IdentifierClaim in SPTrustedIdentityTokenIssuer
I'm trying to configure an SPTrustedIdentityTokenIssuer but I always get the error:
IdentifierClaim does not match any claim type specified in ClaimsMappings.
What am I missing?
```powershell
SPTrustedIdentityTokenIssuer AzureAD
{
    Name                     = "AzureAD";
    Description              = "Azure AD Identity provider";
    Realm                    = "urn:sharepoint:sp1";
    SignInUrl                = "https://login.microsoftonline.com/[GUID removed]/wsfed";
    IdentifierClaim          = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    ClaimsMappings           = @(
        MSFT_SPClaimTypeMapping {
            Name              = "name";
            IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
            LocalClaimType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
        }
        MSFT_SPClaimTypeMapping {
            Name              = "Email";
            IncomingClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
        }
        MSFT_SPClaimTypeMapping {
            Name              = "Role";
            IncomingClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
        }
    )
    SigningCertificateFilePath = "C:\cert.cer";
    Ensure                   = "Present";
    PsDscRunAsCredential     = $SPSetupAccount;
}
```
Issue Analytics
- Created 2 years ago
- Comments: 5 (5 by maintainers)
Top GitHub Comments
UPDATE: Correction to my first conclusion. I have checked the inner workings a little more and the error is in the code.
Found the root cause for this issue:
In the Set method, this code creates an array with Claims Mappings: https://github.com/dsccommunity/SharePointDsc/blob/8214236e27d0a67c1fd5acea64d889dd38373c0e/SharePointDsc/DSCResources/MSFT_SPTrustedIdentityTokenIssuer/MSFT_SPTrustedIdentityTokenIssuer.psm1#L283-L299
The next block of code then checks if the specified IdentifierClaim matches a MappedClaimType in any of the claims in the array: https://github.com/dsccommunity/SharePointDsc/blob/8214236e27d0a67c1fd5acea64d889dd38373c0e/SharePointDsc/DSCResources/MSFT_SPTrustedIdentityTokenIssuer/MSFT_SPTrustedIdentityTokenIssuer.psm1#L283-L299
This is where the code fails. It should check against the InputClaimType property instead of the MappedClaimType property. Will update the code and submit a PR!
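To make the root cause concrete, here is an added PowerShell illustration. It is not SharePointDsc's code and runs without a SharePoint farm: the mapping objects are stand-ins for what New-SPClaimTypeMapping returns, carrying only the InputClaimType and MappedClaimType properties that the check reads, and New-FakeClaimTypeMapping is a hypothetical helper written for this example. It applies both the faulty comparison described in the comment above and the corrected one to the claim mappings from the question.

```powershell
# Added example (not SharePointDsc code). Builds the claim mappings from the
# configuration in the question and runs the IdentifierClaim check two ways:
# against MappedClaimType (the faulty comparison) and against InputClaimType.

# Hypothetical stand-in for New-SPClaimTypeMapping, which needs a live farm.
# Only the two properties the check reads are modelled.
function New-FakeClaimTypeMapping {
    param(
        [Parameter(Mandatory)] [string] $IncomingClaimType,
        [Parameter(Mandatory)] [string] $IncomingClaimTypeDisplayName,
        [string] $LocalClaimType
    )
    # SharePoint defaults the local claim type to the incoming one when none is given.
    if (-not $LocalClaimType) { $LocalClaimType = $IncomingClaimType }
    [pscustomobject]@{
        InputClaimType               = $IncomingClaimType
        MappedClaimType              = $LocalClaimType
        IncomingClaimTypeDisplayName = $IncomingClaimTypeDisplayName
    }
}

# The three mappings from the configuration in the question.
$mappings = @(
    New-FakeClaimTypeMapping -IncomingClaimTypeDisplayName 'name' `
        -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' `
        -LocalClaimType    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    New-FakeClaimTypeMapping -IncomingClaimTypeDisplayName 'Email' `
        -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    New-FakeClaimTypeMapping -IncomingClaimTypeDisplayName 'Role' `
        -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
)
$identifierClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Faulty comparison: looks at the local (mapped) side of each mapping. The
# identifier claim is the incoming 'name' claim, which is mapped to 'upn', so
# nothing matches and the resource reports the error from the question.
$buggyMatch = $mappings | Where-Object { $_.MappedClaimType -eq $identifierClaim }
if (-not $buggyMatch) {
    Write-Host "Faulty check: IdentifierClaim does not match any claim type specified in ClaimsMappings."
}

# Corrected comparison: IdentifierClaim names a claim as it arrives in the
# token, so it must be compared with the incoming (InputClaimType) side.
$fixedMatch = $mappings | Where-Object { $_.InputClaimType -eq $identifierClaim }
if ($fixedMatch) {
    Write-Host ("Corrected check: identifier claim '{0}' is mapped to local claim '{1}'." -f `
        $fixedMatch.InputClaimType, $fixedMatch.MappedClaimType)
}
```

The second branch is the behaviour the fix restores: a configuration whose IdentifierClaim is an incoming claim type that is re-mapped to a different local claim type (here name to upn) is valid and must not be rejected.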
Sorry I didn't follow up, I had to switch projects. Thank you @ykuijs for the fix! (I also missed the issue in the code)