ADFS authentication between 2 domains with claim provider and relying party trust


Suppose we now have 2 domains: one is the internal domain (INT) and the other is the resource (RSC) domain. We host our SharePoint web-app servers (FE and app), one ADFS and one AD inside the RSC domain, while one AD and one ADFS are hosted in the INT domain.


In my case, all the user accounts inside the INT domain also exist in the RSC domain. (e.g. assume tom and mary are two domain user accounts inside INT; the two user accounts tom and mary also exist inside the RSC domain.) Of course, their domains and UPNs are different.


Now we have configured both sides of ADFS: we configured a Relying Party Trust in INT's ADFS and a Claims Provider Trust inside RSC's ADFS. The INT and RSC users can now access the web-app successfully by selecting the corresponding domain for login in the form and authenticating with the corresponding domain's AD.


My problem is: after we have authenticated the INT user in INT's ADFS, we would like to check the outgoing claim (user name/SAM account, e.g. tom) against the RSC domain's AD to see if the SAM account name exists in RSC's AD. If yes, we would grant the group permissions which the RSC user has to the INT user account, i.e. assign the same permissions (role and group) of "RSC\tom" to "INT\tom".

(Because our goal is to use AD groups to assign permissions to users inside the SharePoint web-app, and we have already added those RSC user accounts to different AD security groups in RSC's AD.)


So, what configuration should I do to check/authenticate the INT SAM account name with RSC's ADFS, and how do I substitute the role (group membership) attribute of RSC\tom for INT\tom and log in to SharePoint as INT\tom?


I have attached a diagram that describes the infrastructure. Hope that it will be clearer. Thank you very much.

1 Reply
To answer your question about groups, no that would require a Domain Trust to assign an INT account to a RSC group -- but regardless, that wouldn't work as the INT account would be a Foreign Security Principal in the RSC domain, which SharePoint doesn't understand. What you could do is transmit the group claim from INT to RSC and leverage groups in INT instead.
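The claim flow the reply recommends (send INT group membership as role claims, pass them through RSC's claims provider trust, and hand them to SharePoint), written up as an added ADFS PowerShell example that is not part of the thread. The trust display names "RSC ADFS", "INT ADFS" and "SharePoint" are assumptions; the claim types and the Active Directory attribute store query syntax are standard ADFS.

```powershell
# Added example, not from the thread. Trust display names are assumptions.
Import-Module ADFS

# --- On INT's ADFS: the relying party trust that points at RSC's ADFS ---
# Issue the UPN (identifies INT\tom without any domain trust) plus one role
# claim per INT security group, read from the user's tokenGroups attribute.
$intIssuanceRules = @'
@RuleName = "Issue UPN from INT AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Issue INT group membership as role claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName "RSC ADFS" -IssuanceTransformRules $intIssuanceRules

# --- On RSC's ADFS: the claims provider trust for INT's ADFS ---
# Acceptance rules are an allow-list: only UPN and role claims from INT are
# kept, any other claim type INT sends is dropped at this boundary.
$rscAcceptanceRules = @'
@RuleName = "Pass through UPN from INT"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through role claims from INT"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "INT ADFS" -AcceptanceTransformRules $rscAcceptanceRules

# --- On RSC's ADFS: the relying party trust for SharePoint ---
# Forward the same two claim types so SharePoint can grant permissions to
# the INT role claims directly, with no RSC\tom lookup or domain trust.
$spIssuanceRules = @'
@RuleName = "Pass through UPN to SharePoint"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through role claims to SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName "SharePoint" -IssuanceTransformRules $spIssuanceRules
```

The existing issuance authorization rules on each trust are left untouched; SharePoint's trusted identity provider must map the UPN claim as the identity claim and the role claim as a role claim type for the INT groups to appear in its permission pickers.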