Forum Discussion
SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize
- Apr 30, 2020
  What claims are you passing over the fed trust, and what is the identity claim configured in SharePoint / sent by the RP from the resource domain ADFS?
- Matt_Paleafei, May 06, 2020 (Copper Contributor)
Thanks Trevor ... although the claim itself wasn't necessarily the resolution, it DID point me in the direction that seems to have resolved the issue.
I went to the claims provider in SharePoint (LDAPCP) and added another connection for the federated domain. Although in a typical federated scenario I question the feasibility of this as a solution, for OUR environment this works, and users from the federated ADFS forest are now able to be added into a site with permissions, and thus are authorized after authenticating.
- Matt_Paleafei, Apr 30, 2020 (Copper Contributor)
User ADFS issuance:
  UPN - passthrough
  Primary SID - passthrough
  Primary group SID - passthrough
  Name - passthrough
  UPN --> emailAddress
Resource ADFS:
  UPN - passthrough
  Primary SID - passthrough
  Primary group SID - passthrough
  Name - passthrough
  Email - passthrough
  UPN --> emailAddress
SharePoint Identifier Claim = email
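The Resource ADFS rule set listed in the post, written out in ADFS claim rule language and applied with the ADFS PowerShell module. This is an added example, not configuration from the thread: the trust names "User ADFS" (the partner forest's claims provider trust) and "SharePoint 2016" (the relying party trust) are placeholders, and the claim type URIs are the standard ones ADFS uses for UPN, email, name, primary SID and primary group SID.

```powershell
# Added example; assumes the Resource ADFS farm already has a claims provider
# trust for the partner forest and a relying party trust for SharePoint.
# Trust names below are placeholders.
Import-Module ADFS

$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$name  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$psid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$pgsid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid'

# One pass-through rule per claim type, in ADFS claim rule language.
function New-PassThroughRule {
    param([string]$Label, [string]$ClaimType)
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $Label"
c:[Type == "$ClaimType"]
 => issue(claim = c);

"@
}

# Transform rule: copy the incoming UPN value into an emailaddress claim.
# Issuer and OriginalIssuer are preserved so the source forest stays visible.
$upnToEmail = @"
@RuleTemplate = "MapClaims"
@RuleName = "UPN to emailAddress"
c:[Type == "$upn"]
 => issue(Type = "$email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

"@

# Acceptance rules on the partner forest's claims provider trust: only the
# listed claim types are accepted from that issuer, nothing else passes.
$acceptance = (New-PassThroughRule 'UPN' $upn) +
              (New-PassThroughRule 'Primary SID' $psid) +
              (New-PassThroughRule 'Primary group SID' $pgsid) +
              (New-PassThroughRule 'Name' $name) +
              (New-PassThroughRule 'Email' $email)
Set-AdfsClaimsProviderTrust -TargetName 'User ADFS' -AcceptanceTransformRules $acceptance

# Issuance rules on the SharePoint relying party trust: same pass-throughs
# plus the UPN --> emailAddress mapping, since SharePoint's identifier claim is email.
$issuance = $acceptance + $upnToEmail
Set-AdfsRelyingPartyTrust -TargetName 'SharePoint 2016' -IssuanceTransformRules $issuance

# Check that the relying party trust actually issues the identifier claim type.
$rules = (Get-AdfsRelyingPartyTrust -TargetName 'SharePoint 2016').IssuanceTransformRules
if ($rules -notmatch [regex]::Escape($email)) {
    Write-Warning 'SharePoint RP trust does not issue emailaddress; users will authenticate but not resolve.'
}
```

Because SharePoint authorizes on the email value, the Resource ADFS farm is trusting whatever the partner forest puts in that claim; keeping the acceptance rules on the claims provider trust limited to the listed types, rather than a pass-through-all rule, is what bounds that trust to the claims you expect.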