Mapping User Profiles for SAML Users with an AD Import in SharePoint 2013
This is a topic that becomes very important in SharePoint 2013, and that is making sure you have a fully populated user profile application. In SharePoint 2013 the user profile system plays a critical role in the OAuth infrastructure, which is what allows certain trusted application scenarios to succeed by allowing other applications to act on behalf of a user. In order for an application to be able to “know” what a user can do though, it needs to capture the list of attributes for that user so proper security trimming rules can be applied. That’s the 100,000 foot level view of this, I will write more about user profiles, synchronization and the impact on different authentication choices in a later blog.
For now it’s enough to know that it’s very important and needs to be done. Given this importance, and the fact that Bryan Porter’s seminal posting on this from SharePoint 2010 has disappeared since he moved his blog over, I decided it would be worth covering again. The good news is that it isn’t super complicated if you are importing from Active Directory, which is what this post will cover.
The first thing you should do is create your SPTrustedIdentityTokenIssuer; that is required before you can configure the profile import aspect of things. Once that’s done open your browser and navigate to your UPA management page. Click on the Configure Synchronization Connections link, and then click the link to Create A New Connection. The only thing that’s different here compared to any other profile connection to AD is the Authentication Provider Type drop down. In that drop down you want to select Trusted Claims Provider Authentication. When you do, the Authentication Provider Instance drop down below that will populate a list of all the SPTrustedIdentityTokenProviders you have created. Just select the one that should be used with this profile connection, and fill out all of the other connection properties as you normally would for importing from AD and save it. Here’s a screenshot of what mine looks like:
Once that’s done the next thing you need to do is update the property mappings so SharePoint knows what field you are importing, contains the value that users will use as the identity claim. To do that go back to the UPA management page and click on the Manage User Properties link. Scroll down and find the Claim User Identifier property and Edit it. If there is an existing Property Mapping for Synchronization value, delete it. Add a new one that maps the property you are importing from AD as the identity claim value. In my case, I’m using email address as the identity claim, and in AD the user’s email address is stored in the AD attribute called “mail”. So I just select the profile connection I created above, I type in “mail” in the Attribute edit box and click the Add button. It looks like this:
After I’m done this is what it looks like:
The Claim Provider Identifier and Claim Provider Type are supposed to be set automatically when you configure the profile import connection.
That’s it – now I can do profile imports and it will automatically map that identity claim value to the account name property in the profile system. Here’s an example of what it looks like after I’ve run a profile import. Note that instead of using domain\user for the account name, it is showing a SAML claims format with email address for the account name: