile Service from Active Directory.

It sounds as though you are augmenting claims and expecting them to appear within the user's profile, whereas the solution might be to add custom properties within the Manage Profile Service page.

0

If you want to set the given name, email, department, and other properties a user can see on the "My Settings" page, you need to implement a custom claims provider and, in the FillResolve method, set the PickerEntity:

    // inside FillResolve: pe is the PickerEntity being returned to the People Picker
    pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = "GivenName";
    pe.EntityData[PeopleEditorEntityDataKeys.Email] = "[email protected]";

Check out all the properties you can set.
