SharePoint Pals
 | Sign In
How to Provide Custom Attribute as a Claim from ADFS in SharePoint 2013 using PowerShell
by Sathish Nadarajan 9 Mar 2014
Author
SharePoint MVP
Visits   
Today  :   14     Total  :    28673

In the previous article, we saw how to add custom attributes to the Active Directory. In this article, let us see, how to use those attributes as Claims through ADFS. Adding claims to ADFS, already we saw as a part of Configuring ADFS as authentication provider here. Please refer that, if not read already.

To refresh, we added maritalStatus as an attribute on the previous article. On our sharepoint site, we want, this maritalStatus as a Claim after login into the Site.

Now, the steps are

1. Configure the new claims on the ADFS Server.

2. Delete the TrustedIdentityTokenIssuer.

3. Create the SPClaimTypeEncoding for the new claim value

4. Create a new TrustedIdentityTokenIssuer with the new Encoded Claim value

5. Map the SharePoint site to the newly created TrustedIdentityTokenIssuer.

Let us see them one by one.

1. Configure the new claims on the ADFS Server.

We need to Add the claim description. For that, login to the ADFS Server. Open the ADFS management console. By default, the claim description will looks like,

image

Now, we are going to Add our claim Description.

Right click on the Claim Description.

image

Click Add Claim Description.

Enter the values as below.

image

Click OK. The claim Description will get added.

Now, the screen will looks like,

image

Now, we need to add the newly added claim in the Claims Rule of the web application. i.e., the Relying party trust.

Select the Relying Party Trust, Select the web application. Edit Claim rules.

image

image

image

On the LDAP Attributes, we can type as MaritalStatus and on the Outgoing Claim Type, the drop down contains the Claim MaritalStatus, since we added it on the Active Directory. Hence, select that.

Click Ok, and close this screen.

That’s it. We are done with the ADFS Server. Now, move back to our SharePoint Server.

2. Remove the existing TrustedIdentityTokenIssuer.

 Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "win2008r2 claims provider"} | Remove-SPTrustedIdentityTokenIssuer

3. Remove the existing TrustedRootAuthority

 Get-SPTrustedRootAuthority | where {$_.Identity -eq "Token Signing Cert ADFSAuthenticatedSite"} | Remove-SPTrustedIdentityTokenIssuer

4. Now, let us re-create everything with encoding.

 Add-PSSnapin "Microsoft.SharePoint.PowerShell"
 
 Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "win2008r2 claims provider"} | Remove-SPTrustedIdentityTokenIssuer 
 
 Get-SPTrustedRootAuthority -Identity "Token Signing Cert ADFSAuthenticatedSite" | Remove-SPTrustedIdentityTokenIssuer
 
 
 $a = [char]0x02bc #700 - for Marital Status
 #$b = [char]0x02bd #701 - Incase if we have 2 more Claims needs to be added
 #$c = [char]0x02be #702 - Incase if we have 2 more Claims needs to be added
 
 
 New-SPClaimTypeEncoding -EncodingCharacter $a -ClaimType "http://ss.loc/maritalstatus" -force
 #New-SPClaimTypeEncoding -EncodingCharacter $b -ClaimType "http://dc07.loc/v2/jobtitle" -force - Incase if we have 2 more Claims needs to be added
 #New-SPClaimTypeEncoding -EncodingCharacter $c -ClaimType "http://dc07.loc/v2/application" -force - Incase if we have 2 more Claims needs to be added
 
 
 
 $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\WORK\Certificates\ADFSCert.cer")
 
 New-SPTrustedRootAuthority -Name "Token Signing Cert ADFSAuthenticatedSite" -Certificate $cert
 
 $map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
 
 $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
 
 $RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming
 
 $maritalStatusClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://ss.loc/maritalstatus" -IncomingClaimTypeDisplayName "MaritalStatus" -SameAsIncoming
 
 $realm="urn:sharepoint:sathishserver.ss.loc:20003"
 
 $signInURL="https://Win2008R2/adfs/ls"
 
 $sts = New-SPTrustedIdentityTokenIssuer -Name “win2008r2 claims provider” -Description “My Claims Provider”-realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap,$maritalStatusClaimMap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType
 
 $sts 
 

5. Now, map the created TrustedIdentityToken with the web application.

In Central Administration, go to Manage web application and select the web application.

image

Select the Default.

image

On the Edit Authenticaiton screen, we can see the newly created Identity Provider.

image

Select that and click save. On the screen nothing will happen. Let us close this popup and try login to the site collection. It will ask for the ADFS authentication.

That’s it. Now, let us go back to our claims viewer web part. Now, we will be seeing the newly added attribute will be listed as the claim on the screen.image

 

Now, the newly added webpart will show the newly added claim.

 

Happy Coding.

Sathish Nadarajan.

blog comments powered by Disqus

SharePoint Pals

Pals
SharePoint Pals, a community portal for SharePoint developers, Administrators and End Users. Let's join hands and share the point together.
Read this on mobile

Training

Angular Js Training In Chennai
Advanced Angular Js training with real world developer scenarios
Angular Js, Web Api and Ionic for .Net Developers
All in one client side application development for .Net developers
Angular Js For SharePoint Developers
Get ready for the future. Its no more just C#

Get Connected

SharePoint Resources

SharePoint 2013 and 2010 Web Parts
Free Web Parts with Source Code for SharePoint Community




SharePoint 2013 Books and Tutorials
Collection of free SharePoint 2013 books and tutorials (eBooks, pdfs)

Supported By

Contribute your article and be eligible for a one month Free Subscription for Plural Sight. The Author of the most popular New Article (published in the previous month) will be awarded with a Free One month Plural Sight Subscription. Article can be sent to articles@sharepointpals.com in a word document.

Related Resources

Recent Tweets

Twitter January 15, 00:25
How To Enable Target Value And Actual Value In #D3 Gauge Chart https://t.co/VxSi4QnNrC

Twitter January 15, 00:24
How To Open #SharePoint List Hyperlink Column In Modal #Popup Window https://t.co/EQ7HkoZDkX

Twitter January 15, 00:24
Quick Introduction To #Asp.NetCore And It’s Features https://t.co/zAXObHCFpH

Twitter January 15, 00:22
How To Configure #PerformancePoint Services To Use Secure Store In #SharePoint 2013 https://t.co/LEwnUoI7EY

Twitter January 15, 00:21
How To Block Or Disable #Office365 Services https://t.co/Yvp2VPFIRP

Follow us @SharePointPals
Note: For Customization and Configuration, CheckOutRecent Tweets Documentation