cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize

Matt_Paleafei
Copper Contributor

‎Apr 30 2020 02:12 PM

‎Apr 30 2020 02:12 PM

SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize

Resource Domain/Forest (resource.local)

SP 2016 Farm in Resource Domain webapp.resource.local
ADFS 4.0 configured on internal network of resource.local
WAP configured in DMZ publishing adfs.resource.local and webapp.resource.local

User Domain/Forest (users.local)
ADFS 4.0 configure on internal network of users.local
WAP configured in DMZ publishing adfs.users.local

Federated trust has been created between the two ADFS instances.
We can successfully authenticate against either ADFS individually, and we can also authenticate across the federated trust using the idpinitatedsignon.aspx to test.

 

The Issue: When we attempt to login to webapp.resource.local (tested externally because we have no need to test this internally) we can see the trust being traversed and we authenticate, however, we get the "Sorry, the site hasn't been shared with you." page.  The users in the resource domain don't have issues authenticating/authorizing to the sites externally through the resource ADFS.

 

I'm not sure what we're missing here.  Any help would be greatly appreciated.

@Trevor Seward 

Labels:
881 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by Matt_Paleafei (Copper Contributor)
Trevor Seward

‎Apr 30 2020 02:44 PM

‎Apr 30 2020 02:44 PM

Solution

Re: SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize

What claims are you passing over the fed trust and what is the identity claim configured in SharePoint/sent by the RP from the resource domain ADFS?
0 Likes
Reply
Matt_Paleafei

‎Apr 30 2020 03:03 PM

‎Apr 30 2020 03:03 PM

Re: SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize

@Trevor Seward 

User ADFS Issuance

UPN - passthrough

Primary Sid - passthrough

Primary group SID - passthrough

Name - passthrough

UPN --> emailAddress

 

Resource ADFS

UPN - passthrough

Primary Sid - passthrough

Primary group SID - passthrough

Name - passthrough

Email - passthrough

UPN --> emailAddress

 

SharePoint Identifier Claim = email

 

0 Likes
Reply
Matt_Paleafei

‎May 06 2020 07:49 AM

‎May 06 2020 07:49 AM

Re: SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize

@Trevor Seward 

Thanks Trevor ... although the claim itself wasn't necessarily the resolution, it DID point me in the direction that seems to have resolved the issue.

I went to the claims provider in sharepoint (LDAPCP) and added another connection for the federated domain.  Although in a typical federated scenario, I question the feasibility of this as a solution, for OUR environment this works and users from the federated ADFS forest are now able to be added into a site with permissions, and thus are authorized after authenticating.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Matt_Paleafei (Copper Contributor)
Trevor Seward

‎Apr 30 2020 02:44 PM

‎Apr 30 2020 02:44 PM

Solution

Re: SP 2016 ADFS 4.0 Federated Partner Authenticates, but doesn't Authorize

What claims are you passing over the fed trust and what is the identity claim configured in SharePoint/sent by the RP from the resource domain ADFS?

View solution in original post

0 Likes
Reply