Apr 30 2020 02:12 PM
Resource Domain/Forest (resource.local)
SP 2016 Farm in Resource Domain webapp.resource.local
ADFS 4.0 configured on internal network of resource.local
WAP configured in DMZ publishing adfs.resource.local and webapp.resource.local
User Domain/Forest (users.local)
ADFS 4.0 configured on internal network of users.local
WAP configured in DMZ publishing adfs.users.local
Federated trust has been created between the two ADFS instances.
We can successfully authenticate against either ADFS individually, and we can also authenticate across the federated trust using the idpinitiatedsignon.aspx page to test.
The Issue: When we attempt to login to webapp.resource.local (tested externally because we have no need to test this internally) we can see the trust being traversed and we authenticate, however, we get the "Sorry, the site hasn't been shared with you." page. The users in the resource domain don't have issues authenticating/authorizing to the sites externally through the resource ADFS.
I'm not sure what we're missing here. Any help would be greatly appreciated.
Apr 30 2020 02:44 PM
Solution
Apr 30 2020 03:03 PM
User ADFS Issuance
UPN - passthrough
Primary SID - passthrough
Primary group SID - passthrough
Name - passthrough
UPN --> emailAddress
Resource ADFS
UPN - passthrough
Primary SID - passthrough
Primary group SID - passthrough
Name - passthrough
Email - passthrough
UPN --> emailAddress
SharePoint Identifier Claim = email
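The rule set listed above, written out in ADFS claim rule language and applied with the ADFS PowerShell module, as an added example that is not part of the original thread. The trust names (webapp.resource.local, adfs.users.local) are assumptions; the five claim types and the UPN to emailAddress transform follow the list above.

```powershell
# Added example (not from the thread): issuance and acceptance rules on the
# resource-side ADFS for the federated SharePoint scenario described above.
# Trust names are assumptions; adjust them to the names used in your farm.

$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$name  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$psid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$pgsid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid'

# One explicit pass-through rule per claim type, so only these five claim types
# are forwarded; any other claim asserted by the partner IdP is dropped.
$passThrough = ($upn, $psid, $pgsid, $name, $email | ForEach-Object {
@"
@RuleName = "Pass through $_"
c:[Type == "$_"]
 => issue(claim = c);
"@
}) -join "`n"

# UPN --> emailAddress, so the claim SharePoint uses as its identifier (email)
# is always present even when the partner did not send one.
$upnToEmail = @"
@RuleName = "UPN to emailAddress"
c:[Type == "$upn"]
 => issue(Type = "$email", Value = c.Value, ValueType = c.ValueType);
"@

# Resource ADFS: acceptance rules on the claims provider trust for users.local
# decide which of the partner's claims are trusted at all. Keep this list short.
Set-AdfsClaimsProviderTrust -TargetName 'adfs.users.local' `
    -AcceptanceTransformRules $passThrough

# Resource ADFS: issuance rules on the relying party trust for the SharePoint
# web application (pass-through of the five claims plus the UPN to email rule).
Set-AdfsRelyingPartyTrust -TargetName 'webapp.resource.local' `
    -IssuanceTransformRules ($passThrough + "`n" + $upnToEmail)

# Check what is now issued to SharePoint before testing a federated login.
(Get-AdfsRelyingPartyTrust -TargetName 'webapp.resource.local').IssuanceTransformRules
```

The user-side ADFS (users.local) gets the same pass-through rules, minus the Email pass-through, plus the same UPN to emailAddress rule on its relying party trust for the resource ADFS.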
May 06 2020 07:49 AM
Thanks Trevor ... although the claim itself wasn't necessarily the resolution, it DID point me in the direction that seems to have resolved the issue.
I went to the claims provider in SharePoint (LDAPCP) and added another connection for the federated domain. Although in a typical federated scenario, I question the feasibility of this as a solution, for OUR environment this works and users from the federated ADFS forest are now able to be added into a site with permissions, and thus are authorized after authenticating.