SharePoint Pals
How to Add more than One SharePoint 2013 WebApplication to a SPTrustedIdentityTokenIssuer on ADFS using PowerShell
by Sathish Nadarajan 12 Dec 2013
SharePoint MVP

In the previous posts, we saw how to make ADFS an authentication provider for our SharePoint 2013 WebApplication. But later I faced an issue: the certificate which we export from the ADFS server to create the IssuerID and the TrustedIdentityTokenIssuer cannot be reused for other WebApplications. That is, we cannot create more than one TrustedIdentityTokenIssuer in the SharePoint farm using the same token-signing certificate from the ADFS server (SharePoint rejects a second issuer that imports a certificate already bound to an existing one). At that point I could find no other option, such as exporting a second certificate from the ADFS server.

Hence, in the meantime, I came to the conclusion that we should use the existing TrustedIdentityTokenIssuer for the new WebApplication as well. For reference, the script that created the TrustedIdentityTokenIssuer is as follows.


 Add-PSSnapin "Microsoft.SharePoint.PowerShell"
 # Import the ADFS token-signing certificate (exported from the ADFS server as a .cer file) into the farm's trusted root authorities.
 # If the token-signing certificate is issued by a CA, the "Parent" entry should be that CA certificate;
 # for a self-signed ADFS certificate both entries point at the same file, as here.
 $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\SathishADFSCert.cer")
 New-SPTrustedRootAuthority -Name "Sathish Seven Token Signing Cert Parent" -Certificate $root
 $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\SathishADFSCert.cer")
 New-SPTrustedRootAuthority -Name "Sathish Seven Token Signing Cert" -Certificate $cert
 # The realm must match the relying party identifier configured on the ADFS server for this WebApplication.
 $realm = "urn:sharepoint:MyWebApplicationURL"
 $signInURL = "https://MyADFSServerURL/adfs/ls"
 # Claim type mappings. The incoming claim type URIs were lost from the original listing;
 # the values below are the standard WS-Federation claim types for e-mail address, UPN and role.
 #create an identity claim(email) mapping
 $map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
 #create an identity claim(UPN) mapping
 $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
 #create a role claim mapping
 $RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
 #create the TrustedIdentityTokenIssuer; the e-mail claim is used as the identifier claim
 $ap = New-SPTrustedIdentityTokenIssuer -Name "Sathish Five Claims Provider" -Description "Sathish Identity Token Issuer" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType

Here the realm parameter is tied to a particular WebApplication. What we need to do is add our new WebApplication URL as a ProviderRealm as well. Basically, ProviderRealms is a collection keyed by WebApplication URL, so we can add more than one WebApplication URL to it, each with its own realm. The realm should follow the pattern "urn:sharepoint:WebApplicationURL", and it must exactly match the relying party identifier configured for that WebApplication on the ADFS server, because ADFS uses it to select the relying party trust and SharePoint uses it as the expected audience of the token. The PowerShell script to achieve this is:

 Add-PSSnapin "Microsoft.SharePoint.PowerShell"
 # Look up the existing issuer by the exact name it was created with
 $sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "Sathish Five Claims Provider"}
 # Key: the new WebApplication URL. Value: the realm ADFS must see as the relying party identifier
 $uri = new-object System.Uri("https://MyNewWebApplicationURL")
 $sts.ProviderRealms.Add($uri, "urn:sharepoint:MyNewWebApplicationURL")
 # Persist the change to the configuration database
 $sts.Update()

To consolidate the above steps:

1. To make a WebApplication ADFS-authenticated, we need an https-enabled WebApplication. We discussed that in this article.

2. Add the WebApplication as a Relying Party Trust on the ADFS server, with the relying party identifier set to the same urn:sharepoint:WebApplicationURL realm. We discussed that in this article and here.

3. Add the WebApplication URL and its realm to the ProviderRealms collection of the TrustedIdentityTokenIssuer object.

4. Call Update() on the issuer and do an IISReset on the SharePoint servers (all the front ends).

5. In Central Administration, open the Authentication Providers of the WebApplication, make sure it uses claims-based authentication, enable Trusted Identity Provider and select the corresponding TrustedIdentityTokenIssuer.

6. Try logging in to the new WebApplication.

That’s it. We are done. Thus, we can add any number of web applications to a single TrustedIdentityTokenIssuer.
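As an added example (not code from the original post), the whole procedure from the SharePoint side in one script, with the checks that are easy to miss when it is done by hand: the new WebApplication must be HTTPS, the realm must follow the urn:sharepoint: convention and match the ADFS relying party identifier character for character, the ProviderRealms dictionary throws on a duplicate key so the script checks before adding, and Update() is required to persist the change. The issuer name and URLs are placeholders taken from the post; binding the issuer to the WebApplication with New-SPAuthenticationProvider and Set-SPWebApplication replaces the Central Administration click in step 5 and assumes the default zone should keep Windows authentication alongside ADFS.

```powershell
# Added example, not part of the original post. Adds a second web application
# to an existing SPTrustedIdentityTokenIssuer and binds the issuer to it.
# Run in the SharePoint 2013 Management Shell on one server of the farm.
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

$issuerName   = "Sathish Five Claims Provider"            # name used when the issuer was created
$newWebAppUrl = "https://MyNewWebApplicationURL"          # placeholder: the new web application's URL
$newRealm     = "urn:sharepoint:MyNewWebApplicationURL"   # must equal the relying party identifier in ADFS

# Step 1 check: ADFS POSTs the signed token back to <webapp>/_trust/, so clear-text HTTP
# would expose the token on the wire. Refuse anything that is not HTTPS.
$webAppUri = [System.Uri]$newWebAppUrl
if ($webAppUri.Scheme -ne "https") {
    throw "Web application must be HTTPS, got '$($webAppUri.Scheme)'"
}
# Realm convention used by the post; the exact string (case included) must match what ADFS has.
if ($newRealm -cnotmatch '^urn:sharepoint:') {
    throw "Realm '$newRealm' does not follow the urn:sharepoint:<url> pattern"
}

# Step 3: fetch the issuer and add the realm. ProviderRealms is a Dictionary<Uri,string>,
# so Add() throws if the key already exists; check first so the script can be re-run safely.
$sts = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
if ($sts.ProviderRealms.ContainsKey($webAppUri)) {
    Write-Host "Realm for $newWebAppUrl already present: $($sts.ProviderRealms[$webAppUri])"
} else {
    $sts.ProviderRealms.Add($webAppUri, $newRealm)
    # Step 4: persist to the configuration database; without Update() the change is lost.
    $sts.Update()
    Write-Host "Added realm $newRealm for $newWebAppUrl"
}

# Step 5, scripted instead of clicking through Central Administration:
# enable the trusted provider on the Default zone of the new web application.
# Assumption: Windows authentication stays enabled on that zone next to ADFS.
$wa = Get-SPWebApplication -Identity $newWebAppUrl -ErrorAction Stop
$windowsProvider = New-SPAuthenticationProvider     # Windows claims (NTLM) provider
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windowsProvider, $sts

# Print the final realm map so it can be compared against the relying party identifiers in ADFS.
$sts.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }

# Remainder of step 4: run 'iisreset' on every front-end server, then test the login (step 6).
```

If the login still fails after this, the first thing to compare is the realm string printed at the end against the identifier on the ADFS relying party trust; a mismatch there produces an ADFS error before SharePoint ever sees a token. A realm can be taken out again with `$sts.ProviderRealms.Remove($webAppUri)` followed by `$sts.Update()`.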

Happy Coding.

Sathish Nadarajan.
