SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize
Resource Domain/Forest (resource.local)
SP 2016 Farm in Resource Domain webapp.resource.local
ADFS 4.0 configured on internal network of resource.local
WAP configured in DMZ publishing adfs.resource.local and webapp.resource.local
User Domain/Forest (users.local)
ADFS 4.0 configured on internal network of users.local
WAP configured in DMZ publishing adfs.users.local
Federated trust has been created between the two ADFS instances.
We can successfully authenticate against either ADFS individually, and we can also authenticate across the federated trust using the idpinitiatedsignon.aspx to test.
The Issue: When we attempt to log in to webapp.resource.local (tested externally because we have no need to test this internally) we can see the trust being traversed and we authenticate; however, we get the "Sorry, the site hasn't been shared with you." page. The users in the resource domain don't have issues authenticating/authorizing to the sites externally through the resource ADFS.
I'm not sure what we're missing here. Any help would be greatly appreciated.
3 Replies
- What claims are you passing over the fed trust and what is the identity claim configured in SharePoint/sent by the RP from the resource domain ADFS?
- Matt_Paleafei (Copper Contributor)
Thanks Trevor ... although the claim itself wasn't necessarily the resolution, it DID point me in the direction that seems to have resolved the issue.
I went to the claims provider in SharePoint (LDAPCP) and added another connection for the federated domain. Although in a typical federated scenario I question the feasibility of this as a solution, for OUR environment this works, and users from the federated ADFS forest are now able to be added into a site with permissions, and thus are authorized after authenticating.
- Matt_Paleafei (Copper Contributor)
User ADFS Issuance
UPN - passthrough
Primary SID - passthrough
Primary group SID - passthrough
Name - passthrough
UPN --> emailAddress
Resource ADFS
UPN - passthrough
Primary SID - passthrough
Primary group SID - passthrough
Name - passthrough
Email - passthrough
UPN --> emailAddress
SharePoint Identifier Claim = email
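As an added example (not code from this thread or from the poster's environment): the rule set Matt listed, written out in AD FS claim rule language and applied with the AD FS PowerShell cmdlets on the resource ADFS, followed by the SharePoint-side check that the identifier claim type matches what the RP trust issues. The trust display names are assumptions; only the hostnames come from the thread.

```powershell
# Added example: the acceptance/issuance rules from the thread as claim rule language.
# Run on the resource.local AD FS server; the last two lines run in the SharePoint
# Management Shell on a farm server. Trust display names below are assumptions.
$cpTrustName = 'adfs.users.local'                  # claims provider trust for the user forest
$rpTrustName = 'SharePoint webapp.resource.local'  # relying party trust for the SP farm

$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$name  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$psid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$pgsid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid'

# One pass-through rule for a single claim type, as a claim rule language fragment.
function New-PassThroughRule([string]$Name, [string]$Type) {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $Name"
c:[Type == "$Type"]
 => issue(claim = c);

"@
}

# UPN --> emailAddress, the transform both ADFS instances in the thread apply.
$upnToEmail = @"
@RuleName = "UPN to emailAddress"
c:[Type == "$upn"]
 => issue(Type = "$email", Value = c.Value, ValueType = c.ValueType);

"@

$rules = (New-PassThroughRule 'UPN' $upn) + (New-PassThroughRule 'Primary SID' $psid) +
         (New-PassThroughRule 'Primary group SID' $pgsid) + (New-PassThroughRule 'Name' $name) +
         $upnToEmail

# Acceptance rules on the claims provider trust bound what the partner forest may assert;
# any incoming claim type not matched here is dropped before the RP issuance pipeline.
Set-AdfsClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $rules

# Issuance rules on the SharePoint RP trust, with the extra Email pass-through so the
# emailaddress claim already issued by the partner forest survives alongside UPN -> email.
Set-AdfsRelyingPartyTrust -TargetName $rpTrustName `
  -IssuanceTransformRules ($rules + (New-PassThroughRule 'Email' $email))

# SharePoint side: the identifier claim must be the emailaddress type issued above, or the
# user authenticates but never matches a permission entry ("hasn't been shared with you").
$issuer = Get-SPTrustedIdentityTokenIssuer
$issuer.IdentityClaimTypeInformation.InputClaimType   # expect the $email claim type
```

The value the SharePoint check prints has to equal the type the RP trust issues for email; if it shows the UPN type instead, the token is valid but the principal SharePoint looks up for authorization is not the one granted permissions.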