GeorgeThomas-9228 asked YiLu-MSFT answered

User migration from Windows Claims to Trusted Identity Provider

In SP2013, we are migrating users from Windows Claims to a Trusted Identity Provider (SAML).

I used the script below for registering the token issuer, the claim mappings, and the user migration:

    # Register the identity provider's signing certificate as a trusted root authority and
    # create the token issuer with the default configuration, e-mail being the identifier claim.
    $siteRealm = "urn:sharepoint:realmtst"
    $wsfedurl  = "https://login.microsoftonline.com/ea80952e-a476-42d4-aaf4-5457852b0f7e/wsfed"
    $filepath  = "F:\Temp\Cert.cer"
    $adfsCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
    New-SPTrustedRootAuthority -Name "ID-PROVIDER" -Certificate $adfsCert
    $ap = New-SPTrustedIdentityTokenIssuer -Name "ID-PROVIDER" -Description "ID-PROVIDER Functions Default" -realm $siteRealm -ImportTrustCertificate $adfsCert -SignInUrl $wsfedurl -UseDefaultConfiguration -IdentifierClaimIs EMAIL -RegisteredIssuerName $siteRealm

    # Register the same trust again, this time with explicit claim type mappings
    # (e-mail, UPN, groups); the e-mail mapping is used as the identifier claim.
    $realm    = "urn:sharepoint:realmtst"
    $wsfedurl = "https://login.microsoftonline.com/ea80952e-a476-42d4-aaf4-5457852b0f7e/wsfed"
    $filepath = "F:\Temp\Cert.cer"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
    New-SPTrustedRootAuthority -Name "ID-PROVIDER" -Certificate $cert
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "E-Mail Address" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
    $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    New-SPTrustedIdentityTokenIssuer -Name "ID-PROVIDER" -Description "Claims Authentication " -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $wsfedurl -IdentifierClaim $map1.InputClaimType -ClaimProvider "Claim-Provider"

    # Send the wreply parameter with the sign-in request.
    $ap = Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"
    $ap.UseWReplyParameter = $true
    $ap.Update()

    # Migrate the web application's users from Windows claims to the trusted provider,
    # keeping their existing permissions.
    $wa = Get-SPWebApplication "WebAppURL"
    $tp = Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"
    Convert-SPWebApplication -id $wa -To CLAIMS-TRUSTED-DEFAULT -From CLAIMS-WINDOWS -TrustedProvider $tp -RetainPermissions

The Convert-SPWebApplication command completed successfully. I checked and verified that all existing users in the web application have now been migrated to the correct claims identity, that is, "i:05.t|id-provider|UserEmail". However, when they try to access the site, they get access denied.

But if I add the same user as a new user to the site collection, the user is able to access the site without any issue.

I'm not sure what mistake I made, as new users are able to access the site but the existing/migrated users are not. Can someone guide me? Perhaps some changes to the web.config file?

office-sharepoint-server-administration
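A check worth running after the conversion, added here as an example and not taken from the question or the answer: it encodes a probe identity through the trusted issuer to obtain the exact login prefix a sign-in will produce, then lists every stored site user whose login still carries the Windows-claims prefix, does not match that prefix byte for byte, or exists twice differing only in letter case. The issuer name is the question's; the site URL and the probe address are placeholders.

```powershell
# Added diagnostic; not the asker's script and not part of Convert-SPWebApplication.
# Assumes the issuer name "ID-PROVIDER" from the question; the site URL and the
# probe address are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-MigratedClaimLogins {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [string]$IssuerName = "ID-PROVIDER"
    )
    $tp = Get-SPTrustedIdentityTokenIssuer $IssuerName
    # Encode a probe value through the issuer to learn the exact prefix that a
    # real sign-in produces, e.g. "i:05.t|id-provider|" ('5' = e-mail identifier
    # claim, 'e' would mean UPN). Every migrated entry must start with this prefix.
    $probe  = (New-SPClaimsPrincipal -Identity "probe@example.invalid" -TrustedIdentityTokenIssuer $tp).ToEncodedString()
    $prefix = $probe.Substring(0, $probe.LastIndexOf('|') + 1)

    $site = Get-SPSite $SiteUrl
    try {
        $users = @(Get-SPUser -Web $site.RootWeb -Limit All | Where-Object { -not $_.IsDomainGroup })
        # Count logins case-insensitively to spot the same identity stored twice
        # (a migrated entry plus a manually added one) differing only by case.
        $seen = @{}
        foreach ($u in $users) { $k = $u.UserLogin.ToLowerInvariant(); $seen[$k] = 1 + [int]$seen[$k] }
        foreach ($u in $users) {
            $login  = $u.UserLogin
            $status = "OK"
            if ($login.StartsWith("i:0#.w|")) { $status = "STILL-WINDOWS-CLAIM" }
            elseif (-not $login.StartsWith($prefix, [System.StringComparison]::Ordinal)) { $status = "ISSUER-OR-CLAIMTYPE-MISMATCH" }
            elseif ($seen[$login.ToLowerInvariant()] -gt 1) { $status = "CASE-VARIANT-DUPLICATE" }
            [pscustomobject]@{ Status = $status; Login = $login; ExpectedPrefix = $prefix }
        }
    } finally { $site.Dispose() }
}

Test-MigratedClaimLogins -SiteUrl "https://sp.contoso.local/sites/team" | Sort-Object Status | Format-Table -AutoSize
```

Run it from the SharePoint Management Shell on a farm server; entries other than OK are the ones whose stored login can never equal the claim the provider sends at sign-in.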

I am currently looking into this issue and will give you an update as soon as possible.

Thank you for your understanding and support.

1 Answer

YiLu-MSFT answered

Hi @GeorgeThomas-9228
I found an article about migrating users from Windows Claims to a Trusted Identity Provider (SAML) without using PowerShell:
https://adamsorenson.com/sharepoint-20132016-migrate-from-windows-claims-to-adfs/

If you want to get a certain confirmation, I suggest you open a ticket with Microsoft to confirm.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
