Forum Discussion
I need a guide for SP2016 on prem setting up WAP and ADFS
Hi Everyone. My name is Carl and I am working with Benjamin who started the post earlier.
We would like to allow external access to our on-prem SharePoint 2016 on Windows Server 2016.
We have a Windows Server 2016 system configured for WAP setup in a DMZ.
We also have a Windows Server 2016 system with ADFS 4.0 on our LAN.
We would prefer not to join our WAP server to the domain.
What are the methods for WAP and ADFS to do this?
If we are using WAP and SAML to pre-authenticate external access can we still use WIA for internal users?
- Oct 27, 2017
You can either use WIA which requires joining WAP to the domain or use SAML which does not require joining WAP to the domain. To SharePoint, even with the same User object in Active Directory, a user is different if using Windows or SAML. There is no way to "attach" the user objects together.
I'd strongly suggest converting all Web Applications to SAML should you choose to use SAML. Mixing WIA and SAML generally doesn't work out too well. This will also prevent duplicate User Profiles (one Windows Claims, the other SAML) which can lead to failures in OAuth-based applications such as Workflow Manager. And of course there are user experience issues with SAML, such as resolving anything typed into the People Picker. Tools like LDAPCP help with this, but IMO the experience still isn't as good as WIA.
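To make the SAML-only path concrete, here is an added example (not code from the thread or from either poster) of the two halves of the setup described above: registering ADFS as a trusted identity provider in SharePoint 2016 and switching a web application's Default zone to that provider only, then publishing it through a non-domain-joined WAP with ADFS pre-authentication. All host names, the realm, the certificate paths and thumbprints, and the relying-party name are placeholders and must match the relying party trust you create in ADFS (whose WS-Federation passive endpoint for SharePoint is `https://<web app>/_trust/`).

```powershell
# Added example, not from the original thread. Placeholders below are assumptions.

# ---------- Part 1: on a SharePoint 2016 server (SharePoint Management Shell) ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsHost  = "adfs.corp.example"                      # assumed ADFS 4.0 host on the LAN
$certPath  = "C:\certs\adfs-token-signing.cer"        # ADFS token-signing cert, exported from ADFS
$realm     = "urn:sharepoint:intranet"                # must equal the RP identifier configured in ADFS
$webAppUrl = "https://intranet.corp.example"          # the web application being converted to SAML

# SharePoint validates the SAML token signature against this certificate.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Map incoming claims. Email is used as the identifier claim; role claims carry AD group
# membership so permissions can still be granted to groups rather than individuals.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$tip = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS 4.0 SAML trust" `
    -Realm $realm `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# Make the Default zone SAML-only. Passing a single provider (rather than the SAML provider
# plus a Windows provider) is what avoids the mixed WIA + SAML situation and the duplicate
# User Profiles that come with it.
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $tip

# ---------- Part 2: on the WAP server in the DMZ (not domain-joined) ----------
# WAP does not need domain membership: it establishes a trust with ADFS using a
# credential of a local administrator on the ADFS server, prompted for here.
Install-WebApplicationProxy `
    -FederationServiceName "adfs.corp.example" `
    -CertificateThumbprint "<thumbprint of the cert for adfs.corp.example on WAP>" `
    -FederationServiceTrustCredential (Get-Credential -Message "ADFS local administrator")

# Publish the web application with ADFS pre-authentication. Unauthenticated external
# requests are redirected to ADFS first; only requests carrying a valid token reach SharePoint.
Add-WebApplicationProxyApplication -Name "SharePoint Intranet" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "SharePoint Intranet" `
    -ExternalUrl "https://intranet.corp.example/" `
    -BackendServerUrl "https://intranet.corp.example/" `
    -ExternalCertificateThumbprint "<thumbprint of the external TLS cert for intranet.corp.example>"
```

Two points worth checking after running this: the relying party trust in ADFS must issue the email and role claims the mappings above expect (otherwise users authenticate at ADFS but are rejected by SharePoint), and because the identifier claim is email, every account that should have access needs a populated mail attribute in Active Directory.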
- MIS Department, Nov 09, 2017, Copper Contributor
I would like to know more about the negative user experience you get when using SAML. I noticed this warning in a few other threads as well.
Do you know any blogs/resources that discuss these issues?
BTW - I'm just a generic IT person who is trying to help the actual SharePoint guy get what he needs.
- Nov 09, 2017
Generally it surrounds the People Picker. As there is no source of truth to work off for SAML, the People Picker will accept any value, unlike when using NTLM/Kerberos. One must also change the UPSA to leverage the identity attribute sent via SAML. MMS also has special considerations with regards to migration of permissions, e.g. https://technet.microsoft.com/en-us/library/dn745644.aspx?f=255&MSPPError=-2147217396#MMS.