Channel: Claims based access platform (CBA), code-named Geneva forum

Can't use UPN as a claim for ADFS


Hi there,

I'd like to migrate the authentication provider for a SharePoint farm from Kerberos to an ADFS server.

ADFS is up and running. I created claim rules for UPN and email address, but it seems that the UPN doesn't get evaluated during the logon process.

Let's say the broadcast domain's name is contoso.de.

The primary mail address suffix is contoso-mail.de.

I created a trusted root authority in SharePoint like this:

# register the AD FS signing certificate as a trusted root authority
New-SPTrustedRootAuthority -Name "my-adfs-provider" -Certificate $cert

# map the incoming email and UPN claims, keeping the claim types unchanged
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

When I grant permissions in my SharePoint site to i:05.t|my-adfs-provider|user@contoso.de, the user can't log in to this site. But when I grant permissions to i:05.t|my-adfs-provider|devmhda@contoso-mail.de, this user is able to log on.

I guess on most setups the primary mail address and UPN may be the same, but not at a customer's site.

I also created a server farm from scratch in my lab and ran into the same problem: evaluating the mail claim works, but UPN does not.

What may be wrong here?

Thanks in advance

Marcel
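The following is an added example, not the poster's script and not an answer from the forum. It shows the part of the setup the post does not include: creating the SharePoint trusted identity token issuer itself, where the -IdentifierClaim parameter decides which single incoming claim becomes the user's identity (the value after the last "|" in i:0?.t|issuer|value). The other mapped claims are carried in the token but are not used to look the user up. The script also checks the configured identifier claim and generates the encoded claim string for a grant instead of typing it by hand. All concrete values (certificate path, AD FS host, realm, web application URL) are hypothetical.

```powershell
# Added example, not the poster's script. Assumed (hypothetical) values:
#   C:\adfs-signing.cer      - token-signing certificate exported from AD FS
#   https://adfs.contoso.de  - AD FS host
#   urn:sharepoint:contoso   - relying party identifier configured in AD FS
#   https://sp.contoso.de    - SharePoint web application that will use the issuer
# Run on a SharePoint server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upnType   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. Trust the AD FS token-signing certificate. Tokens signed by any other key
#    are rejected, so register only the signing certificate here.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs-signing.cer")
New-SPTrustedRootAuthority -Name "my-adfs-provider" -Certificate $cert | Out-Null

# 2. Map the incoming claims. Only the one passed as -IdentifierClaim becomes
#    the user's identity; the others are available to the application but do
#    not identify the user.
$upnMap   = New-SPClaimTypeMapping -IncomingClaimType $upnType   -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "my-adfs-provider" `
    -Description "AD FS, UPN as identifier claim" `
    -Realm "urn:sharepoint:contoso" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $upnMap, $emailMap `
    -SignInUrl "https://adfs.contoso.de/adfs/ls/" `
    -IdentifierClaim $upnMap.InputClaimType

# 3. Check which claim identifies users. If this prints the emailaddress URI,
#    grants keyed on a UPN value can never match a logged-on user.
$check = Get-SPTrustedIdentityTokenIssuer "my-adfs-provider"
$check.IdentifierClaim
$check.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType

# 4. Grant access with a generated encoded claim rather than a hand-typed one.
#    The character after "i:0" encodes the claim type (5 is the emailaddress
#    claim), so a typed "i:05.t|...|user@contoso.de" always means "the user
#    whose email claim is user@contoso.de", whatever the identifier claim is.
$principal = New-SPClaimsPrincipal -ClaimValue "user@contoso.de" `
    -ClaimType $upnType -TrustedIdentityTokenIssuer $issuer -IdentifierClaim
$encoded = $principal.ToEncodedString()
$encoded

$web = Get-SPWeb "https://sp.contoso.de"
New-SPUser -UserAlias $encoded -Web $web -PermissionLevel "Read" | Out-Null
$web.Dispose()

# On the AD FS server (a separate host, not part of this script) the relying
# party needs an issuance rule that actually emits the UPN claim, for example
# the standard "send LDAP attribute as claim" rule:
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
#    => issue(store = "Active Directory",
#             types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
#             query = ";userPrincipalName;{0}", param = c.Value);
```

Two practitioner notes. First, compare the output of step 3 with the claim type you grant on: the identifier claim is the only authorization key SharePoint has for this issuer, so it should be an attribute that administrators control (userPrincipalName) rather than one users or helpdesk staff can edit freely, and it must be emitted by AD FS for every account. Second, the encoded string from ToEncodedString() is what to paste into the people picker or into grants; the post's i:05.t prefix is the email encoding, so a UPN-identified user gets a different prefix and a grant typed with the email prefix will not match them even when the value is the correct UPN.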

