Custom Claims Provider - Not possible to Login


Dear Ladies and Gentlemen,

I have set up Active Directory Federation Services (ADFS) on a server.

I have mapped User Profiles with the ADFS.

I have created a test user in Active Directory.

The Account Name in the User Profile of this test user is the following:

i:0e.t|trusted identity provider (adfs)|test_user2@stupak.ch

When I placed this string into the people picker, the people picker transformed this string into a link, which was then added to the SharePoint group.

When I clicked on this link in the SharePoint group, I was redirected to the My Site of this user.

I could also log in to the SharePoint site with this user.

After that I deployed the Custom Claims Provider and mapped the custom claims provider to the Trusted Identity Token Issuer:

$issuer = Get-SPTrustedIdentityTokenIssuer "Trusted Identity Provider (ADFS)"
$issuer.ClaimProviderName = "TestCustomClaimProvider2"
$issuer.Update()

When I then selected the test user from the people picker, I received the following link in the SharePoint group:

c:0e.c|testcustomclaimprovider2|test_user2@stupak.ch

This link does not lead to the User Profile and I also cannot log in to the SharePoint site with this user.

Can you help me please?

Thank you very much.

With best regards

Ladislav Stupak


1 Reply

// usings added so the class resolves; all claim types live in Microsoft.SharePoint.Administration.Claims
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

public class CustomClaimProvider : SPClaimProvider
{
    // I have added the following two objects into the custom claims provider class
    // which inherits from the class SPClaimProvider
    protected SPTrustedLoginProvider SPTrust;

    protected string IssuerName => SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, SPTrust.Name);

    // I have added the following two methods into the custom claims provider class
    // which inherits from the class SPClaimProvider
    public static SPTrustedLoginProvider GetSPTrustAssociatedWithCP(string providerInternalName)
    {
        var lp = SPSecurityTokenServiceManager.Local.TrustedLoginProviders.Where(
            x => String.Equals(x.ClaimProviderName, providerInternalName, StringComparison.OrdinalIgnoreCase));

        if (lp != null && lp.Count() == 1)
        {
            return lp.First();
        }

        return null;
    }

    protected bool Initialize()
    {
        bool initialized = false;

        if (SPTrust == null)
        {
            SPTrust = GetSPTrustAssociatedWithCP(ProviderInternalName);
            if (SPTrust != null)
            {
                initialized = true;
            }
        }
        else
        {
            initialized = true;
        }

        return initialized;
    }

    // I have called the method Initialize in the following four methods:
    //   protected override void FillHierarchy
    //   protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved)
    //   protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
    //   protected override void FillSearch

    // I have replaced the calls of the protected SPClaim CreateClaim(string claimType,
    // string value, string valueType) method, which is inherited from SPClaimProvider,
    // with the following method. The method below has one parameter more and therefore
    // does not conflict with the method from the SPClaimProvider class. The important
    // part of this method is the parameter IssuerName, because this value builds the
    // middle part of the token. The token must have this part identical with the token
    // issuer to be able to log in to the SharePoint site.
    protected virtual SPClaim CreateClaim(string type, string value, string valueType, bool inputHasKeyword)
    {
        return new SPClaim(type, value, valueType, IssuerName);
    }
}

 

The following source helped me to solve this issue:

https://ldapcp.com/
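The two encoded strings in this thread differ in exactly the segment the reply fixes: the people picker stored a principal whose original issuer names the custom claim provider (`c`, `testcustomclaimprovider2`), while the login token carries the identity claim issued by the trust (`t`, `trusted identity provider (adfs)`), and SharePoint only grants access when the stored principal matches the token claim. The following Python model of SharePoint's encoded-claim format is an added illustration, not code from the poster, from SharePoint or from LDAPCP: it parses both strings, reports which segments differ, and shows that building the claim with the trust's original issuer (the `SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, ...)` value used in the reply) yields the same string the token carries. The issuer-letter table (w, s, f, t, c), the lower-casing of the provider name, and the segment-by-segment comparison are assumptions of this model; the claim-type character `e` and value-type character `.` are carried through from the page's strings without being mapped to claim URIs.

```python
from dataclasses import dataclass
from typing import List, Optional

# Original-issuer letter used in the encoded claim (SPOriginalIssuerType name -> letter).
# Assumed table for this example; the thread itself only shows 't' and 'c'.
ISSUER_TYPE_TO_CHAR = {
    "Windows": "w",
    "SecurityTokenService": "s",
    "Forms": "f",
    "TrustedProvider": "t",
    "ClaimProvider": "c",
}
CHAR_TO_ISSUER_TYPE = {v: k for k, v in ISSUER_TYPE_TO_CHAR.items()}
# Issuer types whose provider name follows the letter as its own '|name' segment.
NAMED_ISSUER_TYPES = {"Forms", "TrustedProvider", "ClaimProvider"}

# The two strings from the thread (constructed here as test input).
TOKEN_IDENTITY = "i:0e.t|trusted identity provider (adfs)|test_user2@stupak.ch"
BROKEN_GROUP_ENTRY = "c:0e.c|testcustomclaimprovider2|test_user2@stupak.ch"
TRUST_DISPLAY_NAME = "Trusted Identity Provider (ADFS)"


def format_original_issuer(issuer_type: str, name: Optional[str] = None) -> str:
    """Model of SPOriginalIssuers.Format: 'TrustedProvider:<name>', or just 'Windows'."""
    if issuer_type not in ISSUER_TYPE_TO_CHAR:
        raise ValueError(f"unknown original issuer type: {issuer_type}")
    if issuer_type in NAMED_ISSUER_TYPES:
        if not name:
            raise ValueError(f"{issuer_type} needs a provider name")
        return f"{issuer_type}:{name}"
    return issuer_type


@dataclass(frozen=True)
class Claim:
    is_identity: bool      # 'i' = the user's identity claim, 'c' = any other claim
    claim_type: str        # one encoded character ('e' in the thread's strings)
    value_type: str        # one encoded character ('.' in the thread's strings)
    original_issuer: str   # as produced by format_original_issuer()
    value: str

    def issuer_parts(self):
        issuer_type, _, name = self.original_issuer.partition(":")
        return issuer_type, name


def encode_claim(claim: Claim) -> str:
    """Build the 'i:0e.t|issuer|value' string SharePoint stores as the principal's login."""
    issuer_type, name = claim.issuer_parts()
    marker = "i" if claim.is_identity else "c"
    head = f"{marker}:0{claim.claim_type}{claim.value_type}{ISSUER_TYPE_TO_CHAR[issuer_type]}"
    if issuer_type in NAMED_ISSUER_TYPES:
        # Assumption: the provider name is written in lower case, as both thread strings show.
        return f"{head}|{name.lower()}|{claim.value}"
    return f"{head}|{claim.value}"


def decode_claim(encoded: str) -> Claim:
    """Parse an encoded claim into its segments; rejects strings that do not fit the format."""
    head, sep, rest = encoded.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    issuer_type = CHAR_TO_ISSUER_TYPE.get(head[5])
    if issuer_type is None:
        raise ValueError(f"unknown issuer letter {head[5]!r} in {encoded!r}")
    if issuer_type in NAMED_ISSUER_TYPES:
        name, sep, value = rest.partition("|")
        if not sep or not name:
            raise ValueError(f"missing provider name segment in {encoded!r}")
    else:
        name, value = "", rest
    return Claim(head[0] == "i", head[3], head[4],
                 format_original_issuer(issuer_type, name or None), value)


def mismatched_segments(stored_principal: str, token_claim: str) -> List[str]:
    """Segments that differ between the stored group entry and the claim in the login token.
    Empty list = the entry matches, so group membership applies to the logged-in user."""
    s, t = decode_claim(stored_principal), decode_claim(token_claim)
    s_type, s_name = s.issuer_parts()
    t_type, t_name = t.issuer_parts()
    checks = [
        ("identity marker", s.is_identity == t.is_identity),
        ("claim type", s.claim_type == t.claim_type),
        ("value type", s.value_type == t.value_type),
        ("issuer type", s_type == t_type),
        ("issuer name", s_name.lower() == t_name.lower()),
        ("value", s.value.lower() == t.value.lower()),
    ]
    return [segment for segment, ok in checks if not ok]


def fixed_provider_output(value: str, trust_name: str = TRUST_DISPLAY_NAME) -> str:
    """What the corrected provider emits: the same claim, issued under the trust's name."""
    issuer = format_original_issuer("TrustedProvider", trust_name)
    return encode_claim(Claim(True, "e", ".", issuer, value))


if __name__ == "__main__":
    print("broken entry differs in:", mismatched_segments(BROKEN_GROUP_ENTRY, TOKEN_IDENTITY))
    fixed = fixed_provider_output("test_user2@stupak.ch")
    print("fixed entry:", fixed, "differs in:", mismatched_segments(fixed, TOKEN_IDENTITY))
```

The same comparison is useful when auditing an existing site: the login names in a site's user information list are these encoded strings, and any entry whose issuer segment names a claim provider rather than the trust will never match a token from that trust, whatever its value says.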